POC for CVE-2018-8097 This script exploits CVE-2018-8097 and can retrieve files and contents using a blind RCE method.## CVE-2018-8097
POC for CVE-2018-8097 This script exploits CVE-2018-8097 and can retrieve files and contents using a time based blind RCE method.
## Usage
```bash
python cve-2018-8097.py [-h] -u URL -c COMMAND -t TIME -id OBJECTID -d FILEPATH
options:
-h, --help show this help message and exit
-u, --url URL Target base URL (e.g., http://127.0.0.1:5000)
-d, --dir DIR Path to the file on the target system (e.g., /etc/passwd)
-id, --objectid OBJECTID
MongoDB ObjectId value for the injection
-t, --time TIME Delay in seconds for time-based check (default: 3)
-v, --verbose Enable verbose output (shows found characters)
-m, --max-length MAX_LENGTH
Maximum file length to read (default: 100)
```
## Resources
https://www.cvedetails.com/cve/CVE-2018-8097/ <br>
pyeve/eve#1101 <br>
https://github.com/pyeve/eve/commit/f8f7019ffdf9b4e05faf95e1f04e204aa4c91f98 <br>
https://github.com/SilentVoid13/CVE-2018-8097
## Disclaimer
This proof-of-concept (PoC) script is intended solely for educational and research purposes. It is provided without any warranty, express or implied.
By using this script, you agree that:
You will not use it for unauthorized or malicious purposes.
You understand that exploiting vulnerabilities may have legal consequences depending on your jurisdiction.
The authors and contributors of this repository are not responsible for any misuse or damages resulting from its use.
If you are a security researcher, ethical hacker, or developer, ensure you have proper authorization before testing or using this script on any system.
[4.0K] /data/pocs/13d75a39c25613cf5f490b96c6e8e216cf37dc81
├── [3.6K] cve-2018-8097.py
└── [1.6K] README.md
0 directories, 2 files