Vulhub vulnerability reproduction 72_uWSGI
2022-07-06 05:19:00 【Revenge_scan】
1. CVE-2018-7490_uWSGI PHP directory traversal vulnerability
Preface
uWSGI is a web application server. It implements the WSGI, uwsgi and HTTP protocols and supports running applications written in various languages through plugins.
Vulnerability Details
In the PHP plugin of uWSGI before 2.0.17, the `DOCUMENT_ROOT` check was not handled correctly, so a user can send `..%2f` to traverse directories and read or execute files outside the `DOCUMENT_ROOT` directory.
Vulnerability environment
Lab target: 192.168.4.10_Ubuntu
Start the vulnerable uWSGI server:
# docker-compose up -d
After it has started, visit `http://your-ip:8080/`; you should see the phpinfo page, which shows that the uwsgi-php server is running.
Vulnerability reproduction
Visit `http://your-ip:8080/..%2f..%2f..%2f..%2f..%2fetc/passwd`; the file is read successfully:
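As an added illustration (not uWSGI's own code), the following Python contrasts a resolver that, like the flawed plugin, performs no containment check with one that resolves the real path and requires it to stay under `DOCUMENT_ROOT`; the document root value is an assumption, and the traversal request is the one used above.

```python
import os
from urllib.parse import unquote

# Constructed illustration of the containment check missing before uWSGI 2.0.17
# (CVE-2018-7490). This is not uWSGI's code; DOCUMENT_ROOT is an assumed value.
DOCUMENT_ROOT = "/var/www/html"


def naive_resolve(path_info: str) -> str:
    """Flawed pattern: percent-decode PATH_INFO and glue it onto DOCUMENT_ROOT
    with no containment check. '..%2f' decodes to '../', and normalising the
    result shows where the file lookup actually lands."""
    joined = os.path.join(DOCUMENT_ROOT, unquote(path_info).lstrip("/"))
    return os.path.normpath(joined)


def safe_resolve(path_info: str) -> str:
    """Hardened pattern: decode, join, collapse '..' and symlinks with realpath,
    then require the result to lie under the real document root. commonpath is
    used rather than str.startswith so '/var/www/html2' is not mistaken for a
    child of '/var/www/html'."""
    root = os.path.realpath(DOCUMENT_ROOT)
    joined = os.path.join(root, unquote(path_info).lstrip("/"))
    candidate = os.path.realpath(joined)
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{path_info!r} resolves outside DOCUMENT_ROOT")
    return candidate


def is_contained(path_info: str) -> bool:
    """True when safe_resolve accepts the request, False when it rejects it."""
    try:
        safe_resolve(path_info)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # The same request the write-up sends to the vulnerable server.
    traversal = "..%2f..%2f..%2f..%2f..%2fetc/passwd"
    print("naive resolves to:", naive_resolve(traversal))        # /etc/passwd
    print("safe accepts traversal:", is_contained(traversal))    # False
    print("safe accepts index.php:", is_contained("index.php"))  # True
```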
2. uWSGI unauthorized access vulnerability
Preface
uWSGI is a web application server. It implements the WSGI, uwsgi and HTTP protocols, supports running applications in various languages through plugins, and is usually used to run Python web applications. Besides being the name of the application container, uwsgi is also, like FastCGI, a communication standard between a front-end server and a back-end application container. Currently nginx and Apache also support proxying requests over the uwsgi protocol.
Vulnerability Details
uWSGI supports configuring the back-end web application dynamically through magic variables. If its port is exposed, an attacker can construct uwsgi packets that set the magic variable `UWSGI_FILE` and use the `exec://` scheme to execute arbitrary commands.
Reference links:
- https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md
- https://xz.aliyun.com/t/3512
- https://uwsgi-docs.readthedocs.io/en/latest/Vars.html
Vulnerability environment
Run the following command to start the nginx+uwsgi environment:
# docker-compose up -d
After the environment starts, visit `http://your-ip:8080` to see a web application; its uwsgi service is exposed on port 8000.
Vulnerability reproduction
Use [poc.py](poc.py) and run `python poc.py -u your-ip:8000 -c "touch /tmp/success"`:
Run `docker-compose exec web bash` to enter the container; `/tmp/success` is present, so the command executed successfully: