From 83fe8367fc263b785ff520c16b60dcaa97247849 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 23 Aug 2023 12:47:40 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E9=9D=92=E8=97=A4=E4=BA=91=20EDR=20?= =?UTF-8?q?=E6=9D=83=E9=99=90=E6=8F=90=E5=8D=87=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 青藤云 EDR 权限提升漏洞.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 青藤云 EDR 权限提升漏洞.md

diff --git a/青藤云 EDR 权限提升漏洞.md b/青藤云 EDR 权限提升漏洞.md
new file mode 100644
index 0000000..e5a2dca
--- /dev/null
+++ b/青藤云 EDR 权限提升漏洞.md
@@ -0,0 +1,29 @@
+## 青藤云 EDR 权限提升漏洞
+```
+青藤的测试 POC
+local function save_python_info(ctx, info_table)
+local proc_names = {"python.exe"}
+local procs_ret = ctx.get_proc_list_info_rely(ctx, proc_names)
+if next(procs_ret) == nil then
+return
+end
+-- call get version
+-- ... 省略无关代码
+get_python_ver(proc) -- ... 省略无关代码
+end
+function get_python_ver(proc)
+if proc == nil then
+return "" end
+
+if file_api.file_exists(proc.path) then
+local cmdline = "\"" .. proc.path .. "\" -V"
+local ret, output = common.execute_shell(cmdline)
+if ret == 0 and output and output ~= "" then
+return regex.match(output, "\\d.+\\d")
+else
+agent.error_log("get python version info error:" .. tostring(ret))
+return "" end
+end
+End
+
+```
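Review bot: The write-up pastes the agent's Lua POC but never states the root cause, which is the line `local ret, output = common.execute_shell(cmdline)` in `get_python_ver`: the command is assembled from `proc.path`, the on-disk path of whatever running process happens to be named `python.exe`, and the only gate before executing it is `file_api.file_exists(proc.path)`, so a user who launches any binary renamed to python.exe from a directory they control gets it run by the agent — presumably with the agent's own privileges, which is what would make this an escalation rather than a plain bug. I would add one sentence under the heading, e.g. `Root cause: get_python_ver runs execute_shell on the path of any process named python.exe with no owner/signature/location check, so a low-privileged user can plant a same-named binary and have the agent execute it`, and note that wrapping the path in quotes (`"\"" .. proc.path .. "\" -V"`) only handles spaces and does not make the file trustworthy; a fix needs an ownership or signature check or an allow-listed install location. The listing's final `End` is not valid Lua (the keyword is lowercase `end`) and the `proc` variable used in `save_python_info` is never bound in the shown excerpt, so the block should be labelled as an abridged excerpt rather than runnable code.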