POC details: 130b84e78a836dbe13caae4315616b36770de7ad

Source
Related vulnerability
Title: Pulse Secure Pulse Connect Secure path traversal vulnerability (CVE-2019-11510)
Description: Pulse Secure Pulse Connect Secure (PCS, formerly Juniper Junos Pulse) is an SSL VPN product from the US company Pulse Secure. The 9.0RX, 8.3RX and 8.2RX release lines of PCS contain a path traversal vulnerability (fixed in 9.0R3.4, 8.3R7.1 and 8.2R12.1). The flaw is that the web interface does not filter special path elements such as `..` out of resource and file paths, so an unauthenticated remote attacker who can reach the VPN's web interface can read files outside the intended directory, including appliance files that hold credentials and session material.
Description
Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)
Introduction
# pwn-pulse.sh
**Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)**

Script authored by braindead @BishopFox. Based on [research by Orange Tsai and Meh Chang](https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html). Thanks also to Alyssa Herrera and 0xDezzy for additional insights. Huge thanks to bl4ckh0l3z for fixing, cleaning and refactoring the code significantly!

This script extracts private keys, usernames, admin details (including session cookies) and observed logins (including passwords) from Pulse Connect Secure VPN files downloaded via CVE-2019-11510.

* It takes one or more targets (domain or IP, supplied via `-t` as a single entry on stdin, a CSV list, or a single-column file) and downloads the important files from each server using the arbitrary file read vulnerability.
* It then greps through the downloaded files for sensitive information and dumps it all into a file named [TARGET]_report.txt.
* It can also test each recovered session cookie (`-c`) to see whether the session is still active (and thus available for hijacking).

Additional details about the development of the script are available in [this blog article](https://know.bishopfox.com/blog/breaching-the-trusted-perimeter).

### Usage:
```
./pwn-pulse.sh -h

  [pwn-pulse.sh by braindead @BishopFox]

  This script extracts private keys, usernames, admin details (including
  session cookies) and observed logins (including passwords) from Pulse
  Connect Secure VPN files downloaded via CVE-2019-11510.

  Usage: pwn-pulse.sh [options]

  Options:
        -h   show this output
        -t   set the target (IPs - single entry by stdin, in csv format, single column in a file)
        -d   download config, cache and sessions files
        -c   test cookies in order to identify active sessions
        -k   test cookies without downloading files (already downloaded and extracted)
        -s   extract ssh keys
        -a   all tests
        
```
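The script above exercises the traversal from the attacker's side; the defender's counterpart is spotting those requests in the appliance's web access logs. The Python scanner below is an added example, not part of pwn-pulse.sh or the original page. It percent-decodes each request target, flags any request whose path contains `..` segments, computes where the path would have landed, and separately marks the request shape documented in the Orange Tsai / Meh Chang research linked above (traversal segments after `/dana/html5acc/guacamole/` with the same prefix repeated as the query string). The common-log-format layout is an assumption about the logs you have, and the sample lines and IP addresses are constructed for the example.

```python
"""Spot CVE-2019-11510-style traversal requests in Pulse Connect Secure web access logs.

Added example: not part of pwn-pulse.sh. The log layout (Apache/NCSA common log
format) is an assumption about the logs you have; the sample lines and IPs below
are constructed for the example.
"""
import posixpath
import re
from urllib.parse import unquote

# One common-log-format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request shape documented in the Orange Tsai / Meh Chang research the README
# cites: traversal segments after this prefix in the path, and the same prefix
# again as the query string. Taken from that research, not from the POC page.
GUACAMOLE_PREFIX = "/dana/html5acc/guacamole/"

# Constructed sample log: one benign hit, two CVE-shaped traversals (one
# percent-encoded), one generic traversal without the CVE signature, one benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:12:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [10/Sep/2019:12:00:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1834
203.0.113.7 - - [10/Sep/2019:12:00:03 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 410
198.51.100.9 - - [10/Sep/2019:12:00:04 +0000] "GET /dana-na/../../etc/passwd HTTP/1.1" 403 0
198.51.100.9 - - [10/Sep/2019:12:00:05 +0000] "GET /dana/home/starter0.cgi?check=yes HTTP/1.1" 302 0
"""


def decode_target(target, rounds=3):
    """Percent-decode until stable (bounded) so %2e%2e and %252e%252e both read as '..'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyse_request(target):
    """Return a finding for a traversal attempt, or None for a request without '..' segments."""
    decoded = decode_target(target)
    path, _, query = decoded.partition("?")
    segments = path.split("/")
    if ".." not in segments:
        return None
    return {
        "decoded_path": path,
        # posixpath.normpath collapses '..' (and drops any that climb above '/'),
        # which is where a naive server-side path join would have landed the read.
        "resolved_path": posixpath.normpath(path),
        "traversal_segments": segments.count(".."),
        "cve_2019_11510_signature": GUACAMOLE_PREFIX in path
        and query.startswith(GUACAMOLE_PREFIX),
    }


def scan_log(text):
    """Parse each log line and collect traversal findings; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = analyse_request(match.group("target"))
        if finding:
            finding["ip"] = match.group("ip")
            finding["timestamp"] = match.group("ts")
            finding["status"] = int(match.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "CVE-2019-11510 shape" if f["cve_2019_11510_signature"] else "traversal"
        print(f'{f["ip"]} {f["status"]} {verdict}: {f["decoded_path"]} -> {f["resolved_path"]}')
```

Run it over a real access log by passing the file contents to `scan_log`. A flagged line with status 200 means the appliance answered the request; treat that as a likely disclosure of the file in `resolved_path` and rotate whatever it protects (the keys, session cookies and passwords the script above harvests are exactly what an attacker would have pulled). Flagged lines with a 4xx status are attempts worth attributing to a source address but are not evidence of disclosure on their own.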
File snapshot
 [4.0K]  /data/pocs/130b84e78a836dbe13caae4315616b36770de7ad
├── [ 34K]  LICENSE
├── [ 22K]  pwn-pulse.sh
└── [1.9K]  README.md

0 directories, 3 files