PoC details: 2425ee67af22cf9d6eb23542ac0f24e11e559875

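Related vulnerability
Title: Checkmk security vulnerability (CVE-2022-47909)
Description: Checkmk is an editor. Tribe29 Checkmk versions 2.1.0p11 and earlier, 2.0.0p28 and earlier, and 1.6.0 contain a security vulnerability. An attacker can exploit this vulnerability to obtain sensitive information.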
Description
Unauthenticated Arbitrary File Deletion by abusing Livestatus Query Language Injection in Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL)
Introduction
# CVE-2022-47909 - Unauthenticated Arbitrary File Deletion
This exploit abuses two CVEs in Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) to achieve unauthenticated arbitrary file deletion.

* **CVE-2022-48321** - An SSRF vulnerability in the Agent_Receiver endpoint of the Checkmk software. By abusing the vulnerable /register_with_hostname endpoint, we can cause a blind SSRF.
* **CVE-2022-47909** - Through our blind SSRF we can abuse a line feed injection in the /ajax_graph_images.py endpoint to initiate an attacker-controlled LQL query. This injection can be used to extract data, or to run Nagios External Commands.

This exploit uses the SSRF + LQL injection combination for an arbitrary file deletion vulnerability. This exploit can be chained with other exploits in the vulnerable versions for unauthenticated remote code execution as described in the following series of articles: https://www.sonarsource.com/blog/checkmk-rce-chain-1/
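
The line feed injection described above is possible because Livestatus queries are line-based and an empty line ends a request. The following Python is an added example, not code from this repository or from Checkmk: it contrasts a query builder that interpolates a value verbatim with one that rejects control characters, and adds a check that one builder call serializes to exactly one request. All function names and sample values are constructed for illustration.

```python
import re

# Livestatus queries are line-based: a request line, one header per line,
# and an empty line ends the query. A CR/LF inside a header value therefore
# changes the structure of what the server parses.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_IDENT = re.compile(r"[a-z_]+")

# Constructed sample values (not taken from the exploit on this page).
BENIGN = "web01"
INJECTED = "web01\n\nGET hosts\nColumns: name"


def build_query_unsafe(table, column, value):
    """Flawed pattern: the caller-supplied value is interpolated verbatim."""
    return f"GET {table}\nColumns: {column}\nFilter: {column} = {value}\n\n"


def lql_value(value):
    """Reject any value that could break out of its single header line."""
    if not isinstance(value, str) or _CONTROL.search(value):
        raise ValueError("control character in LQL value")
    return value


def build_query_safe(table, column, value):
    """Same query with allow-listed identifiers and a checked value."""
    for ident in (table, column):
        if not _IDENT.fullmatch(ident):
            raise ValueError(f"invalid LQL identifier: {ident!r}")
    return build_query_unsafe(table, column, lql_value(value))


def count_requests(wire):
    """Count the requests a line-based parser would see in serialized output.

    One builder call must yield exactly one request; more means injection.
    """
    return len([block for block in wire.split("\n\n") if block.strip()])


if __name__ == "__main__":
    print(count_requests(build_query_unsafe("hosts", "name", BENIGN)))
    print(count_requests(build_query_unsafe("hosts", "name", INJECTED)))
    try:
        build_query_safe("hosts", "name", INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same control-character test can be applied to request parameters at the web tier or in log review to flag values that carry CR/LF into a backend line protocol.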

DISCLAIMER: This script is made to audit the security of systems. Only use this script on your own systems or on systems you have written permission to exploit.
File snapshot

[4.0K] /data/pocs/2425ee67af22cf9d6eb23542ac0f24e11e559875
├── [5.1K] exploit.py
├── [1.0K] LICENSE
└── [1.1K] README.md

0 directories, 3 files