关联漏洞
标题:pac4j 代码问题漏洞 (CVE-2023-25581)Description:pac4j是pac4j开源的一个简单而强大的 Java 安全引擎。用于验证用户、获取他们的配置文件和管理授权,以保护 Web 应用程序和 Web 服务。 pac4j 4.0.0之前版本存在代码问题漏洞,该漏洞源于受到Java反序列化漏洞的影响,可能导致远程代码执行(RCE)。
介绍
This Python script demonstrates the exploitation of the CVE-2023-25581 vulnerability in pac4j-core. The vulnerability allows an attacker to execute arbitrary code (RCE) by deserializing maliciously crafted Base64-encoded data.
Prerequisites
Before running the script, make sure you have the following installed:
Python 3.x: Download Python
requests library: Install it by running the command:
bash
pip install requests
Usage
Clone the Repository:
Clone this repository to your local machine:
bash
git clone https://github.com/p33d/CVE-2023-25581
cd CVE-2023-25581
Run the Exploit Script:
To run the script, use the following command in your terminal:
bash
python3 Poc-CVE-2023-25581.py
Input the Target URL:
After running the script, you will be prompted to enter the target URL of the vulnerable application. For example:
bash
Enter the target URL (e.g., http://vulnerable-app.com/api/profile): http://vulnerable-app.com/api/profile
Payload Execution:
If the target is vulnerable, the script will send a payload and attempt to exploit the system. If successful, you may achieve remote code execution (RCE). The script will print the following message if the exploit is successful:
bash
Payload sent successfully! Check your terminal for RCE.
If the exploit fails or the target is not vulnerable, an error message will be displayed.
文件快照
[4.0K] /data/pocs/497a8df1e0b1fcf80c42c0433d6204e44e5aa2c8
├── [1.0K] Poc-CVE-2023-25581.py
└── [1.4K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。