Related vulnerability
Description
# CVE-2019-4716 Test Environment
This directory contains a complete test environment for validating the CVE-2019-4716 Nuclei template.
## 📋 Overview
**CVE**: CVE-2019-4716
**Product**: IBM Planning Analytics 2.0.0-2.0.8
**Vulnerability**: Authentication Bypass & Remote Code Execution
**Severity**: Critical (CVSS 9.8)
## 🗂️ Files Structure
```
CVE-2019-4716 Test Environment/
├── README.md                          # This file
├── docker-compose-cve-2019-4716.yml   # Docker setup for mock server
├── mock-server/                       # Mock vulnerable server
│   └── mock_ibm_pa.py                 # Python Flask mock server
├── test-mock-server.py                # Test script for mock server
└── test-cve-2019-4716.sh              # Automated testing script
```
## 🚀 Quick Start
### Method 1: Automated Testing
```bash
# Make script executable
chmod +x test-cve-2019-4716.sh
# Run automated test
./test-cve-2019-4716.sh
```
### Method 2: Manual Testing
```bash
# 1. Start mock server
docker-compose -f docker-compose-cve-2019-4716.yml up -d python-mock-server
# 2. Wait for server to start
sleep 10
# 3. Test mock server
python3 test-mock-server.py
# 4. Test Nuclei template
nuclei -t ../../http/cves/2019/CVE-2019-4716.yaml -u http://localhost:9511 -debug -v
```
## 🧪 Mock Server Details
The mock server simulates a vulnerable IBM Planning Analytics instance with the following endpoints:
### Vulnerable Endpoints
- `GET /tm1/api/v1/Configuration` - Configuration endpoint (accessible without auth)
- `POST /tm1/api/v1/Configuration/AdminHost` - Authentication bypass
- `POST /tm1/api/v1/ExecuteCommand` - Remote code execution
- `GET /tm1/api/v1/Processes` - Alternative detection method
### Features
- ✅ Simulates authentication bypass vulnerability
- ✅ Allows configuration overwrite without authentication
- ✅ Supports RCE command execution
- ✅ Returns random strings for template validation
- ✅ Provides realistic IBM Planning Analytics responses
## 📊 Expected Results
### Successful Detection
```
[INF] [CVE-2019-4716] [http] [critical] http://localhost:9511/tm1/api/v1/ExecuteCommand
[INF] Scan completed in X.XXXXXXms. 2 matches found.
```
### Debug Output
```
[DBG] [CVE-2019-4716] Dumped HTTP request for http://localhost:9511/tm1/api/v1/Configuration
[DBG] [CVE-2019-4716] Dumped HTTP response for http://localhost:9511/tm1/api/v1/Configuration
[DBG] [CVE-2019-4716] Step 1: Configuration endpoint accessible (200 OK)
[DBG] [CVE-2019-4716] Step 2: Configuration overwrite successful (200/201)
[DBG] [CVE-2019-4716] Step 3: RCE command execution successful with randstr in response
```
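As an added example that is not part of this test environment, the following Python check shows how a defender can spot the three-step chain above (Configuration read, AdminHost overwrite, ExecuteCommand call) in web-server access logs: it flags a client only when all three steps succeed in order from the same source. The endpoint paths are those of this README's mock server, and the sample log lines are constructed; the `randstr` marker lives in the response body, so a log-based check has to rely on the request sequence instead.

```python
import re
from collections import defaultdict

# Combined-log-format fields we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The ordered chain this README's mock server and debug output describe.
# Step 3 accepts any 2xx, since the debug output gives no status for it.
CHAIN = [
    ("GET",  "/tm1/api/v1/Configuration",           lambda s: s == "200"),
    ("POST", "/tm1/api/v1/Configuration/AdminHost", lambda s: s in ("200", "201")),
    ("POST", "/tm1/api/v1/ExecuteCommand",          lambda s: s.startswith("2")),
]

def parse(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_exploit_chains(lines):
    """Return the client IPs that complete the full chain, in order of completion."""
    progress = defaultdict(int)   # ip -> index of the next expected step
    flagged = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        step = progress[rec["ip"]]
        if step >= len(CHAIN):
            continue                  # already flagged this client
        method, path, status_ok = CHAIN[step]
        # Ignore any query string; paths are matched case-sensitively.
        if (rec["method"] == method
                and rec["path"].split("?", 1)[0] == path
                and status_ok(rec["status"])):
            progress[rec["ip"]] = step + 1
            if progress[rec["ip"]] == len(CHAIN):
                flagged.append(rec["ip"])
    return flagged

# Constructed sample log: one client completes the chain, one is rejected at step 1.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /tm1/api/v1/Configuration HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /tm1/api/v1/Configuration/AdminHost HTTP/1.1" 201 64
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 200 128
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /tm1/api/v1/Configuration HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /tm1/api/v1/ExecuteCommand HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    print("clients completing the chain:", find_exploit_chains(SAMPLE_LOG.splitlines()))
```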
## 🔧 Troubleshooting
### If Docker fails to start:
```bash
# Check Docker status
docker info
# Check if ports are available
netstat -tulpn | grep :9511
# View logs
docker-compose -f docker-compose-cve-2019-4716.yml logs
```
### If template doesn't detect:
```bash
# Test with verbose output
nuclei -t ../../http/cves/2019/CVE-2019-4716.yaml -u http://localhost:9511 -debug -v -silent
# Test individual endpoints
curl -v http://localhost:9511/tm1/api/v1/Configuration
curl -X POST http://localhost:9511/tm1/api/v1/Configuration/AdminHost \
-H "Content-Type: application/json" \
-d '{"AdminHost":"test","AdminPort":1234}'
```
### If mock server fails:
```bash
# Check if Python dependencies are installed
docker-compose -f docker-compose-cve-2019-4716.yml logs python-mock-server
# Restart services
docker-compose -f docker-compose-cve-2019-4716.yml down
docker-compose -f docker-compose-cve-2019-4716.yml up -d
```
## 🧹 Cleanup
```bash
# Stop all services
docker-compose -f docker-compose-cve-2019-4716.yml down
# Remove containers and images
docker-compose -f docker-compose-cve-2019-4716.yml down --rmi all
# Clean up Docker system
docker system prune -f
```
## 📝 Template Information
### Template Location
```
http/cves/2019/CVE-2019-4716.yaml
```
### Template Features
- ✅ Complete POC with authentication bypass and RCE
- ✅ Multiple detection methods
- ✅ Strong matchers preventing false positives
- ✅ Debug information included
- ✅ Proper CVE directory structure
### Validation Criteria Met
- ✅ **Complete POC**: Not version-based detection
- ✅ **Debug data**: Full `-debug` output provided
- ✅ **Test environment**: Docker setup with mock server
- ✅ **Multiple protocols**: Uses HTTP REST API endpoints
- ✅ **Strong matchers**: Prevents false positives
File snapshot
[4.0K] /data/pocs/7a961e30b57a9db53e5745c2724db072524b25f0
├── [1.4K] docker-compose-cve-2019-4716.yml
├── [4.0K] mock-server
│   └── [4.3K] mock_ibm_pa.py
├── [4.4K] README.md
├── [1.6K] test-cve-2019-4716.sh
└── [3.0K] test-mock-server.py
1 directory, 5 files
Notes
1. It is recommended to access the POC through its original source first.
2. If the source is unavailable or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.