CVE-2018-1000802 PoC — Python 命令注入漏洞

Source

https://github.com/tna0y/CVE-2018-1000802-PoC

Associated Vulnerability

Title:Python 命令注入漏洞 (CVE-2018-1000802)
Description:Python是Python基金会的一套开源的、面向对象的程序设计语言。该语言具有可扩展、支持模块和包、支持多种平台等特点。 Python（CPython） 2.7版本中的shutil模块（make_archive函数）存在命令注入漏洞。攻击者可通过输入消息利用该漏洞造成拒绝服务或获取信息。

Description

Python CVE-2018-1000802 Proof-of-Concept

Readme

# Python CVE-2018-1000802 Proof-of-Concept

This is a PoC for the vulnerability in `make_archive` function exported by `shutil` builtin module.

Vulnerability is present in CPython (Python) 2.7 prior to commit add531a1e55b0a739b0f42582f1c9747e5649ace.

For the vulnerability to be exploitable in the wild there are several conditions:
1.	Code must run on Windows machine;
2.	There must be a zip utility accessible via command line e.g. Zip for Windows;
3.	Import zipfile must fail.

Please see poc.py for code examples.

File Snapshot


 [4.0K]  /data/pocs/7c0dc829faf0ad73152f48d13f485f5161e76f7b
├── [  18]  external_file.txt
├── [ 458]  poc.py
├── [ 520]  README.md
├── [4.0K]  testdir
│   └── [   4]  file.txt
└── [  51]  zipfile.py

1 directory, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!