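PoC details: 7dd950747f09675e110e36750e4980554c49c381

Source
Related vulnerability
Title: OpenSSH OS Command Injection Vulnerability (CVE-2020-15778)
Description: OpenSSH (OpenBSD Secure Shell) is a suite of connection tools for secure access to remote computers, from the OpenBSD project in Canada. It is an open-source implementation of the SSH protocol that encrypts all traffic, effectively preventing eavesdropping, connection hijacking and other network-level attacks. The scp.c file of scp in OpenSSH 8.3p1 and earlier contains an OS command injection vulnerability. The vulnerability arises because, when an executable OS command is constructed from external input, the network system or product does not properly filter special characters, commands and similar elements. An attacker can exploit this vulnerability to execute unauthorized OS commands.
Description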
This script is a safe and simple tool that helps system users, students, and administrators check if their SCP (Secure Copy) client is vulnerable to CVE-2020-15778, a command injection vulnerability in OpenSSH SCP (versions ≤ 8.3p1).
Introduction
### CVE-2020-15778 – OpenSSH SCP Command Injection Vulnerability (Detection Script)

## About

**CVE-2020-15778** is a command injection vulnerability discovered in the `scp` utility provided by OpenSSH (versions ≤ 8.3p1). The issue allows an attacker to execute arbitrary commands on the client system if a crafted destination argument (containing backticks) is passed to `scp`.

This repository includes a **safe detection and simulation script** written in Bash. The script helps users and system administrators:

- Identify whether their system's `scp` version is vulnerable
- Understand how the vulnerability works
- Test and detect risky command inputs (e.g., arguments containing backticks)
- Learn how to mitigate and avoid this vulnerability

## What is CVE-2020-15778?

In OpenSSH `scp`, versions up to 8.3p1 do not properly sanitize destination arguments before passing them to the shell. This allows an attacker to use shell metacharacters like backticks (`` ` ``) to inject arbitrary commands.

### Example of a Malicious Command

```
scp file.txt user@host:`touch /tmp/pwned`/file.txt
```

In a vulnerable SCP version, this will execute `touch /tmp/pwned` on the client’s machine when the command runs.

## Affected Versions

| SCP Version | Status         |
|-------------|----------------|
| ≤ 8.3p1     | Vulnerable     |
| ≥ 8.4p1     | Not Vulnerable |

---

## Script Features

This Bash script performs the following actions:

- Detects the current SCP version installed on the system
- Compares it against version 8.3p1 to determine if it is vulnerable
- Prompts the user to input a sample SCP destination string
- Analyzes the input for unsafe patterns (such as backticks)
- Displays warnings and provides guidance on mitigation
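
The version comparison and input analysis listed above can be sketched as follows; this is an added example, not the repository's `scp_cve_check.sh`. The function names are hypothetical, the banners are constructed samples, and the operand check goes beyond backticks to other shell metacharacters. It assumes `scp` ships with the `ssh` binary whose version banner is inspected.

```sh
#!/bin/sh
# Added example, not the repository's scp_cve_check.sh. POSIX sh, also runs under bash.
# Assumption: scp comes from the same OpenSSH package as ssh, so the banner that
# `ssh -V` prints on stderr is treated as the scp version.

# Print "major minor patch" parsed from an OpenSSH banner; fail if none is found.
parse_openssh_version() (
    token=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.p]*\).*/\1/p')
    [ -n "$token" ] || exit 1
    IFS=.p
    set -- $token                      # "8.2p1" -> 8 2 1
    [ $# -ge 2 ] && [ -n "$2" ] || exit 1
    echo "$1 $2 ${3:-0}"
)

# Classify a banner against the page's table: <= 8.3p1 vulnerable, >= 8.4p1 not.
scp_version_status() {
    set -- $(parse_openssh_version "$1")
    if [ $# -ne 3 ]; then echo unknown
    elif [ "$1" -lt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -lt 3 ]; } ||
         { [ "$1" -eq 8 ] && [ "$2" -eq 3 ] && [ "$3" -le 1 ]; }; then echo vulnerable
    else echo not-vulnerable
    fi
}

# Print "risky" if the path part of an scp operand (text after the first ':')
# contains shell metacharacters, "ok" otherwise. Operands without ':' are local.
scp_operand_status() {
    case $1 in
        *:*) _path=${1#*:} ;;
        *)   echo ok; return 0 ;;
    esac
    case $_path in
        *'`'*|*'$('*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*) echo risky ;;
        *) echo ok ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
for banner in 'OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020' \
              'OpenSSH_8.4p1, OpenSSL 1.1.1k  25 Mar 2021' 'no banner'; do
    printf '%-14s %s\n' "$(scp_version_status "$banner")" "$banner"
done
for dest in 'user@host:/srv/backup/file.txt' 'user@host:`touch /tmp/pwned`/file.txt'; do
    printf '%-14s %s\n' "$(scp_operand_status "$dest")" "$dest"
done
```

To check a live system, pass the real banner: `scp_version_status "$(ssh -V 2>&1)"`. A version banner is only a heuristic, since distribution packages can carry backported patches without changing the upstream version string.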

---

## How to Use

### Step 1: Clone or Download the Script

```
git clone https://github.com/drackyjr/CVE-2020-15778-SCP-Command-Injection-Check.git
cd CVE-2020-15778-SCP-Command-Injection-Check
```

### Step 2: Make the Script Executable

```
chmod +x scp_cve_check.sh
```

### Step 3: Run the Script

```
./scp_cve_check.sh
```

## References

- [CVE Record: CVE-2020-15778](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778)
- [OpenSSH Release Notes](https://www.openssh.com/releasenotes.html)
- [Red Hat](https://access.redhat.com/security/cve/CVE-2020-15778)

File snapshot

```
[4.0K] /data/pocs/7dd950747f09675e110e36750e4980554c49c381
├── [ 11K] LICENSE
├── [2.3K] README.md
└── [2.3K] scp_cve_check.sh

0 directories, 3 files
```