
CVE-2021-43609 PoC — Spiceworks security vulnerability

Source
Associated Vulnerability
Title: Spiceworks security vulnerability (CVE-2021-43609)
Description: Spiceworks is IT management software from the Spiceworks community. It focuses on simplifying inventory, network monitoring and report generation for IT professionals at small and medium-sized businesses. Spiceworks Help Desk Server versions before 1.3.3 contain a security vulnerability: the order_by_for_ticket function is vulnerable to SQL injection. An attacker can exploit it to leak local files and achieve remote code execution (RCE).
Description
Proof of Concept Exploit for CVE-2021-43609
Readme
# Spiceworks Sort SQLi

There's a SQLi in a `sort` parameter of Spiceworks. The full exploit chain is SQLi -> file read -> RCE.

## Demo
[![asciicast](https://asciinema.org/a/yOhUguVcK0brlITWq8t9DLL7J.svg)](https://asciinema.org/a/yOhUguVcK0brlITWq8t9DLL7J?t=5:30)

## Prerequisites
```bash
apt update && apt install -y ruby-dev nodejs python3 python3-pip libsqlite3-dev
pip3 install requests
gem install bundler && cd rce && bundle install
```

## Stage 1
Use `poc.py` to exploit the SQLi -> file read and extract the `secret_key_base` environment variable. It then generates a PoC Ruby script, filled in with the values obtained by `poc.py`, to gain a reverse shell.

### Usage
```
usage: poc.py [-h] --rhost RHOST --lhost LHOST --lport LPORT -u USER -p PASSWORD [-e ENV_PATH]

There's a SQLi in a `sort` parameter of Spiceworks. The exploit chain is SQLi -> file read -> RCE.

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         https://example.com
  --lhost LHOST         10.10.10.10
  --lport LPORT         9001
  -u USER, --user USER  test@test.com
  -p PASSWORD, --password PASSWORD
                        P@$$w0rd!
  -e ENV_PATH, --env_path ENV_PATH
                        Path to environment variables
```

## Stage 2
Use `rce.rb`. Spin up a nc listener on the IP & port you provided in Stage 1, then simply:

```bash
cd rce && ruby rce.rb
```

Voila!

# Credits
- [@aidanstansfield](https://github.com/aidanstansfield)
File Snapshot

```
[4.0K] /data/pocs/8658e09c1c29046c262e12978453c13668fb9ae5
├── [3.8K] poc.py
├── [4.0K] rce
│   ├── [4.0K] app
│   │   ├── [4.0K] assets
│   │   │   ├── [4.0K] config
│   │   │   │   └── [ 101] manifest.js
│   │   │   ├── [4.0K] images
│   │   │   ├── [4.0K] javascripts
│   │   │   │   ├── [ 721] application.js
│   │   │   │   ├── [ 360] cable.js
│   │   │   │   └── [4.0K] channels
│   │   │   └── [4.0K] stylesheets
│   │   │       └── [ 709] application.css
│   │   ├── [4.0K] channels
│   │   │   └── [4.0K] application_cable
│   │   │       ├── [  79] channel.rb
│   │   │       └── [  85] connection.rb
│   │   ├── [4.0K] controllers
│   │   │   ├── [  57] application_controller.rb
│   │   │   └── [4.0K] concerns
│   │   ├── [4.0K] helpers
│   │   │   └── [  29] application_helper.rb
│   │   ├── [4.0K] jobs
│   │   │   └── [  43] application_job.rb
│   │   ├── [4.0K] mailers
│   │   │   └── [ 102] application_mailer.rb
│   │   ├── [4.0K] models
│   │   │   ├── [  78] application_record.rb
│   │   │   └── [4.0K] concerns
│   │   └── [4.0K] views
│   │       └── [4.0K] layouts
│   │           ├── [ 341] application.html.erb
│   │           ├── [ 229] mailer.html.erb
│   │           └── [  13] mailer.text.erb
│   ├── [4.0K] bin
│   │   ├── [ 125] bundle
│   │   ├── [ 264] rails
│   │   ├── [ 213] rake
│   │   ├── [ 957] setup
│   │   ├── [ 507] spring
│   │   ├── [ 819] update
│   │   └── [ 303] yarn
│   ├── [4.0K] config
│   │   ├── [ 654] application.rb
│   │   ├── [ 207] boot.rb
│   │   ├── [ 185] cable.yml
│   │   ├── [ 464] credentials.yml.enc
│   │   ├── [ 594] database.yml
│   │   ├── [ 128] environment.rb
│   │   ├── [4.0K] environments
│   │   │   ├── [2.1K] development.rb
│   │   │   ├── [3.8K] production.rb
│   │   │   └── [1.8K] test.rb
│   │   ├── [4.0K] initializers
│   │   │   ├── [ 216] application_controller_renderer.rb
│   │   │   ├── [ 630] assets.rb
│   │   │   ├── [ 404] backtrace_silencers.rb
│   │   │   ├── [1.1K] content_security_policy.rb
│   │   │   ├── [ 244] cookies_serializer.rb
│   │   │   ├── [ 194] filter_parameter_logging.rb
│   │   │   ├── [ 647] inflections.rb
│   │   │   ├── [ 156] mime_types.rb
│   │   │   └── [ 485] wrap_parameters.rb
│   │   ├── [4.0K] locales
│   │   │   └── [ 848] en.yml
│   │   ├── [1.5K] puma.rb
│   │   ├── [ 139] routes.rb
│   │   ├── [ 111] spring.rb
│   │   └── [1.1K] storage.yml
│   ├── [ 130] config.ru
│   ├── [4.0K] db
│   │   └── [ 370] seeds.rb
│   ├── [2.1K] Gemfile
│   ├── [5.1K] Gemfile.lock
│   ├── [4.0K] lib
│   │   ├── [4.0K] assets
│   │   └── [4.0K] tasks
│   ├── [4.0K] log
│   ├── [  61] package.json
│   ├── [4.0K] public
│   │   ├── [1.7K] 404.html
│   │   ├── [1.7K] 422.html
│   │   ├── [1.6K] 500.html
│   │   ├── [   0] apple-touch-icon.png
│   │   ├── [   0] apple-touch-icon-precomposed.png
│   │   ├── [   0] favicon.ico
│   │   └── [  98] robots.txt
│   ├── [ 227] Rakefile
│   ├── [ 374] README.md
│   ├── [4.0K] storage
│   ├── [4.0K] test
│   │   ├── [ 157] application_system_test_case.rb
│   │   ├── [4.0K] controllers
│   │   ├── [4.0K] fixtures
│   │   │   └── [4.0K] files
│   │   ├── [4.0K] helpers
│   │   ├── [4.0K] integration
│   │   ├── [4.0K] mailers
│   │   ├── [4.0K] models
│   │   ├── [4.0K] system
│   │   └── [ 290] test_helper.rb
│   ├── [4.0K] tmp
│   └── [4.0K] vendor
├── [1.4K] README.md
└── [ 12K] writeup.md

42 directories, 63 files
```