PoC details: 91bc2942fa1c46ef12eb187725e9a789573f4401

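Source
Related vulnerability
Title: Splunk security vulnerability (CVE-2024-36991)
Description: Splunk is a data collection and analysis software suite from the US company Splunk. It is mainly used to collect, index and analyze generated data, including data produced by all IT systems and infrastructure (physical, virtual machine and cloud). Splunk contains a security vulnerability. An attacker can exploit it to access files and directories stored outside the web root folder.
Description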
Critical Splunk Vulnerability CVE-2024-36991: Patch Now to Prevent Arbitrary File Reads
Introduction
# Splunk Path Traversal Exploit (CVE-2024-36991)

<img width="1671" alt="Screenshot 2025-03-30 at 8 18 32 PM" src="https://github.com/user-attachments/assets/d4707d40-08b4-482e-891e-4cd3ad424a23" />


## Description
This is a Proof-of-Concept (PoC) exploit script for **CVE-2024-36991**, a path traversal vulnerability affecting **Splunk Enterprise** on Windows in versions below:
- **9.2.2**
- **9.1.5**
- **9.0.10**

The vulnerability allows unauthenticated attackers to access sensitive files on the server by exploiting a path traversal flaw in the Splunk web interface.

**Severity:** Critical  
**Impact:** Arbitrary File Read

---

## ⚠️ Vulnerable Versions
- Splunk Enterprise < 9.2.2
- Splunk Enterprise < 9.1.5
- Splunk Enterprise < 9.0.10

---

## 💡 Usage
To run the exploit, use the following commands:
<img width="1670" alt="Screenshot 2025-03-30 at 8 17 55 PM" src="https://github.com/user-attachments/assets/0a4007ea-45d7-463c-9ef5-0f8b8a322392" />

```bash
# Using Python3
python3 exploit.py -u http://victim.com -s 1

# Running directly
./exploit.py -u http://victim.com -s 1
```

### Parameters:
- `-u`, `--url`: The base URL of the target Splunk server.
- `-s`, `--section`: Select the section to enumerate (1-5):

### Sections:
1. **Credentials & Secrets:**
    - `/etc/passwd`
    - `/etc/auth/splunk.secret`
    - `/etc/auth/server.pem`
    - `/var/run/splunk/session`
    - `/etc/system/local/authentication.conf`

2. **Configuration Files:**
    - `/etc/system/local/web.conf`
    - `/etc/system/local/inputs.conf`

3. **Logs & History:**
    - `/var/log/splunk/splunkd.log`
    - `/var/log/splunk/audit.log`
    - `/var/log/splunk/metrics.log`
    - `/var/log/splunk/searches.log`
    - `/var/run/splunk/dispatch`

4. **System & Service Files:**
    - `/bin/splunk.exe`
    - `/bin/splunkd.exe`
    - `/etc/system/default/server.conf`
    - `/etc/system/default/user-seed.conf`
    - `/var/lib/splunk/persistentstorage.db`

5. **Apps & Custom Scripts:**
    - `/etc/apps/Splunk_TA_windows/bin`
    - `/etc/apps/Splunk_TA_nix/bin`
    - `/etc/apps/SplunkForwarder/local`
    - `/etc/apps/Splunk_SA_CIM/local`

---

## 🛡️ Mitigation
To protect your Splunk server:
- Upgrade to **Splunk Enterprise 9.2.2, 9.1.5, or 9.0.10** or later.
- Apply proper access controls and firewall rules.
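
To check whether the files listed under Sections were already requested through a traversal, access logs in front of the Splunk web interface can be scanned after patching. The script below is an added example, not part of this repository's code; the access-log line shape, the `/PLACEHOLDER/` URL prefix, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Subset of the files this README lists under "Sections" (lower-cased).
SENSITIVE = (
    "etc/passwd", "etc/auth/splunk.secret", "etc/auth/server.pem",
    "etc/system/local/authentication.conf", "etc/system/local/web.conf",
    "etc/system/local/inputs.conf", "etc/system/default/user-seed.conf",
    "var/log/splunk/audit.log", "var/lib/splunk/persistentstorage.db",
)
# Assumed log shape: client IP first, quoted request line, then status code.
LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r"\.\./")  # applied after slashes are unified

def normalize(path):
    """Percent-decode up to three times (double encoding), unify slashes."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def scan(lines):
    """Return (ip, status, matched_file) for every request with a traversal."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = normalize(m["path"])
        if not TRAVERSAL.search(path):
            continue
        target = next((f for f in SENSITIVE if f in path), None)
        hits.append((m["ip"], int(m["status"]), target))
    return hits

# Constructed sample lines; "/PLACEHOLDER/" stands in for the real URL prefix.
SAMPLE = [
    '203.0.113.7 - - [30/Mar/2025:20:17:55 +0000] "GET /PLACEHOLDER/../../etc/auth/splunk.secret HTTP/1.1" 200 254',
    '203.0.113.7 - - [30/Mar/2025:20:17:56 +0000] "GET /PLACEHOLDER/%2e%2e%5c%2e%2e%5cetc%5cpasswd HTTP/1.1" 404 0',
    '198.51.100.4 - - [30/Mar/2025:20:18:01 +0000] "GET /en-US/account/login HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE):
        print(f"{ip} status={status} target={target or 'unknown'}")
```

A hit with status 200 on a credential file such as `splunk.secret` or `server.pem` means that secret should be treated as exposed and rotated, in addition to upgrading.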

---

## ⚠️ Disclaimer
This exploit is for educational and authorized penetration testing purposes only. Unauthorized use is illegal and unethical. The author takes no responsibility for misuse.

File snapshot

```
[4.0K] /data/pocs/91bc2942fa1c46ef12eb187725e9a789573f4401
├── [5.5K] exploit.py
└── [2.5K] README.md

0 directories, 2 files
```