
POC details: 963da075cb3218159fa0cdc0a3fa133380582a7a

Source
Related vulnerability
Title: Checkmk code injection vulnerability (CVE-2022-46836)
Description: Checkmk is an IT infrastructure monitoring solution. Tribe29 Checkmk versions 2.1.0p10 and earlier, 2.0.0p27 and earlier, and 1.6.0p29 and earlier contain a security vulnerability. An attacker can exploit it to inject arbitrary PHP code.
Description
Authenticated Remote Code Execution by abusing a single quote injection to write to an auth.php file imported by the NagVis component in Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29
Introduction
# CVE-2022-46836 - Remote Code Execution
This exploit abuses an authenticated remote code execution CVE in Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 to create a reverse shell.

* **CVE-2022-46836** - PHP code injection in the watolib-generated auth.php and hosttags.php allows us to write arbitrary PHP code into the application. The injection is possible because settings from a user's profile are inserted into a generated PHP file as single-quoted string literals. Any single quote in the input is "filtered" by prepending a backslash, but backslashes themselves are not escaped, so supplying our own backslash before the quote (`\'`) turns the escape into `\\'`: PHP reads `\\` as a literal backslash and the following `'` terminates the string, leaving the rest of our input to be parsed as code. The injected PHP is triggered when the application, specifically the NagVis component, includes the generated file, which allows execution of arbitrary commands on the system.
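The escaping bypass can be modelled without a Checkmk install. The block below is an added example written for this page, not code from the Checkmk project or from exploit.py. It assumes the vulnerable code did nothing more than replace `'` with `\'` before dropping a user setting into a single-quoted PHP string (the behaviour described above), and it pairs that with a hardened variant that escapes backslashes first; the hardened variant and the `username` setting name are this example's own choices, not Checkmk's actual fix. A minimal lexer implementing PHP's single-quoted-string rules (`\'` and `\\` are the only escapes) shows where the string literal ends in each case.

```python
"""Model of the CVE-2022-46836 single-quote escaping bypass.

Added example for this page; not Checkmk code and not the exploit.py on this page.
Assumption: the vulnerable generator escaped only the single quote (' -> \\')
when inserting a user setting into a single-quoted PHP string literal.
The hardened_escape() below is this example's own suggestion, not Checkmk's fix.
"""

# Constructed payload: our own backslash, a quote, then PHP code, then a
# line comment to swallow the closing quote the generator appends.
PAYLOAD = "\\'; system(\"id\"); //"


def vulnerable_escape(value: str) -> str:
    # Only the single quote receives a backslash; user backslashes pass through.
    return value.replace("'", "\\'")


def hardened_escape(value: str) -> str:
    # Escape backslashes BEFORE quotes so a user-supplied backslash cannot
    # neutralise the backslash we prepend to the quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_php_setting(name: str, value: str, escape) -> str:
    # Emulates the generated PHP line, e.g. $username = '...';
    return f"${name} = '{escape(value)}';"


def php_single_quoted(src: str, start: int) -> tuple[str, int]:
    """Minimal lexer for a PHP single-quoted string with src[start] == "'".

    PHP rules: \\' yields ', \\\\ yields \\, every other backslash is literal.
    Returns (decoded string value, index just after the closing quote).
    """
    if src[start] != "'":
        raise ValueError("not at a single-quoted string")
    i = start + 1
    out = []
    while i < len(src):
        c = src[i]
        if c == "\\" and i + 1 < len(src) and src[i + 1] in "'\\":
            out.append(src[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string")


def code_after_string(php_line: str) -> str:
    """Return the PHP source that follows the setting's string literal.

    For a correctly escaped value this is just the terminating ';'.
    For the bypass it is attacker-controlled code.
    """
    start = php_line.index("'")
    _, end = php_single_quoted(php_line, start)
    return php_line[end:]


def demo() -> dict:
    vuln_line = render_php_setting("username", PAYLOAD, vulnerable_escape)
    hard_line = render_php_setting("username", PAYLOAD, hardened_escape)
    hard_value, _ = php_single_quoted(hard_line, hard_line.index("'"))
    return {
        "vulnerable_line": vuln_line,
        "vulnerable_tail": code_after_string(vuln_line),  # starts with '; system("id")'
        "hardened_line": hard_line,
        "hardened_tail": code_after_string(hard_line),  # just ';'
        "hardened_roundtrip": hard_value == PAYLOAD,  # value survives intact
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable rendering the literal ends after a single backslash and `; system("id"); //` is left for the PHP parser as code; in the hardened rendering the whole payload stays inside the literal and decodes back to the original value. Escaping correctly is the minimum; not embedding user-controlled values in generated PHP source at all (for example loading them from a data file at runtime) removes the problem class entirely.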

This exploit can be chained with other vulnerabilities in the system for unauthenticated remote code execution instead. Perhaps this version will be released at a later date. The exploit chain is described in the following article: https://www.sonarsource.com/blog/checkmk-rce-chain-1/

DISCLAIMER: This script is made to audit the security of systems. Only use this script on your own systems or on systems you have written permission to exploit.

File snapshot

[4.0K] /data/pocs/963da075cb3218159fa0cdc0a3fa133380582a7a
├── [7.7K] exploit.py
├── [1.0K] LICENSE
└── [1.3K] README.md

0 directories, 3 files