POC详情: d13765f99d95fc0ce3137ecb491d1b7b0eebfe30

来源
https://github.com/LongWayHomie/CVE-2021-43857
关联漏洞
标题: Gerapy 操作系统命令注入漏洞 (CVE-2021-43857)
描述:Gerapy是一款基于Scrapy、Scrapyd、Django和Vue.js的分布式爬虫管理框架。 Gerapy 0.9.8之前版本存在操作系统命令注入漏洞,该漏洞源于软件对于系统命令缺少有效的过滤和转义,导致容易受到远程代码执行的影响。
描述
Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.
介绍
# CVE-2021-43857
Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.
CVE-2021-43857 is a vulnerability marked as Critical priority (CVSS 9.8) leading to remote code execution.</br>
This vulnerability works on all versions prior to 0.9.8.</br>
Tested only on 0.9.6. Needs correct credentials. </br>
Exploit works by logging in to application, then getting the list of created projects (it will fail if there's none), then use the project setting to run the vulnerable _spider_ mechanism by sending reverse shell payload.</br>
</br>

Usage example:
`python3 cve-2021-43857.py -t 172.17.0.2 -p 8000 -L 172.17.0.1 -P 4444`

![Screen](img.PNG)
文件快照

 [4.0K]  /data/pocs/d13765f99d95fc0ce3137ecb491d1b7b0eebfe30
├── [4.1K]  cve-2021-43857.py
├── [127K]  img.PNG
├── [1.2K]  LICENSE
└── [ 699]  README.md

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。