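Related vulnerability
Title: Microsoft SQL Server Reporting Services Code Issue Vulnerability (CVE-2020-0618)
Description: Microsoft SQL Server Reporting Services (SSRS) is a server-based reporting platform from Microsoft that supports creating, deploying and managing mobile and paginated reports. A code issue vulnerability exists in Microsoft SQL Server Reporting Services, caused by the program incorrectly handling page requests. An attacker can exploit this vulnerability to execute code on the system. The following products and versions are affected: Microsoft SQL Server 2012, Microsoft SQL Server 2014 Service P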
Description
CVE-2020-0618 Honeypot
Introduction
# CVE-2020-0618 Honeypot
- Detects and logs attempts to exploit CVE-2020-0618 (SQL Server Reporting Services RCE)
- Serves content and headers like SSRS would, in order to increase the chance of being indexed by search engines (e.g. Google, Shodan)
- Based on the great work of [MDSec](https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/) and [x1sec](https://github.com/x1sec/citrix-honeypot)

## Installation
### Get the code
Make sure you have a [Go](https://golang.org/) environment ready to go.
```
git clone https://github.com/wortell/cve-2020-0618
```
### Generate certificates
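Generate a self-signed certificate:
```
# Create the private key. Use ONE of the next two commands: both write
# server.key, so running both leaves only the second (ECDSA) key.
openssl genrsa -out server.key 2048                       # RSA 2048-bit key
openssl ecparam -genkey -name secp384r1 -out server.key   # or: ECDSA P-384 key
# Issue a self-signed certificate for that key, valid for 10 years
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
```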
### Run
It's easy as:
```
go get github.com/gorilla/mux
go run honeypot.go
```
The honeypot listens on both port `80` and port `443`, so it must be run as the `root` user.

Or, to detach and run it as a background process:
```
nohup go run honeypot.go &
```
### Docker
Or run it in a Docker container instead:
```
git clone https://github.com/wortell/cve-2020-0618
cd cve-2020-0618
docker image build -t cve-2020-0618:1.0 .
docker container run --publish 80:80 --publish 443:443 --detach --name honeypot cve-2020-0618:1.0
```
PRO TIP: Mount the log directory locally, so you don't lose the files.
## Logs
Results are written to the `./log` directory. The files are:
- `cve.log` - Exploitation attempts, logged with all request data (e.g. headers, POST body)
- `allrequests.log` - All HTTP requests that are observed hitting the server
- `tls.log` - Internet scanners often send invalid data to port `443`. HTTPS errors are logged here.
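
How non-TLS scanner bytes on an HTTPS port can end up in a log, as an added example that is not the honeypot's own code: it assumes a Go `net/http` server whose `ErrorLog` is pointed at a sink standing in for `tls.log`. `ProbeTLSPort`, `lockedBuf` and the probe strings are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// lockedBuf is a goroutine-safe in-memory stand-in for the tls.log file.
type lockedBuf struct {
	mu  sync.Mutex
	buf bytes.Buffer
}

func (l *lockedBuf) Write(p []byte) (int, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.buf.Write(p)
}

// ProbeTLSPort (hypothetical helper) sends raw bytes to a throwaway HTTPS listener; returns ErrorLog output and the reply.
func ProbeTLSPort(raw string) (logged, reply string) {
	sink := &lockedBuf{}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // httptest supplies a self-signed cert
	srv.Config.ErrorLog = log.New(sink, "", log.LstdFlags)     // handshake failures are written here
	srv.StartTLS()
	defer srv.Close()
	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return "", ""
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second)) // never hang on a silent peer
	conn.Write([]byte(raw))
	body, _ := io.ReadAll(conn) // returns once the server has dropped the connection
	sink.mu.Lock()
	defer sink.mu.Unlock()
	return sink.buf.String(), string(body)
}

func main() {
	fmt.Println(ProbeTLSPort("SSH-2.0-constructed-scanner\r\n")) // constructed non-TLS probe
}
```

A probe that starts like plaintext HTTP (for example `GET /`) is answered by `net/http` with a `400 Bad Request` on the raw connection instead of being treated as ordinary handshake garbage.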
File snapshot
```
[4.0K] /data/pocs/f750066aac369454500c6353f65e37e2a8da54bc
├── [ 784] Dockerfile
├── [4.0K] docs
│   ├── [ 54K] construct-the-http-request.png
│   ├── [ 46K] cve-log.png
│   ├── [5.0K] cve.sample.log
│   ├── [303K] cyberchef-decode-payload.png
│   ├── [605K] cyberchef-investigate.png
│   ├── [214K] docker.jpg
│   ├── [ 64K] fake-ssrs.png
│   ├── [151K] generate-payload.png
│   ├── [162K] github_repo.png
│   ├── [ 42K] honeypot-listening.png
│   ├── [319K] malicious-actor-captured.png
│   ├── [395K] mdatp.png
│   ├── [ 76K] payload.png
│   ├── [ 90K] post-http-request.png
│   ├── [ 42K] reverse-shell.png
│   └── [101K] ysoserial blocked.png
├── [ 88] go.mod
├── [6.8K] honeypot.go
├── [4.0K] img
│   └── [ 50K] honeypot.png
├── [1.0K] LICENSE
├── [1.8K] README.md
└── [4.0K] static
    ├── [1.6K] index.html
    └── [4.0K] ui
        ├── [ 850] browse.png
        ├── [4.1K] commands.png
        ├── [ 601] download.png
        ├── [1.0K] favorites.png
        ├── [ 395] help.png
        ├── [2.1K] home.png
        ├── [ 763] red_chart.png
        ├── [ 968] search.png
        ├── [ 663] settings.png
        ├── [1.1K] ssrs.css
        └── [ 865] username.png
4 directories, 34 files
```