CVE-2022-29464 PoC — WSO2 API Manager Path Traversal Vulnerability

Source
Associated Vulnerability
Title: WSO2 API Manager Path Traversal Vulnerability (CVE-2022-29464)
Description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.
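
A defender-side check for the request shape this description names, added here as an example (it is not part of the PoC repository or of WSO2's code): it parses a captured multipart upload and flags `Content-Disposition` filenames that are absolute or contain `..` segments. The function names, the boundary and the sample bodies are constructed for illustration; only the `/fileupload` prefix and the traversal path come from the description above.

```python
import email
from urllib.parse import unquote

UPLOAD_PREFIX = "/fileupload"  # endpoint prefix named in the CVE description


def upload_filenames(content_type: str, body: bytes) -> list[str]:
    """Return every filename= value in a multipart/form-data request body."""
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def has_traversal(filename: str) -> bool:
    """True if a client-supplied name is absolute or contains a '..' segment."""
    # Undo up to two layers of percent-encoding and normalise separators
    name = unquote(unquote(filename)).replace("\\", "/")
    return name.startswith("/") or ".." in name.split("/")


def inspect_request(path: str, content_type: str, body: bytes) -> list[str]:
    """Return the suspicious upload filenames found in one captured request."""
    if not path.startswith(UPLOAD_PREFIX):
        return []
    return [f for f in upload_filenames(content_type, body) if has_traversal(f)]


def sample_body(filename: str, boundary: str = "sampleboundary") -> bytes:
    """Constructed multipart body with inert text content, for testing only."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "constructed sample content\r\n"
        f"--{boundary}--\r\n"
    ).encode()


CT = "multipart/form-data; boundary=sampleboundary"  # constructed
TRAVERSAL = "../../../../repository/deployment/server/webapps/placeholder.txt"

if __name__ == "__main__":
    for name in (TRAVERSAL, "report.txt"):
        print(name, "->", inspect_request("/fileupload", CT, sample_body(name)))
```

The same `has_traversal` test belongs in the upload handler itself, where a flagged name should be rejected rather than joined to the destination directory.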
Description
Mass Exploit for CVE 2022-29464 on Carbon
Readme
## Meow Meow Meow!

Just a mass exploit based on a Python PoC for the WSO2 Carbon Server pre-auth RCE bug [CVE-2022-29464](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29464).

## Meow Meow Meow? Requirements?

- Python3
- Shodan
- Zoomeye
- A Brain

## What is this tool?

This is a mass auto-scan exploit for [CVE-2022-29464](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29464), based on a PoC written in Python by a third party.
The Python file is available and readable; see also the bash script, which does not contain any encoded strings.
Massexploit will upload a shell and a reverse shell and print out the path to access them. Easy, quick and cool.
I know the code could probably be written better and save some lines, but I did it when I was drunk and just to do something.

So? Just run:

```bash
./mass_exploit.sh
```
This command can set up your Shodan and ZoomEye tools, API included (to skip the setup of the tools or the API, just press Enter).
It then starts searching for vulnerable hosts based on the dorks (examples are provided in the file examples_dorks.txt).
The mass_exploit.sh output is printed to the shell screen.

![PoC](https://github.com/electr0lulz/Mass-exploit-CVE-2022-29464/blob/12c649eddaed6033a1aec05d27fc93408900a128/poc.png)

If you prefer, manual mode is always available through the command below:


```bash
python3 exploit.py -u host:port
```
or easily:

```bash
python3 exploit.py -f <file>
```
## Search tools:
## Shodan
Get your account and an API Key here: https://account.shodan.io/
```bash
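# Install setuptools and pip for Python 3 from the Ubuntu repositories
sudo apt-get install python3-setuptools -y
sudo apt-get install python3-pip -y
# pip installs both the shodan library and the shodan CLI
pip3 install shodan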
```
## Zoomeye
Get an account and your API Key here: https://www.zoomeye.org/
```bash
pip3 install git+https://github.com/knownsec/ZoomEye-python.git
```
## Enjoy it
This tool has been provided just for academic purposes. I am not responsible for any illegal action made with this code.

Electrolulz - https://github.com/electr0lulz - electrolulz@protonmail.com

Tested on an Ubuntu-based OS.
File Snapshot

[4.0K] /data/pocs/cd3545559c04866980b5b04c5951a71bab3b1eac
├── [ 185] dorks_example.txt
├── [4.5K] exploit.py
├── [ 34K] LICENSE
├── [4.2K] mass_exploit.sh
├── [206K] poc.png
├── [2.3K] README.md
└── [3.5K] results_shodan_example.txt

0 directories, 7 files