CVE-2019-7609 Kibana Prototype Pollution lead to Remote Code Execution
正文
Prototype Pollution in Kibana (CVE-2019-7609)
Presentation did for OWASP Poland Day, 14th October 2019
https://slides.com/securitymb/prototype-pollution-in-kibana/#/1
[漏洞预警] kibana < 6.6.0 代码执行漏洞
https://mp.weixin.qq.com/s/R4rzYDp9-q2NYAOvPK951A
Prototype pollution attack
https://github.com/HoLyVieR/prototype-pollution-nsec18
Olivier Arteau — Prototype pollution attacks in NodeJS applications
https://www.youtube.com/watch?v=LUsiFV3dsK8
说明
从漏洞利用/漏洞扫描器角度看,这个漏洞比较鸡肋,因为在输入 payload 点击按钮后,用户还要额外点击 canvas 才能触发远程命令执行。
不过这个 payload 的构造过程有很多值得学习的地方。
Leave a Reply