Share
## https://sploitus.com/exploit?id=CE317723-385F-5DAE-AE1C-B524AAA4233E
# CVE-2021-22911

### ์š”์•ฝ

- Rocker.chat์€ ์˜คํ”ˆ์†Œ์Šค ํŒ€ ์ฑ„ํŒ… ํ”Œ๋žซํผ์ด๋‹ค.
- Rocket Chat 3.12.1~3.13.2์—์„œ๋Š” ํ•ด๋‹น getPasswordPolicy ๋ฐฉ์‹์ด NoSQL Injection ๊ณต๊ฒฉ์— ์ทจ์•ฝํ•˜๋ฉฐ ์ธ์ฆ/๊ถŒํ•œ ๋ถ€์—ฌ๊ฐ€ ํ•„์š”ํ•˜์ง€ ์•Š์Œ
- ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์œ ์ถœํ•˜์—ฌ ์ผ๋ฐ˜ ์‚ฌ์šฉ์ž ๊ณ„์ •์„ ํƒˆ์ทจํ•˜๋Š” ๋ฐ ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ์Œ

### ํ™˜๊ฒฝ ๊ตฌ์„ฑ ๋ฐ ์‹คํ–‰

- wget https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
- `docker compose up -d`

### ์ทจ์•ฝ์  ์žฌํ˜„ ๋‹จ๊ณ„

1. ๋กœ๊ทธ์ธ ํŽ˜์ด์ง€์—์„œ ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ์žฌ์„ค์ •ํ•˜๋ฉด ์„œ๋ฒ„๊ฐ€ ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค์— ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์ƒ์„ฑํ•จ
2. NoSQL Injection์„ ์‚ฌ์šฉํ•˜์—ฌ ์ด ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ๋…ธ์ถœ์‹œํ‚ฌ ์ˆ˜ ์žˆ์Œ
3. ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์‚ฌ์šฉํ•˜์—ฌ ์‚ฌ์šฉ์ž ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Œ

### ์ต์Šคํ”Œ๋กœ์ž‡ ์ง„ํ–‰
![1](https://github.com/vlrhsgody/vulhub/assets/106510018/4c3d1725-1651-4404-9cfb-71f0954cd4cd)


- ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ •์‹œ ์„œ๋ฒ„๊ฐ€ ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค์— ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์ƒ์„ฑ

    
![2](https://github.com/vlrhsgody/vulhub/assets/106510018/0b8f238e-1f56-4a35-a3c0-61cc9f3e131e)
    
- [CVE-2021-22911.py](http://CVE-2021-22911.py)๋ฅผ ํ†ตํ•ด ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์ถ”์ถœํ•จ
    
    
    
- ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์ด์šฉํ•ด ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์„ค์ • ํ† ํฐ์„ ์ถ”์ถœํ•  ์ˆ˜ ์žˆ๊ณ  ์ด๋ฅผ ํ†ตํ•ด NoSQL Injection ๊ฐ€๋Šฅํ•จ