奇安信攻防社区-亿邮电子邮件系统远程命令执行漏洞分析与复现

亿邮电子邮件系统远程命令执行漏洞分析与复现

漏洞分析
----

首先 代码全局搜索`moni_detail`  
找到了一个`em_controller_action_app_mailadmin_moni_detail.class.php` 的文件。然后再进去搜索`gragh`  
[![](https://shs3.b.qianxin.com/attack_forum/2021/04/attach-a30be9e8a8fe92f110327d28e18b880944c62ee4.png)](https://shs3.b.qianxin.com/attack_forum/2021/04/attach-a30be9e8a8fe92f110327d28e18b880944c62ee4.png)  
根据这个函数

```php
    /**         
     * 生成图像 
     *          
     * @return void
     */
    protected function _get_graph()
    {   
        $cluster = $this->__request->get_request('cluster', '');
        $hostname = $this->__request->get_request('hostname', 'elephant110');
        $type = $this->__request->get_request('type', 'cpu_report');

$date_type = $this->__request->get_request('date_type', 'hour');
        $date_value = $this->__request->get_request('date_value', '1');
        $columns = $this->__request->get_request('columns', 2);
        $size = $this->__request->get_request('size', 'small');

require_once PATH_EYOUM_LIB . 'em_monitor.class.php';
        $graph = new em_monitor;

$condition = em_condition::factory('monitor', 'report:get_report');
        $condition->set_clustername($cluster);
        $condition->set_hostname($hostname);

// 默认图形
        switch ($type) {
            case 'cpu_report':
            case 'mem_report':
            case 'network_report':
            case 'packet_report':
            case 'load_report':
                $condition->set_graph($type);
                break;

// metric 图形
            default:
                $condition->set_graph('metric');
                $condition->set_metricname($type);
                break;
        }

$size_array = $this->_get_recover_size($type);
        $graph->set_graph_size($size_array);

$condition->set_size($size);
        $start = em_monitor::get_start_timestamp($date_value . ' ' . $date_type);
        $condition->set_start($start);
        $condition->set_end('now');

$graph->set_graph($condition);
        $graph->set_debug(true);
        $graph->draw();
    }
```

最终执行到了draw这个函数。跟进draw函数

```php
/**
     * 画出 rrdtool 图形 
     * 
     * @return void
     * @throws em_monitor_exception
     */
    public function draw()
    {
        $command = implode(' ', $this->__graph);

/*Make sure the image is not cached*/
        header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");   // Date in the past
        header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified
        header ("Cache-Control: no-cache, must-revalidate");   // HTTP/1.1
        header ("Pragma: no-cache");                     // HTTP/1.0

if ($this->__debug) {
            $fp = fopen('/tmp/monitor.log', 'w');
            fwrite($fp, $command . "\n");
            fclose($fp);
        }

header ("Content-type: image/gif");
        passthru($command);
    }
```

这里通过了passthru 接受参数来生成的。然后导致了一个命令执行的问题

0x02 漏洞复现
---------

[![](https://shs3.b.qianxin.com/attack_forum/2021/04/attach-9d8b0f7a5a8a7371f990b8f99c02d4768b1c06f6.png)](https://shs3.b.qianxin.com/attack_forum/2021/04/attach-9d8b0f7a5a8a7371f990b8f99c02d4768b1c06f6.png)

0x03 文章来源
---------

文章转载于`print('')`博客，原文链接为：<https://www.o2oxy.cn/3404.html>

发表于 2021-04-11 18:23:30
阅读 ( 7020 )
分类：漏洞分析

亿邮电子邮件系统远程命令执行漏洞分析与复现

0 条评论