免责声明
0x01 概述
今天发现群里有个人发了个"0"Day,结果发现是三年前的洞了,闲来无事对这个源码简单看了下,整个系统没有框架结果源码也挺简单的,除了公开的任意文件读取,前几天自己审出来几个rce漏洞.....
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/9-1710916825.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
0x02 正文
if (isset($_POST["action"])) {switch ($_POST["action"]) {case "get":if(isset($_POST["resource"])){switch ($_POST["resource"]) {case ".rtp.hflip":if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {$result = "false";break;}$result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";break;case ".rtp.vflip":if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {$result = "false";break;}$result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";break;default:$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));}}break;case "set":if(isset($_POST["resource"]) and isset($_POST["value"])) {switch ($_POST["resource"]) {case "rtp.hflip":file_put_contents("/FLIR/system/journal.d/horizontal_flip.cfg", $_POST["value"] === "true" ? "1" : "0");break;case "rtp.vflip":file_put_contents("/FLIR/system/journal.d/vertical_flip.cfg", $_POST["value"] === "true" ? "1" : "0");break;default:$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset ".$_POST["resource"]." ".$_POST["value"]));;}}break;case "measurement":if (isset($_POST["type"]) && isset($_POST["id"])) {$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.".$_POST["type"].".".$_POST["id"]));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$value = trim($resource[1], """);$result[$resource[0]] = $value;}}break;case "global-parameters":$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams"));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$result[$resource[0]] = $resource[1];}case "alarm":if(isset($_POST["id"])){$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.".$_POST["id"]));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$value = trim($resource[1], """);$result[$resource[0]] = $value;}}break;case "calibrate":$result = shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc");break;case "node":$nodes = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls ".$_POST["resource"]));$result = preg_split("/s+n/", $nodes);break;}echo json_encode($result);}
没有任何权限校验奥(6666666)直接就是判断post传参action,然后进入switch判断,我们直接构造shellexec执行命令的数据,这里由于有很多我就举例几个
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/7-1710916826.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/8-1710916827.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/2-1710916829.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
if(isset($_POST["palette"])){shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);echo json_encode(array("success"));}
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/9-1710916829.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
![[0Day]-FLIR-FLIR-AX8系统代码审计](http://cn-sec.com/wp-content/uploads/2024/03/7-1710916831.png "[0Day]-FLIR-FLIR-AX8系统代码审计")
OK收工下课,总之洞很多。。。。。大家也可以多去审一些其他的洞
原文始发于微信公众号(XK Team):[0Day]-FLIR-FLIR-AX8系统代码审计
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论