免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
简介
IoT 控制器 OVA 中包含一个升级帐户,该帐户通过安全复制 (SCP) 为供应商提供未记录的访问权限。
POC
With the VMDK file mounted at the current working directory: $ find . -name authorized_keys ./VRIOT/ap-images/authorized_keys ./VRIOT/ops/ap-images/authorized_keys $ cat VRIOT/ap-images/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q== email protected $ cat VRIOT/ops/ap-images/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q== email protected $ grep "ap-images" etc/passwd vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh $ tail -8 etc/ssh/sshd_config Match User vriotiotupgrade PasswordAuthentication no AuthorizedKeysFile /VRIOT/ap-images/authorized_keys Match User vriotha PasswordAuthentication yes $ grep -v ^# etc/rssh.conf logfacility = LOG_USER allowscp umask = 022
PWNWIK.COM==免费、自由、人人可编辑的漏洞库