Sangfor BA - Remote Code Execution

By kannthu

Critical
Vidoc Module
#rce #sangfor
Description

What is "Sangfor BA - Remote Code Execution"?

The "Sangfor BA - Remote Code Execution" module is designed to detect a critical vulnerability in Sangfor products that allows remote unauthenticated users to execute arbitrary commands. The vulnerability is classified as critical, with a CVSS score of 10.

This module was authored by ritikchaddha.

Impact

If exploited, this vulnerability can lead to unauthorized remote code execution on Sangfor products. Attackers can execute arbitrary commands, potentially gaining full control over the affected system. This can result in severe consequences, including data breaches, unauthorized access, and system compromise.

How does the module work?

The "Sangfor BA - Remote Code Execution" module works by sending an HTTP request to the targeted Sangfor product. The request is made to the "/tool/log/c.php" path with a parameter that includes a randomly generated alphanumeric string. The module then checks the response for two matching conditions:

    - The response body must contain the MD5 hash of the randomly generated string.
    - The response status code must be 200 (OK).

If both conditions are met, the module reports a vulnerability, indicating that the Sangfor product is susceptible to remote code execution.

Example HTTP request:

GET /tool/log/c.php?strip_slashes=md5&host={%randTextAlphanumeric(10)%} HTTP/1.1
Host: [target host]

Note: The actual HTTP request may contain additional headers or parameters not shown in this example.
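
The request shape described above leaves a recognizable trace in web access logs. The following is an added example, not part of the Vidoc module or the original page, that scans combined-format access log lines for it. The log format, the sample lines and the function and field names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /tool/log/c.php?strip_slashes=md5&host=a8Kd93LmQz HTTP/1.1" 200 32 "-" "-"
198.51.100.4 - - [12/Mar/2024:10:02:10 +0000] "GET /index.php?host=example HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [12/Mar/2024:10:03:41 +0000] "GET /tool/log/%63.php?strip_slashes=MD5&host=Zx81bQ HTTP/1.1" 404 0 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "GET /tool/log/c.php HTTP/1.1" 200 410 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PROBE_PATH = "/tool/log/c.php"  # path named on this page


def find_probes(log_text):
    """Return one record per request to PROBE_PATH carrying strip_slashes."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        # Normalise percent-encoding, duplicate slashes and case before comparing.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        params = parse_qs(url.query, keep_blank_values=True)
        if path != PROBE_PATH or "strip_slashes" not in params:
            continue
        func = params["strip_slashes"][0].lower()
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": status,
            "strip_slashes": func,
            "host": params.get("host", [""])[0],
            # Same parameter value as the module's check request.
            "matches_module_probe": func == "md5",
            # Triage hint only: the module also needs the MD5 in the body,
            # which access logs do not record.
            "endpoint_answered": status == 200,
        })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Records with `endpoint_answered` set should be prioritised for review, since a 200 from this path means the endpoint exists on the device.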

It is important to address this vulnerability promptly by applying the necessary security patches or updates provided by Sangfor to mitigate the risk of remote code execution.

For more information, refer to the reference.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /tool/log/c.php?stri...
Matching conditions
word: {{md5("{{randstr}}")}} and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability