admin/GobyVuls
1
0
Fork 0
mirror of https://github.com/gobysec/GobyVuls.git synced 2025-06-20 09:50:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create Tianqing_terminal_security_management_system_YII_CSRF_TOKEN_remote_code_execution_vulnerability.md

Browse Source 
add Tianqing terminal security management system YII_CSRF_TOKEN remote code execution vulnerability
This commit is contained in:
Goby 2023-07-14 11:13:30 +08:00 committed by GitHub
parent eb31288fc5
commit de0050396d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Tianqing_terminal_security_management_system_YII_CSRF_TOKEN_remote_code_execution_vulnerability.md Normal file
View File

@ -0,0 +1,12 @@
## Tianqing terminal security management system YII_CSRF_TOKEN remote code execution vulnerability
| **Vulnerability** | **Tianqing terminal security management system YII_CSRF_TOKEN remote code execution vulnerability** |
| :----: | :-----|
| **Chinese name** | 天擎终端安全管理系统 YII_CSRF_TOKEN 远程代码执行漏洞 |
| **CVSS core** | 9.8 |
| **FOFA Query** (click to view the results directly)| [title="360新天擎" \|\| body="appid\":\"skylar6" \|\| body="/task/index/detail?id={item.id}" \|\| body="已过期或者未授权购买请联系4008-136-360" \|\| title="360天擎" \|\| title="360天擎终端安全管理系统"](https://en.fofa.info/result?qbase64=dGl0bGU9IjM2MOaWsOWkqeaTjiIgfHwgYm9keT0iYXBwaWRcIjpcInNreWxhcjYiIHx8IGJvZHk9Ii90YXNrL2luZGV4L2RldGFpbD9pZD17aXRlbS5pZH0iIHx8IGJvZHk9IuW3sui%2Fh%2Bacn%2BaIluiAheacquaOiOadg%2B%2B8jOi0reS5sOivt%2BiBlOezuzQwMDgtMTM2LTM2MCIgfHwgdGl0bGU9IjM2MOWkqeaTjiIgfHwgdGl0bGU9IjM2MOWkqeaTjue7iOerr%2BWuieWFqOeuoeeQhuezu%2Be7nyI%3D) |
| **Number of assets affected** | 875 |
| **Description** | Qi Anxin Tianqing is a terminal security management system (referred to as "Tianqing") product of Qi Anxin Group dedicated to integrated terminal security solutions.The web part of Qi'an Xintianqing terminal security management system uses the yii framework. This version of the framework has its own deserialization entry point, and the attacker can execute arbitrary code to obtain server permissions. |
| **Impact** | The web part of Qi'an Xintianqing terminal security management system uses the yii framework. This version of the framework has its own deserialization entry point, and the attacker can execute arbitrary code to obtain server permissions. |
![](https://s3.bmp.ovh/imgs/2023/07/14/fdc6987a22268e3b.gif)