Skip to content

Latest commit

 

History

History
41 lines (23 loc) · 1.51 KB

Dst-admin 1.5.0 background kickPlayer interface remote command execution.md

File metadata and controls

41 lines (23 loc) · 1.51 KB

Dst-admin 1.5.0 background kickPlayer interface remote command execution

An issue was discovered in dst-admin v1.5.0. The product has an background kickPlayer interface remote command execution that can expose sensitive information.

Vulnerability address:http://101.42.5.89:8080/

Vulnerability exploitation

通过get请求/home/kickPlayer接口,传入userId,value为“open -a Calculator”之类的命令的字符串,可远程执行命令。

执行时需要将userId的值URL编码处理,不然会返回400报错。

POC如下:

\")\n"&open -a Calculator&screen -S "DST_CAVES" -p 0 -X stuff "TheNet:Kick(\"

Through the get request '/home/kickPlayer' interface, a string of commands such as userId and value "open - a Calculator" is passed in to execute commands remotely. The value URL of userId needs to be encoded during execution, otherwise an error of 400 will be returned. The POC is as follows:

\")\n"&open -a Calculator&screen -S "DST_CAVES" -p 0 -X stuff "TheNet:Kick(\"

1

通过后台打印日志可以看出通过TheNet:Kick执行userId,所以需要闭合TheNet:Kick命令,才能执行命令。

The spooling log shows that the userId is executed through TheNet: Kick, so the TheNet: Kick command needs to be closed before the command can be executed.

1

命令执行成功。

The command was executed successfully.

1