Suspected 0-day
# CVE-2025-26056
# Author: Rohan Deshpande
# OS Command Injection
# Summary
OS command injection is a vulnerability that lets an attacker execute
arbitrary commands on the host operating system through a vulnerable
application. In this case the mtrIP parameter of the generateMTRReport
endpoint is passed to the underlying command without validation, so a
crafted value is executed on the host and its output is returned in the
HTTP response. This can lead to unauthorized access, data breaches, and
full system compromise.
# Impact
The impact of OS command injection can include unauthorized
access to system resources, data theft, system compromise, and
potential full control over the affected server, leading to severe
security breaches and operational disruptions.
# Affected URL
http://<ip>:<port>/generateMTRReport
# Recommendation
To fix this issue, treat mtrIP as a network target rather than as free
text: validate it as a literal IP address (or a hostname matching a strict
grammar) before use, and invoke the MTR tool through an API that passes
arguments as a vector instead of building a shell string, so metacharacters
in the value cannot start a second command. Run the service under a
least-privilege account to limit what any remaining injection could reach.
Regular security testing and code review remain necessary to find similar
input-handling weaknesses elsewhere in the console.
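As an added illustration (not code from the affected product or from this advisory), the Python below reconstructs the vulnerable pattern this bug class comes from beside a hardened version of the same handler. The `mtr` binary name, its flags, and every function name are assumptions; the real generateMTRReport implementation is not public.

```python
"""Vulnerable pattern vs. hardened handling of the mtrIP parameter.

Added illustration, not the affected product's code: the real
generateMTRReport handler is not public, so build_command_vulnerable() is a
hypothetical reconstruction of the pattern that produces this bug class.
The "mtr" binary name and its flags are assumptions.
"""
import ipaddress
import shlex
import subprocess

# Tokens that /bin/sh treats as command separators. Backticks and $(...)
# are a further injection route that this simplified model does not lex.
SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}


def build_command_vulnerable(mtr_ip: str) -> str:
    """Hypothetical vulnerable pattern: user input concatenated into a
    string that is later handed to a shell (os.system / shell=True)."""
    return f"mtr --report --report-cycles 3 {mtr_ip}"


def commands_in_shell_string(cmd: str) -> list[list[str]]:
    """Split a shell string the way sh would, into one argv per command.

    Used only to show that an injected mtrIP value yields a second
    command; it is a teaching aid, not a complete shell parser."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_valid_target(value: str) -> bool:
    """Positive validation: accept only a literal IPv4 or IPv6 address.
    Hostnames are deliberately rejected to keep the check strict; widen it
    with an explicit hostname grammar if DNS names must be supported."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_command_hardened(mtr_ip: str) -> list[str]:
    """Validate, then return an argv list. With an argv list and no shell,
    metacharacters in the value stay inside one argument even if the
    validation were ever bypassed."""
    if not is_valid_target(mtr_ip):
        raise ValueError(f"rejected mtrIP value: {mtr_ip!r}")
    return ["mtr", "--report", "--report-cycles", "3", mtr_ip]


def run_mtr(mtr_ip: str, timeout: int = 60) -> str:
    """Execute the hardened argv with shell=False (the default). Assumes an
    mtr binary on PATH; the service itself should run as an unprivileged
    account so a future bug cannot escalate beyond that account."""
    proc = subprocess.run(
        build_command_hardened(mtr_ip),
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return proc.stdout
```

The argv form is the real fix and the validator is defence in depth: with `shell=False`, a value such as `8.8.8.8; cat /etc/passwd` reaches mtr as a single unresolvable hostname rather than as two commands, whereas `commands_in_shell_string` shows the vulnerable string splitting into `mtr ...` followed by `cat /etc/passwd`.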
# Proof of Concept
1. Log in to the console and navigate to Troubleshoot → MTR.
2. Enter an IP address and capture the resulting request in Burp Suite.
3. Inject a command that reads '/etc/passwd' through the mtrIP parameter and observe that the file's contents are displayed in the HTTP response.
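Because every attempt like the one above leaves a request to the affected URL in the web server's log, here is an added detection example (not part of the advisory) that flags generateMTRReport requests whose mtrIP value is anything other than a literal IP address. It assumes an Apache/nginx combined-format access log and that mtrIP arrives in the query string; the sample lines are constructed. If the product sends mtrIP in a POST body (the PoC only says the request was captured in Burp), the same check must run on a reverse-proxy or WAF log that records request bodies.

```python
"""Flag generateMTRReport requests whose mtrIP is not a literal IP address.

Added detection example, not part of the advisory. Assumes an Apache/nginx
combined-format access log and that mtrIP arrives in the query string; the
log lines below are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

VULNERABLE_PATH = "/generateMTRReport"
PARAM = "mtrIP"


def mtr_ip_is_suspicious(value: str) -> bool:
    """True unless the (already URL-decoded) value parses as IPv4/IPv6.
    Anything else, including ';', '|', '$(' or a trailing newline, is an
    attempt to reach the shell rather than a troubleshooting target."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return True
    return False


def find_injection_attempts(lines):
    """Return one record per suspicious mtrIP value seen in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes each value once, which is the form the
        # application itself would have seen.
        for value in parse_qs(parts.query).get(PARAM, []):
            if mtr_ip_is_suspicious(value):
                hits.append({"src": m["src"], "ts": m["ts"],
                             "mtrIP": value, "status": int(m["status"])})
    return hits


# Constructed sample log: a benign report, two injection attempts, noise.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Mar/2025:10:15:01 +0000] "GET /generateMTRReport?mtrIP=8.8.8.8 HTTP/1.1" 200 1532',
    '10.1.2.3 - - [12/Mar/2025:10:15:44 +0000] "GET /generateMTRReport?mtrIP=8.8.8.8%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 4021',
    '10.1.2.9 - - [12/Mar/2025:10:16:10 +0000] "GET /generateMTRReport?mtrIP=2001%3Adb8%3A%3A1 HTTP/1.1" 200 1601',
    '10.1.2.3 - - [12/Mar/2025:10:17:02 +0000] "GET /login HTTP/1.1" 200 812',
    '10.1.2.3 - - [12/Mar/2025:10:17:30 +0000] "GET /generateMTRReport?mtrIP=%24(id) HTTP/1.1" 200 3310',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

The check is deliberately a positive one (is this an IP address?) rather than a blocklist of metacharacters, so encodings or separators the rule author did not think of still get flagged; a 200 status on a flagged request is the signal that the injection actually succeeded.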