PoC details: c5b271014e0b235fcedf5fee89133cb6ffb03909

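Source
Related vulnerability
Title: 14Finger security vulnerability (CVE-2024-37770)
Description: 14Finger is a full-featured web fingerprinting and sharing platform by the individual developer b1ackc4t. 14Finger v1.1 contains a security vulnerability: the fingerprint function includes a remote command execution (RCE) flaw that allows attackers to execute arbitrary commands via a crafted payload.
Description
CVE-2024-37770
Introduction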
# CVE-2024-37770

## Description
14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.

## Attack Vector
Unauthenticated attackers can inject commands through shell metacharacters, thereby achieving remote command execution on remote servers.

## Detail
There is an unauthorized remote command execution vulnerability at the fingerprint scanning point, the application's core function:
![image](https://github.com/k3ppf0r/CVE-2024-37770/assets/63085409/82375a33-0c6a-4634-a917-610a92359499)

Auditing the source code shows that when only_spider is false and spider is true, the crawl_site() function is executed:
![image](https://github.com/k3ppf0r/CVE-2024-37770/assets/63085409/c6d42a1d-10c5-4613-bfeb-1d0b3f2ecb67)

Following the call further, the submitted URL is concatenated into cmd and handed to Python's subprocess module for execution, so arbitrary commands can be executed by constructing a payload.
![image](https://github.com/k3ppf0r/CVE-2024-37770/assets/63085409/e79919f3-9dd3-4b3d-a9d3-bd81a6a1883d)

Exploit:
![image](https://github.com/k3ppf0r/CVE-2024-37770/assets/63085409/d1264671-51d8-4473-8159-60afb5d0b60f)


The program blocks. Why? Because our command executed successfully!

![image](https://github.com/k3ppf0r/CVE-2024-37770/assets/63085409/5ae69370-a71c-4224-9d93-64c0c4c83378)

SUCCEED!
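The root cause described in the Detail section, as an added example (not 14Finger's code, which appears only in the screenshots): `shell_view` shows how a shell would tokenise a URL concatenated into a command string, and `crawl_safely` passes the same URL as a single argv element with no shell involved. The `crawler` name, the `-u` flag and the Python stand-in process are assumptions made for illustration.

```python
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for the external crawler (assumption): it echoes its last argument.
CRAWLER = [sys.executable, "-c", "import sys; print(sys.argv[-1])"]
# Constructed sample input containing shell metacharacters.
SAMPLE = "http://example.test/a;b|c"


def shell_view(url: str) -> list:
    """Tokenise the concatenated string the way a shell would. Nothing is executed."""
    cmd = "crawler -u " + url  # the vulnerable pattern: URL glued into a command string
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # keep '#' (URL fragments) from being read as a comment
    return list(lexer)


def validate_url(url: str) -> str:
    """Accept only http(s) URLs with a host and no whitespace or control characters."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    return url  # the scheme check also rules out a leading '-' (option injection)


def crawl_safely(url: str) -> str:
    """Hardened form: argv list, no shell, so metacharacters stay literal data."""
    argv = CRAWLER + [validate_url(url)]
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print("shell would see :", shell_view(SAMPLE))
    print("argv child sees :", crawl_safely(SAMPLE))
```

In the first output the `;` and `|` become command separators, which is the condition the advisory describes; in the second the child process receives the URL as one unmodified argument.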
File snapshot

[4.0K] /data/pocs/c5b271014e0b235fcedf5fee89133cb6ffb03909
└── [1.4K] README.md

0 directories, 1 file