CVE-2019-12986 PoC — Citrix Systems SD-WAN Center和NetScaler SD-WAN Center 命令操作系统命令注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-12986.yaml

Associated Vulnerability

Title:Citrix Systems SD-WAN Center和NetScaler SD-WAN Center 命令操作系统命令注入漏洞 (CVE-2019-12986)
Description:Citrix Systems SD-WAN Center是美国思杰系统（Citrix Systems）公司的一套集中管理系统。该系统主要用于配置、监控和分析WAN上的所有Citrix SD-WAN设备。 Citrix Systems SD-WAN Center 10.2.3之前的10.2.x版本和NetScaler SD-WAN Center 10.0.8之前的10.0.x版本中存在命令操作系统命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过程中，网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该

Description

Citrix SD-WAN Center is susceptible to remote command injection via the trace_route function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.

File Snapshot


 id: CVE-2019-12986

info:
  name: Citrix SD-WAN Center - Remote Command Injection
  author: gy741
  

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!