
CVE-2020-7200 PoC — HPE Systems Insight Manager security vulnerability

Source
Associated Vulnerability
Title: HPE Systems Insight Manager security vulnerability (CVE-2020-7200)
Description: HPE Systems Insight Manager (HPE SIM) is a server management application from the US company HPE. The software supports discovering and identifying devices, proactively notifying of actual or impending component failures, and other monitoring and management functions. HPE Systems Insight Manager (SIM) version 7.6 contains a security vulnerability that an attacker can exploit to execute remote code.
Description
CVE-2020-7200: HPE Systems Insight Manager (SIM) RCE PoC
Readme
# CVE-2020-7200

Download HPE SIM 7.6: https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c05350303#N10011

Details: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04068en_us

🎞 Video: https://www.youtube.com/watch?v=QNhcNJtjKyw

HPE does not provide a patch; the only temporary fix is to delete simsearch.war at `C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war`, which means this file is the main cause of the vulnerability!

```
Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war
└───WEB-INF
    │
    └───lib
            axis-1.4.jar
            backport-util-concurrent.jar
            cfgatewayadapter.jar
            commons-codec-1.3.jar
            commons-httpclient-3.0.1.jar
            commons-logging.jar
            concurrent.jar
            flex-messaging-common.jar
            flex-messaging-core.jar
            flex-messaging-opt.jar
            flex-messaging-proxy.jar
            flex-messaging-remoting.jar
            flex-rds-server.jar
            jaxrpc.jar
            simsearch.jar
            xalan.jar
            
Program Files\HP\Systems Insight Manager
└───lib
        jgroups-2.2.1.jar

Program Files\HP\Systems Insight Manager\jboss\server\hpsim
└───lib
        commons-collections.jar
        javassist.jar
```

Start server:

```
C:\Program Files\HP\Systems Insight Manager\lbin>hpsimsvc.exe -console
```

Request:

```
POST /simsearch/messagebroker/amfsecure HTTP/1.1
Host: 127.0.0.1:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: <payload length in bytes>

<PAYLOAD>
```
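As a defender's companion to the request above (an added example, not code from the PoC repository or from HPE), the following script checks a web access log for POST requests to the `/simsearch/messagebroker/amfsecure` endpoint and verifies whether the vendor's temporary fix (removing `simsearch.war`) is in place. It assumes logs in Common Log Format; the log lines, the function names and the `CLF_RE` pattern are this example's own, and the sample traffic is constructed.

```python
import re
from pathlib import Path

# Endpoint and mitigation file taken from the README above.
AMF_ENDPOINT = "/simsearch/messagebroker/amfsecure"
SIMSEARCH_WAR = Path(
    r"C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war"
)

# Common Log Format with the request line split out (assumed log shape).
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_amf_requests(lines):
    """Return one finding per POST that targets the vulnerable AMF endpoint.

    The comparison ignores the query string and letter case, since the
    servlet path on a Windows host may be matched case-insensitively.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.lower() == AMF_ENDPOINT:
            findings.append(
                {"src": rec["src"], "ts": rec["ts"], "status": int(rec["status"])}
            )
    return findings


def mitigation_applied(war_path=SIMSEARCH_WAR):
    """True when simsearch.war is absent, i.e. the temporary fix is in place."""
    return not Path(war_path).exists()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2021:10:15:01 +0000] "GET /simsearch/ HTTP/1.1" 200 512
10.0.0.9 - - [02/Jan/2021:10:15:07 +0000] "POST /simsearch/messagebroker/amfsecure HTTP/1.1" 200 0
10.0.0.9 - - [02/Jan/2021:10:15:09 +0000] "POST /SimSearch/MessageBroker/AmfSecure?x=1 HTTP/1.1" 500 0
10.0.0.7 - - [02/Jan/2021:10:16:00 +0000] "POST /otherapp/login HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for f in find_amf_requests(SAMPLE_LOG):
        print(f"AMF request from {f['src']} at {f['ts']} -> HTTP {f['status']}")
    print("simsearch.war removed:", mitigation_applied())
```

Run it on the SIM host against the JBoss access log; any hit on the endpoint while `mitigation_applied()` returns False is worth an investigation, and a 500 response is not proof that an attempt failed.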
File Snapshot

```
[4.0K] /data/pocs/6de6ca09ce411d13fed2948d05653a1d7c1f547a
├── [1.3K] emp2.ser
├── [ 63] emp.ser
├── [4.0K] libs
│   ├── [545K] commons-collections.jar
│   ├── [586K] javassist.jar
│   ├── [1.5M] jgroups-2.2.1.jar
│   └── [7.6M] simsearch.war
├── [4.0K] out
│   └── [4.0K] production
│       └── [4.0K] ProjectSIM
│           ├── [ 743] Strings$ToStringComparator.class
│           ├── [2.9K] Strings.class
│           ├── [2.5K] Test0.class
│           └── [7.1K] Test1.class
├── [1.2K] ProjectSIM.iml
├── [1.8K] README.md
└── [4.0K] src
    ├── [1.8K] Strings.java
    ├── [1.4K] Test0.java
    └── [5.1K] Test1.java

5 directories, 15 files
```