CVE-2023-7116 PoC — DataX-Web 操作系统命令注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-7116.yaml

Associated Vulnerability

Title:DataX-Web 操作系统命令注入漏洞 (CVE-2023-7116)
Description:DataX-Web是WeiYe个人开发者的一个在 DataX 之上开发的分布式数据同步工具。 DataX-Web 2.1.2版本存在操作系统命令注入漏洞，该漏洞源于组件HTTP POST Request Handler中的 /api/log/killJob 存在一些未知函数，通过参数 processId 导致操作系统命令注入。

Description

A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249086 is the identifier assigned to this vulnerability.

File Snapshot


 id: CVE-2023-7116

info:
  name: WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection
  author: puss

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!