CVE-2007-3010 PoC — Alcatel-Lucent OmniPCX Enterprise Remote Command Injection Vulnerability

Associated Vulnerability
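Title: Alcatel-Lucent OmniPCX Enterprise Remote Command Injection Vulnerability (CVE-2007-3010)
Description: OmniPCX Enterprise is an enterprise-class integrated communications solution. A CGI script shipped with OmniPCX has an input validation vulnerability that a remote attacker may exploit to execute arbitrary commands on the server. The CGI script masterCGI, installed with the OmniPCX web interface, provides a ping function: when the script is run with the ping and user parameters, any reachable IP can be pinged from the server hosting the web interface. The ping is executed on the server, using the ping program installed there, but the user variable is not filtered in any way before it is passed to the shell, so arbitrary commands can be injected into the user variable.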
Description
The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
File Snapshot

id: CVE-2007-3010 info: name: Alcatel-Lucent OmniPCX - Remote Command Execution author: king-al ...