CVE-2017-14535 PoC — Fonality trixbox 操作系统命令注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-14535.yaml

Associated Vulnerability

Title:Fonality trixbox 操作系统命令注入漏洞 (CVE-2017-14535)
Description:Fonality Trixbox（前称Asterisk Home）是美国Fonality公司的一套集成VoIP和CRM功能的开源电话交换机解决方案。该方案支持语音信箱、多方语音会议和交互式语音应答(IVR)等。 Fonality trixbox 2.8.0.4版本中存在操作系统命令注入漏洞。远程攻击者可通过向/maint/modules/home/index.php发送带有shell元字符的‘lang’参数利用该漏洞注入并执行任意的命令。

Description

Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.

File Snapshot


 id: CVE-2017-14535

info:
  name: Trixbox - 2.8.0.4 OS Command Injection
  author: pikpikcu
  severi

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!