CVE-2021-27561 PoC — Yealink Device Management 操作系统命令注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-27561.yaml

Associated Vulnerability

Title:Yealink Device Management 操作系统命令注入漏洞 (CVE-2021-27561)
Description:Yealink Device Management（Yealink Dm）是中国亿联（Yealink）公司的一种适用于 Microsoft 认证的 Yealink Skype For Business Ip 电话。 Yealink Device Management 3.6.0.20及其之前版本存在操作系统命令注入漏洞，该漏洞源于软件允许攻击者通过 /sm/api/v1/firewall/zone/services 的URI 以root身份注入命令，无需认证。

Description

Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

File Snapshot


 id: CVE-2021-27561

info:
  name: YeaLink DM 3.6.0.20 - Remote Command Injection
  author: shifacycl

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!