CVE-2023-33831 PoC — FUXA 命令注入漏洞

Source

https://github.com/rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831

Associated Vulnerability

Title:FUXA 命令注入漏洞 (CVE-2023-33831)
Description:A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

Description

Description and exploit of CVE-2023-33831 affecting FUXA web-based Process Visualization (SCADA/HMI/Dashboard) software.

Readme

# Unauthenticated-RCE-FUXA-CVE-2023-33831
The vulnerability affects FUXA's scripting component, due to lack of control or sanitization on inputs that can be controlled by users, thus allowing the use of dangerous methods that can be scaled for remote code execution.
The affected route is /api/runscript, where it is possible to execute commands without having to be authenticated through the code parameter via the POST method using the child_process module via the exec function.

<p align="center">
  <img height=300 src="https://github.com/rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831/assets/54555784/07c1b06a-737d-4842-b47b-abdebffa3b5b" />
</p>

---

#### Mode of Use
```
python CVE-2023-33831.py --rhost <ip> --rport <rport> --lhost <lhost> --lport <lport>
```
Link: https://www.youtube.com/watch?v=Xxa6yRB2Fpw

File Snapshot


 [4.0K]  /data/pocs/6838d93ef2f267240f1615cf7a5e7a3bdd5ed318
├── [1.9K]  CVE-2023-33831.py
└── [ 830]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!