{"id":1152,"date":"2022-12-10T22:58:26","date_gmt":"2022-12-10T14:58:26","guid":{"rendered":"https:\/\/blog.langsasec.cn\/?p=1152"},"modified":"2022-12-10T22:58:41","modified_gmt":"2022-12-10T14:58:41","slug":"apt-t00ls","status":"publish","type":"post","link":"https:\/\/blog.langsasec.cn\/index.php\/2022\/12\/10\/apt-t00ls\/","title":{"rendered":"\u5de5\u5177\u63a8\u8350\u2014\u2014Apt-t00ls"},"content":{"rendered":"

<\/span>\u9879\u76ee\u5730\u5740<\/span><\/h2>\n
\n

https:\/\/github.com\/White-hua\/Apt_t00ls<\/a><\/p>\n<\/blockquote>\n

<\/span>\u5305\u542b\u6f0f\u6d1e<\/span><\/h2>\n

<\/span>\u6cdb\u5fae:<\/span><\/h3>\n
    \n
  • e-cology workrelate_uploadOperation.jsp-RCE (\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
  • e-cology page_uploadOperation.jsp-RCE (\u6682\u672a\u627e\u5230\u6848\u4f8b \u4ec5\u4f9b\u68c0\u6d4bpoc)<\/li>\n
  • e-cology BshServlet-RCE (\u53ef\u76f4\u63a5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4)<\/li>\n
  • e-cology KtreeUploadAction-RCE (\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
  • e-cology WorkflowServiceXml-RCE (\u9ed8\u8ba4\u5199\u5165\u5185\u5b58\u9a6c \u51b0\u874e 3.0 beta11)<\/li>\n
  • e-office logo_UploadFile.php-RCE (\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
  • e-office10 OfficeServer.php-RCE (\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
  • e-office doexecl.php-RCE (\u5199\u5165phpinfo,\u9700\u8981getshell\u8bf7\u81ea\u884c\u5229\u7528)<\/li>\n
  • e-mobile_6.6 messageType.do-SQlli (sqlmap\u5229\u7528\uff0c\u6682\u65e0\u76f4\u63a5shell\u7684exp)<\/li>\n<\/ul>\n

    <\/span>\u84dd\u51cc\uff1a<\/span><\/h3>\n
      \n
    • landray_datajson-RCE (\u53ef\u76f4\u63a5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4)<\/li>\n
    • landray_treexmlTmpl-RCE (\u53ef\u76f4\u63a5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4)<\/li>\n
    • landray_sysSearchMain-RCE (\u591a\u4e2apayload\uff0c\u5199\u5165\u54e5\u65af\u62c9 3.03 \u5bc6\u7801 yes)<\/li>\n<\/ul>\n

      <\/span>\u7528\u53cb:<\/span><\/h3>\n
        \n
      • yongyou_chajet_RCE (\u7528\u53cb\u7545\u6377\u901aT+ rce \u9ed8\u8ba4\u5199\u5165\u54e5\u65af\u62c9Cshap\/Cshap_aes_base64)<\/li>\n
      • yongyou_NC_FileReceiveServlet-RCE \u53cd\u5e8f\u5217\u5316rce (\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
      • yongyou_NC_bsh.servlet.BshServlet_RCE (\u53ef\u76f4\u63a5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4)<\/li>\n
      • yongyou_NC_NCFindWeb \u76ee\u5f55\u904d\u5386\u6f0f\u6d1e (\u53ef\u67e5\u770b\u662f\u5426\u5b58\u5728\u5386\u53f2\u9057\u7559webshell)<\/li>\n
      • yongyou_GRP_UploadFileData-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n<\/ul>\n

        <\/span>\u4e07\u6237\uff1a<\/span><\/h3>\n
          \n
        • wanhuoa_OfficeServer-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
        • wanhuoa_OfficeServer-RCE(\u9ed8\u8ba4\u5199\u5165\u54e5\u65af\u62c94.0.1 jsp aes \u9ed8\u8ba4\u5bc6\u7801\u5bc6\u94a5)<\/li>\n
        • wanhuoa_DocumentEdit-SQlli(mssql\u6570\u636e\u5e93 \u53ef os-shell)<\/li>\n
        • wanhuoa_OfficeServerservlet-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
        • wanhuoa_fileUploadController-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n<\/ul>\n

          <\/span>\u81f4\u8fdc\uff1a<\/span><\/h3>\n
            \n
          • seeyonoa_main_log4j2-RCE (\u4ec5\u652f\u6301\u68c0\u6d4b\uff0c\u81ea\u884c\u5f00\u542fladp\u670d\u52a1\u5229\u7528)<\/li>\n
          • seeyonoa_wpsAssistServlet-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
          • seeyonoa_htmlofficeservlet-RCE(\u9ed8\u8ba4\u5199\u5165\u51b0\u874e4.0.3aes)<\/li>\n
          • seeyonoa_ajaxBypass-RCE(\u5199\u5165\u5929\u874e \u5bc6\u7801sky)<\/li>\n<\/ul>\n

            <\/span>\u4e2d\u95f4\u4ef6:<\/span><\/h3>\n
              \n
            • IIS_PUT_RCE (emm\u6682\u65f6\u6ca1\u529e\u6cd5getshell \u4ec5\u652f\u6301\u68c0\u6d4b java\u6ca1\u6709MOVE\u65b9\u6cd5)<\/li>\n<\/ul>\n

              <\/span>\u5b89\u5168\u8bbe\u5907:<\/span><\/h3>\n
                \n
              • \u7efc\u5408\u5b89\u9632applyCT_fastjson-RCE(\u4ec5\u652f\u6301\u68c0\u6d4b,\u81ea\u884c\u4f7f\u7528ladp\u670d\u52a1\u5229\u7528)<\/li>\n
              • \u7f51\u5eb7\u4e0b\u4e00\u4ee3\u9632\u706b\u5899_ngfw_waf_route-RCE(\u5199\u5165\u83dc\u5200shell \u5bc6\u7801:nishizhu)<\/li>\n
              • \u7f51\u5fa1\u661f\u4e91\u8d26\u53f7\u5bc6\u7801\u6cc4\u9732<\/li>\n<\/ul>\n

                <\/span>\u4f7f\u7528\u622a\u56fe<\/span><\/h2>\n

                \"\u6807\u9898:
                \n\"\u6807\u9898:
                \n\"\u6807\u9898:<\/p>\n

                <\/span>\u5de5\u5177\u6a21\u5757:<\/span><\/h2>\n

                <\/span>\u6587\u4ef6\u4e0a\u4f20\u6307\u4ee4\u751f\u6210<\/span><\/h3>\n

                \"img\"<\/p>\n

                <\/span>Tasklist\u654f\u611f\u8fdb\u7a0b\u68c0\u6d4b<\/span><\/h3>\n

                \"\u6807\u9898:<\/p>\n

                <\/span>\u53cd\u5f39shell\u547d\u4ee4\u751f\u6210<\/span><\/h3>\n

                \"img\"<\/p>\n

                <\/span>\u5b58\u5728\u95ee\u9898<\/span><\/h2>\n

                \u82e5\u662f\u9875\u9762\u663e\u793a\u4e0d\u6b63\u5e38\u4e3a\uff0c\u4e3a\u5206\u8fa8\u7387\u95ee\u9898\uff0c\u53ef\u901a\u8fc7\u8c03\u6574\u5c4f\u5e55\u7f29\u653e\u6bd4\u4f8b\u6216\u8005\u5728\u6e90\u7801\u4e3b\u51fd\u6570\u4e2d\u4fee\u6539\u5230\u81ea\u5df1\u7535\u8111\u7684\u5408\u9002\u5c3a\u5bf8<\/p>\n

                \"img\"<\/p>\n

                <\/span>\u83b7\u53d6\u65b9\u5f0f<\/span><\/h2>\n
                \n

                \u5173\u6ce8\u6d6a\u98d2sec\u56de\u590dATT<\/code>\u83b7\u53d6\u5feb\u901f\u4e0b\u8f7d\u5730\u5740<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"

                \u9879\u76ee\u5730\u5740 https:\/\/github.com\/White-hua\/Apt_t00ls \u5305\u542b\u6f0f\u6d1e \u6cdb\u5fae: e- […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-1152","post","type-post","status-publish","format-standard","hentry","category-tools"],"_links":{"self":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1152"}],"version-history":[{"count":1,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1152\/revisions"}],"predecessor-version":[{"id":1153,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/1152\/revisions\/1153"}],"wp:attachment":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}