Open lovelyjuice opened 1 day ago
I used this PoC: https://github.com/iamHuFei/HVVault/blob/4558fdb/oa/%E9%87%91%E8%9D%B6OA/kingdee-erp-srm-scpsupreghandler-fileupload.yaml
Both requests were sent correctly, but

```
PS D:\DevDir\Go\neutron> go run ./cmd/shot -proxy http://127.0.0.1:8083 D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml http://xxx.xx.xx.xx:8090
Using proxy: http://127.0.0.1:8083
Load success for D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml
OK: <nil>
Execution time: 841.3678ms
```

Both nuclei and yakit can detect the vulnerability, but neutron cannot.
Is the `{{randstr_1}}` form also unusable in neutron?
After `200 == 200`, neutron shows `OK: &{true false map[] map[] [] map[] map[] map[filename:OStCs]}`.
With `status_code_1 == 200`, neutron no longer works.
`status_code == 200`: succeeds.
`- contains((body_1), 'true')`: fails.
`- contains((body), 'true')`: succeeds.
`contains((body), '{{randstr}}')`: fails.